[Info-vax] Kernel Transplantation
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Jan 23 08:29:56 EST 2024
On 2024-01-22, Mark Berryman <mark at theberrymans.com> wrote:
>
> Sadly, when an IP-based attack makes it through the firewall and into a
> host, the host typically does worse than "fall over". It lets the
> attacker in where the attacker can then do all kinds of nefarious
> things. This is often not detected until long after the fact. If there
> has ever been a successful attack from an external source on a VMS
> system that allowed the attacker to muck around on that system, I am not
> aware of it. Are you?
>
I know that Stephen has mentioned he has had to clean up compromised VMS
systems for clients, but I don't recall him stating the infection origin.
I suspect, given the nature of VMS systems and the people who manage them,
such details are kept private however.

The biggest external problem I have ever had to personally deal with was
that the UCX stack still had an SMTP open relay with no way of restricting
it, when the rest of the world had moved on and this was very, very, no
longer acceptable.

It's been too long, so I don't recall how I fixed that. I could have waited
for a later version of UCX before enabling this, or I could have put a Linux
email server in front of the VMS system.

I do know this was about the time I finally abandoned the idea of directly
attaching a webserver running on a VMS system to the Internet and placing
it instead behind a Linux webserver, but I can't remember how I fixed the
open relay issue.

> The purpose of a firewall is to protect the IP stack of the hosts behind
> it. I merely suggested a couple of ways one can firewall one's DECnet
> traffic, and thereby protect that stack. Nothing unusual or exceptional
> about it.
>
> I ran a VMS host fully exposed to the Internet with DECnet phase V on it
> for years without issue. It was a honeypot so it wanted to see as many
> attack attempts as possible. It was running WASD instead of Apache so
> none of the attacks on the web port succeeded and none of the attacks on
> the ports used by DECnet ever caused an issue. So, real world
> experience, not guesswork. And, no, I wouldn't try this with any other
> platform.
>
I assume this was way after the DECnet worms were no longer a thing... :-)

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.