INFO-VAX    Wed, 18 Jul 2007    Volume 2007 : Issue 390

Contents:
    /. openMosix Is Shutting Down
    CMMI Practices
    Re: Debugging shareable images weirdness
    Re: Debugging shareable images weirdness
    Re: EDT Replacement
    Re: Linux (was Re: How many people here use Itanium w VMS)
    MUTEX's to be investigated
    Re: MUTEX's to be investigated
    Re: PC EDT keypad (was EDT Replacement)
    these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: these sshmucks are at it again...
    Re: What does GEM mean?
    Re: What does GEM mean?
    Re: What's up with Google - Groups today?
    Re: What's up with Google - Groups today?

----------------------------------------------------------------------

Date: Wed, 18 Jul 2007 08:47:30 +0200
From: Martin Krischik
Subject: /. openMosix Is Shutting Down
Message-ID: <469db782$1@news.post.ch>

How about a little bit of schadenfreude:

http://linux.slashdot.org/article.pl?sid=07/07/17/2342252

You also have to read the "End of Life Announcement" where they pretend to have invented clustering:

http://sourceforge.net/forum/forum.php?forum_id=715406

So, with multi core CPU's clustering becomes obsolete - interesting opinion.

Martin

PS: you might consider discussing on /. as well.
--
mailto://krischik@users.sourceforge.net
Ada programming at: http://ada.krischik.com

------------------------------

Date: Wed, 18 Jul 2007 12:11:22 -0000
From: Michal
Subject: CMMI Practices
Message-ID: <1184760682.438958.64900@i13g2000prf.googlegroups.com>

Software configuration management specific practices play a great part in maintaining and monitoring configuration of various items. More to read...
http://testingmechanism.blogspot.com

------------------------------

Date: Wed, 18 Jul 2007 16:21:16 -0000
From: Neil Lowden
Subject: Re: Debugging shareable images weirdness
Message-ID: <1184775676.704184.57570@z28g2000prd.googlegroups.com>

Many thanks for all the replies.

I have had to open a support call with HP for this as some developers have been relying on the fact they can debug against installed shareable images on Alpha and kicking up a hell of a fuss that it seems to be broken on I64.

I will let you know the outcome when I hear from HP.

Regards

------------------------------

Date: Wed, 18 Jul 2007 10:26:41 -0700
From: Neil Lowden
Subject: Re: Debugging shareable images weirdness
Message-ID: <1184779601.489703.6730@i38g2000prf.googlegroups.com>

Hi again guys,

Sorry, I missed a few of your replies as I was only watching the Google comp.os.vms archive which has been offline for a few hours today.

To clarify a question I think Jeff asked, yes the debugger does stop at the breakpoint but from then on STEPping doesn't increment the line reported.

I should also add that I have now found that blindly continuing to STEP sometimes raises a SYSTEM-F-BREAK_ARCH exception although it is not consistent. It can happen after STEPping just a couple of times or sometimes needs 4 or 5. Sometimes no exception is raised at all.

All this info is with HP so hopefully I'll have an answer soon.

Regards
-Neil

------------------------------

Date: Wed, 18 Jul 2007 17:52:59 +0000 (UTC)
From: moroney@world.std.spaamtrap.com (Michael Moroney)
Subject: Re: EDT Replacement
Message-ID:

John Sauter writes:

>My memory must be failing me in my old age. I seem to remember
>instrumenting EDT so it would write a record for each line read from and
>written to the terminal, then turning those records into a script for a
>test program, which we got from another group. It would play the
>recorded input lines and capture the output.
EDT automagically logs its commands to a .JOU file, what you are talking about must be a variation of this. If your process gets killed somehow you can recover (most of) your work with $ EDIT/EDT/RECOVER, and it's kind of neat watching the cursor fly around redoing all your edits.

I would guess that a substantial verification of EDT functionality could be done by using a standard input and .JOU files, and compare the resulting output file to a standard.

------------------------------

Date: Wed, 18 Jul 2007 06:28:02 -0700
From: "Jeffrey H. Coffield"
Subject: Re: Linux (was Re: How many people here use Itanium w VMS)
Message-ID:

Ron Johnson wrote:
>t's very interesting.
>
> Are these narrow-focus desktops, and they've found an adequate
> substitute for Exchange?
>

Due to legal issues, most of the employees do not have e-mail.

Jeff Coffield

------------------------------

Date: Wed, 18 Jul 2007 01:19:34 -0700
From: "hanblo {at} netscape.net"
Subject: MUTEX's to be investigated
Message-ID: <1184746774.685819.252350@m37g2000prh.googlegroups.com>

Hello,
I'm running OpenVMS 7.3-2 on a ES47 with 4 CPUs and 16Gb of memory.
I have a problem (+) with processes, both application user processes and TCPIP$FTPC##### processes.
All of a sudden they go into MUTEX wait. Not too long, but long enough for me to see it and to get curious. The PCB EFWM mask says LNM$AQ_MUTEX.

Is this something worth digging into? What are they waiting for and why?
Any comments would be great.

Regards
Hans Blom

------------------------------

Date: 18 Jul 2007 07:04:05 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: MUTEX's to be investigated
Message-ID:

In article <1184746774.685819.252350@m37g2000prh.googlegroups.com>, "hanblo {at} netscape.net" writes:
> Hello,
> I'm running OpenVMS 7.3-2 on a ES47 with 4 CPUs and 16Gb of memory.
> I have a problem (+) with processes, both application user processes
> and
> TCPIP$FTPC##### processes.
> All of a sudden they go into MUTEX wait. Not too long, but long enough
> for me
> to see it and to get curious. The PCB EFWM mask says LNM$AQ_MUTEX.

It looks like they're temporarily hung up messing around with logical names.

It is normal for a process to go in and out of MUTEX states, usually so fast you don't even see them. Perhaps the tool you're using to look is running at real-time priority?

------------------------------

Date: 18 Jul 2007 07:01:30 -0500
From: koehler@eisner.nospam.encompasserve.org (Bob Koehler)
Subject: Re: PC EDT keypad (was EDT Replacement)
Message-ID:

In article , Ron Johnson writes:
>
> I'm referring to a PC-102 keyboard that accesses VMS using a
> terminal emulator.

I'm referring to a Lenovo laptop and a Targus keypad. All the keys are grey.

Perhaps you'll let us know which of your keys are grey? All PCs are different, and your post kind of hinges on that.

------------------------------

Date: Wed, 18 Jul 2007 12:21:18 GMT
From: VAXman- @SendSpamHere.ORG
Subject: these sshmucks are at it again...
Message-ID: <2Bnni.12444$xe1.3929@newsfe12.lga>

More ssh attacks. They are mostly a nuisance.
However, logs full of OPCOM messages like this

%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
Message from user AUDIT$SERVER on ******
Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
Auditable event: Network login
Event time: 18-JUL-2007 08:05:42.85
PID: 20200D5E
Process name: TCPIP$SS_BG3304
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Remote node id: 11223344 (aa.bbb)
Remote node fullname: aa.bb.cc.dd
Remote username: TCPIP$SSH
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)

%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:48.42 %%%%%%%%%%%
Message from user AUDIT$SERVER on ******
Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
Auditable event: Network login failure
Event time: 18-JUL-2007 08:05:48.42
PID: 20200D5E
Process name: TCPIP$SS_BG3304
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:some.hackers.net
Remote username: SSH_11223344
Status: %LOGIN-F-NOTVALID, user authorization failure

would be much more useful if ONE of the above two logged messages would include the username the hacker is trying to use for access. I do not see it (the username under attack) in any of the SSH log files either.

This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get the username under attack, I'd appreciate it. HP, if you are listening, this would be a nice feature if it doesn't already exist (I didn't see a way to get it when I perused the ssh doc).

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

http://tmesis.com/sig.jpg

------------------------------

Date: Wed, 18 Jul 2007 13:30:31 +0100
From: "Richard Brodie"
Subject: Re: these sshmucks are at it again...
Message-ID:

wrote in message news:2Bnni.12444$xe1.3929@newsfe12.lga...

> This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
> the username under attack, I'd appreciate it.
I just use a script to summarize and archive the logs:

search TCPIP$SSH_HOME:TCPIP$SSH_RUN.LOG;* "warning"

would do as a quick and dirty hack, I guess.

------------------------------

Date: Wed, 18 Jul 2007 13:36:00 +0000 (UTC)
From: gartmann@nonsense.immunbio.mpg.de (Christoph Gartmann)
Subject: Re: these sshmucks are at it again...
Message-ID:

In article <2Bnni.12444$xe1.3929@newsfe12.lga>, VAXman- @SendSpamHere.ORG writes:
>More ssh attacks. They are mostly a nuisance. However, logs full of
>OPCOM messages like this
>
>%%%%%%%%%%% OPCOM 18-JUL-2007 08:05:42.85 %%%%%%%%%%%
>Message from user AUDIT$SERVER on ******
>Security alarm (SECURITY) and security audit (SECURITY) on ******, system id: 1234
>Auditable event: Network login
>Event time: 18-JUL-2007 08:05:42.85
>PID: 20200D5E
>Process name: TCPIP$SS_BG3304
>Username: TCPIP$SSH
>Process owner: [TCPIP$AUX,TCPIP$SSH]
>Image name: DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
>Remote node id: 11223344 (aa.bbb)
>Remote node fullname: aa.bb.cc.dd
>Remote username: TCPIP$SSH
>Posix UID: -2
>Posix GID: -2 (%XFFFFFFFE)
[...]
>would be much more useful if ONE of the above two logged messages would
>include the username the hacker is trying to use for access. I do not
>see it (the username under attack) in any of the SSH log files either.
>
>This is TCPIP services ssh, BTW. If anybody has a quick and dirty to get
>the username under attack, I'd appreciate it. HP, if you are listening,
>this would be a nice feature if it doesn't already exist (I didn't see a
>way to get it when I perused the ssh doc).

With Multinet I get:

Security alarm (SECURITY) and security audit (SECURITY) on MPI5, system id: 1029
Auditable event: Network login failure
Event time: 18-JUL-2007 08:02:41.33
PID: 2020392F
Process name: SSHD 0474
Username: irc
Remote nodename: 83.170.73.89
Remote node id: 1497999955
Remote username: SSH:IRC
Status: %LOGIN-F-NOSUCHUSER, no such user

But why would you like to know the user-ID?
The IP-address from where the attack occurs is more interesting.

Regards,
Christoph Gartmann

--
Max-Planck-Institut fuer      Phone : +49-761-5108-464 Fax: -452
Immunbiologie
Postfach 1169                 Internet: gartmann@immunbio dot mpg dot de
D-79011 Freiburg, Germany
http://www.immunbio.mpg.de/home/menue.html

------------------------------

Date: Wed, 18 Jul 2007 10:15:15 -0500 (CDT)
From: sms@antinode.org (Steven M. Schweda)
Subject: Re: these sshmucks are at it again...
Message-ID: <07071810151508_202003EE@antinode.org>

From: gartmann@nonsense.immunbio.mpg.de (Christoph Gartmann)

> But why would you like to know the user-ID? The IP-address from where the
> attack occurs is more interesting.

Well, someone guessing SYSTEM passwords might be more of a threat than someone guessing "root" passwords.

I'd be happier if TCPIP always logged the IP address, instead of "helping" me by translating it to a name when it thinks that it can. For example:

Event time: 17-JUL-2007 18:25:56.25
PID: 20239451
Process name: TCPIP$SS_BG1929
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:S01060013460A776F.CG.SHAWCABLE.NET
Remote username: SSH_4492EA92

versus:

Event time: 15-JUL-2007 12:00:10.13
PID: 20236AEF
Process name: TCPIP$SS_BG1343
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:208.176.66.8
Remote username: SSH_D0B04208

I gather that when the attack involves a real user name, you get one of these:

Security alarm (SECURITY) and security audit (SECURITY) on ALP, system id: 1119
Auditable event: System UAF record modification
Event time: 17-JUL-2007 18:26:19.10
PID: 20233058
Process name: TCPIP$SS_BG2000
Username: TCPIP$SSH
Process owner: [TCPIP$AUX,TCPIP$SSH]
Image name: ALP$DKA0:[SYS0.SYSCOMMON.][SYSEXE]TCPIP$SSH_SSHD2.EXE
Object class name: FILE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1
User record: GUEST
Flags: New: (none) Original: (none)
Login failures: New: 939 Original: 938
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)

before this one:

Security alarm (SECURITY) and security audit (SECURITY) on ALP, system id: 1119
Auditable event: Network login failure
Event time: 17-JUL-2007 18:26:19.16
PID: 20233058
Process name: TCPIP$SS_BG2000
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:S01060013460A776F.CG.SHAWCABLE.NET
Remote username: GUEST(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure

A few days ago, I got six or seven of these attacks in one day, but the average is still around one to two per day.

ALP $ tcpip show version

  HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
  on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

(Still contemplating an upgrade.)

------------------------------------------------------------------------

   Steven M. Schweda               sms@antinode-org
   382 South Warwick Street        (+1) 651-699-9818
   Saint Paul MN 55105-2547

------------------------------

Date: Wed, 18 Jul 2007 11:23:35 -0600
From: Kevin Handy
Subject: Re: these sshmucks are at it again...
Message-ID: <1184779392_1671@sp12lax.superfeed.net>

VAXman- @SendSpamHere.ORG wrote:
> More ssh attacks. They are mostly a nuisance. However, logs full of
> OPCOM messages like this

SSH attacks like this are very common. Everyone with internet access is probably getting them, but most people are running Windows and don't see any errors, or don't check their log files.

They were consuming over half my bandwidth for a significant amount of time on my DSL line, which has a Linux box attached to it. It doesn't even have any kind of name attached to it, so they are just attacking random IP addresses.

The '/var/log/secure' log file under Linux does list attempted user names. If you have an extra IP address available, you may want to set up a "scratch monkey" Linux box (include openssh in the install), just so you can scan the various /var/log files to see what they are doing.

There are several attack patterns.
The user names attempted are usually common unix account names (root, uucp, mysql, postgres, etc.), or common people's names (john, smith, jerry, etc.) They usually try one user name for several attempts, change the attempted user name, and repeat.

Attempting to block these attacks using the linux hosts.deny (black-list) didn't get me anywhere. They come in from a huge number of different addresses, mostly from, but not limited to, Asian countries (Japan, China, Taiwan, ...). Tried blocking using the first two bytes of attacking addresses, and was well over 100 different groups within a month without making a significant dent in the attacks.

I went to a white-list (hosts.allow), and now am averaging only two attempts per day now, with them getting a "refused connect" error.

The white-box solution may not work in your situation, but it works quite well for me.

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

------------------------------

Date: Wed, 18 Jul 2007 13:15:28 -0400
From: JF Mezei
Subject: Re: these sshmucks are at it again...
Message-ID:

Christoph Gartmann wrote:

> But why would you like to know the user-ID? The IP-address from where the
> attack occurs is more interesting.

If they are trying "microsoft" usernames like Administrator, if they are constantly trying the same username with different passwords, if they are using very VMS specific usernames (eg: a real attack directed at your system), or if they are using some dictionary of usernames to try.

You can tell a lot about the type of attack by looking at the usernames being attempted. And one could learn even a lot more if we could see the passwords being attempted.

If one is visibly targeting your system with usernames that exist only on your system, then you call in the police.
If it is just some windows weenie running some kiddie script, you can just call their ISP to complain or let it pass. etc etc

------------------------------

Date: Wed, 18 Jul 2007 17:37:13 GMT
From: VAXman- @SendSpamHere.ORG
Subject: Re: these sshmucks are at it again...
Message-ID:

In article , JF Mezei writes:
>
>
>Christoph Gartmann wrote:
>
>> But why would you like to know the user-ID? The IP-address from where the
>> attack occurs is more interesting.
>
>
>If they are trying "microsoft" usernames like Administrator, if they are
>constantly trying the same username with different passwords, if they
>are using very VMS specific usernames (eg: a real attack directed at
>your system), or if they are using some dictionary of usernames to try.
>
>You can tell a lot about the type of attack by looking at the usernames
>being attempted. And one could learn even a lot more if we could see the
>passwords being attempted.
>
>If one is visibly targeting your system with usernames that exist only
>on your system, then you call in the police. If it is just some
>windows weenie running some kiddie script, you can just call their ISP
>to complain or let it pass. etc etc

I had a Dr. appointment so I didn't get to respond with my answer but JFM has answered it adequately.

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

http://tmesis.com/sig.jpg

------------------------------

Date: Wed, 18 Jul 2007 09:12:51 -0400
From: John Reagan
Subject: Re: What does GEM mean?
Message-ID:

Tom Linden wrote:
> I guess my assertion is never-the-less correct. The CDC code generator
> was written
> by a couple of guys, who moved from Boston area to Sunnyvale and was
> based on
> our backend, which had been written for the IBM series 1. Not sure what
> V1 was, VCG
> was certainly an independently developed original design.
>

From the comments in the VAX Pascal V1 code generator (written in Pascal):

** PASCAL COMPILER FOR VAX-11/780 **
** ============================== **
** **
** **
** VERSION V1.2 -- MAY 1980 **
** **
** **
** DEVELOPED BY: COMPUTER SCIENCE DEPARTMENT **
** UNIVERSITY OF WASHINGTON **
** SEATTLE, WA 98195 **
** **
** AUTHORS: MARK BAILEY, JOHN CHAN, JILL DRACOS, **
** HELLMUT GOLDE, JAN SANISLO, AND **
** JEFF SCOFIELD **

Is this the one you are thinking of?

--
John Reagan
OpenVMS Pascal/Macro-32/COBOL Project Leader
Hewlett-Packard Company

------------------------------

Date: Wed, 18 Jul 2007 06:30:26 -0700
From: "Tom Linden"
Subject: Re: What does GEM mean?
Message-ID:

On Wed, 18 Jul 2007 06:12:51 -0700, John Reagan wrote:

> Tom Linden wrote:
>
>> I guess my assertion is never-the-less correct. The CDC code generator
>> was written
>> by a couple of guys, who moved from Boston area to Sunnyvale and was
>> based on
>> our backend, which had been written for the IBM series 1. Not sure what
>> V1 was, VCG
>> was certainly an independently developed original design.
>>
>
> From the comments in the VAX Pascal V1 code generator (written in
> Pascal):
>
> ** PASCAL COMPILER FOR VAX-11/780 **
> ** ============================== **
> ** **
> ** **
> ** VERSION V1.2 -- MAY 1980 **
> ** **
> ** **
> ** DEVELOPED BY: COMPUTER SCIENCE DEPARTMENT **
> ** UNIVERSITY OF WASHINGTON **
> ** SEATTLE, WA 98195 **
> ** **
> ** AUTHORS: MARK BAILEY, JOHN CHAN, JILL DRACOS, **
> ** HELLMUT GOLDE, JAN SANISLO, AND **
> ** JEFF SCOFIELD **
>
> Is this the one you are thinking of?

No, I don't recognize any of those names. This was adapted from a CDC backend? If so, that would have been a different one, and it appears to be also a bit later.
The CG for PL/I on Cyber series was done during 1978-79

>
>
>

--
PL/I for OpenVMS
www.kednos.com

------------------------------

Date: Wed, 18 Jul 2007 09:52:54 +0200
From: "P. Sture"
Subject: Re: What's up with Google - Groups today?
Message-ID:

In article <469dd97d$1@news.langstoeger.at>, peter@langstoeger.at (Peter 'EPLAN' LANGSTOeGER) wrote:

> In article <469D65B3.B04872D2@spam.comcast.net>, David J Dachtera
> writes:
> >Neil Rieck wrote:
> >>
> >> What's up with Google - Groups today (07.07.17) ???
> >> http://groups.google.com/group/comp.os.vms
> >> It's now been unavailable for more than 6 hours.
> >
> >Available and current as of 19:57 US-CDT (00:58z)
>
> Not here.
>
> Das Archiv dieser Gruppe ist momentan nicht verfügbar
>
> Wir entschuldigen uns für eventuell entstandene Unannehmlichkeiten.
> Bitte versuchen Sie es in Kürze noch einmal.
>
> It is 18-JUL-2007 09:00 in Vienna (means MET-DST or nowadays CEDT -
> I don't know why MET got canned and only CET seems to be used now)

I've just tried with the following, and all are accessible. This is at 09:50 CET.

http://groups.google.com/group/comp.os.vms
http://groups.google.at/group/comp.os.vms
http://groups.google.ch/group/comp.os.vms
http://groups.google.de/group/comp.os.vms

And I was having great trouble doing a search on Saturday, entries that should have been there weren't coming up. It was as if some of the data had become "lost".

--
Paul Sture

------------------------------

Date: Wed, 18 Jul 2007 07:39:58 -0400
From: "Neil Rieck"
Subject: Re: What's up with Google - Groups today?
Message-ID: <469defc1$0$16362$88260bb3@free.teranews.com>

"Peter 'EPLAN' LANGSTOeGER" wrote in message news:469dd97d$1@news.langstoeger.at...
[...snip...]
>
> It is 18-JUL-2007 09:00 in Vienna (means MET-DST or nowadays CEDT -
> I don't know why MET got canned and only CET seems to be used now)
>

It's Middle Europe vs. Central Europe isn't it?
NSR

--
Posted via a free Usenet account from http://www.teranews.com

------------------------------

End of INFO-VAX 2007.390
************************
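
Added example (not part of the digest, and not code from any poster or from HP): the correlation Steven M. Schweda describes in the "sshmucks" thread, pairing each "System UAF record modification" alarm with the "Network login failure" that follows it under the same PID to recover the account being guessed. The sample alarms are constructed, and reading the SSH_<hex> remote username as the client's IPv4 address in hex is an assumption drawn from the one excerpt that shows both (SSH_D0B04208 beside 208.176.66.8).

```python
import re
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample modeled on the alarms quoted in the thread; host names,
# PIDs and addresses (documentation ranges) are made up.
SAMPLE = """\
%%%%%%%%%%%  OPCOM  17-JUL-2007 18:20:00.00  %%%%%%%%%%%
Auditable event: Network login failure
PID: 2020A001
Remote node fullname: SSH_PASSWORD:HOST.EXAMPLE.NET
Remote username: SSH_C6336407
%%%%%%%%%%%  OPCOM  17-JUL-2007 18:20:20.10  %%%%%%%%%%%
Auditable event: System UAF record modification
PID: 2020A002
User record: GUEST
%%%%%%%%%%%  OPCOM  17-JUL-2007 18:20:20.16  %%%%%%%%%%%
Auditable event: Network login failure
PID: 2020A002
Remote node fullname: SSH_PASSWORD:HOST.EXAMPLE.NET
Remote username: GUEST(LOCAL)
%%%%%%%%%%%  OPCOM  17-JUL-2007 18:21:05.00  %%%%%%%%%%%
Auditable event: Network login failure
PID: 2020A003
Remote node fullname: SSH_PASSWORD:203.0.113.9
Remote username: SSH_CB007109
"""

BANNER = re.compile(r"^%+\s+OPCOM\s.*$", re.M)
HEX_USER = re.compile(r"SSH_([0-9A-F]{8})$")

def hex_to_ip(h):
    """Assumption: SSH_<8 hex digits> is the client's IPv4 address."""
    return str(IPv4Address(int(h, 16)))

def parse_records(text):
    """Split the log on OPCOM banners; return one field dict per alarm."""
    records = []
    for chunk in BANNER.split(text):
        pairs = (line.partition(":") for line in chunk.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "Auditable event" in fields:
            records.append(fields)
    return records

def source_of(rec):
    return rec.get("Remote node fullname", "").removeprefix("SSH_PASSWORD:")

def summarize(text):
    """Count login failures per (source, attempted username or None)."""
    records = parse_records(text)
    # Learn host name -> IP from records that carry SSH_<hex>.
    host_ip = {source_of(r): hex_to_ip(m.group(1)) for r in records
               if (m := HEX_USER.match(r.get("Remote username", "")))}
    pending, counts = {}, Counter()   # pending: PID -> SYSUAF record just updated
    for rec in records:
        event, pid = rec["Auditable event"], rec.get("PID")
        if event == "System UAF record modification" and "User record" in rec:
            pending[pid] = rec["User record"]
        elif event == "Network login failure":
            remote = rec.get("Remote username", "")
            if pid in pending:                    # an existing account was tried
                user = pending.pop(pid)
            elif remote.endswith("(LOCAL)"):
                user = remote[:-len("(LOCAL)")]
            else:
                user = None                       # attempted name is not logged
            counts[(host_ip.get(source_of(rec), source_of(rec)), user)] += 1
    return counts
```

A None username marks a failure where TCPIP Services logged no account name, which per the thread is what happens when the guessed account does not exist.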