[daip] strange messages
Patrick P Murphy
pmurphy at nrao.edu
Tue Mar 20 15:26:47 EDT 2012
On Tue, 20 Mar 2012 11:31:47 -0600, Eric Greisen <egreisen at nrao.edu> said:
(I think quoting Pat Palmer; Hi Pat!)
>> I installed the latest Aips a few days ago. I don't think the
>> midnight job is running because I have not got any messages. I think
>> you have a way to tell. If so please let me know.
>> I left aips running since Friday, I think. When I looked at the screen
>> today, I found this strange message in my message server:
>> MSGserver: cannot determine originating host: Success
>> ??????> GET http://www.hep.phys.soton.ac.uk/hepwww/staff/K.Barnes/ HTTP/1.1
>> Accept: text/*
>> User-Agent: HttpClient
>> Host: www.hep.phys.soton.ac.uk
>> Pragma: no-cache
>> In the aips running I found:
>> ZVTPO3 cannot get remote host info: Success
>> ZVTPO3 cannot get remote host info: Success
>> ZVTPO3 cannot get remote host info: Success
>> ZVTPO3 cannot get remote host info: Success
>> XAS: ReadLink read data error - shutdown?
>> What is this?
> It looks like there was some sort of event in your local internet
> leading to all the servers losing the ability to gethostbyaddr.
It looks more like the results of a port scan of your machine to me. A
fairly aggressive one if they are hitting the high number ports that
AIPS uses (5000-5012 or so).
However, the use of Ken Barnes' web page is... bizarre. But I think
it's worth notifying him (perhaps by phone, early tomorrow; too late
today; his email there may be compromised) that you saw some odd
behaviour.
> The message server messages are more curious and suggest an
> unauthorized attempt to get into your machine presumably (but not
> likely actually) from the phys.soton.ac.uk address. I wonder if
> someone is trying to use the aips standard sockets for break-ins!!
As I said, it's more likely someone could have hacked into the
Southampton machine and is using that as a staging area to launch
attacks on other systems. The relevant security and system people at
Southampton should be notified; and Pat may want to check with his
(U. Chicago) admins and IT Security people as well in case the bad guys
actually found a way in.
I seriously doubt they'd ever figure a way of burrowing in via the
msgserver, xas, or the tekserver.
> guess it is not a good idea to leave it running with inet sockets -
You (Pat) may want to talk to your department admins about blocking
those ports to and from the local network. Then you wouldn't have to
worry about it as much.
> say aips tv=local to avoid inet sockets.
That works too! Can't connect if nothing is listening.
- Pat
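
Added example, not part of the original message or of AIPS: a small Python check that scans text captured from a non-HTTP service (here the message-server window) for HTTP request lines and records the request-target form and headers. The function names are hypothetical; the sample lines are the ones quoted in the thread.

```python
import re

# Request line per RFC 7230 section 3.1.1: METHOD SP target SP HTTP/x.y
REQUEST_LINE = re.compile(
    r"\b(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE)\s+(\S+)\s+HTTP/(\d\.\d)\s*$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

# Lines copied from the message-server and AIPS output quoted in the thread.
SAMPLE = [
    "MSGserver: cannot determine originating host: Success",
    "??????> GET http://www.hep.phys.soton.ac.uk/hepwww/staff/K.Barnes/ HTTP/1.1",
    "Accept: text/*",
    "User-Agent: HttpClient",
    "Host: www.hep.phys.soton.ac.uk",
    "Pragma: no-cache",
    "ZVTPO3 cannot get remote host info: Success",
]

def target_form(method, target):
    """Classify the request target (RFC 7230 section 5.3)."""
    if method == "CONNECT":
        return "authority"
    if SCHEME.match(target):
        return "absolute"  # the form a client uses when talking to a proxy
    return "origin" if target.startswith("/") else "other"

def find_http_requests(lines):
    """Return one record per HTTP request seen in a non-HTTP service's output."""
    found, current = [], None
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        m = REQUEST_LINE.search(line)
        if m:
            method, target, version = m.groups()
            current = {"line": number, "method": method, "target": target,
                       "version": version, "form": target_form(method, target),
                       "headers": {}}
            found.append(current)
            continue
        h = HEADER.match(line) if current else None
        if h:  # header lines directly after a request line belong to it
            current["headers"][h.group(1).lower()] = h.group(2)
        else:
            current = None  # any other line ends the request
    return found

if __name__ == "__main__":
    for req in find_http_requests(SAMPLE):
        print(req)
```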