249 new of 251 responses total.
You're fat.
Re #1: You don't know how to use "sort"?
I don't know if this is expected behavior or not, but as I hadn't logged on grex regularly in some time, I figured I'd report it. I probably haven't logged on interactively (ssh/telnet) in over a year, but when I just attempted to do so, ssh rejected my password. I finally tried telnet and found that my password had expired so it required me to change it. Now, if grex at some point drops telnet (as I'm sure is eventually bound to happen, though probably not remotely soon), this could be a problem. I guess that apache doesn't prompt you and actually lets you login with an expired password, and telnet tells you it's been expired, but ssh is oblivious. Anyway, I'm just reporting that issue.
It's known; I think it's a limit in ssh, itself.
The load average was up to 168 a few minutes ago, but it seems to be dropping now.
9:01am up 26 days, 14:09, 27 users, load average: 158.47, 159.66, 155.52
Also, this may be related, but Backtalk was just prompting me endlessly for a password.
Currently: 9:37am up 26 days, 14:45, 28 users, load average: 18.75, 33.39, 66.41 but Grex is still extremely slow.
settled down now ...
1:08pm up 26 days, 18:16, 44 users, load average: 5.09, 4.11, 3.69
on the m-b0x late last night there was cgi mailbomb process running that ran load into the high 100s also.
apache often will not authenticate properly when the load is too high. I'm not sure if the password files lock or what, but it happens.
grex has been very, VERY s-l--o---w this afternoon........
No shit.
This response has been erased.
Geez.
Uh, right. When did you become a Grex staffer, Todd?
krj is a hacker!
Why is grex denying logins?
hmm.... You logged in to enter your response, no? So maybe the problem was fixed?
BACKTALK!
I'm surprised that it makes a difference.
(I was surprised that it made a difference as well, but it did.) (on the bright side, whatever "vandal maintenance" took place appears to have worked. Grex is humming along right now.)
What was the vandal Maintenance STeve?
It's 10:10am on Jan. 1st, and when I connect to grex and login, it disconnects me. What kind of System Maintenance is now happening?
10:15am up 14 mins, 2 users, load average: 1.80, 1.85, 1.55
0 waiting, 2 remote + 1 local users; 72 max remote users
Login    Name                 TTY  Idle  Login Time    Location  Work Phone
noot     Scott Helmke's Root  p1         Jan 1 10:14
root     Operator             p0         Jan 1 10:13
resp:20: If the webserver is up, you should be able to login and use backtalk. If logins are disabled, you just can't login, likely because someone is working to clear up whatever was causing the problems that made them reboot grex. They'd want to make sure those scripts are gone, logins are disabled, and possibly networks are blocked so they can prevent the person from coming right back and starting again.
Valerie Coming to Save GREX!!!!!!
Login    Name                 TTY  Idle  Login Time    Location  Work Phone
noot     Scott Helmke's Root  p1         Jan 1 10:14
valerie  Valerie Mates        *s0        Jan 1 10:21
Happy Everything!
The Webserver is Obviously up, Or how would I be entering items, or how would people read them.
Really nasty vandal - but I think we've managed to deal with it.
grex is up at 10:54 appeared to be another attack early this morning!!!!!
While grex is preventing Vandals, Mnet is letting them on their systems, after the mailbombing cgi script
Login: kap                    Name: kap de kuk
Directory: /home/guest/kap    Shell: /bin/bash
On since Wed Jan 1 10:48 (EST) on ttypk, idle 0:08, from 203.111.194.11
No Mail.
Plan:
Alternate Email: neuro@pula.com
bash-2.05a$
Thanks, Scott.
I'm not sure if the user kap is still allowed to log on. Finger information shows up even if the user is splatted.
resp:33 READ CLOSER On since Wed Jan 1 10:48 (EST) on ttypk, idle 0:08, from 203.111.194.11
In the past day or so I have received five (5) copies of happy.scr from azhar.rajput@sympatico.ca. If other people have been receiving these, can the filter be set to reject mail from this idiot? Is happy.scr the screensaver it claims to be or some virus on another machine? The mails are 47K and I have to empty my mailbox regularly to keep it functional.
Can someone explain again, in detail, how to use procmail. I just got a sixth copy of the above spam, all 49K with header and message.
Would it work to create a file in my home directory called .procmailrc and put into it the lines :0 * ^From:azhar.rajput* /dev/null (These are three separate lines but I cannot type a line starting with a colon into bbs.)
RE:37 You might have to put something in your .forward to make it work. You can also put a space before the gate prompt if you are entering special characters, like: ! :
So what is .forward supposed to look like? I think procmail should be included in something like the CHANGE program so that all we beginners can use it more easily. Any volunteers to do this? I put those lines in a file .procmailrc (also * before the from address since it comes as azhar rajput <azhar.rajput.....> and at least it is not blocking normal mail (I sent myself a test mail). The man page for procmail also said to put -m somewhere, but I could not understand most of it.
You might want to post something in JellyWare about this, I don't think the item gets much traffic
Procmail's not trivial to set up using just the man page.
I know, can you help me to figure it out? All I want to do is block mail from azhar.rajput@sympatico.ca (send it to /dev/null), but I suppose it would also be helpful to block other mail with subject line 'urgent business proposal', and other people probably would want to learn procmail. Should I start an agora item on this?
resp:42 you should start an item on procmail, I would like to know how to block spam from many different places I get them from
Re #42: No, because I haven't taken the time to learn it myself.
!man 5 procmailrc
I've been using procmail for a while, so I'll make a stab at a procmail
quickstart. Your .forward file should have one line, that looks like this:
"|IFS=' '&&exec /usr/local/bin/procmail -f-||exit 75 #USER"
where in place of USER you put your own login id. The .forward file must
be publicly readable. Then every time a mail message is received,
procmail will be run and consult your .procmailrc file to decide what
to do with the message.
The first line of .procmailrc should be this:
MAIL=PATH-TO-YOUR-INBOX
where in place of PATH-TO-YOUR-INBOX you put the full path of your mail
inbox. For keesan, this would be /var/spool/mail/k/e/keesan .
Subsequent lines of .procmailrc are filter rules. Lines that begin with
a # are comments. A filter rule that will send all messages from
azhar.rajput@sympatico.ca to /dev/null would be this:
# Toss all mail from azhar.rajput
:0:
* ^From:.*azhar\.rajput@sympatico\.ca
/dev/null
The characters '.' and '*' are wildcards that match any single character
and any run of 0 or more characters, respectively. The purpose of
the '.*' in the above rule is to skip over blanks between the From: header
and the email address. The purpose of the '\' preceding the periods in
the email address is to cause the periods to be interpreted literally
rather than as wildcard characters. The '^' character means "beginning
of line".
You can filter on "From:", "To:", "Subject:", or any other header, as well
as body content. For example, this rule tosses all mail with the phrase
"free sex site" in the subject line:
:0:
* ^Subject:.*free *sex *site
/dev/null
Here, the ' *' sequences match any number of blanks between the words, so
that this rule will catch the phrase even if the words are separated by
multiple spaces. Procmail does case-independent pattern matching, so the
rule will also filter "FREE SEX SITE", "Free Sex Site", etc.
The above examples are pretty simple. Procmail rules can be quite elaborate;
see "man procmailrc" and "man procmailex" for complete discussion and more
examples.
I actually don't use procmail rules to filter spam -- the spamassassin
program (not installed on Grex) is much more effective for this purpose.
My main use of procmail is to pre-sort mailing list messages into separate
folders.
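The matching behaviour described in the quickstart above, as an added example that is not part of the original response: a small Python approximation of how procmail picks a destination for recipes of this shape. It goes slightly beyond the two rules shown by also handling the B (body) and D (case-sensitive) flags and '!' negation; the function names and sample messages are constructed for illustration, and Python's re module stands in for procmail's own regex engine.

```python
import re

# Constructed rc text holding the two recipes from the quickstart above.
QUICKSTART_RC = r"""
# Toss all mail from azhar.rajput
:0:
* ^From:.*azhar\.rajput@sympatico\.ca
/dev/null

:0:
* ^Subject:.*free *sex *site
/dev/null
"""

# The same recipes with the backslashes before the periods left out.
UNESCAPED_RC = QUICKSTART_RC.replace(r"\.", ".")

# Constructed sample messages: header, blank line, body.
SAMPLES = {
    "spammer": "From: azhar rajput <azhar.rajput@sympatico.ca>\n"
               "Subject: happy\n\nsee attachment\n",
    "friend": "From: friend@example.org\nSubject: lunch on Friday\n\nnoon?\n",
    "shouting": "From: ads@example.net\nSubject: FREE   SEX  SITE\n\nclick\n",
    "folded": "From: ads@example.net\nSubject: new free\n  sex site\n\nclick\n",
    "lookalike": "From: azharXrajput@sympaticoXca\nSubject: hi\n\nhello\n",
    "quoted": "From: friend@example.org\nSubject: spam\n\n"
              "From: azhar.rajput@sympatico.ca sent me this\n",
}


def parse_recipes(rc_text):
    """Parse ':0' recipes into (flags, conditions, action) tuples.

    Handles only the simple shape used in the quickstart: a ':0' line,
    zero or more '* regex' lines, then one action line. Comments and
    variable assignments are skipped.
    """
    lines = [ln.strip() for ln in rc_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    recipes, i = [], 0
    while i < len(lines):
        if not lines[i].startswith(":0"):
            i += 1  # an assignment such as MAIL=...; not modelled here
            continue
        # Flags sit between ':0' and the optional trailing lock-file colon.
        flags = lines[i][2:].split(":")[0].strip()
        i += 1
        conditions = []
        while i < len(lines) and lines[i].startswith("*"):
            conditions.append(lines[i][1:].strip())
            i += 1
        if i == len(lines):
            raise ValueError("recipe without an action line")
        recipes.append((flags, conditions, lines[i]))
        i += 1
    return recipes


def split_message(raw):
    """Return (header, body); folded header lines are joined first."""
    header, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return re.sub(r"\n[ \t]+", " ", header), body


def condition_matches(condition, flags, header, body):
    """Evaluate one '* regex' condition against the selected search area."""
    negate = condition.startswith("!")
    pattern = condition[1:].strip() if negate else condition
    area = ""
    if "H" in flags or "B" not in flags:  # header is the default area
        area += header + "\n"
    if "B" in flags:
        area += body
    re_flags = re.MULTILINE               # '^' anchors at each line start
    if "D" not in flags:                  # matching ignores case unless D
        re_flags |= re.IGNORECASE
    return (re.search(pattern, area, re_flags) is not None) != negate


def destination(raw_message, rc_text):
    """Action of the first recipe whose conditions all match, else None."""
    header, body = split_message(raw_message)
    for flags, conditions, action in parse_recipes(rc_text):
        if all(condition_matches(c, flags, header, body) for c in conditions):
            return action
    return None


def classify_all(rc_text):
    """Map each constructed sample name to the destination it would get."""
    return {name: destination(raw, rc_text) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, dest in classify_all(QUICKSTART_RC).items():
        print(f"{name:10} -> {dest or 'inbox (no recipe matched)'}")
```

The "lookalike" sample shows why the periods are escaped: with UNESCAPED_RC it is discarded, with the quickstart's rule it is delivered normally.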
(That should probably be a separate item so it's easier to find it. Thanks John!)
what are the various pros/cons between procmail and mh. or does mh also use procmail for a filter?
Rather than responding further, let's start a new item for mail-processing. If one hasn't been started by the time I finish reading currently new responses, I'll start one.
Mh is just a mail reading/composing application. If it has any filtering capabilities, they aren't very extensive. It's possible to use procmail in conjunction with mh, or any other mail program for that matter. I'll copy my procmail quickstart to its own item.
Joe's $49 slipped in. I've already posted a mail processing item and copied my procmail response over to it.
damn joe, why'd you throw $49 into an item ?
'cause it was all I had on me at the time.
Grex's network connection seems really laggy right now. I gave up and dialed in because I kept getting 3 to 5 minute pauses.
Still really slow now.
traceroute indicates a network problem; uptime says load is fine.
peppy now
Everything going over the Internet is extremely slow tonight.
I am getting spam bounces, a couple of samples of which I've saved in /a/d/r/drew/spambounce. Apparently someone is putting my login in the "Return mail to:" line of their spam.
I am getting a bunch of them as well. Mine are all home mortgage and refinancing type spams being bounced. Steve says it sounds like someone has Klez and it picked my address out of their address book to attach to the from.
Damn. *Please* save them all. If you get a bunch, please send mail to "abuse@cyberspace.org". I know of 8 other IDs with the same problem. In 6 of the 8 cases, the users ended up abandoning the accounts which had then gotten reaped. In the other 2, the mailbox had filled up. In some of those cases, I saw bounces as often as once every 10 seconds. (I'm not looking forward to this. Yuck.) I've already suggested to the board that we may need to consider pursuing legal or other action against this - this isn't just ordinary spam, this is spam that could easily wipe our network connection out without blinking, and without the real spammers even noticing or caring. I mean to enter an item in coop talking about this (& perhaps one in garage to deal with the inevitable "why can't we solve this technically" (which we can't because we don't get involved until the bounce at which point there's no way for us to duck the network/CPU hit.)) I haven't had time to do this yet - got involved in dealing with another unrelated problem.
I have contacted the state AG about filing a complaint against the perpetrators of the more extreme of these cases for Denial of Service attacks. I will post the relevant information in the item Marcus enters.
Sorry for the drift, but can someone explain to me what seems to be the idiocy of using someone else's From: address on SPAM? For the minute percentage of recipients that might actually be interested in finding out more about whatever product / service is being hawked in the SPAM, how are they supposed to get that info with a bogus From: address?
Spammers don't want a *reply* to their messages, they want to you to *buy* something, which is available elsewhere. Further, they especially don't want to deal with rejection notices and complaints. So directing that kind of stuff to the great bit bucket in the sky, or to someone else's mailbox (which, to the spammer, is the same thing) makes perfect sense.
Then why don't they just select a bogus address? Why "pick on" an actual someone, or is being a *total* asshole a perk of spamming?
Faking the originating address so that "bounces" go to the intended spam recipient is another nasty (but old) spammer trick.
It's getting to the point that there are *no* bogus addresses.
They probably *are* selecting what they think of as a "bogus" address. Unfortunately, since most mailers check for a real domain on return addresses, spammers have to pick a "real" sounding domain, with "real" looking names, in order to get their spam delivered. We just so happen to have the bad luck to be "in the way". I believe spammers are "*total* assholes" by definition.
re #5: why would grex get rid of telnet? (it would be foolish to do so.) the ssh configuration isn't such that it can do the whole login thing, i.e., it wasn't patched to handle expiry so you had to use telnet which used login which does the right thing.
Presumably if we got rid of telnet, everybody would already be using ssh and there would be universal agreement that it was time to get rid of the insecure protocol with plaintext passwords sent in the clear. At least in terms of use, we could probably justify getting rid of rlogin today - we actually do still support it (but not .rhosts authentication) and I think it even implements waiting on the waitlist which beats sshd, but of course there is no real advantage over using telnet and not very many people at all use it today.
I use telnet every time that I don't dial in. Kermit or CUTCP or even Windows telnet programs. I would have no idea how to use ssh and probably don't have any DOS versions of it.
I think the final clause of #70, "but of course there is no real advantage over using telnet and not very many people at all use it today," referred to rlogin. We _know_ lots of people are still using telnet; we won't turn off telnet any time soon. (And I'd like to see us go to kerberised telnet instead of turning it off, when we do switch.)
What is rlogin?
I received the following bounced mail report today for mail that I apparently
sent Friday morning from a Czech free webmail site. Grex is rejecting
some incoming mail.
From: [14]postmaster@email.cz
To: keesan@email.cz
Subject: Cannot deliver (nelze dorucit)
Date: 10.01.2003 08:45:12
[See full header below with time zone info.]
Vasi zpravu nebylo mozne dorucit nasledujicim prijemcum:
I can't deliver Your message to:
[20]keesan@grex.org
Duvod (reason): Nelze se spojit se serverem
[Cannot connect with server]
ATTACHMENTS:
[21] zprava [message] 5.82 kB
----------
[The full header: message was rejected Friday Jan 10 8:44 am +0100 (CET)
(Central European time - about 7 hours later than here)]
Received: from 10.0.0.1 [10.0.0.1] by smtp.email.cz
(ATCO SMTP server v3.0); Fri, 10 Jan 2003 08:45:05 +0100
X-atco-email: [1]postmaster@email.cz
MIME-Version: 1.0
Message-Id: <3E1E79F4.000001.11368@file1>
Content-Type: Multipart/Mixed;
boundary="------------Boundary-00=_SUMH40MWKGMMYJ0CCJD0"
To: [2]keesan@email.cz
From: [3]postmaster@email.cz
Subject: Cannot deliver (nelze dorucit)
Date: Fri, 10 Jan 2003 08:44:52 +0100 (CET)
[Should I be deleting all of these lines except the date/time line when
making these reports or is any of the other info pertinent?]
RE:71 You are wrong. I use SSH for DOS, and I believe there is a SSH implementation for Windows 3.1 as well
ssh was compiled for dos/windows in cygwin. It's not difficult to obtain. Eventually, telnet will go away everywhere. Most places are getting rid of it because of what was said above, it's insecure. Passwords are sent as plaintext. Making it kerberized won't fix that. I'm not saying it'll go away anytime soon. But eventually, you can bet it'll go away.
Within the last year I've used a DOS version of ssh. Don't recall where I got it.
it was very likely a cygwin build.
The 'cannot deliver' was for a mail sent to keesan@grex.org Friday - I seem to have deleted that info. Are other people not receiving mail sent to them at grex on Friday?
(Kerberised telnet *does* fix the "password is sent in plaintext" problem: the telnet connection is encrypted end to end, before the "login" prompt is sent, usually. The password _may_ have to be decrypted at the other end, just as it is in ssh, but that's a local configuration issue: with ticket forwarding, the password isn't needed at the far end.)
Before we could turn off telnet we'd have to fix the password expiry problem (doesn't work with ssh -- you simply can't log in) and either eliminate the queue or make it work with ssh. Making ssh set the MAIL variable correctly would be nice, too.
When is an upgrade of SSH from the insecure protocol of version 1 to version 2 planned? Also, I get this from my OpenSSH:
caladan$ ssh -1 grex.cyberspace.org
Warning: Server lies about size of server public key: actual size is 767 bits vs. announced 768.
Warning: This may be due to an old implementation of ssh.
Is this a problem? My session on the agora ended with this message. The interrupt command didn't work.
________________________________________
#3 of 14: by The Accidental Purist (other) on Thu, Jan 9, 2003 (18:46):
He's translating for his friends, the literacy-impaired.
#4 of 14: by S M (mynxcat) on Thu, Jan 9, 2003 (18:59):
aaah. That makes sense
Press Spacebar for more, q to quitshTerminated : 2726 Terminated
> >
RE:76 You can use SSHDOS for DOS, of sourceforge.net
Pine bombed out on me earlier with this message: ld.so: call to undefined procedure _sigpause from 0xef785528
I get that as many as three times a day when I try to send with Pine.
Today someone phoned and asked if I had received email sent yesterday (way under 70K) and I had not, nor have I ever received two test emails sent from myself at a free webmail account to keesan@grex.org and keesan@cyberspace.org two days ago. I asked them both to change their settings to wait longer before timing out - what is the proper terminology for this?
Dialin doesn't seem to be working - I get fast, funny-sounding busy signals. Dialing 5041, for what it's worth.
I'm dialed in now, and it seems OK.
is someone going to answer the question about SSH Protocol Version 2? I too am wondering why grex is still using version 1 only.
Sometimes when logging in and typing ahead, login tells me "You cannot change L$0" and gets my loginid wrong.
I think this happens to me if I backspace one too many times at the login prompt.
and to me if i accidentally pinky the tabkey
Polytarp, and other ids originating from the same address as polytarp, is flooding crap into party and rendering it unusable. Other ids include "tabs" and "jimt".
"Rendering it unusable"? Assuming it doesn't crash party (which I doubt it would) haven't you heard of the :ignore command?
This response has been erased.
The fact that there are defenses against rudeness is no excuse for rudeness.
Good line, John. It should be on a bumper sticker or coffee cup.
This response has been erased.
Wow. You are a major asshole! Happy?
If polytarp is causing problems, why not drop packets from his ISP's netblock and/or complain to his ISP?
other, if that bored you, remember that the only ones who get bored are those who are boring.
Re #98: That was pointless. Re #100: Blocking anyone's netblock should be a last resort, since it can affect innocent parties who happen to use the same ISP.
If the problems do not cease, I suggest we pursue civil or criminal penalties against polytarp. See this: http://www.cleveland.com/tech/plaindealer/index.ssf?%2Fbase%2Fbusiness%2F104288693631280.xml
Polytarp is in Canada. Even if he was in Washtenaw County, Grex doesn't have the resources to sue him. Ignore him.
why does no one do anything to prevent people from being affected by polytarp's shit? Block his IP! You don't need to block his netblock. scribble that stupid response above with the contents of the /etc/passwd file. Why waste the bandwidth to download all that shit when you're using backtalk or picospan? I really don't understand why grex staff lets it continue. Grex is slow enough as it is.
fag.
Re #102: It would only be necessary to block the netblock until the ISP or criminal authorities had taken action against the abuser.
re #105: Staff could block his IP but if he's determined to be an obnoxious twit (and all evidence indicates that he is..) he'd just come in from another IP. And they could scribble his response, but that will just encourage him to post it again, and again..
fag.
resp:108: Then scribble it again. after a few hours, he'll stop. he'll also quickly run out of IP's to access grex from.
If you ignore him (which you are not, thus he gets the attention he so desires) he may eventually stop and/ or go away. Think of him as a misbehaving 2 year old.
hehe. look at yourself, jiffer.
Frankly, I think of a misbehaving 2 year old as having more intelligence.
Lynx won't access sites - just keeps waiting for something to happen.
I was dialed in a while ago, and it looked like Grex's internet connection died when most of the users simultaneously ceased to be logged in.
I am unable to telnet in from work, which I have done in the past. Right now, I'm telnetting to m-nut, then here from there. I have been able to telnet here directly in the past, but this is the first time I have tried in probably a month or more.
Lynx works again now.
This response has been erased.
I think it's still a network problem. Although there is a bit of a load right now:
} Respond, pass, forget, quit, or ? for more options? !uptime
} 5:33pm up 28 days, 7:32, 37 users, load average: 12.98, 11.40, 11.11
Possible DNS problem: a correspondent reports that he cannot reach grex.org. I have no difficulty, but maybe parts of the network discriminate against Dotster-registered domains.
Could also be that the .org registry is moving from Networking Solutions to Public Interest Registry (PIR). Things were supposed to be up and stable by last night, but who knows?
I tried telnetting from work, directly to the IP. that didn't work.
In that case, use traceroute to find out where the packets are dropping. We've been seeing network problems off and on for a while.
More info I was sent by my correspondent (though he does say that he can *ping* grex.org):
whois grex.org @whois.crsnic.net
[whois.crsnic.net]
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
No match for "GREX.ORG".
>>> Last update of whois database: Wed, 29 Jan 2003 17:32:40 EST <<<
Well, "whois -h whois.networksolutions.com grex.org" returns the right information.
Well, I tried a whois against whois.crsnic.net and discovered that your correspondent missed some vital information. Here is what I got:
} coll% \whois -h whois.crsnic.net grex.org
}
} Whois Server Version 1.3
}
} Domain names in the .com and .net domains can now be registered
} with many different competing registrars. Go to http://www.internic.net
} for detailed information.
}
} No match for "GREX.ORG".
}
} >>> Last update of whois database: Wed, 29 Jan 2003 17:32:40 EST <<<
}
} The Registry database contains ONLY .COM, .NET, .EDU domains and
} Registrars.
}
} coll%
That last little bit explains a lot.
no .orgs
Heh.
If someone has trouble accessing grex.org, have them try cyberspace.org instead and report if that works. Since they're on different registrars, that will tell us if it's a registrar problem or something else.
control of all .orgs has moved to a central source... no?
The database was always maintained by a central source, but that central source just changed. This doesn't affect the fact that there are multiple *registrars* you can buy .org domains from.
(one of the ttys appears to be stuck.)
4:49pm up 30 days, 6:48, 57 users, load average: 5.51, 6.03, 7.08
User     tty    login@  idle  JCPU  PCPU  what
dimitar  ttyp0  3:14pm  1:30    15     2  -bash
jackv20  ttyp0  1:02am  1:30    15     2  -bash
I mentioned this in the 'bummed' item, but maybe it belongs here, too: ssh doesn't get the 'birthday' part of the motd.
JUST USE TELNET!
I have used the Change program (a few months ago) to put polytarp on my do not write/tel/chat/talk list but I still get tels. Why?
It was a talk request, keesan.
The change program said it was changing my .login file. I don't see polytarp anywhere in the file.
Then the change program misspoke. What it changes is your .cfonce file.
"whois" doesn't know about "cyberspace.org" either; the message at the
end does not mention .ORG (as noted in #126). DNS does know about grex.org.
This also works:
whois -h whois.pir.org grex.org
(but it's amazingly slow. Too many spammers harvesting contact info?)
Re: 133 I think if you put "cat /usr/local/lib/motd.birthday" into your .login file (assuming csh) then you will see the motd.birthday file even when sshing in. However, you'll then probably see it twice when telnetting in.
Is there a way I can see the "You have New Mail" message when using ssh?
"whois.geektools.com" works as a whois host for almost all registrars and TLDs. (Not *quite* all -- there are a few that they can't support for one reason or another.)
After reading mail with Pine (today and yesterday) I was told No conf. when I typed bbs or even bbs agora. I then typed q, bbs (same message) and then j agora. Is this a new feature or did I do something odd?
Also before getting into bbs 'I don't understand mart. Type HELP for help.' (This was before the (no conf) appeared onscreen.) Confusing and possibly other people are completely lost.
My twit filter is no longer working now. I checked .cfonce and polytarp is still listed there. I would suspect my own fault except for the no conf problem at the same time. Or is some other file of mine messed up too?
Might I have messed up .cfonce when I was removing all the redundant copies of a twit filter? Anyone want to look at it for me, please?
HAHA! I can talk to you keesan!
Re #146: Yes, you need to fix your .cfonce, where you apparently got some inappropriate line-wrapping when you edited it. The following two lines should be just one:
    # responses entered by users: jp2 polytarp realpoly gizmo sarkhel loperbd
    mart
The fact that "mart" is by itself on a line explains the message about it. The following two lines should also be one:
    define pager "twit jp2 polytarp realpoly gizmo sarkhel loperbd mart | less
    -dE -P 'Press Spacebar for more, or q to quit'
(The first of those pairs is just a comment, but for the second you need (in joining them) a blank between "less" and "-dE".)
Thanks, this explains the 'I don't understand mart'. It still does not explain why my twit filter is not eliminating tels from people on the twit list.
I tried to edit .cfonce with pico. I put things on one line but pico wraps them onto two. Can I disable line wrap with pico? Do I need to learn vi to fix .cfonce? I could put a # in front of mart but that does not fix the problem of the line starting with -dE.
I'm not a pico user, so I don't know if linewrap can be disabled. Re #150: Twit lists in .cfonce control only what Picospan shows you. They have nothing to do with tels. For that, you need to enable a .nowrite file. See !man write.
To disable word-wrap in pico, use "pico -w -t". Well, probably you just need the w, but I use both and it works.
-t is nice because it puts pico in 'tool' mode which is better for novice users.
The change program which modified .cfonce (but said it was modifying .login) also said it was changing write permissions for tel talk etc. Someone might want to modify the change program. I will check out pico -w -t.
My .cfonce has been fixed with pico -w -t. What did the -t do? I was able to remove the CR/LF or whatever it was that was breaking up one line into two.
I wonder if a quotation mark is also missing from that last line.
If so where should I restore it to? Everything seems to work anyway.
Probably at the very end of the line, as in the lines just before it. In general, quotation marks come in pairs.
(ttyp0 appears to still be stuck in wtmp.)
7:04am up 33 days, 21:03, 44 users, load average: 11.46, 12.04, 12.16
User    tty    login@  idle  JCPU  PCPU  what
carson  ttyp0  7:04am           9     3  w
mullen  ttyp0  1:51am           9     3  w
Re #159: Picospan is forgiving about a missing close-quote at the end of a line.
I will refrain from fixing what works even if it is not perfect. I am afraid of causing more problems by adding back the quotation mark.
I believe -t makes pico exit and save when you hit ^X, whereas without it you get those two annoying prompts asking if you *really* want to save and if you *really* want to exit.
That's right. Except s/annoying/outrageously annoying & confusing/
When connecting with ssh, the screen clears itself after motd, doesn't display the Last login or mail status, and starts the cleared screen with the Erase info.
This response has been erased.
It still happens when I use PuTTY.
That happens to me with TeraTerm, regardless of how I connect. I think Grex sends a terminal reset command right before doing the Erase stuff. I have .hushlogin set anyway, because I prefer to diff the motd so I only have to read the changes, not the whole thing every time.
I'm using putty for my ssh sessions, and NetTerm for telnet sessions. I have no problems when using NetTerm. I guess I'll have to see how I can get Grex to stop sending a reset, if that's what it's doing.
The whole system seems to be having issues, or is at least losing most/all connections.
My ssh connection has been dropped several times today, ditto for telnet. Generally within a few minutes of my connecting, the session will seem to freeze, with characters I type evidently not reaching whatever program I'm in at the time. About a minute or so later my ssh client (putty) gives up the ghost and declares the connection terminated. If I ping grex from a command prompt window while my putty session is frozen, packets seem to be getting through at least as far as grex.org. Is anyone else experiencing this or should I be looking for explanations on my end first?
ssh and web access has been very erratic for me today. I'm dialed in right now, but earlier that wasn't working, either.
I've had problems with telnet and ssh in the past couple hours.
I could not dial or telnet in just now. Using backtalk (6 pm).
I'm in via SSH right now.
Now I was able to telnet (17 min after my first five attempts).
I got dumped earlier today too.
Generally, I use traceroute when I notice problems like those described above, and, generally, I see that packets are being dropped between voyager and grex. Here is an excerpt from the results of such a test from right now:
} 10 rback0.flnt.mi.voyager.net (216.93.15.210) 56 ms 51 ms 51 ms
} 11 cyberspacecomm.flnt.mi.voyager.net (216.93.107.238) 113 ms 63 ms 65 ms
} 12 grex.cyberspace.org (216.93.104.34) 65 ms 59 ms 67 ms
It's right after hop 10 I see trouble. Earlier today, I noticed such things, when I was logged in (via ssh) between 14:56 and 15:38. I guess my ssh client was more tolerant, because I did not lose my connection.
Earlier, I was dialed in & telnetted out (Grex is the only ISP I've got), and kept getting hung up (um, frozen, not disconnected - if I pressed ^] I got immediate response from telnet). A bit later, Jon was on (dialed in) and kept getting disconnected. The fact that dialins were disconnected at that point suggests something local to Grex, but possibly in the network connection to the termserver.
I'm getting something similar now. Telnet connections need 1 minute to login prompt. Backtalk slogs rather badly too. Normal (non-cgi) HTTP is fine.
Pine keeps dumping me when I try to send a mail (several times a week): ld.so call to undefined procedure _sigpause from 0xef785528
Grex took over 140 seconds to give a login prompt.
DNS for grex.org isn't working. Both dns.gibbard and grex.cyberspace
fail:
res_send to server dns.gibbard.org 209.142.209.52: Connection
refused
and
res_send to server grex.cyberspace.org 216.93.104.34: Connection
timed out
I gave up dialing in but could telnet. Took a bit of a wait.
This time I waited a couple of minutes and could dial in.
This response has been erased.
It took over 2 minutes to get a login prompt. Again. I've finally got the lowdown on the mail errors cited above:
> 250 grex.cyberspace.org Hello [209.142.229.137], pleased to meet you
> mail from: nobody@nowhere.net
> 250 nobody@nowhere.net... Sender ok
> rcpt to: russ@cyberspace.org
> 553 russ@cyberspace.org... One generation passeth away, and another
> generation c
> ometh: but the earth abideth for ever.
> data
> 503 Need RCPT (recipient)
> rcpt to: russ
> 553 russ... One generation passeth away, and another generation cometh: but
> the
> earth abideth for ever.
WTF does THAT mean?
You've somehow fallen afoul of mdw's bible-quoting trouble filter.
I don't know which filter that is. I know replies I send to a mailing list I'm on sometimes run afoul of the 'my skin is black upon me' filter if I don't remove excess spaces from the subject line.
a bible filter is rather refreshing! able to get through with cyberspace.org but not with grex.org.
The Bible quotes mean that Marcus's filtering thinks it's spam. You may be able to get more specific info on what triggered this from him.
... though (whatever it is) I doubt you'll have any luck getting him to change
it to let your mail through; it's probably keeping lots of real spam from
people.
Hmm. The headers you cite would suggest that there's a problem with the russ
account itself, not with other contents of the message. ("would suggest"
meaning "suggest to me", & I'm not particularly up on this stuff.)
Re #192: My correspondent got that last error from a telnet session to the smtp port; that may have triggered the spam-trap. However, it wouldn't account for spurious mailbox-full indications (which may actually be mail-filesystem full - I don't know).
"One generation passeth away"... indicates a failure to follow certain
basic parts of RFC 822. I wasn't patient enough to find Russ's
attempts, but I found a spammer using
ntsaga007231.saga.nt.adsl.ppp.infoweb.ne.jp and
adsl-65-71-169-27.dsl.tpkaks.swbell.net who ran afoul of this trying to
send spam to russ.
Most of the spam checks (including this one) don't care which grex
mailbox is named. There is one check for "generic" mailboxes -- ie,
outside machines supplying a RFC 823 To: field of "you@grex.org" and so
forth. Note even this check isn't looking at the forward path where the
mail will actually be sent, it's looking to see if spammers have used a
generic "somewhere at the realm in question" -- and this is no longer so
common since most people have caught on to this.
The "mailbox is full" message is separate logic (well, as separate as it
can be given it's one big monolithic program). It will be generated if
and only if your loginid is named in /var/adm/badmail . A better way to
check to see if your mailbox is full is to say
!umailck
In addition to seeing if you're on the list, this can actually take you
off the list if you were on it, but have managed to free up enough
mailbox space to receive more mail. If your mailbox is full when you
log in, login will spit out a message that includes information on how
to run umailck. There is also an automatic process that will remove you
from /var/adm/badmail if you free up space, but forget how to run
umailck .
Grex was down for several hours - apparently a power blip last night tripped up our UPS (plans to replace the batteries are in the works).
Do you mean the UPS failed to work, Scott?
Several of our clocks were blinking '4:45' this morning around 7:00.
I don't know exactly what the UPS does, but the last few reboots have required power-cycling the UPS because it was stuck in some kind of fault mode. There was some kind of power blip last night; I heard both my UPSs go off but none of my clocks were affected.
Currently entering:
lynx, g http://www.cyberspace.org
yields:
Alert!: Unable to connect to remote host.
Can't connect to any remote host. The proxy server might not be running. If I knew how to start it, I would.
RK, if you use Lynx frequently and want a backup for it, contact me. This sort of proxy server problem has occurred before at grex.
Re. #201: Thank you. I'll keep your offer in mind.
This response has been erased.
Seems like applying a patch would be somewhat easier.
This response has been erased.
All versions since 5.79 are affected. What version are we running?
X-Force has demonstrated that this vulnerability is exploitable in
real-world conditions on production Sendmail installations. This
vulnerability is readily exploitable on x86 architecture systems, and may
be exploitable on others as well.
Protection mechanisms such as implementation of a non-executable
stack do not offer any protection from exploitation of this
vulnerability. Successful exploitation of this vulnerability does not
generate any log entries.
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
Re #206: Unless they've set sendmail up to lie about its version in its connection banner (a good idea, IMHO), you can find that out yourself pretty easily.
This response has been erased.
Incidentally, it appears this isn't exploitable on some systems. It depends on how the binary is structured, so it may vary from build to build.
I've always wondered a little if postfix is really more secure, or just less common (and hence under less scrutiny.) I'm always a little suspicious of claims of (in)security based on the number of *discovered* bugs.
This response has been erased.
I'm going to get a good laugh when somebody tries to exploit that bug against us! I don't think very many hackers can write SunOS shellcode.
This response has been erased.
script-kiddies suck.
So is it correct to assume that the widely-reported bug in sendmail doesn't affect us?
This response has been erased.
I am trying to work with centering but it seems I need the glib library 1.2 or newer... Could somebody renew it? It's very important for me. Saizen
Dan, I drew my conclusion because no staff has said otherwise, and because staff has already hacked sendmail. Plus, no outside crazies have seized root. I hope. 8-)
This response has been erased.
It hasn't been patched with the 'official' patch yet, at very least. So it's probably vulnerable. AFAIK there's no working exploit for this on SunOS (or any other OS) yet, not that anyone should be reassured much by that.
Backtalk isn't responding but telnet is working fine.
This response has been erased.
Web server was probably down for some reason.
Incidentally, if you haven't already, you might want to email staff about the sendmail thing. They tend to read email a lot more often than they read this item.
I tried the Backtalk interface today, and could not get the Abelone(sp?) one to work, it just sat there.
They all just sit there for a while. Be patient. This screen took 2min to come up.
This response has been erased.
Re #228: That may not be Grex, it might be your browser (or web proxy server) timing out more quickly than Grex responds.
This response has been erased.
Almost no mail has been delivered today. Something's wrong.
I've gotten a fair amount of mail. About as much as I normally expect, anyway.
Same here.
The putty screen is still clearing, right after motd. Hence, I can't read motd, nor the new mail alert.
No mail here today either.
krokus, take a look at your termtype. I've seen something like that with vs100, I think it is. I have to set my xterm's termtype to vt100 when connecting to grex.
My screen has always cleared after login.
One could make 'motd' the last line of one's .login or .profile.
re 236 I can't change the emulation, as such. PuTTY only allows you to change certain aspects of the interaction. re 238 That was something I tried, but motd is displayed by the system, along with the new mail status, prior to the .login or .profile. (I know, it can be displayed again.)
Re #234: I believe that some tset or other commands clear the screen; check your .login file for things you don't need.
I have .hushlogin set to prevent the motd from being displayed during login. The reason is I have a script in my .profile that diffs the motd against what it was last time I logged in and displays just the changes.
By the way, are you aware that the motd displayed by the system on login, and by the motd command, displays more than just the contents of the file /etc/motd?
I wasn't. Why is that?
(are you aware that, if using a ssh client, the system does *not* display more than the contents of /etc/motd?) ;)
(Yeah, I recently became aware of that. I'm hoping that's a problem that magically goes away when Grex moves to new hardware and a modern, well-supported OS.) Re #243: I imagine it's so that parts of the login message can be generated automatically without collisions. For example, the birthday part of the motd is in /usr/local/lib/motd.birthday. This file is regenerated daily by a program that scans the birthday database and selects people whose birthday matches the current date. It would be unfortunate if the program wrote directly to /etc/motd at the same time somebody was editing /etc/motd manually.
For what it's worth, yesterday morning my IDS at work logged what appeared to be an attempt to exploit the sendmail vulnerability mentioned earlier in this message. Unfortunately I didn't have full logging turned on, so I can't say whether it had any shellcode attached or whether the goal was just to crash sendmail on vulnerable servers.
I dialed in and was told (twice) Unable to find your tty (ttyu1) in uutmp file. What does this mean and what stupid thing did I do that caused it? Bbs works anyway.
Mail still cannot be sent from wwnet.com to Grex. It appears that Grex is applying an unreasonably strict definition of what constitutes "legitimate conduct". Shutting off spammers is one thing; cutting ourselves off from major ISPs is quite another.
The ssh daemon must have died. I can telnet in, but not ssh.
$ ps -ax | grep sshd
 1045 ?  IW  0:05 /usr/local/libexec/sshd
 1293 ?  S   1:44 /usr/local/libexec/sshd
 2212 ?  IW  0:04 /usr/local/libexec/sshd
 2763 ?  IW  0:05 /usr/local/libexec/sshd
 3372 ?  IW  0:03 /usr/local/libexec/sshd
 3569 ?  IW  0:02 /usr/local/libexec/sshd
 3664 ?  IW  0:02 /usr/local/libexec/sshd
 3989 ?  S   0:05 /usr/local/libexec/sshd
23951 ?  S   2:08 /usr/local/libexec/sshd
26686 ?  IW  0:26 /usr/local/libexec/sshd
27290 ?  IW  0:08 /usr/local/libexec/sshd
27652 ?  IW  0:12 /usr/local/libexec/sshd
28254 ?  IW  0:21 /usr/local/libexec/sshd
28434 ?  S   0:08 /usr/local/libexec/sshd
28706 ?  IW  0:09 /usr/local/libexec/sshd
 4292 qc S   0:00 grep sshd
$
It is running now.
resp:250: not necessarily. That output doesn't tell me if the main sshd daemon is running or not. All of those could very well just be user sessions, and the main daemon could be dead so no new sessions could start.
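The point made above, that a list of sshd processes does not show whether the listening daemon is alive, as an added example that is not part of the original thread. It assumes a "PID PPID COMMAND" listing (not the SunOS `ps -ax` format shown earlier) and that the master's PID is known, for instance from sshd's pid file; the function name and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify sshd processes to tell the listening master from
# per-session children. Input format and master PID source are assumptions.

# classify_sshd MASTER_PID  < "PID PPID COMMAND" listing
# Prints: master=<up|down> sessions=<n> orphans=<n>
classify_sshd() {
    awk -v master="$1" '
        $3 !~ /sshd/ { next }              # skip non-sshd lines (e.g. grep)
        $1 == master { up = 1; next }      # recorded PID is alive and is sshd
        $2 == master { sessions++; next }  # session forked by the live master
        $2 == 1      { orphans++; next }   # reparented to init: its master is gone
        { sessions++ }                     # deeper descendants of a session
        END {
            printf "master=%s sessions=%d orphans=%d\n",
                   (up ? "up" : "down"), sessions, orphans
        }'
}

# Constructed sample: master 1293 alive, two sessions forked from it.
sample_healthy() {
    cat <<'EOF'
 1293     1 /usr/local/libexec/sshd
 2212  1293 /usr/local/libexec/sshd
 2763  1293 /usr/local/libexec/sshd
 4292  4100 grep sshd
EOF
}

# Constructed sample: master 1293 has died; existing sessions survive
# under init, so a plain grep still shows sshd processes.
sample_master_dead() {
    cat <<'EOF'
 2212     1 /usr/local/libexec/sshd
 2763     1 /usr/local/libexec/sshd
 4292  4100 grep sshd
EOF
}

sample_healthy | classify_sshd 1293
sample_master_dead | classify_sshd 1293
```

The second case is the one described in the response above: sshd processes are present, but none of them accepts new connections.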
You have several choices: