| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 402.1 | try BUSY | VIDEO::OSMAN | and silos to fill before I feep, and silos to fill before I feep | Thu Feb 05 1987 22:09 | 12 | 
|  |     Try copying:
    
    	video::user$7:[osman.busy]busy.exe
    
    If you run it on another terminal, or in a batch job, it will announce
    most programs as they are run by anyone on the system (well not
    ANYONE, it depends on whether you have WORLD privilege)
    
    Run it, and as soon as you get the weird message, go look at busy's
    output stream and see if it announced who done it.
    
    /Eric
 | 
| 402.2 | NEED HELP ALSO PLEASE... | BIGHOG::CHARRON | Stardate 280187...Capt's Log were under attack | Thu Feb 05 1987 23:11 | 33 | 
|  | Hi 
	Just to let you know that I got the below error when logging in today.
Hadn't done anything to any of my files....so don't know what it is, unless
something on the system was changed ? They said nothing was changed on the 
system. It's not this system I am on right now.
	Any guess where I might let them know where to look ?
Thanks for any help,
Al.
		**********************
%RSX-F-NOMBX, unable to initialize passback/RCVD mailbox
-SYSTEM-F-NOPRIV, no privilege for attempted operation
		**********************
 | 
| 402.3 | PHONE hacks uses DECnet | CRVAX1::LAMPSON | ALL-IN-1 bumpercar bumper | Thu Feb 05 1987 23:38 | 9 | 
|  |         RE: .0
        
        	Assuming the perpetrator is using one of the command
        files which hacks the phone protocol, why not look for a network
        connection to your system's PHONE DECnet object at about the
        same time you saw it.  To do this, look at the NETSERVER.LOG
        files in the default DECnet account.
        
       _Mike
 | 
| 402.4 | More detail | FROST::HARRIMAN | Workin' in the Code Mines | Fri Feb 06 1987 10:38 | 30 | 
|  |     re: .0
    
        Depending on the format of the message you are receiving, the
    messages are coming from the PHONE hack, someone broadcasting over
    LAT (DECserver) ports (if you have them), the SEND utility from
    the toolshed, or a privileged user who is using $BRKTHRU to give
    you grief.
    
    	The latter two utilities leave unmistakable signatures - SEND
    leaves the process name of the caller, $BRKTHRU sends a pretty official
    looking message. The LAT port broadcast is characterized by the
    "Local: message" format. The PHONE hacks unfortunately don't have
    any of these characteristics and therefore are harder to trace.
    This does not mean they are untraceable; we have been able to accurately
    trace them to particular systems/account names.
    
    .-1 refers to NETSERVER.LOGs which normally reside in the default
    DECNET area. This must be done quickly; the DECNET account usually
    has a version limit on those and they tend to purge. The name of
    the perpetrator will always show up there.
    
    If you have LATS and the idiot actually broadcasts to you, the port
    number usually appears on the broadcast message. That's pretty simple
    to trace if you have hardwired ports.
    
    The easiest thing to do is $ SET NOBROADCAST or SET BROADCAST=NOPHONE
    which will discourage the hack pretty effectively - unfortunately
    you lose bona fide PHONE callers also. Ah well, such is...
    
    /pjh
 | 
| 402.5 | can you trace $BRKTHRUs ? | TOLEDO::VENNER |  | Fri Feb 06 1987 10:55 | 6 | 
|  |     re: .4
    
    $BRKTHRU does not send a pretty official looking message.  you can
    send anything, including escape sequences, and it just shows up
    on the other terminal without any indication of where it came from.
    
 | 
| 402.6 |  | TOLEDO::VENNER |  | Fri Feb 06 1987 11:08 | 12 | 
|  |     re: .1
    
    i couldn't resist copying over the BUSY.EXE program mentioned in
    the first reply, and it works very nice.  is that something from
    the toolshed or did eric osman write it himself?  if so, are you
    willing to part with the sources?  if not, could you give just a
    quick few sentence description of what method you used to write
    the program ... 
    
    thanks,
    marty venner
    
 | 
| 402.7 | On Affecting another process | VAXWRK::NORDLINGER | There's no notes like good notes | Sun Feb 08 1987 16:02 | 15 | 
|  | 	Perhaps the program uses the $GETJPI system service,
	however this would imply two weaknesses:
	
	1) It doesn't work well over a cluster
	2) It inswapped every process on the system because it
	needs to queue an AST to get the process's context. 
	This is explained much better in the V3 _IDSM_ chapter 12,
	and nicer still
	in the V4 _IDSM_ chapter 12, which can be ordered as a 
	buffer supplement (#EY-5398E-01-0002). This is the second
	installment; the first is #EY-5398E-01-0001.  
 | 
| 402.8 | Go get it.... | 50689::COURTS | Edwin Courts, DCC/ACT Munich | Mon Feb 09 1987 08:28 | 20 | 
|  |     Re: .6
    Any hacker worth his salt would've looked at .1 and copied BUSY.*,
    to see what he/she got. Try it....you might suddenly find yourself
    with the source (hope you comprendez Bliss though !!).
                                                        
    I looked, the program does use GETJPI, scans all (not just interactive)
    processes in the system, prints out all the images they are running,
    then stores them all away, continuously scanning, noting any change
    to the stored data, and updating it accordingly.
    
    Effective, but perhaps not efficient (as per .7). I did the same thing
    (for the same reason!) in DCL a couple of years ago.
    
    I suppose you could extend it to a cluster wide hunt using the SYSAP
    (midnight project) (CUDRIVER) stuff, suitably modified to get
    cross-cluster process image names.  
    
    All interesting stuff.....
    
    Edwin.
 | 
| 402.9 |  | CAFEIN::PFAU | You can't get there from here | Mon Feb 09 1987 09:16 | 9 | 
|  |     I wrote a program quite a while ago to display various items of
    information about processes on the system.  It got its information
    with two calls to $GETJPI.  The first call retrieved information
    from the PCB and the JIB.  Before issuing the second call which
    returned PHD information, I would check the STS bits to determine
    whether the process and its header were resident.  If not, I displayed
    *Swapped* instead.
    
    tom_p
 | 
| 402.10 | We're Digital Equipment and you're not | MAY20::MINOW | Martin Minow, MSD A/D, THUNDR::MINOW | Mon Feb 09 1987 12:37 | 7 | 
|  | The person in 402.9 just got bit by an RSX (contemptability mode) feature:
if the RSX emulator doesn't like your process name, it refuses to run
your program.  Try changing your process name to FUBAR and trying the
program again.
Martin
 | 
| 402.11 | how do I use CUDRIVER and SYSAP | VIDEO::OSMAN | and silos to fill before I feep, and silos to fill before I feep | Tue Feb 10 1987 11:31 | 7 | 
|  |     Someone just mentioned CUDRIVER and SYSAP.  Where are these documented?
    
    Better yet, can someone summarize what calls one makes, and what
    information is available ?  For instance, can I get general $GETJPI
    info cluster-wide ?
    
    /Eric
 | 
| 402.12 | cudriver ... | TOLEDO::VENNER |  | Tue Feb 10 1987 12:37 | 9 | 
|  |     i had assumed that the program BUSY.EXE was scanning the I/O database
    instead of just using GETJPI.  but in answer to note 402.11, i looked
    through the sources to the CUDRIVER once and although i didn't understand
    all of it i believe the driver is only capable of retrieving info
    that is permanently resident in system space like process headers
    and such.  so you can't get information like the current image running
    in all of the processes.  unfortunate!
    - marty
 | 
| 402.13 | CUDRIVER! | FROST::HARRIMAN | Talk? It's only talk! | Tue Feb 10 1987 13:11 | 14 | 
|  |     You DON'T know about CUDRIVER?
    
    	CUDRIVER is a very neat cluster-wide SYSAP which was written
    by Nick Carr et.al. (ECCLES::CARR)...
    
    	It has a number of nifty functions like cluster wide show system,
    show users, show error, show login... Also makes a device CUA0 which
    you may QIO to to get information from other nodes in the system.
    
    	It is in the toolshed, or you can send mail to Nick. I know
    the latest version is in the Toolshed.
    
    /pjh
    
 | 
| 402.14 | Be fast | PLDVAX::ZARLENGA | Bigger they are, Harder they hit | Tue Feb 10 1987 19:47 | 43 | 
|  |     	Before you get your hopes up, waiting for a message to
    pop up, try  $TYPE SYS$SYSDEVICE:[DECNET]NETSERVER.LOG;*
    and make sure you don't get "insufficient privilege" msg.
    	If that's the case I hope your system manager is within
    voice range or your system doesn't get a lot of PHONE and
    MAIL traffic or the NETSERVER.LOGs last about 3 minutes.
    	If you can, when the message appears, do a SHOW TIME.
    This is IMPORTANT. You'll need to know to within 1 or 2
    seconds when that message arrived. Then as fast as possible,
    type the TYPE command above. Look at the connects to PHONE.
    Write down the NODE and USER. Once they go off the screen
    it may be too late because when you do TYPE again that file
    may have been purged away.
    	This is how I "revenged" some people who had copies of
    SEND.COM. This is the cause of most of those messages.
    	If they're coming from $BRKTHRU, forget it. It's up to
    you to play Columbo, find the perpetrator, be the judge and
    jury, then strike when it will cause the loudest reaction.
    Of course, the punishment should fit the crime.
    	Escape sequences through $BRKTHRU must be fun. Send a few
    ^S's to terminals every now and then ...
    
    	Oh, revenge. Let's see. These "funny people" used to access
    a .COM file in my directory to do some SET COMMANDS. I put a few
    hooks in it ... check the user ... if it's one the fun bunch,
    SPAWN a subprocess with a .COM file for input. What was in the
    SPAWNed .COM file?   Well here it is ...
    
$  pid = f$getj(f$getj(0,"pid"),"master_pid")
$ wate:
$  wait 00:00:30
$  set proc/id='pid'/susp
$  wait 00:00:10
$  set proc/id='pid'/resu
$  goto wate
    
    	Every 30 seconds their main process would die for 10 seconds.
    Of course it took them more than 2 weeks to figure out how this
    was happening. They thought it was ^S but resetting the terminal
    doesn't help!!  And there was more CPU idle time for me!!
    
    -mike
    
 | 
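The tracing procedure described in .3, .4 and .14 (note the time with SHOW TIME, then look in NETSERVER.LOG for a connect to the PHONE object at about that moment, before the log is purged) can be scripted once the log has been copied somewhere safe. The following Python is an added example written for this note; it is not code from the thread or from any VMS utility. The log records it parses are constructed here and assume a record layout of the form `Connect request received at <time>` / `from remote process NODE::"0=USER"` / `for object "PHONE"`, with the user name taken from the `0=USER` part; check that against a real NETSERVER.LOG before relying on it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of a DECnet NETSERVER.LOG (assumed layout,
# not copied from a real system). Three connect requests, one of them to
# PHONE at about the time the bogus broadcast was seen.
SAMPLE_LOG = """\
Connect request received at  5-FEB-1987 22:07:01.12
    from remote process OTHER::"0=SMITH"
    for object "MAIL"
Connect request received at  5-FEB-1987 22:09:10.88
    from remote process NOISY::"0=PRANKSTER"
    for object "PHONE"
Connect request received at  5-FEB-1987 22:30:44.01
    from remote process FRIEND::"0=JONES"
    for object "PHONE"
"""

# One record = three lines: time stamp, remote node/process, target object.
RECORD_RE = re.compile(
    r'Connect request received at\s+'
    r'(?P<stamp>\d{1,2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})'
    r'\s+from remote process (?P<node>[A-Z0-9$_]+)::"(?P<proc>[^"]*)"'
    r'\s+for object "(?P<object>[^"]+)"'
)


def parse_vms_time(stamp):
    """Turn a VMS absolute time such as ' 5-FEB-1987 22:09:10.88' (with or
    without the hundredths) into a datetime."""
    stamp = stamp.strip()
    for fmt in ("%d-%b-%Y %H:%M:%S.%f", "%d-%b-%Y %H:%M:%S"):
        try:
            return datetime.strptime(stamp, fmt)
        except ValueError:
            pass
    raise ValueError(f"not a VMS absolute time: {stamp!r}")


def connects_near(log_text, event_time, window_seconds=5, obj="PHONE"):
    """Return (node, user, time) for every connect to `obj` logged within
    `window_seconds` of `event_time`.

    `event_time` is what SHOW TIME reported when the message appeared,
    either as a datetime or as a VMS time string; the window covers the
    second or two of slop between seeing the message and noting the time.
    The user name is the part after "=" in the remote process string
    (assumed form of that field).
    """
    if isinstance(event_time, str):
        event_time = parse_vms_time(event_time)
    window = timedelta(seconds=window_seconds)
    hits = []
    for m in RECORD_RE.finditer(log_text):
        if m.group("object") != obj:
            continue
        t = parse_vms_time(m.group("stamp"))
        if abs(t - event_time) <= window:
            user = m.group("proc").split("=")[-1]
            hits.append((m.group("node"), user, t))
    return hits


if __name__ == "__main__":
    seen = "5-FEB-1987 22:09:12"  # what SHOW TIME gave when the message popped up
    for node, user, when in connects_near(SAMPLE_LOG, seen):
        print(f"{when:%d-%b-%Y %H:%M:%S}  PHONE connect from {node}::{user}")
```

Run it against a copy of the log (`$ COPY SYS$SYSDEVICE:[DECNET]NETSERVER.LOG;* somewhere_safe`), not the live file, since the DECNET account's version limit will purge the evidence within minutes on a busy system. Widening `window_seconds` is the right move when the SHOW TIME reading was late; the object filter keeps ordinary MAIL traffic out of the result.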
| 402.15 | Help setting Prompt... | POGO::CHARRON | Stardate 280187...Capt's Log were under attack | Wed Feb 11 1987 19:32 | 19 | 
|  | $!  prompt = "<[1m" + f$trnlnm("SYS$NODE") + "[m>$ "
$!  SET PROMPT = 'prompt'
	Help, what am I doing wrong.....when trying to use it all
I get is    >$.  When I was expecting  <Nodename>$  in Bold .
	I commented out the above two lines not sure what it would do
here...I am not a Hacker... The esc sequence is generated from edt using
pf1 27 pf1 kpd(3).
Any help would be appreciated....:-)
Thanks,
Al.
 | 
| 402.16 | Try this | IDLEWD::LENZMEIER | Chuck, DECwest Engineering | Wed Feb 11 1987 20:11 | 11 | 
|  |     I would suggest something like this:
	$ esc[0,8] = 27
	$ node = f$trnlnm("sys$node") - "::"
	$ prompt = esc + "[1m<" + node + ">$ " + esc + "[0m"
	$ set prompt = "''prompt'"
    I also put esc+"<" in my prompt to get the terminal into ANSI
    mode, and esc+"=" to enable application keypad mode.
    Chuck
 | 
| 402.17 | thanks, it worked.... | POGO::CHARRON | Stardate 280187...Capt's Log were under attack | Wed Feb 11 1987 21:09 | 22 | 
|  | 
>    I would suggest something like this:
>	$ esc[0,8] = 27
>	$ node = f$trnlnm("sys$node") - "::"
>	$ prompt = esc + "[1m<" + node + ">$ " + esc + "[0m"
>	$ set prompt = "''prompt'"
>   I also put esc+"<" in my prompt to get the terminal into ANSI
>   mode, and esc+"=" to enable application keypad mode.
    
Chuck,
	Thanks, it worked just fine....the only thing I wasn't sure
of doing the last two lines so didn't try it....I tried to send you
mail at Idlewld::....but my system didn't recognize the node. If you
care to be more specific as to where to place the esc+"<" etc...sorry
if I am dense about that....  :-)
Al.
 | 
| 402.18 | set prompt to node name | MTBLUE::MACKAY_RANDY |  | Fri Feb 13 1987 13:17 | 6 | 
|  |     
    	Here's how to do it in one line .
$ set prompt = "''f$getsyi("nodename")'>> "
    randy
 | 
| 402.19 | Make it "Yali" please | YALI::LASTOVICA | Norm Lastovica | Sat Feb 14 1987 12:48 | 6 | 
|  |     But I wanted it in upper and lower case!  And did this:
   
	$	system_name = f$getsyi("NODENAME")
	$	system_name = f$extract(0,1,system_name) -
			+ f$edit(f$extract(1,99,system_name),"lowercase")
	$	set prompt="''system_name'> "
 | 
| 402.20 | get flashy....:-) | BASHER::IBL | stick with me kid, we'll go places... | Mon Feb 16 1987 10:46 | 17 | 
|  |      ...and...if you want to make it a bit prettier......
    
    	$ esc[0,8] = 27		! ESC; the literal escape characters did not survive in the posted text
	$ B="> "
	$ C=F$Getsyi("NODENAME")
	$ D=F$Extract(0,1,C)
	$ M=F$extract(1,1,C)
	$ N=F$Extract(2,1,C)
	$ O=F$Extract(3,1,C)
	$ P=F$Extract(4,1,C)
	$ Q=F$Extract(5,1,C)
	$ E=esc+"[m"+M+esc+"[1m"+N+esc+"[m"+O+esc+"[1m"+P+esc+"[m"+Q
	$ F=esc+"[1m"+D+F$Edit(E,"Lowercase")+B
	$ Set Prompt="''F'"
    
                                                         Ian!
    
    
 |