One thing puzzled me slightly over the last couple of days. Watching the auth logs I see login attempts with the following user IDs:

2024-11-30 SSH ALLIN1MAIL
2024-11-30 SSH PDP11
2024-11-30 SSH PDP8
2024-11-30 SSH TELEDEMO
2024-11-30 SSH DECMAIL
2024-11-30 SSH DECNET
2024-11-30 SSH SYSMAINT
2024-12-01 SSH SYSTEST_CLIG

which to this #oldfart #greybeard sounds very #DEC #VAX-like.

Anyone else seeing this? Or is somebody out there actually running an Internet-accessible VAX somewhere?

in reply to Peter N. M. Hansteen

and yes, actual log entries can be dug out if someone is interested in finding out where this particular weirdness originates
in reply to Peter N. M. Hansteen

Someone came across a really old list of passwords and/or exploits on some resurrected BBS somewhere, and thought they'd struck gold?
in reply to Garrett Wollman

@wollman @ltning Yes, and I only really notice new ones (as in not already in the local parts of spamtraps here).

So I was understandably surprised that relics of the past turn up like that *now* instead of way back when I started collecting imaginary friends for them.

in reply to Peter N. M. Hansteen

Last 8 weeks of /var/log/auth.log on cromwell-intl.com and toilet-guru.com show very few of those. I feel somewhat overlooked.
in reply to Doktor Overcomma

# bzcat /var/log/auth.log.* > /tmp/auth.log
# cat /var/log/auth.log >> /tmp/auth.log
# awk '/closed by invalid user/ {print $11, $12}' /tmp/auth.log | sort | egrep -i 'allin1mail|pdp11|pdp8|teledemo|decmail|decnet|sysmaint|systest_clig'
ALLIN1MAIL 92.255.57.132
DECMAIL 92.255.57.132
DECNET 92.255.57.132
DECNET 92.255.57.132
PDP11 92.255.57.132
PDP8 92.255.57.132
SYSMAINT 92.255.57.132
SYSMAINT 92.255.57.132
SYSMAINT 92.255.57.132
SYSTEST_CLIG 92.255.57.132
TELEDEMO 92.255.57.132
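
As an added example that is not part of any post in this thread: the fixed `$11, $12` positions above only line up for one timestamp style and one sshd message, so this sketch finds the name relative to the `invalid user` tokens instead, counts each connection once, and groups the legacy names per source address. The function names `sample_log` and `legacy_hits` are hypothetical, the log lines are constructed, and the message shapes are assumed to be the usual OpenSSH ones.

```sh
#!/bin/sh
# Usernames taken from the thread; matching is case-insensitive.
legacy_names='allin1mail|pdp11|pdp8|teledemo|decmail|decnet|sysmaint|systest_clig'

# Constructed sample lines (documentation IP ranges), not real log data.
sample_log() {
cat <<'EOF'
Nov 30 03:12:01 host sshd[4101]: Invalid user PDP11 from 203.0.113.7 port 40112
Nov 30 03:12:02 host sshd[4101]: Connection closed by invalid user PDP11 203.0.113.7 port 40112 [preauth]
Nov 30 03:12:09 host sshd[4107]: Invalid user DECNET from 203.0.113.7 port 40330
Nov 30 03:12:10 host sshd[4107]: Connection closed by invalid user DECNET 203.0.113.7 port 40330 [preauth]
Nov 30 03:13:44 host sshd[4120]: Connection closed by invalid user sysmaint 203.0.113.7 port 41002 [preauth]
Nov 30 04:01:17 host sshd[4188]: Connection closed by invalid user admin 198.51.100.9 port 51514 [preauth]
Dec  1 00:20:05 host sshd[4302]: Disconnected from invalid user SYSTEST_CLIG 203.0.113.7 port 42250 [preauth]
2024-12-01T00:21:40.112+00:00 host sshd-session[4310]: Connection closed by invalid user TELEDEMO 203.0.113.7 port 42301 [preauth]
EOF
}

# Reads sshd log lines on stdin; prints "IP attempts name1,name2,..." per source.
legacy_hits() {
    awk -v names="$legacy_names" '
    {
        # Locate the "invalid user" token pair wherever it falls in the line.
        u = 0
        for (i = 2; i < NF; i++)
            if ($i == "user" && tolower($(i-1)) == "invalid") { u = i; break }
        if (!u) next
        name = tolower($(u+1))
        ip = $(u+2)
        if (ip == "from") ip = $(u+3)      # "Invalid user NAME from IP" form
        if (name !~ ("^(" names ")$")) next
        # sshd logs several lines per connection; count each pid/name/ip once.
        pid = ""
        for (i = 1; i < u; i++) if ($i ~ /^sshd[^ ]*\[[0-9]+\]:$/) pid = $i
        key = pid SUBSEP name SUBSEP ip
        if (pid != "" && (key in seen)) next
        seen[key] = 1
        attempts[ip]++
        if (!((ip, name) in tried)) {
            tried[ip, name] = 1
            list[ip] = list[ip] (list[ip] == "" ? "" : ",") name
        }
    }
    END { for (ip in attempts) print ip, attempts[ip], list[ip] }
    ' | sort
}

sample_log | legacy_hits
```

On real logs, feed it the decompressed files the same way as above, for example `cat /tmp/auth.log | legacy_hits`.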
in reply to Peter N. M. Hansteen

@bobcromwell same here, on two exposed ssh servers, both got those requests on the same dates and with the same usernames, plus some more. The IP address has been brute-forcing since 2024-11-21 with "modern" usernames and only switched to historical stuff on 2024-11-30...
in reply to Peter N. M. Hansteen

Hmm. Not SYSTEM/MANAGER? Or maybe someone's been reading "Out of the Inner Circle" and wants to see if those hacks still work? ;)