- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
OK, but why did the log say "Virrus attacking system"
"Attacking"!?!
Admin
After this close-call, did they at least purchase the anti-virus software for the VAX.
Admin
So why was this in the log?
"Virrus attacking system"
Admin
Huh? Some part of the mainframe that had been designed without any expectations of viruses was searching for the word virus - misspelt - and sending out an alert if it found it.
Or did I completely misunderstand?
Admin
I'm lost. The system prints out a "Username attacking system" message to all admins every time someone tries to log in? Or it freaks out at that particular username?
Admin
This is a 78% comment
Admin
muahha ha haa1
Admin
It was probably freaking out because Virrus tried logging in over and over and over while he didn't yet have access.
Admin
This makes no sense at all. So if somebody types the wrong password the Vax sends out alerts to all the admins, but supposedly this happens so rarely that the admins don't even recognize the "Username attacks system" message structure?
Admin
TheRealWTF is that a helpdesk operator helped to solve a problem.
Admin
Admin
PHB Crits the system for over 9000! System is dead!
Admin
This story is only 78% complete. Why would it say "attacking system"? Why would nobody have ever seen the phrase "attacking system" before or know what it meant? Why would anyone panic about their anti-virus complaining about a virus attack if they didn't have a virus installed?
Can we have the other 12% of the story next time? Or maybe an actual WTF.
Admin
... and, worse, DEC didn't recognise it?
Admin
... and for the other 10% we'll have unicorns.
Admin
Virruscontinuously tried to login without any success, and the server thought it was a DoS attack - amirite?Admin
Usually when someone cries "Bogus!" on a story here, I chuckle and think, no, these things really happen. However, as a long-time VMS programmer and sysadmin (since 1982), I'm having a very hard time with this one. Where is this "attacking" message coming from? That's certainly not even remotely standard. Where was it appearing? As an OPCOM entry (which I'm assuming from the words "alert log") it would clearly be flagged as a failed login. Why panic if that's the only sign? Why does no one recognize the recently created username? Why does a company running VMS shut it down, you just don't do that.
I can easily see why Digital was confused when they were "roped in": no decent %SYSTEM-E-WHATEVER message, the system is down, no other clues . . . and most of all, THERE ARE NO VIRUSES FOR VMS. I highly doubt they thought it could be "a new virus in the wild" because THERE WERE NO VIRUSES FOR VMS.
This is true. And thank you for not writing "OpenVMS".
ok dpm
Admin
I now present you another unlikely and probably-made-up story.
Admin
Admin
It's a long, long time since I did anything on the VAX, but I think there was a setting for warning of an attempted attack if anyone entered an incorrect password more than N times, where N defaulted to something like 10. So one would see it very rarely.
That sounds like what happened here. (But user name "Virrus" - really? That sounds just a little too good to be true. Still, stranger things have happened.)
Admin
Admin
I have certain amount of familiarity with VAX systems. Delightful machines, they were, in their day.
What usually happens is that if a user tries three unsuccessful times to log in, an alert is issued and it can be programmed to notify the admins. The details of this behaviour is completely controllable.
What probably happened is that this behaviour was put in by an early system admin (who is long gone) and forgotten about because this situation has never happened before.
Enter Virrus stage left with a wrong password ...
Admin
There should have been a plan for things like this. To fix ISO-900x compliance, I have documented the procedure:
Admin
Oh, and 'dpm' has a good point that if it was this there would have been a clear identifying code, which DEC at least would have immediately recognised.
Admin
Only if someone had customized one of the command procedures in SYS$MANAGER: or SYS$SYSTEM: could this have occurred as written, which, while possible, is not even remotely mentioned in the article.
ok dpm
Admin
"Out customer, Mr. Horsepom, wondered what happened to his files..."
Admin
Admin
Isn't it obvious? Mr. Virrus' fullname was "Attacking System Virrus". His cousins with Bobby Tables. The log entry is misquoted, it was actually:
Admin
a) Do you usually have a virus installed on your computer? b) Who ever said that it would be their anti-virus complaining? Displaying a message like "Virrus attacking system" sounds exactly like a thing the early viruses would do. So I would assume it is the virus talking.
Admin
Fucking fiper.
...and this completes the circle of the Anglo-German phonetic shifts.
Admin
No viruses for VMS?
Obviously you guys are all noobs and don't remember the WANK worm:
http://en.wikipedia.org/wiki/WANK_%28computer_worm%29
or Father Christmas:
http://en.wikipedia.org/wiki/Father_Christmas_%28computer_worm%29
Admin
I bet the original submission was:
"This one time, a guy named 'Virrus' created an account on our mainframe, and the IT guy freaked because he thought it said 'Virus'. Haha! It was hilarious!"
Admin
on a plane
Admin
In a DEC environment, you could login or attach, so perhaps the message was "attaching". But then it should have been "attaching to", of course, and so this sounds more like a VMS operator joke gone apocryphal.
Admin
This is the worst filler story ever. Sorry work has been so hard on you, Alex.
Admin
ok dpm
Admin
Their password-authentication software probably assumed that a certain number of consecutive password failures constituted a brute-force password-guessing attack. Depending on how you've got such a feature configured, it can be pretty common for normal users who've forgotten (or have fat-fingered) their passwords to put an attack-detected line in the logs. Normally, you'd want a more explicit error message than "$user attacking system", but I can certainly imagine a message like that being used in older software.
Admin
I hope the PHB's approved the purchase of a VMS "Virrus Scanner" so that this could never happen again.
Admin
Comments that say this is the weakest story of an increasingly poor batch seem to be disappearing. The worst possible WTF you can ever do is ignore your users (in this case people visting your site) and keep your head in the sand saying everything is fine!
Admin
My favorite 'name that caused problem' story is the one in which a woman's last name was Null (seriously-- "Null")
No great harm done, since it just meant that an excel spreadsheet that was exported out had a field erased to nothing when I did a search and replace (Change 'Null' to '')
Admin
People keep complaining about the "Virrus attacking system" message, but so far nobody has stopped to consider that maybe that message wasn't generated by the system. It said "alert log". Who says a human can't type and dispatch an alert so that others can read it?
Captcha: "caecus". Latin for "blind". Ooh, you mean these captchas are Latin words and not humorously mangled English?
Admin
Consider that maybe the log didn't specifically say "Virrus attacking system". Perhaps it said something different, but the username "Virrus" caught the attention of an easily-startled admin. I know it's hard to accept, but not all dialogues/error messages/program output/settings/order-of-events/etc. on this site are 100% accurate all the time.
Admin
Having once submitted a story only to see it "edited" (i.e. mangled) to the point that it made me look like a bigger idiot than the wtf involved, I have a lot of sympathy for our anonymous submitter. [sigh]
Admin
I hate my job.
Admin
As you can see, any entry logged by the system contains a large amount of explicit information. If it doesn't, it's not a valid entry and would immediately cause suspicion in itself. So I'm still unable to believe this story as published, and I'd be very interested in seeing the story as submitted.
ok dpm
Admin
Yeah, I can cut some unplausible entries some slack, but this one seems like it's written as a movie treatment. Starring Antonio Banderas as Mr. Attacking System Virrus.
Admin
I'm not saying such a solution would be sane, just asking if it is possible.
Admin
Admin
Any site which had that deep a customization would not forget about it and would certainly not shutdown at the slightest cause for alarm. It's a MAINFRAME, not a desktop, and shutting it down would usually be grounds for dismissal at most companies.
ok dpm
Admin