• JH (unregistered)

    OK, but why did the log say "Virrus attacking system"

    "Attacking"!?!

  • sadwings (unregistered)

    After this close-call, did they at least purchase the anti-virus software for the VAX.

  • Anon (unregistered)

    So why was this in the log?

    "Virrus attacking system"

  • (cs)

    Huh? Some part of the mainframe that had been designed without any expectations of viruses was searching for the word virus - misspelt - and sending out an alert if it found it.

    Or did I completely misunderstand?

  • Scott (unregistered)

    I'm lost. The system prints out a "Username attacking system" message to all admins every time someone tries to log in? Or it freaks out at that particular username?

  • Telemachos (unregistered)

    This is a 78% comment

  • Virrus (unregistered)

    muahha ha haa1

  • Andrew (unregistered) in reply to Scott
    Scott:
    I'm lost. The system prints out a "Username attacking system" message to all admins every time someone tries to log in? Or it freaks out at that particular username?

    It was probably freaking out because Virrus tried logging in over and over and over while he didn't yet have access.

  • EvenMoreAnonymous (unregistered)

    This makes no sense at all. So if somebody types the wrong password the Vax sends out alerts to all the admins, but supposedly this happens so rarely that the admins don't even recognize the "Username attacks system" message structure?

  • Migala (unregistered)

    TheRealWTF is that a helpdesk operator helped to solve a problem.

  • sym (unregistered) in reply to Andrew
    Andrew:
    It was probably freaking out because Virrus tried logging in over and over and over while he didn't yet have access.
    That seems like a very plausible explanation. Thanks for the hint :)
  • (cs)

    PHB Crits the system for over 9000! System is dead!

  • Andy P (unregistered)

    This story is only 78% complete. Why would it say "attacking system"? Why would nobody have ever seen the phrase "attacking system" before or know what it meant? Why would anyone panic about their anti-virus complaining about a virus attack if they didn't have a virus installed?

    Can we have the other 12% of the story next time? Or maybe an actual WTF.

  • rjmx (unregistered) in reply to EvenMoreAnonymous
    EvenMoreAnonymous:
    This makes no sense at all. So if somebody types the wrong password the Vax sends out alerts to all the admins, but supposedly this happens so rarely that the admins don't even recognize the "Username attacks system" message structure?

    ... and, worse, DEC didn't recognise it?

  • Matt Westwood (unregistered) in reply to Andy P
    Andy P:
    This story is only 78% complete. Why would it say "attacking system"? Why would nobody have ever seen the phrase "attacking system" before or know what it meant? Why would anyone panic about their anti-virus complaining about a virus attack if they didn't have a virus installed?

    Can we have the other 12% of the story next time? Or maybe an actual WTF.

    ... and for the other 10% we'll have unicorns.

  • Amar (unregistered)

    Virrus continuously tried to login without any success, and the server thought it was a DoS attack - amirite?

  • (cs)

    Usually when someone cries "Bogus!" on a story here, I chuckle and think, no, these things really happen. However, as a long-time VMS programmer and sysadmin (since 1982), I'm having a very hard time with this one. Where is this "attacking" message coming from? That's certainly not even remotely standard. Where was it appearing? As an OPCOM entry (which I'm assuming from the words "alert log") it would clearly be flagged as a failed login. Why panic if that's the only sign? Why does no one recognize the recently created username? Why does a company running VMS shut it down, you just don't do that.

    I can easily see why Digital was confused when they were "roped in": no decent %SYSTEM-E-WHATEVER message, the system is down, no other clues . . . and most of all, THERE ARE NO VIRUSES FOR VMS. I highly doubt they thought it could be "a new virus in the wild" because THERE WERE NO VIRUSES FOR VMS.

    VMS is the greatest OS ever developed.

    This is true. And thank you for not writing "OpenVMS".

    ok dpm

  • Remy Porter (unregistered)

    I now present you another unlikely and probably-made-up story.

  • (cs) in reply to Matt Westwood
    Matt Westwood:
    ... and for the other 10% we'll have unicorns.
    Sorry, but no unicorns are available today. You'll have to make do with vipers.
  • Dazed (unregistered)

    It's a long, long time since I did anything on the VAX, but I think there was a setting for warning of an attempted attack if anyone entered an incorrect password more than N times, where N defaulted to something like 10. So one would see it very rarely.

    That sounds like what happened here. (But user name "Virrus" - really? That sounds just a little too good to be true. Still, stranger things have happened.)

  • Matt Westwood (unregistered) in reply to dkf
    dkf:
    Matt Westwood:
    ... and for the other 10% we'll have unicorns.
    Sorry, but no unicorns are available today. You'll have to make do with vipers.
    Right, because if anything says "I'm a homosexual" better than unicorns, it's snakes.
  • Matt Westwood (unregistered) in reply to Andrew
    Andrew:
    Scott:
    I'm lost. The system prints out a "Username attacking system" message to all admins every time someone tries to log in? Or it freaks out at that particular username?

    It was probably freaking out because Virrus tried logging in over and over and over while he didn't yet have access.

    I have certain amount of familiarity with VAX systems. Delightful machines, they were, in their day.

    What usually happens is that if a user tries three unsuccessful times to log in, an alert is issued and it can be programmed to notify the admins. The details of this behaviour is completely controllable.

    What probably happened is that this behaviour was put in by an early system admin (who is long gone) and forgotten about because this situation has never happened before.

    Enter Virrus stage left with a wrong password ...

  • Migala (unregistered)

    There should have been a plan for things like this. To fix ISO-900x compliance, I have documented the procedure:

    1. PANIC!!
    2. Call Vendor
    3. If problem not solved, repeat from 1
  • Dazed (unregistered) in reply to Dazed
    Dazed:
    That sounds just a little too good to be true.

    Oh, and 'dpm' has a good point that if it was this there would have been a clear identifying code, which DEC at least would have immediately recognised.

  • (cs) in reply to Amar
    Amar:
    `Virrus` continuously tried to login without any success, and the server thought it was a DoS attack - amirite?
    Possibly, but if so, a very large amount of detail has been omitted in the story as published. Also, it must have involved a huge degree of human conclusion-jumping, because the operating system (did not really call them "servers" back then) had no concept of DoS and would simply have flagged a failed login for too-many-attempts within a certain amount of time, producing an obvious message and CERTAINLY not including the word "attacking".

    Only if someone had customized one of the command procedures in SYS$MANAGER: or SYS$SYSTEM: could this have occurred as written, which, while possible, is not even remotely mentioned in the article.

    ok dpm

  • Gnubeutel (unregistered)

    "Out customer, Mr. Horsepom, wondered what happened to his files..."

  • icebrain (unregistered) in reply to Dazed
    Dazed:
    (But user name "Virrus" - really? That sounds just a little too good to be true. Still, stranger things have happened.)
    http://www.dontstayin.com/members/virrus
  • Anon (unregistered) in reply to Anon
    Anon:
    So why was this in the log?

    "Virrus attacking system"

    Isn't it obvious? Mr. Virrus' fullname was "Attacking System Virrus". His cousins with Bobby Tables. The log entry is misquoted, it was actually:

    Virrus, Attacking System
  • Coyote (unregistered) in reply to Andy P
    Andy P:
    Why would anyone panic about their anti-virus complaining about a virus attack if they didn't have a virus installed?

    a) Do you usually have a virus installed on your computer? b) Who ever said that it would be their anti-virus complaining? Displaying a message like "Virrus attacking system" sounds exactly like a thing the early viruses would do. So I would assume it is the virus talking.

  • (cs)

    Fucking fiper.

    ...and this completes the circle of the Anglo-German phonetic shifts.

  • Valdis (unregistered)

    No viruses for VMS?

    Obviously you guys are all noobs and don't remember the WANK worm:

    http://en.wikipedia.org/wiki/WANK_%28computer_worm%29

    or Father Christmas:

    http://en.wikipedia.org/wiki/Father_Christmas_%28computer_worm%29

  • whiskeyjack (unregistered)

    I bet the original submission was:

    "This one time, a guy named 'Virrus' created an account on our mainframe, and the IT guy freaked because he thought it said 'Virus'. Haha! It was hilarious!"

  • attack! (unregistered) in reply to Matt Westwood
    Matt Westwood:
    dkf:
    Matt Westwood:
    ... and for the other 10% we'll have unicorns.
    Sorry, but no unicorns are available today. You'll have to make do with vipers.
    Right, because if anything says "I'm a homosexual" better than unicorns, it's snakes.

    on a plane

  • TGVish (unregistered)

    In a DEC environment, you could login or attach, so perhaps the message was "attaching". But then it should have been "attaching to", of course, and so this sounds more like a VMS operator joke gone apocryphal.

  • charlie (unregistered)

    This is the worst filler story ever. Sorry work has been so hard on you, Alex.

  • (cs) in reply to Valdis
    Valdis:
    No viruses for VMS?
    That's right.
    Valdis:
    Obviously you guys are all noobs and don't remember the WANK or Father Christmas worms
    Those are worms, not viruses --- there's a reason why there are two different terms.

    ok dpm

  • JB (unregistered) in reply to JH
    JH:
    OK, but why did the log say "Virrus attacking system"

    "Attacking"!?!

    Their password-authentication software probably assumed that a certain number of consecutive password failures constituted a brute-force password-guessing attack. Depending on how you've got such a feature configured, it can be pretty common for normal users who've forgotten (or have fat-fingered) their passwords to put an attack-detected line in the logs. Normally, you'd want a more explicit error message than "$user attacking system", but I can certainly imagine a message like that being used in older software.

  • Rottweiler (unregistered)

    I hope the PHB's approved the purchase of a VMS "Virrus Scanner" so that this could never happen again.

  • Paul (unregistered)

    Comments that say this is the weakest story of an increasingly poor batch seem to be disappearing. The worst possible WTF you can ever do is ignore your users (in this case people visting your site) and keep your head in the sand saying everything is fine!

  • JMM (unregistered) in reply to Dazed

    My favorite 'name that caused problem' story is the one in which a woman's last name was Null (seriously-- "Null")

    No great harm done, since it just meant that an excel spreadsheet that was exported out had a field erased to nothing when I did a search and replace (Change 'Null' to '')

  • Kef Schecter (unregistered)

    People keep complaining about the "Virrus attacking system" message, but so far nobody has stopped to consider that maybe that message wasn't generated by the system. It said "alert log". Who says a human can't type and dispatch an alert so that others can read it?

    Captcha: "caecus". Latin for "blind". Ooh, you mean these captchas are Latin words and not humorously mangled English?

  • (cs) in reply to JH
    JH:
    OK, but why did the log say "Virrus attacking system"

    "Attacking"!?!

    As several people pointed out, it was probably due to authentication; several failed attempts resulted in a message about an attack. While that's probably correct, let me take a different approach.

    Consider that maybe the log didn't specifically say "Virrus attacking system". Perhaps it said something different, but the username "Virrus" caught the attention of an easily-startled admin. I know it's hard to accept, but not all dialogues/error messages/program output/settings/order-of-events/etc. on this site are 100% accurate all the time.

  • Todd Lewis (unregistered) in reply to whiskeyjack
    whiskeyjack:
    I bet the original submission was:

    "This one time, a guy named 'Virrus' created an account on our mainframe, and the IT guy freaked because he thought it said 'Virus'. Haha! It was hilarious!"

    Having once submitted a story only to see it "edited" (i.e. mangled) to the point that it made me look like a bigger idiot than the wtf involved, I have a lot of sympathy for our anonymous submitter. [sigh]

  • Helldesk imp (unregistered)

    I hate my job.

  • (cs) in reply to Kef Schecter
    Kef Schecter:
    Who says a human can't type and dispatch an alert so that others can read it?
    Because VMS doesn't work that way, as any system manager would know. Allow me to elucidate:
    Original Post:
    Sure enough, at the top of the alert log, was the message: Virrus attacking system.
    This is completely absurd. The top of the "alert log" --- I assume he means OPERATOR.LOG --- would look like this:
    %%%%%%%%%%%  OPCOM  25-MAY-1996 16:07:09.20  %%%%%%%%%%%  
    Message from user AUDIT$SERVER on GILMORE 
    Security alarm (SECURITY) on GILMORE, system id: 20300 
    Auditable event:          Network login failure
    Event time:               25-MAY-1996 16:07:08.77 
    PID:                      30C00119 
    Process name:             Hobbit 
    Username:                 HUBERT  
    Process owner:            [LEGAL,HUBERT] 
    Terminal name:            RTA1: 
    Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE 
    Status:                   %SYSTEM-S-NORMAL, normal successful completion 
    Target PID:               30C00126 
    Target process name:      SMISERVER 
    Target username:          SYSTEM 
    Target process owner:     [SYSTEM]
    

    As you can see, any entry logged by the system contains a large amount of explicit information. If it doesn't, it's not a valid entry and would immediately cause suspicion in itself. So I'm still unable to believe this story as published, and I'd be very interested in seeing the story as submitted.

    ok dpm

  • (cs)

    Yeah, I can cut some unplausible entries some slack, but this one seems like it's written as a movie treatment. Starring Antonio Banderas as Mr. Attacking System Virrus.

  • (cs) in reply to dpm
    dpm:
    This is completely absurd. The top of the "alert log" --- I assume he means OPERATOR.LOG --- would look like this:
    %%%%%%%%%%%  OPCOM  25-MAY-1996 16:07:09.20  %%%%%%%%%%%  
    Message from user AUDIT$SERVER on GILMORE 
    Security alarm (SECURITY) on GILMORE, system id: 20300 
    Auditable event:          Process suspended ($SUSPND) 
    Event time:               25-MAY-1996 16:07:08.77 
    
    </snip>

    As you can see, any entry logged by the system contains a large amount of explicit information. If it doesn't, it's not a valid entry and would immediately cause suspicion in itself. So I'm still unable to believe this story as published, and I'd be very interested in seeing the story as submitted.

    ok dpm

    Forgive my lack of VMS knowledge, but is it possible to have a custom process that captures such entries and publishes abbreviated messages to admins?

    I'm not saying such a solution would be sane, just asking if it is possible.

  • (cs) in reply to Spork
    Spork:
    Yeah, I can cut some unplausible entries some slack, but this one seems like it's written as a movie treatment. Starring Antonio Banderas as Mr. Attacking System Virrus.
    Please cast Peter Stormare in your movie as the undead Mr. Werner.
  • (cs) in reply to boog
    boog:
    dpm:
    This is completely absurd. The top of the "alert log" --- I assume he means OPERATOR.LOG --- would look like this:
    Forgive my lack of VMS knowledge, but is it possible to have a custom process that captures such entries and publishes abbreviated messages to admins?
    Of course. I've done something similar myself. However, that is an extremely specialized job which would rarely be considered, let alone actually implemented, for the excellent reason that you almost always *want* that information.

    Any site which had that deep a customization would not forget about it and would certainly not shutdown at the slightest cause for alarm. It's a MAINFRAME, not a desktop, and shutting it down would usually be grounds for dismissal at most companies.

    ok dpm

  • Matt Westwood (unregistered) in reply to Todd Lewis
    Todd Lewis:
    whiskeyjack:
    I bet the original submission was:

    "This one time, a guy named 'Virrus' created an account on our mainframe, and the IT guy freaked because he thought it said 'Virus'. Haha! It was hilarious!"

    Having once submitted a story only to see it "edited" (i.e. mangled) to the point that it made me look like a bigger idiot than the wtf involved, I have a lot of sympathy for our anonymous submitter. [sigh]

    Remy is great at that, but that's only when he's been drinking (which is every morning).

Leave a comment on “Virrus Attack!”

Log In or post as a guest

Replying to comment #:

« Return to Article