Another year and another great performance by my programming students. They have already solved two problems and still have an hour left to go. Come on “Team Red C”! Hard work and dedication (we had to leave Samford at 5:30AM this morning and won’t get back until 10:30PM - 17 hours!)

Viva Las Vegas! After a three day drive that included quick visits to friends and family along the way in Texas and Arizona as well as brief visits to the Grand Canyon, Hoover Dam at night (very cool!), and finally to Las Vegas, I arrived just in time to showcase my Ajax Performance Monitor Toolkit. The kids love the pools here at the hotel including a wave pool and lazy river.

My presentation went well, and there seemed to be interest in the toolkit and porting it to work with other server-side scripting languages. Download the powerpoint slides (3.28MB). If you are interested in trying it out, you may also download a preliminary version of the toolkit (644KB) with a very limited amount of documentation.

• A method for semantics-based conceptual expansion of ontology. Liping Zhou, Dezheng Zhang, Xin Chen, and Chengcui Zhang, University of Alabama at Birmingham.
• Design and fabrication of a research flight simulator. Harold Zallen, and James J. Baird, Jr., Joint Research Project with Malone Group International and Auburn University.
• Extracting coexpression relations between genes using grammatical parsing. Richa Tiwari, University of Alabama at Birmingham.
• Jibu: a tool for efficient and reliable concurrent programming. Srinivasarao Krishnaprasad, Jacksonville State University.
• Kinematic structure and evolution of the 9 march 2006 Mississippi/Alabama bow echo. Calvin M Elkins, University of Alabama in Huntsville.
• Metamodel recovery system using grammar inference. Qichao Liu, University of Alabama at Birmingham.

Today I discovered VirtualBox while working on a cluster computing project. VirtualBox isn’t directly related to cluster computing, but it can be used to run multiple compute nodes for testing. VirtualBox is an open-source equivalent to VMWare’s popular VMWare Workstation product. With the performance of today’s hardware, the ability to run multiple operating systems simultaneously on a single machine is becoming a reality for more and more people.

The basic idea is that by installing VirtualBox you install an application and a small set of services that allow you to create virtual machines for running an entirely different operating system in a window on your host operating system. I have just completed an install of the latest version of the Debian OS into a virtual machine. The entire process (including the several hundred megabyte download) took less than one hour to complete. Now I can boot up a Linux operating system whenever I want to run an application only available in Linux ( e.g., Kmines ).

The screenshots below give you a glimpse into how it works. The first screenshot shows the virtual machine configuration options, which represents everything you would find on a real machine. The second shows Linux running in a window on my Windows Vista host operating system.

Welcome to another exciting semester at Samford University! Here is a quick summary list of the exciting classes and work just around the corner!

• COSC325 - emphasizing web languages to demonstrate concepts of programming languages
• COSC495 - senior seminar - details of student projects to be posted soon!
• SUVS - Samford University Virtual Supercomputer

This may not be news to many of you, but my new home development machine is under attack! This isn’t your typical script kiddie HTTP attack, but rather a full-blown SSHD password guessing attack. Unfortunately, I did not take screenshots of everything as I detected the attack (which has been going on for about two weeks now) but I do have a few screenshots to help describe the timeline of events:

1 - I opened process explorer (an excellent replacement for the Windows Task Manager) to investigate my current cpu usage and running processes. The screenshot above doesn’t show it because I didn’t take a screenshot at the time, but what drew my attention to a possible attack was multiple sshd.exe processes appearing and then disappearing (brightly colored in red to indicate that the process was marked for destruction). My immediate instinct was that somebody was making connections and attempting to guess a password!

2 - I then instinctively (i.e., immediately and as fast as I could) opened a command prompt and typed the command netstat -a which shows the list of active TCP connections. Sure enough, there was a number of connections to static-217-133-194-98.clienti.tiscali.it

3 - Next I decided to see if the event viewer had recorded any activity. Wow! Over 30,000 events relating to sshd activity. The screenshot above shows the very first event recording a break-in attempt. On the evening of November 25, I switched my hardware firewall to redirect all port 22 SSH requests to my new computer. The next morning at 11:55:19 AM, the first attack commenced and proceeded to send a new username/password login attempt every 8 seconds for just over 1.5 hours ending at 1:19:19 PM. The attack sequence generated 2489 entries in the event viewer. You can see that the entry records a failed password guess for non-existent user root. The attacking computer then tried a different password before switching to a new user account ftp. Again, this is a non-existent user account. Then the user tried a second time with this user account before switching to another account: sales.

The first ten user names attempted are shown below in order:

Then the attacks suddenly cease. The next day at 11/27 9:25:01AM, I received this message:
sshd: PID 4688: Did not receive identification string from 65.164.104.70
followed 8 hours later by a successful remote login from my grandmother’s computer in Indiana where we were visiting for the holidays: sshd: PID 2736: Accepted password for HIDDEN from VALID IP ADDRESS port 29287 ssh2. Seventeen minutes later I received another identification string message: sshd: PID 2164: Did not receive identification string from 89.248.104.36 followed another six hours later by: sshd: PID 2164: Did not receive identification string from 89.248.104.36

A little over 3 hours later, the next attack began at 11/28 2:30:44AM with this message:
sshd: PID 2880: Did not receive identification string from 148.245.173.248 followed by a series of password guesses lasting 23 minutes ending at 11/28 2:53:28AM. This series of attack had one additional message not recorded in the first attack sequence: sshd: PID 4068: reverse mapping checking getaddrinfo for na-173-248.na.avantel.net.mx [148.245.173.248] failed - POSSIBLE BREAK-IN ATTEMPT! This is evidence of an IP address spoofing attempt whereby the request reported that it was originating from a local address when the request actually originated (and was detected as originating) from an external address [148.245.173.248].

Attacks like this continued off and on sometimes with 24 hours elapsing between break-in attempts until I detected today’s attack as described above. I was suspicious that attacks had also been launched on my old development computer prior to the switchover. Sure enough, I looked at the event viewer and there were thousands of entries dating back to November 12.

Initial Response
In addition to what I have already described above, I took the following actions within the first hour of detecting the attacks:

• Stopped and disabled the cygwin sshd service
• Disabled the Vista user account under which the sshd server runs
• Began auditing to see if any of the break-in attempts had been successful. Specifically I was looking for sshd messages containing the string password accepted, which is what is recorded in the event viewer whenever I successfully login from a remote computer
• I haven’t changed anything with the Windows firewall since I had already disabled the SSHD service, but on my hardware firewall I decided to make myself at least a tiny bit more invisible by unchecking “respond to ping”
• With my paranoia level raised, I made a small change on my public web server to change the directory under which phpmyadmin runs … I already had .htaccess Apache basic authentication enabled, but I felt like throwing a little security-by-obscurity in wouldn’t hurt other than having to remember the new directory name.

Next Steps

• Continue auditing to verify that no break-ins were successful
• Notify the Internet service provider for each offending IP address of the break-in attempts along with a screenshot and/or event log
• Update the port forwarding service on my hardware firewall to point to my nonstandard port as well as updating the port on which the cygwin sshd service runs
• Update the built-in Windows Vista firewall to include a rule that allows connections to the sshd service only from Samford IP addresses, which is the only place where I connect from when not traveling
• Update the built-in Windows Vista firewall with a rule (disabled initally) that will allow connections from all IP addresses - I will enable this rule only when I am going on a trip or when I know ahead of time that I may be connecting from any other non-Samford IP address

• Ajax Performance Toolkit - I am in the final stages of getting ready to release this to web developers under the GNU General Public License (GPL). This “plug-and-play-and-configure” software allows a web developer to insert a small segment of code onto any web page to monitor the performance of Ajax requests being generated and the responses being received from a web server as well as the current load on the web server. Click on the screenshot below to see a larger image showing the toolkit applied to a page that retrieves the elevation under the cursor by sending an Ajax request to the server every time the mouse moves.
  
• Overclocked Q9550 processor - back up to 3.78GHz running at 1.38 core voltage. I invested the money on a nice processor, nice motherboard, why not use its full potential? A color-coded shaded relief map of the entire state of Colorado can be generated over 20% faster with the overclocked processor as opposed to the stock setup. Here is the updated PC Mark Vantage results.

1. Overheating - raising the processor core temp above its thermal specification rating for extended periods of time
2. Overvolting - operating the processor at a voltage exceeding the maximum end of the VID Voltage Range

The other potentially bad thing that can happen with overclocking your processor is that your processor can stop operating correctly even while still being able to boot and load an entire operating system. This can trick you into thinking that your overclocked setup is working correctly when it really isn’t. A typical CPU can execute literally billions of instructions per second so if one or two or even twenty of those instructions executes incorrectly, the result may not even be noticable to a typical operating system or typical software applications that you run.

My architecture students should be able to tell you what happens if the clock rate is too high — signals do not have enough time to propagate to their final destination so an incorrect value will be written into memory or into a register before the newly calculated correct value arrives there.

That is why overclockers know that you can’t trust your setup until you run a few good benchmarks and at least one torture test. Two common torture tests that you can download and run for free are prime95 and Intel Burn Test.

I downloaded and installed prime95 and started to run it on what I thought was a stable 3.6 GHz overclock. It lasted less than a minute before crashing with a hardware failure. The way prime95 works is to perform a series of calculations and compare the results with known correct answers that are part of the data distributed with the program. If the calculated answer doesn’t match the known correct answer, then the only explanation is faulty hardware. Also, my CPU core temp started to approach the Intel thermal specification of 71deg celsius very quickly after raising the core voltage to increase stability. This is why overclockers need intricate cooling setups!

So I resolved to scale back my overclocked setup to 3.4 GHz, 800MHz memory speed, which is still a 20% overclock from the stock 2.83Ghz setting. With a core voltage setting of 1.26V, prime95 was able to run for 1 hour before I stopped it with temps just making it to 65deg celsius. I am using a cheap aftermarket air cooler so I am hesitant to let it run for longer without manually keeping an eye on the temp and shutting it down if it makes it up above 71deg celsius.

Prime95 run - just over 5.5 hours with a CPU temp warning
As you can see in the screenshot, Prime95 has made it just over 5.5 hours without error after I left it running overnight. The ASUS software PC Probe II has popped up the temperature warning. By stealing CPU cycles from Prime95 and then idling the CPU during the ensuing context switch, the temperature warning also acts a very minor temperature governor.