This morning I noticed a lot of activity on the front panel of my PiDP11 (PDP-11 replica). This is not normal, so I had a quick peek.
The machine is a Raspberry Pi (3) running Raspbian and hosting SIMH, which simulates a PDP-11. The PiDP11 consists of circuitry, switches and LEDs that replicate the front panel of a PDP-11. The LEDs show activity of the simulation similar to the actual front panel of a real PDP-11, so it’s a decent snapshot of actual system activity.
There is a specific LED pattern to system ‘idle’, and other patterns when the system is active. In this case, the ‘active’ pattern was continuous for several minutes.
This is unusual because the only program running on the PiDP11 besides the BSD 2.11 operating system is a small C program, ‘httpd.c’, which runs a simple HTTP web server. The actual web page served is a simple HTML page of text and one photo. Normal access shows activity for several seconds (less than 10) and then the idle pattern returns.
In this case the active pattern continued for several minutes. There is no need to ‘hit’ the web page repeatedly unless mischief is afoot.
I logged on to the R-Pi and then to the SIMH-PDP system. Using ‘ps’ I could see unexpected programs running, so I exited to SIMH and ended the simulation. I then rebooted the R-Pi.
While the R-Pi was rebooting, I checked my firewall rules to confirm the machine/port was open to the world. I edited the config file to remove this connection and reset the firewall. After reset I confirmed the port was no longer open.
Later I checked the firewall logs and confirmed that the attack was a simple DoS (denial of service) attack from a foreign country (in the ‘far east’). Fortunately I caught it very early and killed it immediately.
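The kind of check that confirms a flood like this in firewall logs, as an added example that is not part of the original post and not the author's own tooling: it counts inbound SYNs per source address per minute toward the web server's port and flags any source that exceeds a threshold. The log format, the addresses, the port (80) and the threshold are all assumptions, and the log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Assumed netfilter/iptables-style log format; real logs will differ in detail.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>\d{2}:\d{2}):\d{2}\s+"
    r".*?SRC=(?P<src>[\d.]+)\s.*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract the minute bucket, source address and destination port, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "minute": f"{m['mon']} {m['day']} {m['time']}",
        "src": m["src"],
        "dpt": int(m["dpt"]),
    }


def hits_per_source_minute(lines, port):
    """Count log entries per (source, minute) that target the given port."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpt"] == port:
            counts[(rec["src"], rec["minute"])] += 1
    return counts


def flag_floods(lines, port=80, threshold=20):
    """Return {source: peak hits per minute} for sources at or above the threshold.

    A normal visitor to a one-page site produces a handful of connections;
    tens of SYNs per minute from one address is what a flood looks like."""
    flagged = defaultdict(int)
    for (src, _minute), n in hits_per_source_minute(lines, port).items():
        if n >= threshold:
            flagged[src] = max(flagged[src], n)
    return dict(flagged)


def _build_sample_log():
    """Constructed sample: two normal visits, one SSH probe, one 60/minute flood."""
    fmt = ("Mar  3 07:{mm}:{ss:02d} gw kernel: FWD IN=eth0 SRC={src} "
           "DST=192.168.1.20 PROTO=TCP SPT={spt} DPT={dpt} SYN")
    lines = [
        fmt.format(mm="11", ss=40, src="198.51.100.7", spt=51022, dpt=80),
        fmt.format(mm="11", ss=58, src="198.51.100.7", spt=51023, dpt=80),
        fmt.format(mm="12", ss=5, src="192.0.2.9", spt=33000, dpt=22),
    ]
    for i in range(60):  # one source hammering the web port within a single minute
        lines.append(fmt.format(mm="12", ss=i, src="203.0.113.45", spt=40000 + i, dpt=80))
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, peak in flag_floods(SAMPLE_LOG).items():
        print(f"flood suspect {src}: {peak} SYNs to port 80 in one minute")
```

Run against a real log, the threshold should be tuned to what a single legitimate visit to the page actually produces (one page plus one photo is a few connections at most), and the `LINE_RE` pattern adjusted to the firewall's own format.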
However, the BSD 2.11 web server is no longer accessible from outside my home. Such is the price exacted by ‘bad actors’ seeking to cause mischief.