× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2001

Re: invalid signon attempts...

  • Subject: Re: invalid signon attempts...
  • From: Sean Porterfield <sporter@xxxxxxxxxxxx>
  • Date: Mon, 15 Jan 2001 15:31:05 -0500
  • Organization: Best Distributing Co.
 
You might try WRKJOB QZSCSRVS

Although you may have to look in a bunch to find the right one.  On our
system, the job log shows user and IP address.

Or DSPLOG MSGID(CPIAD12) for the time period in question.

HTH

> Chuck Bower wrote:
> 
> Help!
> 
> I have a user (lets call her XXXXX) who has the following logged into
> the QHST log:
> 
>                          Additional Message
> Information
> 
> 
>  Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :
> 00
>  Message type . . . . . :
> Information
>  Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :
> 19:02:54
> 
> 
>  Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN
> processing
>    request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in
> QSYS.
>  Cause . . . . . :   The *SIGNON server is processing request 1 for
> user
>    XXXXX.  The types of requests supported are as
> follows:
>      1 -- Retrieve Signon
> Information
>      2 -- Change
> Password
>      3 -- Generate Authentication
> Token
> 
> Now, it happens I was speaking with user XXXXX at a party at just the
> time this message occurred.  I have been trying to find out where this
> request came from.  I cannot find an IP address from this message, nor
> can I located anything else in the log that would indicate the origin
> of the request.
> 
> The next day (yesterday), the same message occurred, followed by an
> automatic disabling of the user's profile.  I do not care, of course,
> that the profile was disabled, (I know why it was disabled, too many
> incorrect signon attempts-because of my system value settings).  What
> is WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
> 
> Because without that, I cannot track down the perpetrator that may be
> attempting to break into the system with XXXXX's authority.  (which is
> quite significant).
> 
> I am even running the system auditing journal.  When I look at
> password failures, the device name associated with the device for the
> journal entry is "COMMUNICATIONS DEVICE".  Uh, yeah!
> 
> Anybody's help would be GREATLY appreciated...
> 
> Chuck
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.