i would treat this like a denial of service attempt. 800 print jobs from an unknown address, with unsupported hex? the 400 i believe is compliant with standard lpd. there are some lpd attacks described at www.sans.org

the fact the 400 throws the bad packets away is what makes it so strong. some other servers might have rolled over. since u may have been "probed" i would suggest a review of your security. websphere has come under attack in the last 6 months, in fact was part of a hacker contest (don't know if ibm was aware till later-it was testing some security products on NT/Unix).

jim

----- Original Message -----
From: "Bonnie Williams" <WilliamB@ccsd15.k12.il.us>
To: <MIDRANGE-L@midrange.com>
Sent: Monday, April 23, 2001 4:31 PM
Subject: Mystery jobs

> Every now and then, I see many job logs (sometimes as many as 800) on our system that are all identical and have a date/time stamp within a few minutes time. I am trying to find out what kind of jobs these are and who is submitting them.
>
> I am copying one of the job logs below. Does anyone know what kind of job this user is trying to run? (I can see that the job is trying to call the LPD.) Are they really trying to submit 800 different jobs? Or is this something coming from the internet and I am getting a job log for each line of a print job that is trying to print?
>
> Also, I don't have a clue who belongs to the IP address listed in the job logs. The last time (a couple of weeks ago) that I saw these job logs, the IP address was different. Is there any way to tell who this is?
>
> We are at V4R4 and using Websphere Advanced Edition 3.02.
>
>
> Job name . . . . . . . . . . : QTLPD00057 User . . . . . . : QTCP Number . . . . . . . . . . . : 025150
> Job description . . . . . . : QTMPLPD Library . . . . . : QTCP
> MSGID TYPE SEV DATE TIME FROM PGM LIBRARY INST TO PGM LIBRARY INST
> CPF1124 Information 00 04/20/01 16:07:36 QWTPIIPP QSYS 05E5 *EXT *N
>   Message . . . . : Job 025150/QTCP/QTLPD00057 started on 04/20/01 at 16:07:36
>     in subsystem QSYSWRK in QSYS. Job entered system on 04/20/01 at 16:07:36.
> CPI1125 Information 00 04/20/01 16:07:36 QWTPIIPP QSYS 029F *EXT *N
>   Message . . . . : Job 025150/QTCP/QTLPD00057 submitted.
>   Cause . . . . . : Job 025150/QTCP/QTLPD00057 submitted to job queue
>     QSYSNOMAX in QSYS from job 025148/QTCP/QTLPD00056. Job
>     025150/QTCP/QTLPD00057 was started using the Submit Job (SBMJOB) command
>     with the following job attributes: JOBPTY(5) OUTPTY(5) PRTTXT()
>     RTGDTA(LPDSERVE) SYSLIBL(QGPL QSYS QSYS2 QHLPSYS
>     QUSRSYS) CURLIB(QTCP) INLLIBL() LOG(4 00 *SECLVL) LOGCLPGM(*NO)
>     INQMSGRPY(*RQD) OUTQ(/*DEV) PRTDEV(PRT01) HOLD(*NO) DATE(*SYSVAL)
>     SWS(00000000) MSGQ(QUSRSYS/QTCP) CCSID(65535) SRTSEQ(*N/*HEX) LANGID(ENU)
>     CNTRYID(US) ALWMLTTHD(*NO).
> CPC1221 Completion 00 04/20/01 16:07:38 QWTCCSBJ QSYS 0162 QTMPJOBS QTCP *STMT
>   To module . . . . . . . . . : QTMPLPDS
>   To procedure . . . . . . . : DoCLCommand
>   Statement . . . . . . . . . : 167
>   Message . . . . : Job 025152/QTCP/QTLPD00058 submitted to job queue
>     QSYSNOMAX in library QSYS.
> TCP3711 Information 40 04/20/01 16:07:38 QTMPLPDC QTCP *STMT QTMPLPDC QTCP *STMT
>   From module . . . . . . . . : QTMPLPDS
>   From procedure . . . . . . : SendProgramMsg
>   Statement . . . . . . . . . : 1414
>   To module . . . . . . . . . : QTMPLPDS
>   To procedure . . . . . . . : SendProgramMsg
>   Statement . . . . . . . . . : 1414
>   Message . . . . : Unsupported TCP/IP LPD server function requested.
>   Cause . . . . . : The TCP/IP line printer daemon (LPD) server job received a
>     request for an unsupported function from remote system
>     24.78.39.171 . The command received was X'42', the
>     sub-command was X'00'. The request was ignored.
>   Recovery . . . : The AS/400 LPD only supports the Receive a Printer Job
>     (X'02') command and its sub-commands.
>     Command codes:                    Sub-Command codes:
>     --------------------------------- ----------------------------------
>     X'01' - Print any Waiting Jobs    X'01' - Abort Job
>     X'02' - Receive a Printer Job     X'02' - Receive Control File
>     X'03' - Send Queue State Short    X'03' - Receive Data File
>     X'04' - Send Queue State Long     X'04' - Receive Control File First
>     X'05' - Remove Jobs               X'05' - Receive Data File Unspecified Length
>   Technical description . . . . . . . . : See the Request
>     For Comments 1179 (RFC1179) issued by the Internet Network Printer Working
>     Group, for details on all possible commands and options.
> CPC2191 Completion 00 04/20/01 16:07:38 QLIDLOBJ QSYS 040E QLICLLIB QSYS 02A4
>   Message . . . . : Object LPDMSGS in QTEMP type *USRSPC deleted.
> CPF1164 Completion 00 04/20/01 16:07:38 QWTMCEOJ QSYS 00AA *EXT *N
>   Message . . . . : Job 025150/QTCP/QTLPD00057 ended on 04/20/01 at 16:07:38;
>     1 seconds used; end code 0 .
>   Cause . . . . . : Job 025150/QTCP/QTLPD00057 completed on 04/20/01 at
>     16:07:38 after it used 1 seconds processing unit time. The job had ending
>     code 0. The job ended after 1 routing steps with a secondary ending code of
>     0. The job ending codes and their meanings are as follows: 0 - The job
>     completed normally. 10 - The job completed normally during controlled ending
> 5769SS1 V4R4M0 990521 Job Log S1055D4M 04/20/01 16:07:38 Page 2
> Job name . . . . . . . . . . : QTLPD00057 User . . . . . . : QTCP Number . . . . . . . . . . . : 025150
> Job description . . . . . . : QTMPLPD Library . . . . . : QTCP
> MSGID TYPE SEV DATE TIME FROM PGM LIBRARY INST TO PGM LIBRARY INST
>     or controlled subsystem ending. 20 - The job exceeded end severity (ENDSEV
>     job attribute). 30 - The job ended abnormally. 40 - The job ended before
>     becoming active. 50 - The job ended while the job was active. 60 - The
>     subsystem ended abnormally while the job was active. 70 - The system ended
>     abnormally while the job was active. 80 - The job ended (ENDJOBABN command).
>     90 - The job was forced to end after the time limit ended (ENDJOBABN
>     command).
>   Recovery . . . : For more information, see the Work Management
>     book, SC41-5306.
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
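A triage sketch for the situation in this thread, added here as an example and not part of either post or of IBM's code: it pulls the TCP3711 entries out of spooled QTLPD job logs, labels each command byte against the RFC 1179 codes the message lists, and reports remote addresses that send a burst of command bytes outside that table. The log text is a constructed sample using documentation addresses; the function names, the threshold of 5 and the 5-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 1179 command codes X'01'..X'05', as listed in the TCP3711 text above.
RFC1179_COMMANDS = {0x01, 0x02, 0x03, 0x04, 0x05}
TCP3711 = re.compile(
    r"TCP3711 Information \d+ (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
    r"(?:(?!TCP3711).)*?remote system ([\d.]+) \. The command received was "
    r"X'([0-9A-F]{2})', the sub-command was X'([0-9A-F]{2})'")

def parse_tcp3711(joblog_text):
    """Return (timestamp, remote_ip, command, sub_command) per TCP3711 entry."""
    flat = " ".join(joblog_text.split())  # undo the spooled file's line wrapping
    return [(datetime.strptime(ts, "%m/%d/%y %H:%M:%S"), ip, int(c, 16), int(s, 16))
            for ts, ip, c, s in TCP3711.findall(flat)]

def classify(command):
    if command == 0x02:  # the only command the AS/400 LPD serves
        return "supported"
    return "RFC 1179, unsupported here" if command in RFC1179_COMMANDS else "not RFC 1179"

def bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map remote_ip -> peak count of non-RFC-1179 requests inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, cmd, _sub in sorted(events):
        if classify(cmd) == "not RFC 1179":
            by_ip[ip].append(ts)
    peaks = {}
    for ip, times in by_ip.items():
        start = peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            peaks[ip] = peak
    return peaks

# Constructed sample, wrapped like a spooled job log; documentation addresses.
ENTRY = ("TCP3711 Information 40 04/20/01 {t} QTMPLPDC QTCP *STMT\n"
         " Cause . . . . . :   request for an unsupported function from remote system\n"
         " {ip} . The command received was X'{c}', the\n"
         " sub-command was X'00'. The request was ignored.\n")
SAMPLE = "".join(ENTRY.format(t=f"16:07:{s:02d}", ip="192.0.2.10", c="42")
                 for s in range(30, 38)) + ENTRY.format(t="16:09:00", ip="198.51.100.7", c="03")

if __name__ == "__main__":
    print(bursts(parse_tcp3711(SAMPLE)))
```

A valid but unserved query such as X'03' is kept out of the burst count, so an ordinary LPR client asking for queue state does not raise the same flag as traffic that is not LPD at all.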
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].