× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2001

Re: system under attack?

This server is used by Client Access Express to handle mapped network
drives.  See
<http://publib.boulder.ibm.com:80/cgi-bin/bookmgr/BOOKS/qb3aux03>

The remote PC could be just about anything like opening an IFS file,
changing the files attributes, creating new files, deleting files, etc. 
It's possible that the remote site is trying to map a drive to somewhere
in the IFS and not finding it and continuously retrying.  You can
identify what's going on with an exit program that records all of the
events.  This will at least show you the file that the user is trying to
access and what they're trying to do.  This may be enough of a hint.

Depending on your version of OS/400, there may be PTFs to fix your
problem.  See, for example, PTF SF60551.  What version of OS/400 are you
on?

Gary



srichter wrote:
> 
> Hi,
> 
> The shop I work at has a central as400 720 that is completely behind a pix 
>firewall. No internet access allowed to it at all.  We also have win95/98 pc's 
>that are located in branches throughout the country. These pc's are networked 
>to each other and to the central as400 using ethernet lan and cisco routers.
> 
> The pc's have internet access thru a central T1 line.  The pc's are also 
>behind the firewall, so they can get out to the internet, but nothing can get 
>in.
> 
> The pc's, behind the firewall like the as400, have unfettered network access 
>to the central as400.
> 
> Right now, NetStat on the 720 is showing something like this:
> 
>  Remote         Remote Local
>  Address        Port   Port      Idle Time State
>  172.24.105.115 2524   as-cent > 003:23:58 Established
>  172.24.105.115 2727   as-svrmap 000:01:08 Time-wait
>  172.24.105.115 2729   as-svrmap 000:01:07 Time-wait
>  172.24.105.115 2731   as-svrmap 000:01:06 Time-wait
> 
> 7 pages worth of it. about 80 entries.  all from 172.24.105.115 ( a pc in a 
>remote branch ). We see local port entries of "netbios-san", "as-svrmap", 
>"as-central" and "as-file".  The remote port nbr increments by 2 on each line. 
> 3481, 3483, 3485, 3487, ...
> 
> A job named "QPWFSERVSO" is continuously running and is using 5% of a very 
>fast 720.
> 
> The history log has scores of CPIAD09 and CPIAD12 entries, like the 
>following: ( every second we get another msg )
>  Message ID . . . . . . :   CPIAD12      Severity . . . . . . . :   00
>  Message type . . . . . :   Information
>  Date sent  . . . . . . :   08/15/01  Time sent  . . . . . . : 19:29:29
> 
>  Message . . . . : Servicing user profile xx from client 172.24.105.115.
> 
>  Cause . . . . . :This prestart job is currently servicing requests for user 
>profile SSM from client 172.24.105.115.  The client name is either an APPC 
>remote location name, or a TCP/IP remote system name.
> 
> Any idea what is going on?
> 
> Thanks,
> 
> Steve Richter
> 
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.