|
So ? Now that the problem is in the day light, what have you discovered ?? JMS... ------ Jeffrey M. Silberberg Independent Consultant CompuDesigns, Inc. Atlanta, GA. AS SOON AS I KNOW THE ANSWERS THEY CHANGE THE QUESTIONS ----- Original Message ----- From: srichter <srichter@mail.autocoder.com> To: <midrange-l@midrange.com> Sent: Wednesday, August 15, 2001 11:54 PM Subject: Re: system under attack? > Jeffrey, > > The branch/site that is the source of the trouble only has win95 pc's. Only 1 pc shows up with activity in NetStat right now. NetStat shows the local port as 139, 449, 8470 and 8473. Mostly 449 ( as-svrmap ). The remote port keeps on incrementing by 2 within the range of 1500 to 4000. > > Steve Richter > > > ---------- Original Message ---------------------------------- > From: "Jeffrey Silberberg" <jsilberberg@mindspring.com> > Reply-To: midrange-l@midrange.com > Date: Wed, 15 Aug 2001 23:36:50 -0400 > > >Steve, > > > > I would look for a Windoze or UNIX/SMB server that is down, that > >normally supplies a mount to the systems on this segment. I think you are > >seeing a client attempting to re-mount a shared disk partition somewhere, > >and your iSeries box is seeing the requests. NOTE: There is a major change > >to these messages in V4R5 documented in the Memo to users. You could/should > >look at your routers to see what ports are being passed, and if you are not > >mounting any of the IFS stuff close off these requests with a deny rule. > > > > Also, you could do an Exit program to drop theseon the floor, but > >depending on the volume this could busy the connection to the point of > >becoming a Denial-of-service storm so I would rather see you block it on the > >router.. > > > > From the Web Site Document : http://www.faqs.org/faqs/firewalls-faq/ > >For example, a web server running on NT might be vulnerable to a number of > >denial-of-service attacks against such services as RPC, NetBIOS and SMB. > >These services are not required for the operation of a web server, so > >blocking TCP connections to ports 135, 137, 138, and 139 on that host will > >reduce the exposure to a denial-of-service attack. > > > >HUM: Second night in a row of I quoted from here !! > > > >Jeffrey M. Silberberg > >Independent Consultant > >CompuDesigns, Inc. > > > >AS SOON AS I KNOW THE ANSWERS > >THEY CHANGE THE QUESTIONS > > > > > > > > > > > >----- Original Message ----- > >From: srichter <srichter@mail.autocoder.com> > >To: <midrange-l@midrange.com> > >Sent: Wednesday, August 15, 2001 10:21 PM > >Subject: Re: system under attack? > > > > > >> >Depending on your version of OS/400, there may be PTFs to fix your > >> >problem. See, for example, PTF SF60551. What version of OS/400 are you > >> > >> v4r4. > >> ptf sf60551 is perm applied. > >> > >> Its pretty wild. > >> With all the msgs, the system is creating an 800k history log file every > >15 minutes. > >> I asked the night person at the branch to power off all the pc's. And the > >NetStat activity continues. He must have missed a pc. > >> I vary off all the devices and controllers, no chg. ( pc must be ip > >connected instead of netsoft ) > >> When I hold the "QPWFSERVSO" job, the NetStat activity stops. But we > >released it again because we dont know what the job does and the impact of > >holding it. > >> > >> The plan is to call ibm in the morning. > >> > >> Thanks Gary, > >> > >> Steve Richter > >> > >> > >> _______________________________________________ > >> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing > >list > >> To post a message email: MIDRANGE-L@midrange.com > >> To subscribe, unsubscribe, or change list options, > >> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l > >> or email: MIDRANGE-L-request@midrange.com > >> > > > > > >_______________________________________________ > >This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list > >To post a message email: MIDRANGE-L@midrange.com > >To subscribe, unsubscribe, or change list options, > >visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l > >or email: MIDRANGE-L-request@midrange.com > > > > > _______________________________________________ > This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list > To post a message email: MIDRANGE-L@midrange.com > To subscribe, unsubscribe, or change list options, > visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l > or email: MIDRANGE-L-request@midrange.com >
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.