


I took it as a given from Rob's question that HELLO is not one of his
"normal" users.

I don't know how to track it down, but I remember a snippet posted years ago
of a hacker conversation in which one had connected to an iSeries and gotten
a sign-on screen and wanted to know what to do next. The reply from another
hacker, as I remember, was to try QPGMR/QPGMR or one of the other 'Q' users
since many sites never changed the default passwords.

Starting at V5R3, I think, IBM requires that QSECOFR's password be changed
when setting up the system, but it doesn't require that any of the other 'Q'
users be reset. The ANZDFTPWD command can be used to identify these
vulnerabilities; I run it as one of my first steps when taking a new job.
I'm always surprised that the default passwords are still active.

Jerry C. Adams
IBM i Programmer/Analyst
To be sure of hitting the target, shoot first and call whatever you hit the
target.
--
A&K Wholesale
Murfreesboro, TN
615-867-5070


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of sjl
Sent: Tuesday, January 03, 2012 8:29 AM
To: midrange-l@xxxxxxxxxxxx
Subject: Re: User HELLO?

Rob -

Do you actually have a User ID named 'HELLO' ?

When I had my AS/400 exposed to the internet, I saw lots of telnet logon
attempts for user names like 'CISCO' which eventually caused the device to
be varied off after the maximum # of sign on attempts.

- sjl



Rob wrote in message
news:mailman.1601.1325596715.2619.midrange-l@xxxxxxxxxxxx...

DSPMSG QSYSMSG
CPF1397-Subsystem QINTER varied off work station QPADEV0002 for user
HELLO.
Date sent . . . . . . : 01/02/12 Time sent . . . . . . : 03:05:45

DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME(010212 030545)
Lots of entries from jobs QYPSJSVR and QZOSIGN
Then
Sequence Code Type Object Library Job Time
6736807 T PW QINTER 3:05:45
Entry specific data
*...+....1....+....2.
UHELLO QPADEV0002

Sequence . . . . . . : 6736807
Code . . . . . . . . : T - Audit trail entry
Type . . . . . . . . : PW - Invalid password or user ID

Remote port . . . . : 35289
System name . . . . : GDISYS
Arm number . . . . . : 16
Logical unit of work : *OMITTED
Transaction ID . . . : *OMITTED

DSPDEVD QPADEV0002
Device class . . . . . . . . . . . : *VRT
Device type . . . . . . . . . . . : V100
Device model . . . . . . . . . . . : *ASCII
Emulated twinaxial device . . . . : 3196A2
Online at IPL . . . . . . . . . . : *NO
Attached controller . . . . . . . : QPACTL01
Keyboard language type . . . . . . : USB
Print device . . . . . . . . . . . : *SYSVAL
Output queue . . . . . . . . . . . : *DEV
Printer file . . . . . . . . . . . : QSYSPRT
Library . . . . . . . . . . . . : *LIBL
Dependent location name . . . . . : *NONE
Allocated to:
Job name . . . . . . . . . . . . . : QCMNARB02
User . . . . . . . . . . . . . . : QSYS
Number . . . . . . . . . . . . . : 301800
Current message queue . . . . . . : QSYSOPR
Library . . . . . . . . . . . . : QSYS
Last activity date . . . . . . . . : 01/02/12
Text . . . . . . . . . . . . . . . : Device created for GDISYS.
NOTE: No IP address.

How do I hunt this down further?



Rob Berendt
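
One way to triage T/PW audit entries like the one quoted above once they have been exported from QAUDJRN, as an added example that is not part of the original thread. The sample entries, the `parse_pw` and `triage` names and the threshold of 3 are assumptions made for illustration; only violation types P and U are handled.

```python
from collections import Counter

# Constructed sample entries (timestamp, entry-specific data), shaped like the
# T/PW entry in the thread: violation type in column 1, then user, then device.
SAMPLE = [
    ("2012-01-02 03:05:41", "UCISCO     QPADEV0002"),
    ("2012-01-02 03:05:43", "UADMIN     QPADEV0002"),
    ("2012-01-02 03:05:45", "UHELLO     QPADEV0002"),
    ("2012-01-02 09:12:10", "PJSMITH    QPADEV0007"),
    ("2012-01-02 11:30:02", "PQPGMR     QPADEV0009"),
]

# Only the two violation types relevant here; real PW entries have more.
VIOLATIONS = {"P": "password not valid", "U": "user name not valid"}


def parse_pw(data):
    """Split PW entry-specific data into violation type, user and device."""
    fields = data[1:].split()
    if data[:1] not in VIOLATIONS or len(fields) < 2:
        raise ValueError(f"unrecognised PW entry: {data!r}")
    return {"type": data[0], "user": fields[0], "device": fields[1]}


def triage(entries, threshold=3):
    """Return findings: probing devices and failed attempts naming 'Q' users."""
    parsed = [dict(parse_pw(d), time=t) for t, d in entries]
    findings = []
    # Several unknown user names from one device suggests automated guessing.
    unknown = Counter(e["device"] for e in parsed if e["type"] == "U")
    for device, count in sorted(unknown.items()):
        if count >= threshold:
            users = sorted({e["user"] for e in parsed
                            if e["device"] == device and e["type"] == "U"})
            findings.append(("probe", device, users))
    # A failed attempt naming a 'Q' user is a prompt to check default passwords.
    for e in parsed:
        if e["user"].startswith("Q"):
            findings.append(("q-profile", e["device"], [e["user"]]))
    return findings


if __name__ == "__main__":
    for kind, device, users in triage(SAMPLE):
        print(kind, device, ", ".join(users))
```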


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
