• Subject: invalid signon attempts...
  • From: "Chuck Bower" <cbower@xxxxxxxxxxxx>
  • Date: Mon, 15 Jan 2001 14:01:54 -0500

Help!
 
I have a user (let's call her XXXXX) who has the following logged into the QHST log:
 
                         Additional Message Information                        
                                                                               
 Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :   00        
 Message type . . . . . :   Information                                        
 Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :   19:02:54  
                                                                               
 Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN processing       
   request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in QSYS.  
 Cause . . . . . :   The *SIGNON server is processing request 1 for user        
   XXXXX.  The types of requests supported are as follows:                    
     1 -- Retrieve Signon Information                                          
     2 -- Change Password                                                      
     3 -- Generate Authentication Token                                         
                                                                                
Now, it happens I was speaking with user XXXXX at a party at just the time this message occurred.  I have been trying to find out where this request came from.  I cannot find an IP address from this message, nor can I locate anything else in the log that would indicate the origin of the request.
 
The next day (yesterday), the same message occurred, followed by an automatic disabling of the user's profile.  I do not care, of course, that the profile was disabled (I know why it was disabled: too many incorrect signon attempts, because of my system value settings).  What I WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
 
Because without that, I cannot track down the perpetrator that may be attempting to break into the system with XXXXX's authority (which is quite significant).
 
I am even running the system auditing journal.  When I look at password failures, the device name associated with the device for the journal entry is "COMMUNICATIONS DEVICE".  Uh, yeah!
 
Anybody's help would be GREATLY appreciated...
 
Chuck

This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].