• Subject: Re: invalid signon attempts...
  • From: Sean Porterfield <sporter@xxxxxxxxxxxx>
  • Date: Mon, 15 Jan 2001 15:31:05 -0500
  • Organization: Best Distributing Co.

You might try WRKJOB QZSCSRVS

Although you may have to look in a bunch to find the right one.  On our
system, the job log shows user and IP address.

Or DSPLOG MSGID(CPIAD12) for the time period in question.

HTH

> Chuck Bower wrote:
> 
> Help!
> 
> I have a user (let's call her XXXXX) who has the following logged into
> the QHST log:
> 
>                          Additional Message Information
> 
>  Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :   00
>  Message type . . . . . :   Information
>  Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :   19:02:54
> 
>  Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN processing
>    request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in QSYS.
>  Cause . . . . . :   The *SIGNON server is processing request 1 for user
>    XXXXX.  The types of requests supported are as follows:
>      1 -- Retrieve Signon Information
>      2 -- Change Password
>      3 -- Generate Authentication Token
> 
> Now, it happens I was speaking with user XXXXX at a party at just the
> time this message occurred.  I have been trying to find out where this
> request came from.  I cannot find an IP address from this message, nor
> can I locate anything else in the log that would indicate the origin
> of the request.
> 
> The next day (yesterday), the same message occurred, followed by an
> automatic disabling of the user's profile.  I do not care, of course,
> that the profile was disabled, (I know why it was disabled, too many
> incorrect signon attempts-because of my system value settings).  What
> I WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
> 
> Because without that, I cannot track down the perpetrator that may be
> attempting to break into the system with XXXXX's authority.  (which is
> quite significant).
> 
> I am even running the system auditing journal.  When I look at
> password failures, the device name associated with the device for the
> journal entry is "COMMUNICATIONS DEVICE".  Uh, yeah!
> 
> Anybody's help would be GREATLY appreciated...
> 
> Chuck