• Subject: Re: invalid signon attempts...
  • From: "Chuck Bower" <cbower@xxxxxxxxxxxx>
  • Date: Mon, 15 Jan 2001 16:19:08 -0500

Sean

I have reviewed all of the QZSCSRVS that I have.  I have not found
anything, possibly because there are no job logs left for jobs not active now,
and in the existing jobs, I see IP connections.  But not for the time
periods in question.  I am wondering if I would not have that anyway, as
each of these connection attempts has apparently been unsuccessful.  It
appears that the successful attempts log the user id and the IP address...

> You might try WRKJOB QZSCSRVS
>
> Although you may have to look in a bunch to find the right one.  On our
> system, the job log shows user and IP address.

I have not found ANY CPIAD12 messages logged.  I see from the message text
that this would appear to be a message that occurs when an IP connection is
made, thus I should see some of those, but I do not.

Note, I just went up on V4R5 4 weeks ago.

>
> Or DSPLOG MSGID(CPIAD12) for the time period in question.
>
> HTH
>
> > Chuck Bower wrote:
> >
> > Help!
> >
> > I have a user (let's call her XXXXX) who has the following logged into
> > the QHST log:
> >
> >                          Additional Message Information
> >
> >  Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :   00
> >  Message type . . . . . :   Information
> >  Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :   19:02:54
> >
> >  Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN processing
> >    request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in QSYS.
> >  Cause . . . . . :   The *SIGNON server is processing request 1 for user
> >    XXXXX.  The types of requests supported are as follows:
> >      1 -- Retrieve Signon Information
> >      2 -- Change Password
> >      3 -- Generate Authentication Token
> >
> > Now, it happens I was speaking with user XXXXX at a party at just the
> > time this message occurred.  I have been trying to find out where this
> > request came from.  I cannot find an IP address from this message, nor
> > can I locate anything else in the log that would indicate the origin
> > of the request.
> >
> > The next day (yesterday), the same message occurred, followed by an
> > automatic disabling of the user's profile.  I do not care, of course,
> > that the profile was disabled, (I know why it was disabled, too many
> > incorrect signon attempts, because of my system value settings).  What
> > I WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
> >
> > Because without that, I cannot track down the perpetrator that may be
> > attempting to break into the system with XXXXX's authority.  (which is
> > quite significant).
> >
> > I am even running the system auditing journal.  When I look at
> > password failures, the device name associated with the device for the
> > journal entry is "COMMUNICATIONS DEVICE".  Uh, yeah!
> >
> > Anybody's help would be GREATLY appreciated...
> >
> > Chuck
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
>


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].