• Subject: Re: invalid signon attempts...
  • From: "Chuck Bower" <cbower@xxxxxxxxxxxx>
  • Date: Mon, 15 Jan 2001 16:27:34 -0500

Sean

By the way, when I do get a successful connection, my QHST log shows an
additional message:

 Message ID . . . . . . :   CPIAD09       Severity . . . . . . . :   00
 Message type . . . . . :   Information
 Date sent  . . . . . . :   01/15/01      Time sent  . . . . . . :   16:10:49

 Message . . . . :   User XXXXX from client XXX.XXX.XXX.XXX connected to job
   250934/QUSER/QZSCSRVS in subsystem QUSRWRK in QSYS on 01/15/01 16:10:49.

But when the authentication fails, the above message is NOT logged into
QHST.

You would think that authentications could be tracked back to an IP address
on TCPIP connection attempts.  I wonder if the software just doesn't grab
enough info when the request is made.

> You might try WRKJOB QZSCSRVS
>
> Although you may have to look in a bunch to find the right one.  On our
> system, the job log shows user and IP address.
>
> Or DSPLOG MSGID(CPIAD12) for the time period in question.
>
> HTH
>
> > Chuck Bower wrote:
> >
> > Help!
> >
> > I have a user (let's call her XXXXX) who has the following logged into
> > the QHST log:
> >
> >                          Additional Message Information
> >
> >  Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :   00
> >  Message type . . . . . :   Information
> >  Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :   19:02:54
> >
> >  Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN processing
> >    request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in QSYS.
> >  Cause . . . . . :   The *SIGNON server is processing request 1 for user
> >    XXXXX.  The types of requests supported are as follows:
> >      1 -- Retrieve Signon Information
> >      2 -- Change Password
> >      3 -- Generate Authentication Token
> >
> > Now, it happens I was speaking with user XXXXX at a party at just the
> > time this message occurred.  I have been trying to find out where this
> > request came from.  I cannot find an IP address from this message, nor
> > can I locate anything else in the log that would indicate the origin
> > of the request.
> >
> > The next day (yesterday), the same message occurred, followed by an
> > automatic disabling of the user's profile.  I do not care, of course,
> > that the profile was disabled, (I know why it was disabled, too many
> > incorrect signon attempts-because of my system value settings).  What
> > I WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
> >
> > Because without that, I cannot track down the perpetrator that may be
> > attempting to break into the system with XXXXX's authority.  (which is
> > quite significant).
> >
> > I am even running the system auditing journal.  When I look at
> > password failures, the device name associated with the device for the
> > journal entry is "COMMUNICATIONS DEVICE".  Uh, yeah!
> >
> > Anybody's help would be GREATLY appreciated...
> >
> > Chuck
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
>
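
Added example, not part of the original message or the replies: Python that pairs each CPIAD0B signon request with a CPIAD09 connect message for the same user, so the requests that left no client address in QHST stand out. The tuple layout, user names, job numbers, address and the 10-second window are constructed assumptions; only the message wording follows the entries quoted in this thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: (timestamp, message id, text). Only the message wording
# follows the CPIAD0B / CPIAD09 entries quoted in this thread.
SAMPLE_QHST = [
    ("01/15/01 16:10:47", "CPIAD0B", "*SIGNON server job 250931/QUSER/QZSOSIGN processing "
     "request for user ALICE on 01/15/01 16:10:47 in subsystem QUSRWRK in QSYS."),
    ("01/15/01 16:10:49", "CPIAD09", "User ALICE from client 192.0.2.10 connected to job "
     "250934/QUSER/QZSCSRVS in subsystem QUSRWRK in QSYS on 01/15/01 16:10:49."),
    ("01/15/01 19:02:54", "CPIAD0B", "*SIGNON server job 250940/QUSER/QZSOSIGN processing "
     "request for user BOB on 01/15/01 19:02:54 in subsystem QUSRWRK in QSYS."),
    ("01/15/01 19:03:10", "CPIAD0B", "*SIGNON server job 250940/QUSER/QZSOSIGN processing "
     "request for user BOB on 01/15/01 19:03:10 in subsystem QUSRWRK in QSYS."),
]
SIGNON_RE = re.compile(r"processing\s+request for user (\S+) on")
CONNECT_RE = re.compile(r"User (\S+) from client (\S+) connected to job")
FMT = "%m/%d/%y %H:%M:%S"

def correlate(entries, window_seconds=10):
    """Return (matched, unmatched) signon requests.

    A CPIAD0B request is matched when a CPIAD09 connect message for the same
    user follows within window_seconds (an assumed window, tune per system)."""
    connects = []
    for ts, msgid, text in entries:
        m = CONNECT_RE.search(text)
        if msgid == "CPIAD09" and m:
            connects.append((datetime.strptime(ts, FMT), m.group(1), m.group(2)))
    matched, unmatched = [], []
    window = timedelta(seconds=window_seconds)
    for ts, msgid, text in entries:
        m = SIGNON_RE.search(text)
        if msgid != "CPIAD0B" or not m:
            continue
        when, user = datetime.strptime(ts, FMT), m.group(1)
        ip = next((addr for c_when, c_user, addr in connects
                   if c_user == user and timedelta(0) <= c_when - when <= window), None)
        if ip:
            matched.append((ts, user, ip))
        else:
            unmatched.append((ts, user))  # no client address recorded in QHST
    return matched, unmatched

if __name__ == "__main__":
    ok, suspect = correlate(SAMPLE_QHST)
    print("matched:", ok)
    print("no connect message:", suspect)
```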

