• Subject: Re: invalid signon attempts...
  • From: Sean Porterfield <sporter@xxxxxxxxxxxx>
  • Date: Wed, 17 Jan 2001 17:13:41 -0500
  • Organization: Best Distributing Co.

I don't use Client Access anymore, so it took me a while to get to a
machine to test this.  I used an invalid password numerous times and got
the following logged in QHST:

 *SIGNON server job 449172/QUSER/QZSOSIGN processing request for user SPORTER
Message ID . . . . . . :   CPIAD0B

The good news is that it's logged (but you already knew that, since it's
where you started).  The bad news is that it didn't stop me from trying
over and over, and I can't find an IP address either.

OTOH, if user XXXXX has the default USERID stored in Client Access, this
would mean that someone was using user XXXXX's PC but not necessarily
trying to hack in.

Sorry I couldn't be more help.  Perhaps there's a way to use an exit
program?  (That's beyond me.)

Sean

Chuck Bower wrote:
> 
> Sean
> 
> By the way, when I do get a successful connection, my QHST log shows an
> additional message:
> 
>  Message ID . . . . . . :   CPIAD09       Severity . . . . . . . :   00
>  Message type . . . . . :   Information
>  Date sent  . . . . . . :   01/15/01      Time sent  . . . . . . :   16:10:49
> 
>  Message . . . . :   User XXXXX from client XXX.XXX.XXX.XXX connected to job
>    250934/QUSER/QZSCSRVS in subsystem QUSRWRK in QSYS on 01/15/01 16:10:49.
> 
> But when the authentication fails, the above message is NOT logged into
> QHST.
> 
> You would think that authentications could be tracked back to an IP address
> on TCPIP connection attempts.  I wonder if the software just doesn't grab
> enough info when the request is made.
> 
> > You might try WRKJOB QZSCSRVS
> >
> > Although you may have to look in a bunch to find the right one.  On our
> > system, the job log shows user and IP address.
> >
> > Or DSPLOG MSGID(CPIAD12) for the time period in question.
> >
> > HTH
> >
> > > Chuck Bower wrote:
> > >
> > > Help!
> > >
> > > I have a user (let's call her XXXXX) who has the following logged into
> > > the QHST log:
> > >
> > >                          Additional Message Information
> > >
> > >  Message ID . . . . . . :   CPIAD0B       Severity . . . . . . . :   00
> > >  Message type . . . . . :   Information
> > >  Date sent  . . . . . . :   01/13/01      Time sent  . . . . . . :   19:02:54
> > >
> > >  Message . . . . :   *SIGNON server job 243473/QUSER/QZSOSIGN processing
> > >    request for user XXXXX on 01/13/01 19:02:54 in subsystem QUSRWRK in QSYS.
> > >  Cause . . . . . :   The *SIGNON server is processing request 1 for user
> > >    XXXXX.  The types of requests supported are as follows:
> > >      1 -- Retrieve Signon Information
> > >      2 -- Change Password
> > >      3 -- Generate Authentication Token
> > >
> > > Now, it happens I was speaking with user XXXXX at a party at just the
> > > time this message occurred.  I have been trying to find out where this
> > > request came from.  I cannot find an IP address from this message, nor
> > > can I locate anything else in the log that would indicate the origin
> > > of the request.
> > >
> > > The next day (yesterday), the same message occurred, followed by an
> > > automatic disabling of the user's profile.  I do not care, of course,
> > > that the profile was disabled, (I know why it was disabled, too many
> > > incorrect signon attempts-because of my system value settings).  What
> > > I WANT TO KNOW IS, WHERE THE HECK IS THE IP ADDRESS!!!
> > >
> > > Because without that, I cannot track down the perpetrator that may be
> > > attempting to break into the system with XXXXX's authority.  (which is
> > > quite significant).
> > >
> > > I am even running the system auditing journal.  When I look at
> > > password failures, the device name associated with the device for the
> > > journal entry is "COMMUNICATIONS DEVICE".  Uh, yeah!
> > >
> > > Anybody's help would be GREATLY appreciated...
> > >
> > > Chuck
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
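
The correlation the posters describe (a CPIAD0B signon request that is, or is not, followed by a CPIAD09 connect message carrying the client address) can be run over exported QHST entries. This is an added example, not code from the thread: the one-line-per-message layout, user names, address and 30-second window are assumptions, and an unmatched CPIAD0B is only a candidate for review, since it also covers password-change and token requests.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. Assumed layout: "MSGID MM/DD/YY HH:MM:SS message text".
# Message wording follows the thread; users, jobs and address are made up.
SAMPLE_QHST = """\
CPIAD0B 01/15/01 16:10:47 *SIGNON server job 250931/QUSER/QZSOSIGN processing request for user ALICE
CPIAD09 01/15/01 16:10:49 User ALICE from client 192.0.2.10 connected to job 250934/QUSER/QZSCSRVS in subsystem QUSRWRK in QSYS
CPIAD0B 01/16/01 19:02:54 *SIGNON server job 243473/QUSER/QZSOSIGN processing request for user BOB
CPIAD0B 01/16/01 19:03:05 *SIGNON server job 243473/QUSER/QZSOSIGN processing request for user BOB
CPIAD0B 01/16/01 19:03:11 *SIGNON server job 243473/QUSER/QZSOSIGN processing request for user BOB
"""

LINE = re.compile(r"^(CPIAD0B|CPIAD09)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(.*)$")
SIGNON = re.compile(r"processing request for user (\S+)")
CONNECT = re.compile(r"User (\S+) from client (\S+) connected to job")

def parse(text):
    """Return (timestamp, msgid, fields) for each recognised message, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore other message IDs and malformed lines
        msgid, stamp, body = m.groups()
        fields = (SIGNON if msgid == "CPIAD0B" else CONNECT).search(body)
        if fields:
            when = datetime.strptime(stamp, "%m/%d/%y %H:%M:%S")
            events.append((when, msgid, fields.groups()))
    return sorted(events, key=lambda e: e[0])

def correlate(text, window=timedelta(seconds=30)):
    """Split CPIAD0B requests into those followed by a CPIAD09 for the same
    user within `window` (client address known) and those that are not."""
    events = parse(text)
    connects = [(w, f) for w, mid, f in events if mid == "CPIAD09"]
    attributed, unattributed = [], {}
    for when, mid, fields in events:
        if mid != "CPIAD0B":
            continue
        user = fields[0]
        client = next((f[1] for w, f in connects
                       if f[0] == user and timedelta(0) <= w - when <= window), None)
        if client:
            attributed.append((when, user, client))
        else:
            unattributed.setdefault(user, []).append(when)
    return attributed, unattributed

if __name__ == "__main__":
    hits, misses = correlate(SAMPLE_QHST)
    for user, times in misses.items():
        print(f"{user}: {len(times)} signon request(s) with no connect message, "
              f"first at {times[0]}")
```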
