• Subject: Re: Mystery jobs
  • From: "Jim Franz" <franz400@xxxxxxxxxxxx>
  • Date: Mon, 23 Apr 2001 13:07:46 -0400

i would treat this like a denial of service attempt.
800 print jobs from an unknown address, with
unsupported hex? the 400 i believe is compliant
with standard lpd. there are some lpd attacks
described at www.sans.org
the fact the 400 throws the bad packets away
is what makes it so strong. some other servers
might have rolled over.
since u may have been "probed" i would suggest
a review of your security. websphere has come under
attack in the last 6 months, in fact was part of a hacker
contest (don't know if ibm was aware till later-it was testing
some security products on NT/Unix).
jim

----- Original Message -----
From: "Bonnie Williams" <WilliamB@ccsd15.k12.il.us>
To: <MIDRANGE-L@midrange.com>
Sent: Monday, April 23, 2001 4:31 PM
Subject: Mystery jobs


> Every now and then, I see many job logs (sometimes as many as 800) on our system that are all identical and have a date/time stamp within a few minutes time.  I am trying to find out what kind of jobs these are and who is submitting them.
>
> I am copying one of the job logs below.  Does anyone know what kind of job this user is trying to run?  (I can see that the job is trying to call the LPD.)  Are they really trying to submit 800 different jobs?  Or is this something coming from the internet and I am getting a job log for each line of a print job that is trying to print?
>
> Also, I don't have a clue who belongs to the IP address listed in the job logs. The last time (a couple of weeks ago) that I saw these job logs, the IP address was different. Is there any way to tell who this is?
>
> We are at V4R4 and using Websphere Advanced Edition 3.02.
>
>
> Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . :   QTCP         Number . . . . . . . . . . . :   025150
>   Job description  . . . . . . :   QTMPLPD         Library . . . . . :   QTCP
> MSGID      TYPE                    SEV   DATE       TIME       FROM PGM     LIBRARY     INST     TO PGM       LIBRARY      INST
> CPF1124    Information             00    04/20/01   16:07:36   QWTPIIPP     QSYS        05E5     *EXT                      *N
>                                      Message . . . . :   Job 025150/QTCP/QTLPD00057 started on 04/20/01 at 16:07:36
>                                        in subsystem QSYSWRK in QSYS. Job entered system on 04/20/01 at 16:07:36.
> CPI1125    Information             00    04/20/01   16:07:36   QWTPIIPP     QSYS        029F     *EXT                      *N
>                                      Message . . . . :   Job 025150/QTCP/QTLPD00057 submitted.
>                                      Cause . . . . . :   Job 025150/QTCP/QTLPD00057 submitted to job queue
>                                        QSYSNOMAX in QSYS from job 025148/QTCP/QTLPD00056. Job
>                                        025150/QTCP/QTLPD00057 was started using the Submit Job (SBMJOB) command
>                                        with the following job attributes: JOBPTY(5) OUTPTY(5) PRTTXT()
>                                        RTGDTA(LPDSERVE) SYSLIBL(QGPL QSYS       QSYS2      QHLPSYS
>                                        QUSRSYS) CURLIB(QTCP) INLLIBL() LOG(4 00 *SECLVL) LOGCLPGM(*NO)
>                                        INQMSGRPY(*RQD) OUTQ(/*DEV) PRTDEV(PRT01) HOLD(*NO) DATE(*SYSVAL)
>                                        SWS(00000000) MSGQ(QUSRSYS/QTCP) CCSID(65535) SRTSEQ(*N/*HEX) LANGID(ENU)
>                                        CNTRYID(US) ALWMLTTHD(*NO).
> CPC1221    Completion              00    04/20/01   16:07:38   QWTCCSBJ     QSYS        0162     QTMPJOBS     QTCP         *STMT
>                                      To module . . . . . . . . . :   QTMPLPDS
>                                      To procedure  . . . . . . . :   DoCLCommand
>                                      Statement . . . . . . . . . :   167
>                                      Message . . . . :   Job 025152/QTCP/QTLPD00058 submitted to job queue
>                                        QSYSNOMAX in library QSYS.
> TCP3711    Information             40    04/20/01   16:07:38   QTMPLPDC     QTCP        *STMT    QTMPLPDC     QTCP         *STMT
>                                      From module . . . . . . . . :   QTMPLPDS
>                                      From procedure  . . . . . . :   SendProgramMsg
>                                      Statement . . . . . . . . . :   1414
>                                      To module . . . . . . . . . :   QTMPLPDS
>                                      To procedure  . . . . . . . :   SendProgramMsg
>                                      Statement . . . . . . . . . :   1414
>                                      Message . . . . :   Unsupported TCP/IP LPD server function requested.
>                                      Cause . . . . . :   The TCP/IP line printer daemon (LPD) server job received a
>                                        request for an unsupported function from remote system
>                                        24.78.39.171                   . The command received was X'42', the
>                                        sub-command was X'00'. The request was ignored. Recovery  . . . :   The
>                                        AS/400 LPD only supports the Receive a Printer Job (X'02') command and its
>                                        sub-commands. Command codes: Sub-Command codes:
>                                        -------------------------------  ------------------------------------ X'01'
>                                        - Print any Waiting Jobs   X'01' - Abort Job X'02' - Receive a Printer Job
>                                         X'02' - Receive Control File X'03' - Send Queue State Short   X'03' -
>                                        Receive Data File X'04' - Send Queue State Long    X'04' - Receive Control
>                                        File First X'05' - Remove Jobs X'05' - Receive Data File
>                                        Unspecified Length Technical description . . . . . . . . :   See the Request
>                                        For Comments 1179 (RFC1179) issued by the Internet Network Printer Working
>                                        Group, for details on all possible commands and options.
> CPC2191    Completion              00    04/20/01   16:07:38   QLIDLOBJ     QSYS        040E     QLICLLIB     QSYS         02A4
>                                      Message . . . . :   Object LPDMSGS in QTEMP type *USRSPC deleted.
> CPF1164    Completion              00    04/20/01   16:07:38   QWTMCEOJ     QSYS        00AA     *EXT                      *N
>                                      Message . . . . :   Job 025150/QTCP/QTLPD00057 ended on 04/20/01 at 16:07:38;
>                                        1 seconds used; end code 0 .
>                                      Cause . . . . . :   Job 025150/QTCP/QTLPD00057 completed on 04/20/01 at
>                                        16:07:38 after it used 1 seconds processing unit time.  The job had ending
>                                        code 0. The job ended after 1 routing steps with a secondary ending code of
>                                        0.  The job ending codes and their meanings are as follows:  0 - The job
>                                        completed normally. 10 - The job completed normally during controlled ending
>  5769SS1 V4R4M0 990521                           Job Log                           S1055D4M 04/20/01 16:07:38          Page    2
>   Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . :   QTCP         Number . . . . . . . . . . . :   025150
>   Job description  . . . . . . :   QTMPLPD         Library . . . . . :   QTCP
> MSGID      TYPE                    SEV   DATE       TIME       FROM PGM     LIBRARY     INST     TO PGM       LIBRARY      INST
>                                        or controlled subsystem ending. 20 - The job exceeded end severity (ENDSEV
>                                        job attribute). 30 - The job ended abnormally. 40 - The job ended before
>                                        becoming active. 50 - The job ended while the job was active. 60 - The
>                                        subsystem ended abnormally while the job was active. 70 - The system ended
>                                        abnormally while the job was active. 80 - The job ended (ENDJOBABN command).
>                                        90 - The job was forced to end after the time limit ended (ENDJOBABN
>                                        command). Recovery  . . . :   For more information, see the Work Management
>                                        book, SC41-5306.
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
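
An added example, not part of either message above: one way to work out who is behind the 800 job logs is to pull the TCP3711 rejection out of each one and group the results by remote address and command byte. The function names, thresholds and sample excerpts (documentation-range addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (names and sample data constructed). RFC 1179 codes as listed in TCP3711 above.
RFC1179 = {0x01, 0x02, 0x03, 0x04, 0x05}
START = re.compile(r"Job (\d{6}/\w+/\w+) started on (\d\d/\d\d/\d\d) at (\d\d:\d\d:\d\d)")
REJECT = re.compile(r"from remote system ([\d.]+)\s*\. The command received was "
                    r"X'([0-9A-F]{2})', the sub-command was X'([0-9A-F]{2})'")

def normalize(joblog):
    """Undo mail quoting and wrapping: drop '>' markers, collapse whitespace."""
    lines = (re.sub(r"^\s*>\s?", "", ln) for ln in joblog.splitlines())
    return re.sub(r"\s+", " ", " ".join(lines))

def parse_joblog(joblog):
    """Return (job, started, remote_ip, command) or None if no TCP3711 rejection."""
    text = normalize(joblog)
    start, rej = START.search(text), REJECT.search(text)
    if not (start and rej):
        return None
    started = datetime.strptime(f"{start.group(2)} {start.group(3)}", "%m/%d/%y %H:%M:%S")
    return start.group(1), started, rej.group(1), int(rej.group(2), 16)

def classify(cmd):
    if cmd == 0x02:  # the only command the job log says the AS/400 LPD accepts
        return "supported"
    return "rfc1179-unsupported" if cmd in RFC1179 else "not-rfc1179"

def summarize(joblogs, window=timedelta(minutes=5), threshold=3):
    """Group rejections by remote address; flag >= threshold jobs inside window."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_joblog, joblogs)):
        by_ip[rec[2]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        times = sorted(r[1] for r in recs)
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        cmds = sorted({(f"X'{r[3]:02X}'", classify(r[3])) for r in recs})
        report[ip] = {"jobs": len(recs), "burst": burst, "commands": cmds}
    return report

def sample(num, time, ip, cmd):  # constructed excerpt, wrapped like the quoted job log
    return (f"> Message . . . . :   Job\n{num}/QTCP/QTLPD00001 started on 04/20/01 at {time}\n"
            f"> request for an unsupported function\nfrom remote system\n>   {ip}        .\n"
            f"The command received was X'{cmd}', the\n> sub-command was X'00'. The request\nwas ignored.")
SAMPLE = [sample("000101", "16:07:36", "192.0.2.10", "42"), sample("000102", "16:07:38", "192.0.2.10", "42"),
          sample("000103", "16:07:40", "192.0.2.10", "42"), sample("000104", "09:00:00", "198.51.100.7", "03")]
```

Calling `summarize(SAMPLE)` reports the first address as a burst of three jobs sending a byte that is not an RFC 1179 command, and the second as a single queue-state request.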


This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].