
  • Subject: Re: Mystery jobs
  • From: "Neil Palmer" <neilp@xxxxxxxxxxx>
  • Date: Mon, 23 Apr 2001 18:27:35 -0400

Bonnie,

I believe some l0zer is trying to hack your system, thinking it's a Linux 
box, using a known remote root LPD exploit.  I believe Red Hat Linux is 
one of the most vulnerable.
http://archives.neohapsis.com/archives/vuln-dev/2000-q4/0554.html

Once they locate a box running LPD they pass the IP address on to all 
their "don't have a life and can't get a girlfriend" loser buddies, and 
you'll probably get several attacks over a period of a few days. 
Eventually they'll realize they can't get in, give up, and go bother 
someone else's system.

You can try to track the IP address via tracert on a PC (or whois - try 
http://www.networksolutions.com/cgi-bin/whois/whois ) and see if you can 
identify their ISP.  If it's in North America or Western Europe, etc. you 
could try emailing a complaint to the ISP at "abuse@name_of_ISP.com/net". 
Some ISPs will cancel the account of any customer abusing the terms of 
their agreement, then the pimply faced little twerp will have to amuse 
himself down at the mall terrorizing the WalMart greeter for a while until 
he gets signed up with a new ISP.  If the ISP is outside of North America, 
Western Europe, Australia/New Zealand/Japan etc. you would probably be 
wasting your time sending a complaint email to an ISP in Taiwan, Korea, 
Brazil, Hong Kong, India, Russia, China, etc.

...Neil





"Bonnie Williams" <WilliamB@ccsd15.k12.il.us>
Sent by: owner-midrange-l@midrange.com
2001/04/23 16:31
Please respond to MIDRANGE-L

 
        To:     <MIDRANGE-L@midrange.com>
        cc: 
        Subject:        Mystery jobs


Every now and then, I see many job logs (sometimes as many as 800) on our 
system that are all identical and have a date/time stamp within a few 
minutes' time.  I am trying to find out what kind of jobs these are and who 
is submitting them.

I am copying one of the job logs below.  Does anyone know what kind of job 
this user is trying to run?  (I can see that the job is trying to call the 
LPD.)  Are they really trying to submit 800 different jobs?  Or is this 
something coming from the internet and I am getting a job log for each 
line of a print job that is trying to print?

Also, I don't have a clue who belongs to the IP address listed in the job 
logs. The last time (a couple of weeks ago) that I saw these job logs, the 
IP address was different. Is there any way to tell who this is?

We are at V4R4 and using Websphere Advanced Edition 3.02.


Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . : QTCP  
      Number . . . . . . . . . . . :   025150
  Job description  . . . . . . :   QTMPLPD         Library . . . . . : 
QTCP
MSGID      TYPE                    SEV   DATE       TIME       FROM PGM  
LIBRARY     INST     TO PGM       LIBRARY      INST
CPF1124    Information             00    04/20/01   16:07:36   QWTPIIPP  
QSYS        05E5     *EXT                      *N
                                     Message . . . . :   Job 
025150/QTCP/QTLPD00057 started on 04/20/01 at 16:07:36
                                       in subsystem QSYSWRK in QSYS. Job 
entered system on 04/20/01 at 16:07:36.
CPI1125    Information             00    04/20/01   16:07:36   QWTPIIPP  
QSYS        029F     *EXT                      *N
                                     Message . . . . :   Job 
025150/QTCP/QTLPD00057 submitted.
                                     Cause . . . . . :   Job 
025150/QTCP/QTLPD00057 submitted to job queue
                                       QSYSNOMAX in QSYS from job 
025148/QTCP/QTLPD00056. Job
                                       025150/QTCP/QTLPD00057 was started 
using the Submit Job (SBMJOB) command
                                       with the following job attributes: 
JOBPTY(5) OUTPTY(5) PRTTXT()
                                       RTGDTA(LPDSERVE) SYSLIBL(QGPL QSYS  
    QSYS2      QHLPSYS
                                       QUSRSYS) CURLIB(QTCP) INLLIBL() 
LOG(4 00 *SECLVL) LOGCLPGM(*NO)
                                       INQMSGRPY(*RQD) OUTQ(/*DEV) 
PRTDEV(PRT01) HOLD(*NO) DATE(*SYSVAL)
                                       SWS(00000000) MSGQ(QUSRSYS/QTCP) 
CCSID(65535) SRTSEQ(*N/*HEX) LANGID(ENU)
                                       CNTRYID(US) ALWMLTTHD(*NO).
CPC1221    Completion              00    04/20/01   16:07:38   QWTCCSBJ  
QSYS        0162     QTMPJOBS     QTCP         *STMT
                                     To module . . . . . . . . . : 
QTMPLPDS
                                     To procedure  . . . . . . . : 
DoCLCommand
                                     Statement . . . . . . . . . :   167
                                     Message . . . . :   Job 
025152/QTCP/QTLPD00058 submitted to job queue
                                       QSYSNOMAX in library QSYS.
TCP3711    Information             40    04/20/01   16:07:38   QTMPLPDC  
QTCP        *STMT    QTMPLPDC     QTCP         *STMT
                                     From module . . . . . . . . : 
QTMPLPDS
                                     From procedure  . . . . . . : 
SendProgramMsg
                                     Statement . . . . . . . . . :   1414
                                     To module . . . . . . . . . : 
QTMPLPDS
                                     To procedure  . . . . . . . : 
SendProgramMsg
                                     Statement . . . . . . . . . :   1414
                                     Message . . . . :   Unsupported 
TCP/IP LPD server function requested.
                                     Cause . . . . . :   The TCP/IP line 
printer daemon (LPD) server job received a
                                       request for an unsupported function 
from remote system
                                       24.78.39.171                   . 
The command received was X'42', the
                                       sub-command was X'00'. The request 
was ignored. Recovery  . . . :   The
                                       AS/400 LPD only supports the 
Receive a Printer Job (X'02') command and its
                                       sub-commands. Command codes:   
Sub-Command codes:
                                       ------------------------------- 
------------------------------------ X'01'
                                       - Print any Waiting Jobs   X'01' - 
Abort Job X'02' - Receive a Printer Job
                                        X'02' - Receive Control File X'03' 
- Send Queue State Short   X'03' -
                                       Receive Data File X'04' - Send 
Queue State Long    X'04' - Receive Control
                                       File First X'05' - Remove Jobs   
X'05' - Receive Data File
                                       Unspecified Length Technical 
description . . . . . . . . :   See the Request
                                       For Comments 1179 (RFC1179) issued 
by the Internet Network Printer Working
                                       Group, for details on all possible 
commands and options.
CPC2191    Completion              00    04/20/01   16:07:38   QLIDLOBJ  
QSYS        040E     QLICLLIB     QSYS         02A4
                                     Message . . . . :   Object LPDMSGS in 
QTEMP type *USRSPC deleted.
CPF1164    Completion              00    04/20/01   16:07:38   QWTMCEOJ  
QSYS        00AA     *EXT                      *N
                                     Message . . . . :   Job 
025150/QTCP/QTLPD00057 ended on 04/20/01 at 16:07:38;
                                       1 seconds used; end code 0 .
                                     Cause . . . . . :   Job 
025150/QTCP/QTLPD00057 completed on 04/20/01 at
                                       16:07:38 after it used 1 seconds 
processing unit time.  The job had ending
                                       code 0. The job ended after 1 
routing steps with a secondary ending code of
                                       0.  The job ending codes and their 
meanings are as follows:  0 - The job
                                       completed normally. 10 - The job 
completed normally during controlled ending
 5769SS1 V4R4M0 990521                           Job Log  S1055D4M 
04/20/01 16:07:38          Page    2
  Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . : 
QTCP         Number . . . . . . . . . . . :   025150
  Job description  . . . . . . :   QTMPLPD         Library . . . . . : 
QTCP
MSGID      TYPE                    SEV   DATE       TIME       FROM PGM  
LIBRARY     INST     TO PGM       LIBRARY      INST
                                       or controlled subsystem ending. 20 
- The job exceeded end severity (ENDSEV
                                       job attribute). 30 - The job ended 
abnormally. 40 - The job ended before
                                       becoming active. 50 - The job ended 
while the job was active. 60 - The
                                       subsystem ended abnormally while 
the job was active. 70 - The system ended
                                       abnormally while the job was 
active. 80 - The job ended (ENDJOBABN command).
                                       90 - The job was forced to end 
after the time limit ended (ENDJOBABN
                                       command). Recovery  . . . :   For 
more information, see the Work Management
                                       book, SC41-5306.



+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
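The job log above answers Bonnie's question in its TCP3711 message: the LPD server got a request whose first byte was X'42', which is not one of the five command codes RFC 1179 defines (X'01' to X'05'), so it was not a print job at all, and the AS/400 LPD in any case accepts only X'02' (Receive a printer job). The following Python script is an added example, not code from the thread or from IBM: it pulls the remote IP and command/sub-command bytes out of TCP3711 messages in job log text (tolerating the line wrapping seen above), decodes them against the RFC 1179 command table and the sub-command table from the message, and counts rejections per source address so that hundreds of identical hits from one IP stand out from a stray queue-status query. The regular expression assumes the exact TCP3711 wording shown in the log; the sample input reuses the page's own message once and adds two constructed entries (192.0.2.10 is a documentation address).

```python
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Top-level LPD command codes from RFC 1179, section 5 (first byte of a request).
RFC1179_COMMANDS = {
    0x01: "Print any waiting jobs",
    0x02: "Receive a printer job",
    0x03: "Send queue state (short)",
    0x04: "Send queue state (long)",
    0x05: "Remove jobs",
}

# Sub-commands of "Receive a printer job" as the TCP3711 message lists them
# (RFC 1179 defines 01-03; X'04' and X'05' are listed by the AS/400 server).
RECEIVE_JOB_SUBCOMMANDS = {
    0x01: "Abort job",
    0x02: "Receive control file",
    0x03: "Receive data file",
    0x04: "Receive control file first",
    0x05: "Receive data file, unspecified length",
}

# Per the TCP3711 recovery text, the AS/400 LPD supports only X'02'.
SERVER_SUPPORTED_COMMANDS = {0x02}

VERDICT_INVALID = "invalid: not an RFC 1179 command code"
VERDICT_UNSUPPORTED = "valid RFC 1179 command, unsupported by this LPD server"
VERDICT_SUPPORTED = "supported command"

# Variable part of a TCP3711 message. Job logs wrap long lines, so every gap is
# matched with \s+ and the padded IP address may be followed by a lone ".".
TCP3711_RE = re.compile(
    r"from\s+remote\s+system\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\.?\s*"
    r"The\s+command\s+received\s+was\s+X'(?P<cmd>[0-9A-Fa-f]{2})',\s*the\s+"
    r"sub-command\s+was\s+X'(?P<sub>[0-9A-Fa-f]{2})'"
)


@dataclass(frozen=True)
class LpdRejection:
    """One rejected LPD request as reported by a TCP3711 message."""
    source_ip: str
    command: int
    subcommand: int

    @property
    def verdict(self) -> str:
        if self.command not in RFC1179_COMMANDS:
            return VERDICT_INVALID
        if self.command not in SERVER_SUPPORTED_COMMANDS:
            return VERDICT_UNSUPPORTED
        return VERDICT_SUPPORTED

    def describe(self) -> str:
        cmd = RFC1179_COMMANDS.get(self.command, "unknown")
        sub = RECEIVE_JOB_SUBCOMMANDS.get(self.subcommand, "none/unknown")
        return (f"{self.source_ip}: command X'{self.command:02X}' ({cmd}), "
                f"sub-command X'{self.subcommand:02X}' ({sub}) -> {self.verdict}")


def parse_tcp3711(joblog_text: str) -> list[LpdRejection]:
    """Extract every TCP3711 rejection from job log text, wrapped or not."""
    return [LpdRejection(m["ip"], int(m["cmd"], 16), int(m["sub"], 16))
            for m in TCP3711_RE.finditer(joblog_text)]


def summarize_by_source(rejections: list[LpdRejection]) -> dict[str, dict[str, int]]:
    """Count rejections per source IP, broken down by verdict. Many hits from one
    address with a byte that is not even an LPD command is the pattern worth an
    abuse report; a single X'03' is more likely a real client asking queue status."""
    counts: dict[str, Counter] = defaultdict(Counter)
    for r in rejections:
        counts[r.source_ip][r.verdict] += 1
    return {ip: dict(c) for ip, c in counts.items()}


# Constructed sample: the first entry is the page's own wrapped TCP3711 text,
# the second and third are made up to show repetition and a benign query.
SAMPLE_JOBLOG = """\
TCP3711    Information             40    04/20/01   16:07:38   QTMPLPDC
                                     Cause . . . . . :   The TCP/IP line
printer daemon (LPD) server job received a
                                       request for an unsupported function
from remote system
                                       24.78.39.171                   .
The command received was X'42', the
                                       sub-command was X'00'. The request
was ignored.
TCP3711    Information             40    04/20/01   16:09:02   QTMPLPDC
  Cause . . . . . :   The TCP/IP line printer daemon (LPD) server job received
a request for an unsupported function from remote system 24.78.39.171 . The
command received was X'42', the sub-command was X'00'. The request was ignored.
TCP3711    Information             40    04/20/01   17:30:11   QTMPLPDC
  Cause . . . . . :   The TCP/IP line printer daemon (LPD) server job received
a request for an unsupported function from remote system 192.0.2.10 . The
command received was X'03', the sub-command was X'00'. The request was ignored.
"""

if __name__ == "__main__":
    rejections = parse_tcp3711(SAMPLE_JOBLOG)
    for r in rejections:
        print(r.describe())
    print(summarize_by_source(rejections))
```

On a real system the input would be the spooled job logs (for example the output of DSPJOBLOG for the QTLPD* jobs copied to a stream file); the per-IP summary is what to attach to an abuse@ complaint, since it shows the count, the time span and that the bytes sent were never a valid print request.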
