• Subject: Re: Mystery jobs
  • From: "Jim Franz" <franz400@xxxxxxxxxxxx>
  • Date: Mon, 23 Apr 2001 19:52:11 -0400

Neil - would you say the 400, with its level of error trapping, is fairly
impervious to these kinds of IP-related attacks?
jim

----- Original Message -----
From: "Neil Palmer" <neilp@dpslink.com>
To: <MIDRANGE-L@midrange.com>
Sent: Monday, April 23, 2001 6:27 PM
Subject: Re: Mystery jobs


> Bonnie,
>
> I believe some l0zer is trying to hack your system, thinking it's a Linux
> box, using a known remote root LPD exploit.  I believe Red Hat Linux is
> one of the most vulnerable.
> http://archives.neohapsis.com/archives/vuln-dev/2000-q4/0554.html
>
> Once they locate a box running LPD they pass the IP address on to all
> their "don't have a life and can't get a girlfriend" loser buddies, and
> you'll probably get several attacks over a period of a few days.
> Eventually they'll realize they can't get in, give up, and go bother
> someone else's system.
>
> You can try to track the IP address via tracert on a PC (or whois - try
> http://www.networksolutions.com/cgi-bin/whois/whois ) and see if you can
> identify their ISP.  If it's in North America or Western Europe, etc. you
> could try emailing a complaint to the ISP at "abuse@name_of_ISP.com/net".
> Some ISPs will cancel the account of any customer abusing the terms of
> their agreement, then the pimply faced little twerp will have to amuse
> himself down at the mall terrorizing the WalMart greeter for a while until
> he gets signed up with a new ISP.  If the ISP is outside of North America,
> Western Europe, Australia/New Zealand/Japan etc. you would probably be
> wasting your time sending a complaint email to an ISP in Taiwan, Korea,
> Brazil, Hong Kong, India, Russia, China, etc.
>
> ...Neil
>
>
>
>
>
> "Bonnie Williams" <WilliamB@ccsd15.k12.il.us>
> Sent by: owner-midrange-l@midrange.com
> 2001/04/23 16:31
> Please respond to MIDRANGE-L
>
>
>         To:     <MIDRANGE-L@midrange.com>
>         cc:
>         Subject:        Mystery jobs
>
>
> Every now and then, I see many job logs (sometimes as many as 800) on our
> system that are all identical and have a date/time stamp within a few
> minutes time.  I am trying to find out what kind of jobs these are and who
> is submitting them.
>
> I am copying one of the job logs below.  Does anyone know what kind of job
> this user is trying to run?  (I can see that the job is trying to call the
> LPD.)  Are they really trying to submit 800 different jobs?  Or is this
> something coming from the internet and I am getting a job log for each
> line of a print job that is trying to print?
>
> Also, I don't have a clue who belongs to the IP address listed in the job
> logs. The last time (a couple of weeks ago) that I saw these job logs, the
> IP address was different. Is there any way to tell who this is?
>
> We are at V4R4 and using Websphere Advanced Edition 3.02.
>
>
> Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . : QTCP
>       Number . . . . . . . . . . . :   025150
>   Job description  . . . . . . :   QTMPLPD         Library . . . . . :
> QTCP
> MSGID      TYPE                    SEV   DATE       TIME       FROM PGM
> LIBRARY     INST     TO PGM       LIBRARY      INST
> CPF1124    Information             00    04/20/01   16:07:36   QWTPIIPP
> QSYS        05E5     *EXT                      *N
>                                      Message . . . . :   Job
> 025150/QTCP/QTLPD00057 started on 04/20/01 at 16:07:36
>                                        in subsystem QSYSWRK in QSYS. Job
> entered system on 04/20/01 at 16:07:36.
> CPI1125    Information             00    04/20/01   16:07:36   QWTPIIPP
> QSYS        029F     *EXT                      *N
>                                      Message . . . . :   Job
> 025150/QTCP/QTLPD00057 submitted.
>                                      Cause . . . . . :   Job
> 025150/QTCP/QTLPD00057 submitted to job queue
>                                        QSYSNOMAX in QSYS from job
> 025148/QTCP/QTLPD00056. Job
>                                        025150/QTCP/QTLPD00057 was started
> using the Submit Job (SBMJOB) command
>                                        with the following job attributes:
> JOBPTY(5) OUTPTY(5) PRTTXT()
>                                        RTGDTA(LPDSERVE) SYSLIBL(QGPL QSYS
>     QSYS2      QHLPSYS
>                                        QUSRSYS) CURLIB(QTCP) INLLIBL()
> LOG(4 00 *SECLVL) LOGCLPGM(*NO)
>                                        INQMSGRPY(*RQD) OUTQ(/*DEV)
> PRTDEV(PRT01) HOLD(*NO) DATE(*SYSVAL)
>                                        SWS(00000000) MSGQ(QUSRSYS/QTCP)
> CCSID(65535) SRTSEQ(*N/*HEX) LANGID(ENU)
>                                        CNTRYID(US) ALWMLTTHD(*NO).
> CPC1221    Completion              00    04/20/01   16:07:38   QWTCCSBJ
> QSYS        0162     QTMPJOBS     QTCP         *STMT
>                                      To module . . . . . . . . . :
> QTMPLPDS
>                                      To procedure  . . . . . . . :
> DoCLCommand
>                                      Statement . . . . . . . . . :   167
>                                      Message . . . . :   Job
> 025152/QTCP/QTLPD00058 submitted to job queue
>                                        QSYSNOMAX in library QSYS.
> TCP3711    Information             40    04/20/01   16:07:38   QTMPLPDC
> QTCP        *STMT    QTMPLPDC     QTCP         *STMT
>                                      From module . . . . . . . . :
> QTMPLPDS
>                                      From procedure  . . . . . . :
> SendProgramMsg
>                                      Statement . . . . . . . . . :   1414
>                                      To module . . . . . . . . . :
> QTMPLPDS
>                                      To procedure  . . . . . . . :
> SendProgramMsg
>                                      Statement . . . . . . . . . :   1414
>                                      Message . . . . :   Unsupported
> TCP/IP LPD server function requested.
>                                      Cause . . . . . :   The TCP/IP line
> printer daemon (LPD) server job received a
>                                        request for an unsupported function
> from remote system
>                                        24.78.39.171                   .
> The command received was X'42', the
>                                        sub-command was X'00'. The request
> was ignored. Recovery  . . . :   The
>                                        AS/400 LPD only supports the
> Receive a Printer Job (X'02') command and its
>                                        sub-commands. Command codes:
> Sub-Command codes:
>                                        -------------------------------
> ------------------------------------ X'01'
>                                        - Print any Waiting Jobs   X'01' -
> Abort Job X'02' - Receive a Printer Job
>                                         X'02' - Receive Control File X'03'
> - Send Queue State Short   X'03' -
>                                        Receive Data File X'04' - Send
> Queue State Long    X'04' - Receive Control
>                                        File First X'05' - Remove Jobs
> X'05' - Receive Data File
>                                        Unspecified Length Technical
> description . . . . . . . . :   See the Request
>                                        For Comments 1179 (RFC1179) issued
> by the Internet Network Printer Working
>                                        Group, for details on all possible
> commands and options.
> CPC2191    Completion              00    04/20/01   16:07:38   QLIDLOBJ
> QSYS        040E     QLICLLIB     QSYS         02A4
>                                      Message . . . . :   Object LPDMSGS in
> QTEMP type *USRSPC deleted.
> CPF1164    Completion              00    04/20/01   16:07:38   QWTMCEOJ
> QSYS        00AA     *EXT                      *N
>                                      Message . . . . :   Job
> 025150/QTCP/QTLPD00057 ended on 04/20/01 at 16:07:38;
>                                        1 seconds used; end code 0 .
>                                      Cause . . . . . :   Job
> 025150/QTCP/QTLPD00057 completed on 04/20/01 at
>                                        16:07:38 after it used 1 seconds
> processing unit time.  The job had ending
>                                        code 0. The job ended after 1
> routing steps with a secondary ending code of
>                                        0.  The job ending codes and their
> meanings are as follows:  0 - The job
>                                        completed normally. 10 - The job
> completed normally during controlled ending
>  5769SS1 V4R4M0 990521                           Job Log  S1055D4M
> 04/20/01 16:07:38          Page    2
>   Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . :
> QTCP         Number . . . . . . . . . . . :   025150
>   Job description  . . . . . . :   QTMPLPD         Library . . . . . :
> QTCP
> MSGID      TYPE                    SEV   DATE       TIME       FROM PGM
> LIBRARY     INST     TO PGM       LIBRARY      INST
>                                        or controlled subsystem ending. 20
> - The job exceeded end severity (ENDSEV
>                                        job attribute). 30 - The job ended
> abnormally. 40 - The job ended before
>                                        becoming active. 50 - The job ended
> while the job was active. 60 - The
>                                        subsystem ended abnormally while
> the job was active. 70 - The system ended
>                                        abnormally while the job was
> active. 80 - The job ended (ENDJOBABN command).
>                                        90 - The job was forced to end
> after the time limit ended (ENDJOBABN
>                                        command). Recovery  . . . :   For
> more information, see the Work Management
>                                        book, SC41-5306.
>
>
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
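
For triage of logs like the one quoted above, the following added example (not part of the original thread) pulls every TCP3711 entry out of exported job-log text and groups the requests by remote address, which answers "who is sending these and how many". It assumes the job logs have been saved as plain text; the function names and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

RFC1179_COMMANDS = range(0x01, 0x06)  # X'01'..X'05', as listed in the TCP3711 text

# Constructed sample: TCP3711 entries, wrapped and '>'-quoted like the log above.
# Addresses are documentation ranges, not taken from the original post.
SAMPLE_LOG = """\
> TCP3711    Information             40    04/20/01   16:07:38   QTMPLPDC
> QTCP        *STMT    QTMPLPDC     QTCP         *STMT
>                                        request for an unsupported function
> from remote system
>                                        192.0.2.10                     .
> The command received was X'42', the
>                                        sub-command was X'00'. The request
> was ignored.
> TCP3711    Information             40    04/20/01   16:09:02   QTMPLPDC
>            request for an unsupported function from remote system
>            192.0.2.10       . The command received was X'42', the sub-command was X'00'.
> TCP3711    Information             40    04/21/01   03:15:40   QTMPLPDC
>            request for an unsupported function from remote system
>            198.51.100.7     . The command received was X'03', the sub-command was X'00'.
"""

EVENT = re.compile(
    r"TCP3711\s+Information\s+\d+\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d:\d\d)"
    r"(?:(?!TCP3711\s).)*?remote system\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\."
    r"\s*The command received was X'([0-9A-F]{2})',"
    r"\s*the sub-command was X'([0-9A-F]{2})'")

def parse_events(text):
    """Return (timestamp, ip, command, sub_command) per TCP3711 entry."""
    lines = (re.sub(r"^\s*(?:>\s?)*", "", ln) for ln in text.splitlines())
    flat = " ".join(" ".join(lines).split())  # undo spool-file line wrapping
    return [(datetime.strptime(f"{d} {t}", "%m/%d/%y %H:%M:%S"), ip,
             int(cmd, 16), int(sub, 16))
            for d, t, ip, cmd, sub in EVENT.findall(flat)]

def summarize(events):
    """Per source address: request count, first/last seen, command bytes seen."""
    by_ip = defaultdict(list)
    for ts, ip, cmd, _sub in events:
        by_ip[ip].append((ts, cmd))
    return {ip: {"count": len(v), "first": min(v)[0], "last": max(v)[0],
                 "commands": sorted({c for _, c in v}),
                 # True when a byte is outside the RFC 1179 daemon command set
                 "non_lpd": any(c not in RFC1179_COMMANDS for _, c in v)}
            for ip, v in by_ip.items()}
```

Calling `summarize(parse_events(text))` on the saved job logs gives one record per source address; a `non_lpd` source sending hundreds of requests within minutes looks like the pattern described in the thread rather than a misconfigured print client.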

