Neil - would you say the 400, with its level of error trapping, is fairly impervious to these kinds of IP-related attacks?

jim

----- Original Message -----
From: "Neil Palmer" <neilp@dpslink.com>
To: <MIDRANGE-L@midrange.com>
Sent: Monday, April 23, 2001 6:27 PM
Subject: Re: Mystery jobs

> Bonnie,
>
> I believe some l0zer is trying to hack your system, thinking it's a Linux
> box, using a known remote root LPD exploit. I believe Red Hat Linux is
> one of the most vulnerable.
> http://archives.neohapsis.com/archives/vuln-dev/2000-q4/0554.html
>
> Once they locate a box running LPD they pass the IP address on to all
> their "don't have a life and can't get a girlfriend" loser buddies, and
> you'll probably get several attacks over a period of a few days.
> Eventually they'll realize they can't get in, give up, and go bother
> someone else's system.
>
> You can try to track the IP address via tracert on a PC (or whois - try
> http://www.networksolutions.com/cgi-bin/whois/whois ) and see if you can
> identify their ISP. If it's in North America or Western Europe, etc. you
> could try emailing a complaint to the ISP at "abuse@name_of_ISP.com/net".
> Some ISPs will cancel the account of any customer abusing the terms of
> their agreement; then the pimply faced little twerp will have to amuse
> himself down at the mall terrorizing the WalMart greeter for a while until
> he gets signed up with a new ISP. If the ISP is outside of North America,
> Western Europe, Australia/New Zealand/Japan etc. you would probably be
> wasting your time sending a complaint email to an ISP in Taiwan, Korea,
> Brazil, Hong Kong, India, Russia, China, etc.
>
> ...Neil
>
>
> "Bonnie Williams" <WilliamB@ccsd15.k12.il.us>
> Sent by: owner-midrange-l@midrange.com
> 2001/04/23 16:31
> Please respond to MIDRANGE-L
>
> To: <MIDRANGE-L@midrange.com>
> cc:
> Subject: Mystery jobs
>
> Every now and then, I see many job logs (sometimes as many as 800) on our
> system that are all identical and have a date/time stamp within a few
> minutes time. I am trying to find out what kind of jobs these are and who
> is submitting them.
>
> I am copying one of the job logs below. Does anyone know what kind of job
> this user is trying to run? (I can see that the job is trying to call the
> LPD.) Are they really trying to submit 800 different jobs? Or is this
> something coming from the internet and I am getting a job log for each
> line of a print job that is trying to print?
>
> Also, I don't have a clue who belongs to the IP address listed in the job
> logs. The last time (a couple of weeks ago) that I saw these job logs, the
> IP address was different. Is there any way to tell who this is?
>
> We are at V4R4 and using Websphere Advanced Edition 3.02.
>
>
> Job name . . . . . . . . . . :   QTLPD00057      User  . . . . . . :   QTCP
> Number . . . . . . . . . . . :   025150
> Job description  . . . . . . :   QTMPLPD         Library . . . . . :   QTCP
> MSGID      TYPE                    SEV  DATE      TIME      FROM PGM     LIBRARY     INST     TO PGM      LIBRARY     INST
> CPF1124    Information             00   04/20/01  16:07:36  QWTPIIPP     QSYS        05E5     *EXT                    *N
>   Message . . . . :   Job 025150/QTCP/QTLPD00057 started on 04/20/01 at 16:07:36
>     in subsystem QSYSWRK in QSYS. Job entered system on 04/20/01 at 16:07:36.
> CPI1125    Information             00   04/20/01  16:07:36  QWTPIIPP     QSYS        029F     *EXT                    *N
>   Message . . . . :   Job 025150/QTCP/QTLPD00057 submitted.
>   Cause . . . . . :   Job 025150/QTCP/QTLPD00057 submitted to job queue QSYSNOMAX in QSYS
>     from job 025148/QTCP/QTLPD00056. Job 025150/QTCP/QTLPD00057 was started using
>     the Submit Job (SBMJOB) command with the following job attributes:
>     JOBPTY(5) OUTPTY(5) PRTTXT() RTGDTA(LPDSERVE) SYSLIBL(QGPL QSYS QSYS2 QHLPSYS
>     QUSRSYS) CURLIB(QTCP) INLLIBL() LOG(4 00 *SECLVL) LOGCLPGM(*NO) INQMSGRPY(*RQD)
>     OUTQ(/*DEV) PRTDEV(PRT01) HOLD(*NO) DATE(*SYSVAL) SWS(00000000) MSGQ(QUSRSYS/QTCP)
>     CCSID(65535) SRTSEQ(*N/*HEX) LANGID(ENU) CNTRYID(US) ALWMLTTHD(*NO).
> CPC1221    Completion              00   04/20/01  16:07:38  QWTCCSBJ     QSYS        0162     QTMPJOBS    QTCP        *STMT
>   To module . . . . . . . . . :   QTMPLPDS
>   To procedure  . . . . . . . :   DoCLCommand
>   Statement . . . . . . . . . :   167
>   Message . . . . :   Job 025152/QTCP/QTLPD00058 submitted to job queue QSYSNOMAX in library QSYS.
> TCP3711    Information             40   04/20/01  16:07:38  QTMPLPDC     QTCP        *STMT    QTMPLPDC    QTCP        *STMT
>   From module . . . . . . . . :   QTMPLPDS
>   From procedure  . . . . . . :   SendProgramMsg
>   Statement . . . . . . . . . :   1414
>   To module . . . . . . . . . :   QTMPLPDS
>   To procedure  . . . . . . . :   SendProgramMsg
>   Statement . . . . . . . . . :   1414
>   Message . . . . :   Unsupported TCP/IP LPD server function requested.
>   Cause . . . . . :   The TCP/IP line printer daemon (LPD) server job received a request
>     for an unsupported function from remote system 24.78.39.171 . The command received
>     was X'42', the sub-command was X'00'. The request was ignored.
>   Recovery  . . . :   The AS/400 LPD only supports the Receive a Printer Job (X'02')
>     command and its sub-commands.
>       Command codes:                         Sub-Command codes:
>       -------------------------------        ------------------------------------
>       X'01' - Print any Waiting Jobs         X'01' - Abort Job
>       X'02' - Receive a Printer Job          X'02' - Receive Control File
>       X'03' - Send Queue State Short         X'03' - Receive Data File
>       X'04' - Send Queue State Long          X'04' - Receive Control File First
>       X'05' - Remove Jobs                    X'05' - Receive Data File Unspecified Length
>   Technical description . . . . . . . . :   See the Request For Comments 1179 (RFC1179)
>     issued by the Internet Network Printer Working Group, for details on all possible
>     commands and options.
> CPC2191    Completion              00   04/20/01  16:07:38  QLIDLOBJ     QSYS        040E     QLICLLIB    QSYS        02A4
>   Message . . . . :   Object LPDMSGS in QTEMP type *USRSPC deleted.
> CPF1164    Completion              00   04/20/01  16:07:38  QWTMCEOJ     QSYS        00AA     *EXT                    *N
>   Message . . . . :   Job 025150/QTCP/QTLPD00057 ended on 04/20/01 at 16:07:38; 1 seconds used; end code 0 .
>   Cause . . . . . :   Job 025150/QTCP/QTLPD00057 completed on 04/20/01 at 16:07:38 after it
>     used 1 seconds processing unit time. The job had ending code 0. The job ended after 1
>     routing steps with a secondary ending code of 0. The job ending codes and their
>     meanings are as follows: 0 - The job completed normally. 10 - The job completed
>     normally during controlled ending
> 5769SS1 V4R4M0 990521                        Job Log                        S1055D4M   04/20/01  16:07:38   Page    2
>     or controlled subsystem ending. 20 - The job exceeded end severity (ENDSEV job
>     attribute). 30 - The job ended abnormally. 40 - The job ended before becoming active.
>     50 - The job ended while the job was active. 60 - The subsystem ended abnormally while
>     the job was active. 70 - The system ended abnormally while the job was active.
>     80 - The job ended (ENDJOBABN command). 90 - The job was forced to end after the
>     time limit ended (ENDJOBABN command).
>   Recovery  . . . :   For more information, see the Work Management book, SC41-5306.
>
>
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
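Bonnie's question (are these 800 identical job logs one remote source, and what is it sending?) is answerable from the TCP3711 messages alone: each one names the remote IP and the LPD command byte it sent. The script below is an added example and not code from the thread or from IBM. It assumes the job logs have been spooled to a text file in the layout quoted above; the sample log text is constructed here (the address from the thread plus a documentation address, 198.51.100.7), and it generalizes the single log shown to many logs: it groups unsupported-function messages by source address, names the command byte against the RFC 1179 table from the message text, and flags a source that sends a burst of them within a short window, which is the pattern Neil describes.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Command bytes from RFC 1179 as listed in the TCP3711 message text; the AS/400 LPD
# server accepts only X'02' (Receive a Printer Job).
RFC1179_COMMANDS = {0x01: "Print any waiting jobs", 0x02: "Receive a printer job",
                    0x03: "Send queue state (short)", 0x04: "Send queue state (long)",
                    0x05: "Remove jobs"}
SUPPORTED_COMMANDS = {0x02}

# Job-log message header (MSGID, type, severity, date, time) in the layout quoted in the thread;
# DETAIL_RE matches the TCP3711 cause text once its continuation lines are joined with spaces.
MSG_HEADER_RE = re.compile(r"^([A-Z]{2,3}\d{4})\s+\S+\s+\d{2}\s+(\d\d/\d\d/\d\d)\s+(\d\d:\d\d:\d\d)")
DETAIL_RE = re.compile(r"from remote system\s+(\d{1,3}(?:\.\d{1,3}){3})\s*\.\s*The command received "
                       r"was X'([0-9A-F]{2})', the sub-command was X'([0-9A-F]{2})'")

LpdProbe = namedtuple("LpdProbe", "ts ip command subcommand")


def parse_joblog(text):
    """Split spooled job-log text into (msgid, timestamp, joined detail text) records."""
    records = []
    for line in text.splitlines():
        m = MSG_HEADER_RE.match(line)
        if m:
            msgid, date, time = m.groups()
            records.append([msgid, datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S"), []])
        elif records:  # indented continuation line belongs to the most recent message
            records[-1][2].append(line.strip())
    return [(msgid, ts, " ".join(body)) for msgid, ts, body in records]


def lpd_probes(text):
    """One LpdProbe per TCP3711 message whose detail text parses; other messages are skipped."""
    probes = []
    for msgid, ts, body in parse_joblog(text):
        m = DETAIL_RE.search(body) if msgid == "TCP3711" else None
        if m:
            probes.append(LpdProbe(ts, m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
    return probes


def describe_command(code):
    """Classify an LPD command byte: supported, valid but unsupported here, or not LPD at all."""
    name = RFC1179_COMMANDS.get(code)
    if name is None:
        return f"X'{code:02X}' is not an RFC 1179 command (malformed or non-LPD traffic)"
    if code in SUPPORTED_COMMANDS:
        return f"X'{code:02X}' {name}: supported"
    return f"X'{code:02X}' {name}: valid LPD command, not supported by the AS/400 server"


def summarize(probes):
    """Per source IP, a Counter of command bytes seen."""
    out = defaultdict(Counter)
    for p in probes:
        out[p.ip][p.command] += 1
    return dict(out)


def find_bursts(probes, window=timedelta(minutes=5), threshold=3):
    """Source IPs that sent at least `threshold` unsupported requests inside any `window`."""
    by_ip = defaultdict(list)
    for p in probes:
        by_ip[p.ip].append(p.ts)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):  # sliding window over sorted timestamps
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def _tcp3711_block(date, time, ip, cmd, sub):
    """Constructed job-log fragment in the layout of the TCP3711 message quoted in the thread."""
    return (f"TCP3711    Information             40   {date}  {time}  QTMPLPDC     QTCP        *STMT\n"
            "  Message . . . . :   Unsupported TCP/IP LPD server function requested.\n"
            "  Cause . . . . . :   The TCP/IP line printer daemon (LPD) server job received a\n"
            f"    request for an unsupported function from remote system {ip} .\n"
            f"    The command received was X'{cmd:02X}', the sub-command was X'{sub:02X}'.  The request\n"
            "    was ignored.\n")


# Constructed sample: four probes from the address in the thread within a minute, then one
# queue-state query (X'03') from a documentation address an hour later.
SAMPLE_JOBLOG = (
    "CPF1124    Information             00   04/20/01  16:07:36  QWTPIIPP     QSYS        05E5     *EXT\n"
    "  Message . . . . :   Job 025150/QTCP/QTLPD00057 started on 04/20/01 at 16:07:36\n"
    + _tcp3711_block("04/20/01", "16:07:38", "24.78.39.171", 0x42, 0x00)
    + _tcp3711_block("04/20/01", "16:07:39", "24.78.39.171", 0x42, 0x00)
    + _tcp3711_block("04/20/01", "16:07:41", "24.78.39.171", 0x42, 0x00)
    + _tcp3711_block("04/20/01", "16:08:02", "24.78.39.171", 0x42, 0x00)
    + _tcp3711_block("04/20/01", "17:15:10", "198.51.100.7", 0x03, 0x00)
    + "CPF1164    Completion              00   04/20/01  17:15:11  QWTMCEOJ     QSYS        00AA     *EXT\n")

if __name__ == "__main__":
    probes = lpd_probes(SAMPLE_JOBLOG)
    print({ip: {describe_command(c): n for c, n in cnt.items()} for ip, cnt in summarize(probes).items()})
    print("bursts:", find_bursts(probes))
```

Run against the sample, the thread's address shows four X'42' requests inside one minute and is reported as a burst, while the single X'03' query is listed but not flagged. Because the server ignored every request (TCP3711 is informational and the job ended with code 0), the value of this report is attribution and volume, which is what a complaint to the source's abuse contact, as Neil suggests, needs.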
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].