Jeffrey,

The branch/site that is the source of the trouble only has Win95 PCs. Only 1 PC shows up with activity in NetStat right now. NetStat shows the local port as 139, 449, 8470 and 8473. Mostly 449 (as-svrmap). The remote port keeps on incrementing by 2 within the range of 1500 to 4000.

Steve Richter

---------- Original Message ----------------------------------
From: "Jeffrey Silberberg" <jsilberberg@mindspring.com>
Reply-To: midrange-l@midrange.com
Date: Wed, 15 Aug 2001 23:36:50 -0400

>Steve,
>
>    I would look for a Windoze or UNIX/SMB server that is down, that normally supplies a mount to the systems on this segment. I think you are seeing a client attempting to re-mount a shared disk partition somewhere, and your iSeries box is seeing the requests. NOTE: There is a major change to these messages in V4R5 documented in the Memo to users. You could/should look at your routers to see what ports are being passed, and if you are not mounting any of the IFS stuff close off these requests with a deny rule.
>
>    Also, you could do an Exit program to drop these on the floor, but depending on the volume this could busy the connection to the point of becoming a Denial-of-service storm so I would rather see you block it on the router.
>
>    From the Web Site Document : http://www.faqs.org/faqs/firewalls-faq/
>For example, a web server running on NT might be vulnerable to a number of denial-of-service attacks against such services as RPC, NetBIOS and SMB. These services are not required for the operation of a web server, so blocking TCP connections to ports 135, 137, 138, and 139 on that host will reduce the exposure to a denial-of-service attack.
>
>HUM: Second night in a row of I quoted from here !!
>
>Jeffrey M. Silberberg
>Independent Consultant
>CompuDesigns, Inc.
>
>AS SOON AS I KNOW THE ANSWERS
>THEY CHANGE THE QUESTIONS
>
>----- Original Message -----
>From: srichter <srichter@mail.autocoder.com>
>To: <midrange-l@midrange.com>
>Sent: Wednesday, August 15, 2001 10:21 PM
>Subject: Re: system under attack?
>
>> >Depending on your version of OS/400, there may be PTFs to fix your
>> >problem. See, for example, PTF SF60551. What version of OS/400 are you
>>
>> v4r4.
>> ptf sf60551 is perm applied.
>>
>> It's pretty wild.
>> With all the msgs, the system is creating an 800k history log file every 15 minutes.
>> I asked the night person at the branch to power off all the PCs. And the NetStat activity continues. He must have missed a PC.
>> I vary off all the devices and controllers, no chg. (PC must be IP connected instead of netsoft)
>> When I hold the "QPWFSERVSO" job, the NetStat activity stops. But we released it again because we don't know what the job does and the impact of holding it.
>>
>> The plan is to call IBM in the morning.
>>
>> Thanks Gary,
>>
>> Steve Richter
>>
>> _______________________________________________
>> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
>> To post a message email: MIDRANGE-L@midrange.com
>> To subscribe, unsubscribe, or change list options,
>> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
>> or email: MIDRANGE-L-request@midrange.com
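
Added example, not part of the original thread: one way to pick out the pattern described in the message above (a single client hitting local ports 139, 449, 8470 and 8473 while its remote port climbs by a fixed step) from a list of observed connections. The tuple layout, thresholds, function name and IP addresses are assumptions made for illustration; the sample rows are constructed.

```python
from collections import defaultdict

# Local ports named in the post.
WATCHED_LOCAL_PORTS = {139, 449, 8470, 8473}

# Constructed sample of (remote_ip, remote_port, local_port) rows, as they might
# be transcribed from repeated connection-status snapshots. Not data from the thread.
SAMPLE = (
    # One client reconnecting in a loop: source port climbs by 2 each time.
    [("10.1.5.23", 1500 + 2 * i, (449, 449, 8470, 449, 8473, 139)[i % 6])
     for i in range(12)]
    # A client with a handful of ordinary sessions (too few to judge).
    + [("10.1.5.40", 2044, 449), ("10.1.5.40", 3117, 8470), ("10.1.5.40", 1388, 8473)]
    # A busy client whose source ports show no fixed stride.
    + [("10.1.5.41", p, 449) for p in (1100, 1190, 1203, 1377, 1381, 1702)]
)


def find_reconnect_loops(conns, min_conns=5, min_share=0.8):
    """Return {remote_ip: (distinct_ports, stride)} for hosts whose source
    ports toward the watched local ports advance by a near-constant stride."""
    ports_by_host = defaultdict(set)
    for remote_ip, remote_port, local_port in conns:
        if local_port in WATCHED_LOCAL_PORTS:
            ports_by_host[remote_ip].add(remote_port)

    findings = {}
    for remote_ip, ports in ports_by_host.items():
        if len(ports) < min_conns:
            continue  # not enough connections to call it a loop
        ordered = sorted(ports)
        deltas = [b - a for a, b in zip(ordered, ordered[1:])]
        # Most common gap between consecutive source ports.
        stride = max(set(deltas), key=deltas.count)
        # Sorting tolerates a wrap of the port range: it adds one odd gap,
        # which the share threshold absorbs.
        if deltas.count(stride) / len(deltas) >= min_share:
            findings[remote_ip] = (len(ports), stride)
    return findings


if __name__ == "__main__":
    for ip, (count, stride) in find_reconnect_loops(SAMPLE).items():
        print(f"{ip}: {count} connections, source port stepping by {stride}")
```

A host flagged this way is the one to trace on the branch segment or to cover with the router deny rule suggested in the quoted reply.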
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.