× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. June 2016

Re: Determine how pwrdwnsys was executed

is there an attention-key program ?

On June 7, 2016 at 2:44 PM Jim Franz <franz9000@xxxxxxxxx> wrote:


Entire user job log - I need to clarify, the image catalogs are images for
applications, not PTFS. User is an application user, not Operations.
User's menu only had options to view several different outqs. No option to
even go to another menu. No options to deal with images (we do have green
screen app that launches a browser to display images, or more often, user
may have a IBM Content Manager client which views and works images, but has
no control over catalogs.

Right now I'm looking for evidence of remote command execution..



MSGID TYPE SEV DATE TIME FROM
PGM LIBRARY INST TO PGM LIBRARY INST
CPF1124 Information 00 06/07/16 11:00:50.569956
QWTPIIPP QSYS 04C0 *EXT *N
Message . . . . : Job
477963/TATUMTO/BS7515C started on 06/07/16 at 11:00:50
in subsystem QINTER in QSYS. Job
entered system on 06/07/16 at 11:00:50.
CPCBC11 Completion 00 06/07/16 11:01:37.737273
QVOIIPL QSYS 056E QWCCSDSC QSYS 046F
Message . . . . : Image catalog
IMGCLG01 unloaded from device OPTVLB01.
CPCBC11 Completion 00 06/07/16 11:01:41.756522
QVOIIPL QSYS 056E QWCCSDSC QSYS 046F
Message . . . . : Image catalog
IMGCLG02 unloaded from device OPTVLB02.
CPCBC11 Completion 00 06/07/16 11:01:43.801236
QVOIIPL QSYS 056E QWCCSDSC QSYS 046F
Message . . . . : Image catalog
IMGCLG03 unloaded from device OPTVLB03.
CPF0901 Information 00 06/07/16 11:01:49.451961
QWCCSDSC QSYS 003E QMNPRDWN QSYS 004B
Message . . . . : PWRDWNSYS command
issued by user TATUMTO and is being

processed.

Cause . . . . . : Because the Power
Down System (PWRDWNSYS) command was
issued, all jobs will be ended, and
the machine will be powered off.
CPC1207 Completion 50 06/07/16 11:01:49.530759
QWTMMTRS QSYS 0247 *EXT *N

Jim


On Tue, Jun 7, 2016 at 2:32 PM, John McKee <jmmckee3@xxxxxxxxx> wrote:

Was a job log produced for the use?

John McKee

On Tue, Jun 7, 2016 at 1:25 PM, Charles Wilt <charles.wilt@xxxxxxxxx>
wrote:

My QHST shows 3 lines...

PWRDWNSYS command issued with parameters specified.
PWRDWNSYS command issued by user WILTA and is being processed.
PWRDWNSYS command in progress.



On Tue, Jun 7, 2016 at 2:23 PM, Paul Getz <PGetz@xxxxxxxx> wrote:

Hi Jim,

What was the user doing prior to this power down activity? The reason
I
ask, were they performing any type of maintenance (backups)or
installing
PTFs?


Regards,
Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Jim Franz
Sent: Tuesday, June 7, 2016 2:19 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Subject: Determine how pwrdwnsys was executed

Looking for clues to determine what happened.
V7R1 development system cume 15142
IBM iAccess for windows 7.1 latest svc pack

What we know so far is that a user logged onto a development system (to
do
some testing.
1 minute later QHST log indicates PWRDWNSYS initiated by the user, but
users log (with 4 00 *seclvl and log CL *YES in jobd ) shows no command
line entry of any command. Her story is no menu options executed...

No menu source shows pwrdwnsys or endsys (have searched for an api but
not
found one). Aware of GO POWER menu but not found a menu to connect to
this.

Message ID . . . . . . : CPI0995 Severity . . . . . . . :
00
Message type . . . . . :
Information
Date sent . . . . . . : 06/07/16 Time sent . . . . . . :
11:01:49


Message . . . . : PWRDWNSYS command issued with parameters
specified.
Cause . . . . . : The Power Down System (PWRDWNSYS) command was
requested
by
job 477963/XXXXX/BS7515C with the following parameters
specified:
-- How to end
*IMMED
-- Delay time
3600
-- Restart options
*NO
-- IPL source
*PANEL
-- End subsystem option
*DFT
-- Timeout option
*CONTINUE
-- Confirm
*ENVVAR
-- Image catalog

From job . . . . . . . . . . . : QSYSARB4
User . . . . . . . . . . . . : QSYS
Number . . . . . . . . . . . : 390670

From program . . . . . . . . . : QWCASDSM


Only other odd item is in user's job log, Image Catalogs on system
unloaded
(CPCBC11) in 12 seconds prior to message about PWRDWNSYS (CPF0901) - I
would have expected "after".

No packaged exit programs (have recommended previously..) QAUDJRN is
active - not sure how to see remote command...

Auditing
options
*ATNEVT
*SECURITY
*PGMFAIL
*SAVRST
*AUTFAIL
*SERVICE
PC has been scanned

Jim
--

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.
Paul Therrien
Andeco Software, LLC
paultherrien@xxxxxxxxxxxxxxxxxx

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.