× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. October 2019

MGTOOLS may spoof IP addresses

I suggest after using MGTOOLS that you sign off and on again. I suspect it spoofs being a particular IP address in order to send data to IBM. Then again, if they can do that, why can't us muggles do that and royally mess up the system audit journals?

<FromIBMTicket>
I logged into a 5250 session to test logging. This session:
Job . . . . . . . . : 202780/ROB/ROBHQ1
Earlier on that session I had sent some MGTOOLS data to IBM.

I ran this command
CHGUSRPRF USRPRF(ADOPT) SPCAUT(*JOBCTL *SECADM)
Followed by
CHGUSRPRF USRPRF(ADOPT) SPCAUT(*JOBCTL)

The first one created the entry:
Journal . . . . . . : QAUDJRN
Sequence . . . . . . : 342197716
Code . . . . . . . . : T - Audit trail entry
Type . . . . . . . . : CP - User profile changed
Date . . . . . . . . : 10/24/19
Time . . . . . . . . : 14:05:12.158000
Flag . . . . . . . . : 0
Count/RRN . . . . . : 0
Commit cycle ID . . : 0
Nested commit level : 0
Job . . . . . . . . : 202780/ROB/ROBHQ1
User profile . . . . : ROB
Ignore APY/RMV . . . : No
Ref constraint . . . : No
Trigger . . . . . . : No
Program . . . . . . : QCMD
Library . . . . . : QSYS
ASP device . . . . : *SYSBAS
System sequence . . : 11784359632253947905
Thread identifier . : 0000000000000854
Receiver . . . . . . : ZAUDJR2959
Library . . . . . : QGPL
ASP device . . . . : *SYSBAS
Journal identifier . : X'00000000000000000000'
Remote address . . . : 170.225.15.31
Address family . . . : IPv4
Remote port . . . . : 80
System name . . . . : GDIHQ
Arm number . . . . . : 21
Logical unit of work : *OMITTED
Transaction ID . . . : *OMITTED

Notice this line in particular:
Remote address . . . : 170.225.15.31

If you go to your PC and do the following
C:\Users\rob>nslookup 170.225.15.31
Server: localhost
Address: 127.0.0.1

Name: testcase.boulder.ibm.com<http://testcase.boulder.ibm.com/>
Address: 170.225.15.31

Now, I really doubt that IBM connected in from 'testcase', took control of my job and issued a CHGUSRPRF.

Perhaps some really weird stuff in MGTOOLS told it to spoof being that IP address in order to get data to IBM and that session should always be signed off/on again after using MGTOOLS?

</FromIBMTicket>


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.