Passing thought - if you are having trouble with looking at the logs, go to the green screen, type "NETSTAT", then I try option 3. That should show activity based on FROM and TO IP address and port number. That can help track this kind of thing down.
Good luck.
________________________________________
From: WEB400 [web400-bounces@xxxxxxxxxxxx] on behalf of Jim Oberholtzer [midrangel@xxxxxxxxxxxxxxxxx]
Sent: Friday, September 12, 2014 9:12 AM
To: 'Web Enabling the IBM i (AS/400 and iSeries)'
Subject: Re: [WEB400] Experience with Qualys Guard (cross posted on web400 as well)
We do have the logs Scott and will be following up on your suggestions, but
we know the Qualys Guard scan is running during the time the "attack"
happens so there is a strong link there.
Analysis starts in earnest today.
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
-----Original Message-----
From: WEB400 [mailto:web400-bounces@xxxxxxxxxxxx] On Behalf Of Scott
Sent: Thursday, September 11, 2014 8:30 PM
To: Web Enabling the IBM i (AS/400 and iSeries); 'Midrange L'
Subject: Re: [WEB400] Experience with Qualys Guard (cross posted on web400
as well)
Do you have access to the logs (access.log/php.log/error.log)? That would
tell you where the requests are coming from (which can be spoofed) and what
they are requesting, then you could use that as backup to ask them why it is
doing what it is doing, or it might show you that the requests aren't coming
from where you think they are.
Scott
On 9/11/2014 8:22 AM, Jim Oberholtzer wrote:
Folks:
I got a call yesterday from a customer that is having trouble with a
Qualys Guard scan. Apparently it scans systems for vulnerabilities
but when it comes to a port that has a PHP server on it (in this case
Zend Server), it starts sending over 1000 transactions a second at it, so
it becomes a DOS attack. Qualys firmly denies doing a DOS but I can't
understand why the burst of transactions. Any thoughts?
--
Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects
--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives at
http://archive.midrange.com/web400.
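
Added example, not part of the original thread: one way to run the access-log check suggested in the thread, reporting each client's peak requests per second, what it requested and the status codes returned. It assumes Apache common/combined log lines (the thread does not show the real log layout); `burst_report`, the threshold and the sample lines are constructed for illustration, and the client address is only what the server logged.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed layout: Apache common/combined log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def burst_report(lines, threshold):
    """Summarise clients whose peak requests/second reaches threshold."""
    per_second = defaultdict(Counter)  # ip -> {timestamp -> hits}
    paths = defaultdict(Counter)       # ip -> {requested path -> hits}
    statuses = defaultdict(Counter)    # ip -> {HTTP status -> hits}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip unparseable lines rather than guess
        ip, stamp, _method, path, status = m.groups()
        second = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        per_second[ip][second] += 1
        paths[ip][path] += 1
        statuses[ip][status] += 1
    report = {}
    for ip, buckets in per_second.items():
        when, peak = max(buckets.items(), key=lambda kv: kv[1])
        if peak >= threshold:
            report[ip] = {
                "peak_per_second": peak,
                "peak_at": when.isoformat(),
                "total": sum(buckets.values()),
                "top_paths": paths[ip].most_common(3),
                "statuses": dict(statuses[ip]),
            }
    return report

# Constructed sample lines (documentation addresses, not real traffic).
BURST = '192.0.2.10 - - [12/Sep/2014:09:00:01 -0500] "GET {} HTTP/1.1" {} 512'
SAMPLE = (
    [BURST.format("/index.php", 200)] * 3
    + [BURST.format("/phpinfo.php", 404)] * 2
    + ['192.0.2.10 - - [12/Sep/2014:09:00:02 -0500] "GET /index.php HTTP/1.1" 200 512',
       '198.51.100.7 - - [12/Sep/2014:09:00:01 -0500] "GET /index.php HTTP/1.1" 200 512',
       '198.51.100.7 - - [12/Sep/2014:09:00:03 -0500] "GET /app.php HTTP/1.1" 200 512']
)

if __name__ == "__main__":
    # Threshold of 4 suits the tiny sample; pick one that fits normal traffic.
    for ip, info in burst_report(SAMPLE, threshold=4).items():
        print(ip, info)
```

Comparing the `peak_at` times with the scanner's scheduled window shows whether the burst and the scan actually line up.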