Solved

AS400 QSYSOPR Message - TCP/IP connection to remote system closed message

Posted on 2009-04-02
Last Modified: 2013-12-06
I have an AS400 - 9405/520 that is logging some strange messages in the QSYSOPR message queue. This particular machine is our disaster recovery machine and is not used in a production environment. We have it at an offsite location and we just do daily restores from a backup tape (from the production) to keep it current (within a day). I don't monitor it a whole lot because I am busy and it does not do anything. I do try my best to make sure the restore job happens and I try to verify this daily.

Recently I noticed in the QSYSOPR message queue a lot of messages indicating TCP connections closed. There are really a lot of these in the message queue and I do not recognize the IP addresses. I looked some of them up and they are coming from Pakistan and Islamabad and Turkey etc. I find this odd and don't know if I should be concerned or paranoid or what.

This machine is connected to the Network. It has no public IP address, not a web server or anything like that. We have T1's + MPLS that connect the branches and the only way out is via an Internet connection that is shared across the T1 MPLS.

I am attaching an image file showing some of the messages.

Anyone have some good knowledge of what this all means?
400log.JPG
Question by:Razorking
6 Comments
Accepted Solution

by: tliotta (earned 1000 total points)
ID: 24055363
Razorking:

Technically, it means either that your AS/400 has programs that are connecting to those addresses or that those addresses are connecting to your AS/400, and also that either the R2 retry threshold (reason code 2) or the keepalive timeout (reason code 3) was reached.

There is essentially no doubt that that AS/400 is being probed for access from the outside.

Tom
Expert Comment

by:tliotta
ID: 24055379
Razorking:

Please show the <F1> extended help details for one of those messages. It will indicate what service is being requested.

Tom
Author Comment

by:Razorking
ID: 24055537
tliotta,
Thanks for the replies. I am sure your assessment is correct. It's hard for me to imagine how or why they would target this machine, but I guess that is not relevant to the situation. I have attached an image of the F1.

Obviously I need to examine my firewall. Beyond that, any suggestions for things I can do on the 400 itself to discourage this type of activity?
F1.JPG
Expert Comment

by:tliotta
ID: 24055947
Razorking:

Not surprisingly, that shows port 23 being accessed, which is telnet by default. You might want to watch for disabled profiles.

Numerous things can be done. I'm a little restricted by employment contract on what I should say (<disclaimer> my employer markets network security products </disclaimer>), but one obvious thing to do would be to set up 'Packet Rules' to filter out such requests from any IP addresses outside of your desired address ranges or subnets.

In iNav, expand your system down through Network-> IP Policies-> Packet Rules. Create a set of filters that blocks in-bound packets from addresses that you don't want connecting to your system.

Creating packet filters can be a little tricky -- I had no trouble locking myself out during my first tests a number of years ago; once locked out, it can be fun getting access to unlock things again. Start by reviewing everything about any 'sample .I3P file' that's available in the Rules Editor. Read and pay attention to the comments, especially warnings about the default DENY all traffic filter.

Create a test filter that allows everything from your local subnets and save it. Use it to create more restrictive test filters until you feel comfortable. Personally, before I activate a new IP packet filter, I usually add a RMVTCPTBL *IPFTR command to the job scheduler, scheduled to run a few minutes in the future, just in case.

Tom
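As an added example (not code from any of the posters), the Python script below does the first step Tom's advice depends on: it reads QSYSOPR-style "TCP/IP connection to remote system ... closed" messages, pulls out the remote address and the reason code, counts closes per peer, and separates peers inside the operator's own subnets from everything else, so the address ranges that need blocking stand out before any Packet Rules are written. The log lines, job names and the 10.0.0.0/8 and 192.168.0.0/16 "allowed" ranges are constructed for the example; the message wording follows the question title, and the reason-code meanings are the two Tom gave above.

```python
"""Triage constructed QSYSOPR-style 'TCP/IP connection to remote system ... closed'
messages: extract the remote address and reason code, count hits per address and
flag every address outside the operator's allowed subnets.
All sample data below is constructed for this example."""
import ipaddress
import re
from collections import Counter, defaultdict

# Reason codes as explained in the thread: 2 = R2 retry threshold, 3 = keepalive timeout.
REASON_TEXT = {2: "R2 retry threshold reached", 3: "keepalive timeout"}

# Constructed sample of a QSYSOPR listing. Message text follows the question title;
# timestamps, job names and addresses are invented (documentation ranges), not real peers.
SAMPLE_QSYSOPR = """\
04/02/09 03:12:44 QTCPIP    TCP/IP connection to remote system 203.0.113.45 closed, reason code 2.
04/02/09 03:12:51 QTCPIP    TCP/IP connection to remote system 203.0.113.45 closed, reason code 2.
04/02/09 03:14:02 QTCPIP    TCP/IP connection to remote system 198.51.100.7 closed, reason code 3.
04/02/09 03:15:19 QTCPIP    TCP/IP connection to remote system 10.20.5.14 closed, reason code 3.
04/02/09 03:16:40 QTCPIP    Job 123456/QUSER/QTVTELNET started.
04/02/09 03:17:03 QTCPIP    TCP/IP connection to remote system 203.0.113.45 closed, reason code 2.
"""

# Constructed stand-in for the branch/MPLS subnets the operator expects to see.
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

MSG_RE = re.compile(
    r"TCP/IP connection to remote system (?P<addr>\d{1,3}(?:\.\d{1,3}){3}) closed, "
    r"reason code (?P<code>\d+)"
)


def parse_closed_connections(log_text):
    """Return (address, reason_code) for each connection-closed message; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.append((ipaddress.ip_address(m.group("addr")), int(m.group("code"))))
    return events


def is_allowed(addr, allowed=ALLOWED_RANGES):
    """True when the peer address falls inside one of the expected subnets."""
    return any(addr in net for net in allowed)


def summarize(log_text, allowed=ALLOWED_RANGES):
    """Per-address close counts and reason codes, split into expected and unexpected peers."""
    hits = Counter()
    reasons = defaultdict(set)
    for addr, code in parse_closed_connections(log_text):
        hits[addr] += 1
        reasons[addr].add(code)
    report = {"expected": {}, "unexpected": {}}
    for addr, n in hits.items():
        bucket = "expected" if is_allowed(addr, allowed) else "unexpected"
        report[bucket][str(addr)] = {
            "count": n,
            "reasons": sorted(REASON_TEXT.get(c, f"reason code {c}") for c in reasons[addr]),
        }
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_QSYSOPR)
    # Unexpected peers first, busiest at the top: these are the ranges a deny filter should cover.
    for addr, info in sorted(result["unexpected"].items(), key=lambda kv: -kv[1]["count"]):
        print(f"UNEXPECTED {addr}: {info['count']} closes ({', '.join(info['reasons'])})")
    for addr, info in result["expected"].items():
        print(f"expected   {addr}: {info['count']} closes")
```

On a real system the listing would come from DSPMSG QSYSOPR output (or the message queue read by program); the unexpected list is the set of addresses to take to the firewall review and to the Packet Rules allow-list decision, and the per-peer counts make a repeating probe visible even when each individual message looks harmless.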
Assisted Solution

by: Gary Patterson (earned 1000 total points)
ID: 24094365
As far as "how", there are lots of tools available to allow attackers to scan an address or range of addresses, probe the systems and services found, enumerate network devices, and attempt various exploits to gain access to (or at least to identify) vulnerable systems.

As far as "why":

1) Someone may be targeting your company in particular, seeking to gain access to your systems and data and obtain confidential information (financials, price lists, customer lists, credit cards, etc.)

2) The system may have been detected in a routine scan.  The company that I work for provides security consulting and monitoring services to our clients, and we see constant scanning activity.  Now the attacker is attempting to gain access to the system (or has gained access and is seeking to elevate privileges).  Attackers routinely attempt to gain access to internet-connected systems in order to use those systems for a variety of purposes:
  • A jumping-off point to attack other systems within the service provider or corporate network.
  • A jumping-off point to attack other systems on the internet
  • To host files (warez, audio, video, etc) or services (ftp, http, proxies, spambots, DDOS clients)
  • Gain access to confidential information
  • Disrupt the operations of businesses or organizations
  • For sport
Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.  This could be due to a problem with your network security, or it could be a problem with the service provider that hosts the system for you - I've seen both.

Your EE profile shows Pacific Daylight Time.  If you are based in the US, and if your system has been breached, and there is the possibility that any individual's private information was accessed, you may have a legal obligation to report the breach to the affected individuals.  Penalties for failure to comply can be stiff.  Other countries have breach disclosure laws in place, too.

Since this is apparently a series of unauthorized access attempts, you should bring this potential breach to the attention of your management team, and take immediate measures to secure the system and determine the extent of the breach of system and network security.

Breach disclosure laws by state: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

- Gary Patterson
Expert Comment

by:tliotta
ID: 24101860
Gary's comments are worth following up on. One comment in particular may be most important:

> Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.

If it's really true that there is no "public" IP address -- e.g., only non-routable addresses are pointing at that system and no port-forwarding, etc., is happening -- then there is a very significant chance that some other system _has_ been compromised and is involved in your QSYSOPR messages.

Finding the compromised system(s?) will be important, to say the least.

Tom