AS400 QSYSOPR Message - TCP/IP connection to remote system closed message

Posted on 2009-04-02
Last Modified: 2013-12-06
I have an AS400 - 9405/520 that is logging some strange messages in the QSYSOPR message queue. This particular machine is our disaster recovery machine and is not used in a production environment. We have it at an offsite location and we just do daily restores from a backup tape (from production) to keep it current (within a day). I don't monitor it a whole lot because I am busy and it does not do anything. I do try my best to make sure the restore job happens and I try to verify this daily.

Recently I noticed in the QSYSOPR message queue a lot of messages indicating TCP connections closed. There are really a lot of these in the message queue and I do not recognize the IP addresses. I looked some of them up and they are coming from Pakistan and Islamabad and Turkey etc. I find this odd and don't know if I should be concerned or paranoid or what.

This machine is connected to the network. It has no public IP address; it is not a web server or anything like that. We have T1s + MPLS that connect the branches and the only way out is via an Internet connection that is shared across the T1 MPLS.

I am attaching an image file showing some of the messages.

Anyone have some good knowledge of what this all means?
Question by:Razorking
LVL 27

Accepted Solution

tliotta earned 250 total points
ID: 24055363

Technically, it means either that your AS/400 has programs that are connecting to those addresses or that those addresses are connecting to your AS/400, and also that either the R2 retry threshold (reason code 2) or the keepalive timeout (reason code 3) was reached.

There is essentially no doubt that that AS/400 is being probed for access from the outside.

LVL 27

Expert Comment

ID: 24055379

Please show the <F1> extended help details for one of those messages. It will indicate what service is being requested.


Author Comment

ID: 24055537
Thanks for the replies. I am sure your assessment is correct. It's hard for me to imagine how or why they would target this machine, but I guess that is not relevant to the situation. I have attached an image of the F1.

Obviously I need to examine my firewall. Beyond that, any suggestions for things I can do on the 400 itself to discourage this type of activity?

LVL 27

Expert Comment

ID: 24055947

Not surprisingly, that shows port 23 being accessed, which is telnet by default. You might want to watch for disabled profiles.

Numerous things can be done. I'm a little restricted by employment contract on what I should say (<disclaimer> my employer markets network security products </disclaimer>), but one obvious thing to do would be to set up 'Packet Rules' to filter out such requests from any IP addresses outside of your desired address ranges or subnets.

In iNav, expand your system down through Network -> IP Policies -> Packet Rules. Create a set of filters that blocks inbound packets from addresses that you don't want connecting to your system.

Creating packet filters can be a little tricky -- I had no trouble locking myself out during my first tests a number of years ago; once locked out, it can be fun getting access to unlock things again. Start by reviewing everything about any 'sample .I3P file' that's available in the Rules Editor. Read and pay attention to the comments, especially warnings about the default DENY all traffic filter.

Create a test filter that allows everything from your local subnets and save it. Use it to create more restrictive test filters until you feel comfortable. Personally, before I activate a new IP packet filter, I usually add a RMVTCPTBL *IPFTR command to the job scheduler, scheduled to run a few minutes in the future, just in case.
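Before writing packet rules, it helps to know exactly which remote addresses and reason codes are behind the flood of messages, and whether any of them fall outside the ranges that should be able to reach the box at all. The script below is an added example, not code from the thread or from IBM: it parses the first-level text of the "TCP/IP connection to remote system ... closed" messages, splits the peers into internal and external address ranges, and tallies the reason codes. The message wording, the RFC 1918 ranges used as "internal", and the reason-code meanings (taken from the accepted answer above) are all assumptions to confirm on the real system; the sample lines are constructed and use documentation addresses, not the addresses from the question.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, not real QSYSOPR output: lines in the shape of the
# "TCP/IP connection to remote system ... closed" messages the question
# describes, plus one unrelated line to show that it is ignored. Addresses
# are RFC 5737 documentation ranges and RFC 1918 private ranges, not real hosts.
SAMPLE_MESSAGES = """\
TCP/IP connection to remote system 203.0.113.45 closed, reason code 2.
TCP/IP connection to remote system 203.0.113.45 closed, reason code 2.
TCP/IP connection to remote system 198.51.100.7 closed, reason code 3.
TCP/IP connection to remote system 192.168.10.22 closed, reason code 3.
TCP/IP connection to remote system 203.0.113.45 closed, reason code 2.
TCP/IP connection to remote system 10.1.4.9 closed, reason code 2.
Job 123456/QTCP/QTFTP00001 started on 04/02/09 at 08:15:02 in subsystem QSYSWRK.
"""

# Assumed first-level message text; check the exact wording on your system
# with <F1> on one of the messages and adjust the pattern if it differs.
MSG_RE = re.compile(
    r"TCP/IP connection to remote system (?P<addr>[0-9A-Fa-f:.]+) closed, "
    r"reason code (?P<reason>\d+)"
)

# Reason-code meanings as stated in the accepted answer above (an assumption
# here; confirm against the message's second-level text on your release).
REASON_TEXT = {"2": "R2 retry threshold reached", "3": "keepalive timeout"}

# RFC 1918 ranges as a placeholder; replace with the branch/MPLS ranges that
# legitimately reach this machine.
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def parse_messages(text):
    """Yield (remote_address, reason_code) for each connection-closed message."""
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            yield m.group("addr"), m.group("reason")


def is_internal(addr, nets):
    """True if addr falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparsable address: report it rather than drop it silently
    return any(ip in net for net in nets)


def triage(text, internal_nets=INTERNAL_NETS):
    """Count closed connections per remote address, split into internal and
    external peers, and tally the reason codes seen."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    report = {"internal": Counter(), "external": Counter(), "reasons": Counter()}
    for addr, reason in parse_messages(text):
        bucket = "internal" if is_internal(addr, nets) else "external"
        report[bucket][addr] += 1
        report["reasons"][reason] += 1
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_MESSAGES)
    for addr, n in rep["external"].most_common():
        # On a box that is supposed to have no public address, anything listed
        # here means either port-forwarding at the edge or another host on the
        # LAN relaying for the attacker, and that host needs finding too.
        print(f"EXTERNAL  {addr:<20} {n} closed connection(s)")
    for addr, n in rep["internal"].most_common():
        print(f"internal  {addr:<20} {n} closed connection(s)")
    for code, n in sorted(rep["reasons"].items()):
        print(f"reason {code} ({REASON_TEXT.get(code, 'unknown')}): {n}")
```

Feed it the spooled output of DSPMSG MSGQ(QSYSOPR) OUTPUT(*PRINT) copied off the system, with INTERNAL_NETS set to the ranges your branches actually use. The external list is the set of addresses your packet rules should never see again, and any external address appearing on a system that has no public IP is the lead to follow when looking for the compromised or misconfigured device in between.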

LVL 35

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
ID: 24094365
As far as "how", there are lots of tools available to allow attackers to scan an address or range of addresses, probe the systems and services found, enumerate network devices, and attempt various exploits to gain access to (or at least to identify) vulnerable systems.

As far as "why":

1) Someone may be targeting your company in particular, seeking to gain access to your systems and data and obtain confidential information (financials, price lists, customer lists, credit cards, etc.)

2) The system may have been detected in a routine scan.  The company that I work for provides security consulting and monitoring services to our clients, and we see constant scanning activity.  Now the attacker is attempting to gain access to the system (or has gained access and is seeking to elevate privileges).  Attackers routinely attempt to gain access to internet-connected systems in order to use those systems for a variety of purposes:
  • A jumping-off point to attack other systems within the service provider or corporate network.
  • A jumping-off point to attack other systems on the internet
  • To host files (warez, audio, video, etc) or services (ftp, http, proxies, spambots, DDOS clients)
  • Gain access to confidential information
  • Disrupt the operations of businesses or organizations
  • For sport
Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.  This could be due to a problem with your network security, or it could be a problem with the service provider that hosts the system for you - I've seen both.

Your EE profile shows Pacific Daylight Time.  If you are based in the US, and if your system has been breached, and there is the possibility that any individual's private information was accessed, you may have a legal obligation to report the breach to the affected individuals.  Penalties for failure to comply can be stiff.  Other countries have breach disclosure laws in place, too.

Since this is apparently a series of unauthorized access attempts, you should bring this potential breach to the attention of your management team, and take immediate measures to secure the system and determine the extent of the breach of system and network security.

Breach disclosure laws by state: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

- Gary Patterson
LVL 27

Expert Comment

ID: 24101860
Gary's comments are worth following up on. One comment in particular may be most important:

> Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.

If it's really true that there is no "public" IP address -- e.g., only non-routable addresses are pointing at that system and no port-forwarding, etc., is happening -- then there is a very significant chance that some other system _has_ been compromised and is involved in your QSYSOPR messages.

Finding the compromised system(s?) will be important, to say the least.


