Solved

AS400 QSYSOPR Message - TCP/IP connection to remote system closed message

Posted on 2009-04-02
2,907 Views
Last Modified: 2013-12-06
I have an AS400 - 9405/520 that is logging some strange messages in the QSYSOPR message queue. This particular machine is our disaster recovery machine and is not used in a production environment. We have it at an offsite location and we just do daily restores from a backup tape (from the production) to keep it current (within a day). I don't monitor it a whole lot because I am busy and it does not do anything. I do try my best to make sure the restore job happens and I try to verify this daily.

Recently I noticed in the QSYSOPR message queue a lot of messages indicating TCP connections closed. There are really a lot of these in the message queue and I do not recognize the IP addresses. I looked some of them up and they are coming from Pakistan and Islamabad and Turkey etc. I find this odd and don't know if I should be concerned or paranoid or what.

This machine is connected to the Network. It has no public IP address, not a web server or anything like that. We have T1's + MPLS that connect the branches and the only way out is via an Internet connection that is shared across the T1 MPLS.

I am attaching an image file showing some of the messages.

Anyone have some good knowledge of what this all means?
400log.JPG
Question by:Razorking
6 Comments
 
LVL 27

Accepted Solution

by:
tliotta earned 250 total points
Razorking:

Technically, it means either that your AS/400 has programs that are connecting to those addresses or that those addresses are connecting to your AS/400, and also that either the R2 retry threshold (reason code 2) or the keepalive timeout (reason code 3) was reached.

There is essentially no doubt that that AS/400 is being probed for access from the outside.

Tom
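A small triage script for a message queue like the one described above, added here as an example and not part of the original thread. It assumes the message text has the shape "TCP/IP connection to remote system <addr> closed, reason code <n>" (the real layout is only in the screenshot), maps reason codes 2 and 3 as Tom explains them, and treats RFC 1918 ranges as "local" because the question does not give the branch subnets; the sample lines are constructed with documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Reason-code meanings as given in the accepted answer; any other code is
# reported raw rather than guessed at.
REASON = {"2": "R2 retry threshold reached", "3": "keepalive timeout reached"}

# Assumption: the branch/MPLS subnets are private ranges. Replace with the
# real address ranges this system is expected to talk to.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed shape of the QSYSOPR message text (not copied from the page).
MSG_RE = re.compile(
    r"TCP/IP connection to remote system (\S+) closed, reason code (\d+)")

def is_local(addr):
    """True if addr parses as an IP inside LOCAL_NETS; hostnames count as unknown."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)

def parse(lines):
    """Yield (remote_addr, reason_code) for each line that matches MSG_RE."""
    for line in lines:
        m = MSG_RE.search(line)
        if m:
            yield m.group(1), m.group(2)

def triage(lines):
    """Count closed connections per remote address and per reason, and
    single out addresses outside LOCAL_NETS, which are the ones to chase."""
    per_ip, per_reason = Counter(), Counter()
    for addr, code in parse(lines):
        per_ip[addr] += 1
        per_reason[REASON.get(code, f"reason code {code}")] += 1
    external = {a: n for a, n in per_ip.items() if not is_local(a)}
    return {"per_ip": dict(per_ip), "per_reason": dict(per_reason),
            "external": external}

# Constructed sample queue lines (documentation addresses, not real probes).
SAMPLE = [
    "TCP/IP connection to remote system 203.0.113.7 closed, reason code 2.",
    "TCP/IP connection to remote system 203.0.113.7 closed, reason code 2.",
    "TCP/IP connection to remote system 198.51.100.23 closed, reason code 3.",
    "TCP/IP connection to remote system 192.168.10.5 closed, reason code 3.",
    "Job 123456/QUSER/QTCPIP started on 04/02/09 at 08:00:00.",  # unrelated line
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for addr, n in sorted(result["external"].items(), key=lambda kv: -kv[1]):
        print(f"{addr:>16}  {n} closed connection(s)  <- outside local ranges")
    print(result["per_reason"])
```

Feeding it a DSPMSG QSYSOPR listing spooled to a file gives a per-address count that makes the foreign sources in the question stand out from normal branch traffic.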
LVL 27

Expert Comment

by:tliotta
Razorking:

Please show the <F1> extended help details for one of those messages. It will indicate what service is being requested.

Tom

Author Comment

by:Razorking
tliotta,
Thanks for the replies. I am sure your assessment is correct. It's hard for me to imagine how or why they would target this machine, but I guess that is not relevant to the situation. I have attached an image of the F1.

Obviously I need to examine my firewall. Beyond that, any suggestions for things I can do on the 400 itself to discourage this type of activity?
F1.JPG
LVL 27

Expert Comment

by:tliotta
Razorking:

Not surprisingly, that shows port 23 being accessed, which is telnet by default. You might want to watch for disabled profiles.

Numerous things can be done. I'm a little restricted by employment contract on what I should say (<disclaimer> my employer markets network security products </disclaimer>), but one obvious thing to do would be to set up 'Packet Rules' to filter out such requests from any IP addresses outside of your desired address ranges or subnets.

In iNav, expand your system down through Network-> IP Policies-> Packet Rules. Create a set of filters that blocks in-bound packets from addresses that you don't want connecting to your system.

Creating packet filters can be a little tricky -- I had no trouble locking myself out during my first tests a number of years ago; once locked out, it can be fun getting access to unlock things again. Start by reviewing everything about any 'sample .I3P file' that's available in the Rules Editor. Read and pay attention to the comments, especially warnings about the default DENY all traffic filter.

Create a test filter that allows everything from your local subnets and save it. Use it to create more restrictive test filters until you feel comfortable. Personally, before I activate a new IP packet filter, I usually add a RMVTCPTBL *IPFTR command to the job scheduler, scheduled to run a few minutes in the future, just in case.

Tom
LVL 34

Assisted Solution

by:Gary Patterson
Gary Patterson earned 250 total points
As far as "how", there are lots of tools available to allow attackers to scan an address or range of addresses, probe the systems and services found, enumerate network devices, and attempt various exploits to gain access to (or at least to identify) vulnerable systems.

As far as "why":

1) Someone may be targeting your company in particular, seeking to gain access to your systems and data and obtain confidential information (financials, price lists, customer lists, credit cards, etc.)

2) The system may have been detected in a routine scan.  The company that I work for provides security consulting and monitoring services to our clients, and we see constant scanning activity.  Now the attacker is attempting to gain access to the system (or has gained access and is seeking to elevate privileges).  Attackers routinely attempt to gain access to internet-connected systems in order to use those systems for a variety of purposes:
  • A jumping-off point to attack other systems within the service provider or corporate network.
  • A jumping-off point to attack other systems on the internet
  • To host files (warez, audio, video, etc) or services (ftp, http, proxies, spambots, DDOS clients)
  • Gain access to confidential information
  • Disrupt the operations of businesses or organizations
  • For sport
Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.  This could be due to a problem with your network security, or it could be a problem with the service provider that hosts the system for you - I've seen both.

Your EE profile shows Pacific Daylight Time.  If you are based in the US, and if your system has been breached, and there is the possibility that any individual's private information was accessed, you may have a legal obligation to report the breach to the affected individuals.  Penalties for failure to comply can be stiff.  Other countries have breach disclosure laws in place, too.

Since this is apparently a series of unauthorized access attempts, you should bring this potential breach to the attention of your management team, and take immediate measures to secure the system and determine the extent of the breach of system and network security.

Breach disclosure laws by state: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

- Gary Patterson
LVL 27

Expert Comment

by:tliotta
Gary's comments are worth following up on. One comment in particular may be most important:

> Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.

If it's really true that there is no "public" IP address -- e.g., only non-routable addresses are pointing at that system and no port-forwarding, etc., is happening -- then there is a very significant chance that some other system _has_ been compromised and is involved in your QSYSOPR messages.

Finding the compromised system(s?) will be important, to say the least.

Tom