AS400 QSYSOPR Message - TCP/IP connection to remote system closed message

I have an AS400 - 9405/520 that is logging some strange messages in the QSYSOPR message queue. This particular machine is our disaster recovery machine and is not used in a production environment. We have it at an offsite location and we just do daily restores from a backup tape (from the production) to keep it current (within a day). I don't monitor it a whole lot because I am busy and it does not do anything. I do try my best to make sure the restore job happens and I try to verify this daily.

Recently I noticed in the QSYSOPR message queue a lot of messages indicating TCP connections closed. There are really a lot of these in the message queue and I do not recognize the IP addresses. I looked some of them up and they are coming from Pakistan and Islamabad and Turkey etc. I find this odd and don't know if I should be concerned or paranoid or what.

This machine is connected to the Network. It has no public IP address, not a web server or anything like that. We have T1's + MPLS that connect the branches and the only way out is via an Internet connection that is shared across the T1 MPLS.

I am attaching an image file showing some of the messages.

Anyone have some good knowledge of what this all means?
400log.JPG
Razorking Asked:

tliotta Commented:
Razorking:

Technically, it means either that your AS/400 has programs that are connecting to those addresses or that those addresses are connecting to your AS/400, and also that either the R2 retry threshold (reason code 2) or the keepalive timeout (reason code 3) was reached.

There is essentially no doubt that that AS/400 is being probed for access from the outside.

Tom
0


tliotta Commented:
Razorking:

Please show the <F1> extended help details for one of those messages. It will indicate what service is being requested.

Tom
0
 
Razorking (Author) Commented:
tliotta,
Thanks for the replies. I am sure your assessment is correct. It's hard for me to imagine how or why they would target this machine, but I guess that is not relevant to the situation. I have attached an image of the F1.

Obviously I need to examine my firewall. Beyond that, any suggestions for things I can do on the 400 itself to discourage this type of activity?
F1.JPG
0

tliotta Commented:
Razorking:

Not surprisingly, that shows port 23 being accessed, which is telnet by default. You might want to watch for disabled profiles.

Numerous things can be done. I'm a little restricted by employment contract on what I should say (<disclaimer> my employer markets network security products </disclaimer>), but one obvious thing to do would be to set up 'Packet Rules' to filter out such requests from any IP addresses outside of your desired address ranges or subnets.

In iNav, expand your system down through Network-> IP Policies-> Packet Rules. Create a set of filters that blocks in-bound packets from addresses that you don't want connecting to your system.

Creating packet filters can be a little tricky -- I had no trouble locking myself out during my first tests a number of years ago; once locked out, it can be fun getting access to unlock things again. Start by reviewing everything about any 'sample .I3P file' that's available in the Rules Editor. Read and pay attention to the comments, especially warnings about the default DENY all traffic filter.

Create a test filter that allows everything from your local subnets and save it. Use it to create more restrictive test filters until you feel comfortable. Personally, before I activate a new IP packet filter, I usually add a RMVTCPTBL *IPFTR command to the job scheduler, scheduled to run a few minutes in the future, just in case.

Tom
0
 
Gary Patterson (VP Technology / Senior Consultant) Commented:
As far as "how", there are lots of tools available to allow attackers to scan an address or range of addresses, probe the systems and services found, enumerate network devices, and attempt various exploits to gain access to (or at least to identify) vulnerable systems.

As far as "why":

1) Someone may be targeting your company in particular, seeking to gain access to your systems and data and obtain confidential information (financials, price lists, customer lists, credit cards, etc.)

2) The system may have been detected in a routine scan.  The company that I work for provides security consulting and monitoring services to our clients, and we see constant scanning activity.  Now the attacker is attempting to gain access to the system (or has gained access and is seeking to elevate privileges).  Attackers routinely attempt to gain access to internet-connected systems in order to use those systems for a variety of purposes:
  • A jumping-off point to attack other systems within the service provider or corporate network.
  • A jumping-off point to attack other systems on the internet
  • To host files (warez, audio, video, etc) or services (ftp, http, proxies, spambots, DDOS clients)
  • Gain access to confidential information
  • Disrupt the operations of businesses or organizations
  • For sport
Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.  This could be due to a problem with your network security, or it could be a problem with the service provider that hosts the system for you - I've seen both.

Your EE profile shows Pacific Daylight Time.  If you are based in the US, and if your system has been breached, and there is the possibility that any individual's private information was accessed, you may have a legal obligation to report the breach to the affected individuals.  Penalties for failure to comply can be stiff.  Other countries have breach disclosure laws in place, too.

Since this is apparently a series of unauthorized access attempts, you should bring this potential breach to the attention of your management team, and take immediate measures to secure the system and determine the extent of the breach of system and network security.

Breach disclosure laws by state: http://www.ncsl.org/programs/lis/cip/priv/breachlaws.htm

- Gary Patterson
0
 
tliotta Commented:
Gary's comments are worth following up on. One comment in particular may be most important:

> Of course, if one system/service is exposed, it means that other systems and/or services may also be similarly exposed.

If it's really true that there is no "public" IP address -- e.g., only non-routable addresses are pointing at that system and no port-forwarding, etc., is happening -- then there is a very significant chance that some other system _has_ been compromised and is involved in your QSYSOPR messages.

Finding the compromised system(s?) will be important, to say the least.

Tom
0
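As an added triage example (not code from this thread or from IBM), the Python below groups "connection closed" messages like the ones in the screenshots by source address, labels the reason codes from Tom's first reply, and sorts sources into the trusted branch ranges, other non-routable addresses (Tom's "some other system has been compromised" case), and routable addresses. The message wording, the trusted subnet and the sample entries are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample QSYSOPR entries (the original post only shows a screenshot,
# so the exact message wording is an assumption); RFC 5737 documentation
# addresses stand in for the foreign sources the poster saw.
SAMPLE_LOG = [
    "TCP/IP connection to remote system 203.0.113.45 closed, reason code 2, local port 23",
    "TCP/IP connection to remote system 203.0.113.45 closed, reason code 2, local port 23",
    "TCP/IP connection to remote system 198.51.100.7 closed, reason code 3, local port 23",
    "TCP/IP connection to remote system 10.1.4.22 closed, reason code 3, local port 23",
    "TCP/IP connection to remote system 10.1.4.22 closed, reason code 2, local port 21",
    "TCP/IP connection to remote system 192.168.77.9 closed, reason code 2, local port 23",
]

# Assumed branch/MPLS ranges that are expected to reach the system.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

MSG_RE = re.compile(r"remote system (?P<ip>[\d.]+) closed, reason code (?P<rc>\d+), local port (?P<port>\d+)")
REASON = {2: "R2 retry threshold", 3: "keepalive timeout"}  # codes named in Tom's first reply

def classify(ip, trusted=TRUSTED_NETS):
    """trusted: expected peer; internal: non-routable address outside the trusted
    ranges (the 'another system is compromised' case); external: routable source."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in trusted):
        return "trusted"
    return "internal" if any(addr in net for net in RFC1918) else "external"

def triage(lines, trusted=TRUSTED_NETS):
    """Group connection-closed messages by source; flag untrusted sources hitting telnet."""
    by_src = defaultdict(lambda: {"count": 0, "ports": set(), "reasons": set()})
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # unrelated QSYSOPR message
        rec = by_src[m["ip"]]
        rec["count"] += 1
        rec["ports"].add(int(m["port"]))
        rec["reasons"].add(REASON.get(int(m["rc"]), "reason code " + m["rc"]))
    for ip, rec in by_src.items():
        rec["class"] = classify(ip, trusted)
        # Port 23 (telnet) reached from anywhere but a trusted range is a probe to chase.
        rec["flag"] = rec["class"] != "trusted" and 23 in rec["ports"]
    return dict(by_src)
```

Flagged "internal" sources deserve the first look, since a non-routable address that is not one of your own branches points at a compromised host inside the network rather than at the Internet.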