| Title: | DEC TCP/IP Services for OpenVMS |
| Notice: | Note 2-SSB Kits, 3-FT Kits, 4-Patch Info, 7-QAR System |
| Moderator: | ucxaxp.ucx.lkg.dec.com::TIBBERT |
| Created: | Thu Nov 17 1994 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 5568 |
| Total number of notes: | 21492 |
Cross posted from the OpenVMS conference.
<<< VAXAXP::NOTES$:[NOTES$LIBRARY]VMSNOTES.NOTE;1 >>>
-< VAX and Alpha VMS - Digital Internal Use Only >-
================================================================================
Note 358.0 Unknown access from Accounting 3 replies
TAINO::RFONSECA 30 lines 20-MAR-1997 15:40
--------------------------------------------------------------------------------
A customer is experiencing problems while trying to trace the origin of
certain users. He has enabled certain accounting entries in order to
record this activity. Below is a sample of one of the records in which
we are not sure the origin of the user:
LOGIN FAILURE
-------------
Username: <login> UIC: [SYSTEM,MANAGER]
Account: <login> Finish time: 11-MAR-1997 22:07:33.77
Process ID: 0000A45A Start time: 11-MAR-1997 22:06:25.91
Owner ID: Elapsed time: 0 00:01:07.85
Terminal name: NTY1785 Processor time: 0 00:00:00.07
Remote node addr: Priority: 4
Remote node name: TELNET Privilege <31-00>: FFFFFFFF
Remote ID: CE63DAE0:0581 Privilege <63-32>: FFFFFFFF
Remote full name:
Queue entry: Final status code: 10D380F4
Queue name:
Job name:
Final status text: %LOGIN-F-NOSUCHUSER, no such user
Page faults: 71 Direct IO: 9
Page fault reads: 7 Buffered IO: 57
Peak working set: 1392 Volumes mounted: 0
Peak page file: 36640 Images executed: 1
Is there a way in which we can trace this type of login access/failure?
There are lots of PCs around and they are using TCP/IP (Multinet) to
access the systems (VAXes/Alphas).
Thanks in advance.
================================================================================
Note 358.1 Unknown access from Accounting 1 of 3
XDELTA::HOFFMAN "Steve, OpenVMS Engineering" 22 lines 20-MAR-1997 16:43
-< Contact Multinet; Assess Threat and Value >-
--------------------------------------------------------------------------------
This is (apparently) a failed access initiated via a telnet connection.
Whether this is an innocent login failure or probe, or if this is a
serious security threat requires more context.
Your customer will need to contact Multinet and determine how to decode
the Multinet-generated "CE63DAE0:0581" field. This field *probably*
contains an IP address, or potentially an Ethernet/802.3 address. And
possibly some other information. Stuff useful in tracking the source...
(UCX logs information around login failures, as well.)
Network activity can be difficult to track, and hosts and remote users
can potentially be easy to spoof -- consider a network monitoring tool...
There are several different approaches to network monitoring, and there
are various tools available.
Also consider network segmentation and firewalls -- if this system is
a "target" for users at the site, or if this system is connected to the
Internet, seriously consider placing a firewall between this system and
the "threat".
================================================================================
Note 358.2 Unknown access from Accounting 2 of 3
AUSS::GARSON "DECcharity Program Office" 4 lines 20-MAR-1997 20:54
--------------------------------------------------------------------------------
re .0
It's probably an IP address and port number (both in hex) but only
Multinet can tell you.
================================================================================
Note 358.3 Unknown access from Accounting 3 of 3
TAINO::RFONSECA 9 lines 21-MAR-1997 15:29
-< 1st portion is IP address but 2nd ??? >-
--------------------------------------------------------------------------------
Spoke with the TCP guy and in fact the first part of the number is the
hex representation of the system/PC IP address. The second part, which
seems to be the port #, is what we don't know how to translate. Is
there a TCP/IP guru out there that might assist in this translation?
Will try to find a TCP conference and cross post it there.
Thanks for the replies...
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 5372.1 | full client communication end-point | COMEUP::SIMMONDS | loose canon | Sun Mar 23 1997 20:26 | 10 |
Re: .0
> Remote ID: CE63DAE0:0581 Privilege <63-32>: FFFFFFFF
^^^^^^^^
So Multinet confirmed this is the IP address of the TELNET Client, so
surely 0581 is the Hex representation of the Client PORT number, no??
(Remember that the Client will use an ephemeral port number for its
end-point.. the Server end uses the Well Known port number)
John.
| 5372.2 | info | BACHUS::ROELANDTS | Wa d'es ma da ve ne stuut | Mon Mar 24 1997 03:42 | 17 |
John,
This is the UCX conference, not the TGV Multinet conference, but
looking at the values:
CE63DAE0:0581 could be translated to IP address: 206.99.218.224
source port: 1409
In our TCP/IP implementation, I think there is a way to tell UCX to
show the hostnames instead of the IP-addresses.
Regards,
Guy
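A small decoder for the Remote ID field, read the way the thread's posters concluded (eight hex digits of IPv4 address, a colon, four hex digits of client port), run over a few accounting lines to tally login failures per source address. This is an added example, not code from the note or from UCX/Multinet; the field layout is the thread's inference, the "ephemeral port" heuristic is an assumption, and every Remote ID value other than CE63DAE0:0581 in the sample is constructed.

```python
import re
from collections import Counter

# Constructed sample, modelled on the LOGIN FAILURE accounting record quoted
# in .0. Only CE63DAE0:0581 comes from the thread; the other Remote IDs are made up.
SAMPLE_RECORDS = """\
Remote node name: TELNET Privilege <31-00>: FFFFFFFF
Remote ID: CE63DAE0:0581 Privilege <63-32>: FFFFFFFF
Final status text: %LOGIN-F-NOSUCHUSER, no such user
Remote ID: CE63DAE0:0590 Privilege <63-32>: FFFFFFFF
Final status text: %LOGIN-F-INVPWD, invalid password
Remote ID: 0A000105:0401 Privilege <63-32>: FFFFFFFF
Final status text: %LOGIN-F-NOSUCHUSER, no such user
"""

# Matches the Remote ID field wherever it appears on an accounting line.
REMOTE_ID_RE = re.compile(r"Remote ID:\s*([0-9A-Fa-f]{8}):([0-9A-Fa-f]{4})")


def decode_remote_id(remote_id):
    """Turn 'XXXXXXXX:PPPP' into ('a.b.c.d', port).

    Assumed layout (the thread's reading, not a documented format): the first
    eight hex digits are the four IPv4 octets in order, the last four are the
    16-bit client port.
    """
    addr_hex, sep, port_hex = remote_id.partition(":")
    if sep != ":" or len(addr_hex) != 8 or len(port_hex) != 4:
        raise ValueError(f"unexpected Remote ID format: {remote_id!r}")
    octets = [int(addr_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in octets), int(port_hex, 16)


def is_ephemeral_port(port):
    """Heuristic (assumption): ports above the well-known range are what a
    client end-point would use, as .1 in the thread argues."""
    return 1024 <= port <= 65535


def count_failures_by_source(text):
    """Count Remote ID occurrences per decoded source address."""
    counts = Counter()
    for match in REMOTE_ID_RE.finditer(text):
        ip, _port = decode_remote_id(f"{match.group(1)}:{match.group(2)}")
        counts[ip] += 1
    return counts


if __name__ == "__main__":
    ip, port = decode_remote_id("CE63DAE0:0581")
    print(f"CE63DAE0:0581 -> {ip} port {port} (ephemeral: {is_ephemeral_port(port)})")
    for src, n in count_failures_by_source(SAMPLE_RECORDS).most_common():
        print(f"{src}: {n} login failure(s)")
```

The tally is the defender's use of the field: once the address is decoded, repeated failures from one source stand out, and the port being in the ephemeral range (1409 here, rather than 0x0017 = 23, the telnet server port) is consistent with it being the client's end-point as the thread suggests.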