Tweet
Security Incident with Spool Files
Someone's output queue got cleared out by a user apparently. Thanks to dspjrn/QAUDJRN I was able to output spool file data to a helpful QASYSFJ5-type outfile. I saw all the entries labeled as 'D' for a delete, and what IP it came from, user profile, etc. It was pretty darn neat.
Firstly, I'm just trying to wrap my head around how the user did it.
The job name is NOT from a typical workstation ID/device description, but it's coming from a "QZRCSRVS" job running under QUSER according to the log generated. I was thinking they deleted the files using System i Navigator because the user did say their i Nav froze up while "clearing" out old stuff apparently.
I did try recreating this by deleting a spool file from a test outq. When I ran dspjrn to excitedly see what happened I noticed the job name was different - showing up in log as "QNPSERVS" under QUSER.
- From what I gather "QZRCSRVS" is for remote commands. Could the user tried a remote command? User profile itself has limited capability with locked down menu.
- Am I chasing after nothing, and this is simply System i Nav doing its thing?
- I did try a dsplog and seeing when this "QZRCSRVS" came onto the system, I do see job getting started by the user and nothing else interesting
- I did try looking at QAUDJRN for any specific commands entered, and the job did not show up, so I can't tell what commands were launched - if any
Other than that, I think I've hit a rock wall with digging deeper into this little incident. Part of me thinks it was just System i Nav, other part of me thinks another process took over and made it look like the poor fellow did something wrong, who knows. Thanks for reading!
Firstly, I'm just trying to wrap my head around how the user did it.
The job name is NOT from a typical workstation ID/device description, but it's coming from a "QZRCSRVS" job running under QUSER according to the log generated. I was thinking they deleted the files using System i Navigator because the user did say their i Nav froze up while "clearing" out old stuff apparently.
I did try recreating this by deleting a spool file from a test outq. When I ran dspjrn to excitedly see what happened I noticed the job name was different - showing up in log as "QNPSERVS" under QUSER.
- From what I gather "QZRCSRVS" is for remote commands. Could the user tried a remote command? User profile itself has limited capability with locked down menu.
- Am I chasing after nothing, and this is simply System i Nav doing its thing?
- I did try a dsplog and seeing when this "QZRCSRVS" came onto the system, I do see job getting started by the user and nothing else interesting
- I did try looking at QAUDJRN for any specific commands entered, and the job did not show up, so I can't tell what commands were launched - if any
Other than that, I think I've hit a rock wall with digging deeper into this little incident. Part of me thinks it was just System i Nav, other part of me thinks another process took over and made it look like the poor fellow did something wrong, who knows. Thanks for reading!
Comment