LISTSERV - HP3000-L Archives

HP3000-L Archives

November 2005, Week 4

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L November 2005, Week 4

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	JINETD message
From:	James Hofmeister <[log in to unmask]>
Reply To:	James Hofmeister <[log in to unmask]>
Date:	Mon, 28 Nov 2005 12:48:35 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (65 lines)

Hello John, all,

It sounds like some one has installed a system/network monitoring 
application that uses FTP to determine system availability.

It is likely that this tool is initiating a FTP/TCP connection sending a 
SYN, then receives a SYN/ACK and then replies with a RESET.

The INETD job is successfully forking off a FTPSRVR as per the $stdlist 
messages "Received call for: ftp tcp" and "inetd: fork succeeded" but the 
connection is terminated before FTP can complete an open.

The console message "9:42/#J494/89/FTP CLOSE" should of been followed by an 
IP address, it seems that we found a corner case here where it is not able 
to achieve that information.

As a workaround, the console messages can be turned off in SETPARMS.ARPA.SYS 
as documented in FTPDOC.ARPA.SYS.

If you can contact the HP-RC, I would be interested in seeing a TCP trace of 
this .


The warranty and liability expired as you read this message.
If the above breaks your system, it's yours and you keep both pieces.

Regards,
James Hofmeister
Email: <first>.<last>@hp.com
Hewlett Packard - Global Solutions Engineering (WTEC)
P.S. My Ideals are my own, not necessarily my employers.

> Yesterday we started getting thousands of the
> following in the STDLIST for JINETD:
>
> 5074 Received call for: ftp tcp
> 5075 inetd: fork succeeded
> 5078 Received call for: ftp tcp
> 5079 inetd: fork succeeded
> 5082 Received call for: ftp tcp
> 5083 inetd: fork succeeded
> 5086 Received call for: ftp tcp
> 5087 inetd: fork succeeded
> 5090 Received call for: ftp tcp
> 5091 inetd: fork succeeded
>
> and the following on the console from JINETD:
>
> 9:42/#J494/89/FTP CLOSE
>
> about every minute. This is happening on both our
> production system and our shadow and development
> system. Both on the same network. Anyone have any idea
> where these are coming from or what is generating
> them? FTPs are all working okay (at lease as far as we
> can tell) and we do not have the volume of FTPs to be
> generating this many messages. Any suggestions would
> be appreaciated.

> John Bawden
> QualChoice 

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

ATOM RSS1 RSS2

RAVEN.UTC.EDU