slp_srvreg error

I googled for this but all I got is that it is a malware. I'm not sure what I should be looking at, but this is what I have been getting on my syslog since March 31st after it was rebooted:

Mar 31 08:46:46 npidvnim01 user:debug syslog: libslp [139376]: decode_msg -- receive a SERVICE REQUEST message from 172.16.195.38.
Mar 31 08:46:46 npidvnim01 user:debug syslog: libslp : decode_srvrqst -- scopes match.
Mar 31 08:46:46 npidvnim01 user:debug syslog: libslp : decode_srvrqst -- No reply to send to this service request.
Mar 31 08:46:46 npidvnim01 user:debug syslog: libslp [139376]: decode_msg -- Message SERVICE REQUEST succefully computed.
Mar 31 08:46:46 npidvnim01 user:debug syslog: libslp [139376]: SLPServiceListener -- SELECT call with timeout = NULL.

Mar 31 08:51:56 npidvnim01 user:debug syslog: libslp : srv_reg_one -- start.
Mar 31 08:51:56 npidvnim01 user:debug syslog: libslp : srv_reg -- start.
Mar 31 08:51:56 npidvnim01 user:debug syslog: libslp : srv_reg -- prepare_srv_reg returns with slp code

Apr  6 15:13:12 npidvnim01 user:err|error syslog: slp_srvreg : All of 3 tries to launch the SLP service listener failed. slp_srvreg will exit.
Apr  6 15:13:17 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=10.10.1.11.
Apr  6 15:13:17 npidvnim01 user:err|error syslog: slp_srvreg : All of 3 tries to launch the SLP service listener failed. slp_srvreg will exit.
Apr  6 16:09:05 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=127.0.0.1.
Apr  6 16:09:05 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=127.0.0.1.
Apr  6 16:09:05 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=127.0.0.1.

root@npidvnim01 /var/adm # date; uname -a
Tue Apr  6 16:18:30 EET 2010
AIX npidvnim01 1 6 00CF18E34C00

Any idea...? :confused:

I don't know where you got this "malware" assumption from, but to me it looks more like a problem with the SLP configuration. Please explain what you are trying to do, what you have done and relevant documentation, for instance the contents of /etc/slp.conf

I hope this helps.

bakunin

Hi Bakunin

I didn't do anything, every single line in the conf file has been commented out:

# net.slp.maxResults 
# A 32 bit integer giving the maximum number of results to accumulate and return for a 
# synchronous request before the timeout, Positive integers and -1 are legal values.  
# If -1, indicates that all results should be returned. 
# Default value is -1. 
# for example:
# net.slp.maxResults = 35
      
# net.slp.useScopes 
# A value-list of strings indicating the only scopes a UA or SA  is allowed to use when 
# making requests or registering, or the scopes a DA must support. 
# Default: scope "DEFAULT" is used if no other information is available. 
# for example:
# net.slp.useScopes = david,bob
      
# net.slp.DAAddresses 
# A value-list of IP addresses or DNS resolvable host names giving the SLPv2 DAs to use for 
# statically configured UAs and SAs. 
# Default is none. 
# for example:
# net.slp.DAAddresses = 9.3.149.20, blahblah.ibm.com
      
# net.slp.isBroadcastOnly 
# A boolean indicating if broadcast should be used instead of multicast. 
# Default is false. So the default is multicast. 
# for example:
# net.slp.isBroadcastOnly = false
      
# net.slp.multicastTTL 
# A positive integer less than or equal to 255, giving the multicast TTL. 
# Default is 255 (in seconds). 
# for example:
# net.slp.multicastTTL = 255
      
# net.slp.DAActiveDiscoveryInterval 
# A 16 bit positive integer giving the number of seconds between DA active discovery queries.  
# If this parameter is set to zero, active discovery is turned off. This property corresponds 
# to the protocol specification parameter CONFIG_DA_FIND. 
# Default is 900  (in seconds). 
# for example:
# net.slp.DAActiveDiscoveryInterval = 1200
      
# net.slp.multicastMaximumWait 
# A 32 bit integer giving the maximum amount of time to perform multicast, in milliseconds. 
# This property corresponds to the CONFIG_MC_MAX parameter in the protocol specification. 
# Default is 15000  (in ms) 
# for example:
# net.slp.multicastMaximumWait = 10000
      
# net.slp.multicastTimeouts 
# A value-list of 32 bit integers used as timeouts, in milliseconds, to implement the multicast 
# convergence algorithm.  Each value specifies the time to wait before sending the next request. 
# This property corresponds to the CONFIG_MC_RETRY parameter in the protocol specification. 
# Default is: 3000,3000,3000,3000,3000 (in ms) 
# There is no limitation on the maximum number entries to be specified. However the total sum 
# of the entries can't be bigger than CONFIG_MC_RETRY (15000 in ms). 
# for example:
# net.slp.multicastTimeouts = 2000, 3000, 4000
      
# net.slp.DADiscoveryTimeouts 
# A value-list of 32 bit integers used as timeouts, in milliseconds, to implement the multicast 
# convergence algorithm during active DA discovery.  Each value specifies the time to wait 
# before sending the next request,This property corresponds to the protocol specification 
# parameter CONFIG_RETRY. 
# Default is:  2000,2000,2000,2000,3000,4000 (in ms) 
# There is no limitation on the maximum number entries to be specified. However the total sum 
# of the entries can't be bigger than CONFIG_RETRY (15000 in ms). 
# for example:
# net.slp.DADiscoveryTimeouts = 2000, 3000, 4000
      
# net.slp.datagramTimeouts 
# A value-list of 32 bit integers used as timeouts, in milliseconds, to implement unicast 
# datagram transmission to DAs.  The nth value gives the time to block waiting for a reply on 
# the nth try to contact the DA. The sum of these values is the protocol specification 
# property CONFIG_RETRY_MAX. 
# Default is: 2000, 2000, 2000, 2000, 3000, 4000 (in ms) 
# There is no limitation on the maximum number entries to be specified. However the total sum 
# of the entries can't be bigger than CONFIG_RETRY_MAX (15000 in ms).
# for example:
# net.slp.datagramTimeouts = 2000, 3000, 4000

# net.slp.SAAttributes
# A comma-separated list of parenthesized attribute/value list pairs that the SA must advertise 
# in SAAdverts.  The property must be in the SLP attribute list wire format, including escapes 
# for reserved characters.
# for example:
# net.slp.SAAttributes = (user=zaphod,trillian,roger,marvin)

# net.slp.interfaces
# Value-list of strings giving the IP addresses of network interfaces on which the DA or SA 
# should listen on port 427 for multicast, unicast UDP, and TCP messages.  Default is empty,
# i.e.  use the default network interface.
# for example:
# net.slp.interfaces = 9.3.149.20,9.3.149.50

config file was edited last year:

root@npidvnim01 /etc # ls -lrt sl*
-rw-rw-r--    1 root     system         5495 Feb 17 2009  slp.conf
-r-xr-xr-x    1 root     system         1155 Feb 17 2009  slip.logout
-r-xr-xr-x    1 root     system         1315 Feb 17 2009  slip.login
-rw-r--r--    1 root     system         1227 Feb 17 2009  slip.hosts
-rw-------    1 root     system            6 Apr 06 18:22 slp_srvreg.pid

All lines commented out means SLP is operating on defaults. First, I still don't get what you are trying to achieve. Maybe you don't need SLP at all (maybe you do, it is a prominent part of the mechanisms of IBM's System Director, I lack the data to have an opinion about this); in this case just shut it down like all the other services you don't need. (It is good practice in Unix to switch on only what is absolutely needed, unlike Windows, where only the things absolutely contradictory are being switched off.)

The log you posted looks like the usual startup messages followed by some failed attempt to communicate with another system (10.10.1.11?). To detect and pinpoint possible problems one would have to have intimate knowledge about your network, your environment in general, etc., etc. - too much, IMHO, to discuss it remotely on an internet board.

Getting some professional help who can lay hands on your environment is the best advice I can give you.

I hope this helps.

bakunin
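
Added example, not part of any post in this thread: a small triage script that summarises the libslp / slp_srvreg syslog lines by peer address, so the hosts sending SLP requests or registrations to the box can be compared with the hosts expected to do so. The function names are hypothetical, and the sample input is copied from the log lines quoted above (with the wrapped lines joined).

```shell
#!/bin/sh
# Sample input: lines taken from the syslog excerpt in this thread.
sample_log() {
cat <<'EOF'
Mar 31 08:46:46 npidvnim01 user:debug syslog: libslp [139376]: decode_msg -- receive a SERVICE REQUEST message from 172.16.195.38.
Apr  6 15:13:12 npidvnim01 user:err|error syslog: slp_srvreg : All of 3 tries to launch the SLP service listener failed. slp_srvreg will exit.
Apr  6 15:13:17 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=10.10.1.11.
Apr  6 15:13:17 npidvnim01 user:err|error syslog: slp_srvreg : All of 3 tries to launch the SLP service listener failed. slp_srvreg will exit.
Apr  6 16:09:05 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=127.0.0.1.
Apr  6 16:09:05 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=127.0.0.1.
Apr  6 16:09:05 npidvnim01 user:debug syslog: libslp : decode_srvreg -- __srv_reg_local returns with slp code = 0. make an ack to remote=127.0.0.1.
EOF
}

# slp_summary [FILE...]: reads syslog lines (stdin if no file is given) and
# prints "request IP N", "register IP N" and "listener_failures N".
slp_summary() {
    awk '
    /libslp|slp_srvreg/ {
        if (match($0, /message from [0-9.]+/)) {
            # peer that sent a service request to this host
            ip = substr($0, RSTART + 13, RLENGTH - 13)
            sub(/\.$/, "", ip)          # drop the sentence-ending dot
            req[ip]++
        } else if (match($0, /remote=[0-9.]+/)) {
            # peer whose service registration was acknowledged
            ip = substr($0, RSTART + 7, RLENGTH - 7)
            sub(/\.$/, "", ip)
            reg[ip]++
        } else if (/service listener failed/) {
            fail++
        }
    }
    END {
        for (ip in req) printf "request %s %d\n", ip, req[ip]
        for (ip in reg) printf "register %s %d\n", ip, reg[ip]
        printf "listener_failures %d\n", fail + 0
    }' "$@" | LC_ALL=C sort
}

sample_log | slp_summary
```

Any non-loopback address in the output that is not a known management or discovery host is worth checking before deciding whether SLP needs to run on the machine at all.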

I just used another tool to suppress the alerts... was some internal error... it's all fixed now... thanks for your help!