Phantom DJ? Haunted sc_trans?


cuddles71
1st March 2011, 15:08
Ok, this is getting annoying, and weird.

I'm running sc_trans 2 beta 6 (last one that I've found to be stable), and for the last 2 hours, I've been watching this happen:


2011-03-01 10:57:57 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:57:57 W msg:[titleupdate] no DJ connected
2011-03-01 10:58:58 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:58:58 W msg:[titleupdate] no DJ connected
2011-03-01 10:59:58 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:59:58 W msg:[titleupdate] no DJ connected
2011-03-01 11:01:00 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:01:00 W msg:[titleupdate] no DJ connected
2011-03-01 11:02:00 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:02:00 W msg:[titleupdate] no DJ connected
2011-03-01 11:03:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:03:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:04:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:04:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:05:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:05:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:06:02 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:06:02 W msg:[titleupdate] no DJ connected


There's not even a DJ SCHEDULED right now! The default playlist is playing, station's running just fine, but the logs are getting filled up with that!

So am I haunted, or what?
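The log excerpt above shows the same pair of lines recurring roughly once a minute. As an added example (not from this thread, nor from sc_trans itself), here is a small Python parser for that sc_trans 2 log format that groups the "no DJ connected" warnings into runs and reports how many there were and how regularly they arrived; a steady 60-second cadence with empty metadata points at an automated client retrying rather than a person. The sample log is the one quoted in the post, copied in as constructed input; the thresholds (minimum run length, maximum gap) are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the sc_trans 2 log lines quoted in the first post.
SAMPLE_LOG = """\
2011-03-01 10:57:57 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:57:57 W msg:[titleupdate] no DJ connected
2011-03-01 10:58:58 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:58:58 W msg:[titleupdate] no DJ connected
2011-03-01 10:59:58 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:59:58 W msg:[titleupdate] no DJ connected
2011-03-01 11:01:00 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:01:00 W msg:[titleupdate] no DJ connected
2011-03-01 11:02:00 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:02:00 W msg:[titleupdate] no DJ connected
2011-03-01 11:03:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:03:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:04:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:04:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:05:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:05:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:06:02 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:06:02 W msg:[titleupdate] no DJ connected
"""

# "<date> <time> <level> msg:[<module>] <text>" as seen in the quoted log.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'(?P<level>[IWE]) msg:\[(?P<module>[^\]]+)\] (?P<text>.*)$'
)


def parse_line(line):
    """Parse one sc_trans log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "level": m.group("level"),
        "module": m.group("module"),
        "text": m.group("text"),
    }


def no_dj_events(log_text):
    """Timestamps of every 'no DJ connected' warning from the titleupdate module."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["module"] == "titleupdate" and rec["text"] == "no DJ connected":
            events.append(rec["ts"])
    return events


def _summarise(run):
    # Median spacing between consecutive warnings in the run, in seconds.
    gaps = sorted((b - a).total_seconds() for a, b in zip(run, run[1:]))
    median = gaps[len(gaps) // 2] if gaps else 0.0
    return (run[0], run[-1], len(run), median)


def detect_phantom_dj(log_text, min_events=3, max_gap_seconds=120):
    """Group 'no DJ connected' warnings into runs where consecutive warnings are
    at most max_gap_seconds apart; keep runs with at least min_events warnings.
    Returns a list of (first_ts, last_ts, count, median_gap_seconds)."""
    runs, run = [], []
    for ts in no_dj_events(log_text):
        if run and (ts - run[-1]).total_seconds() > max_gap_seconds:
            if len(run) >= min_events:
                runs.append(_summarise(run))
            run = []
        run.append(ts)
    if len(run) >= min_events:
        runs.append(_summarise(run))
    return runs


if __name__ == "__main__":
    for first, last, count, median in detect_phantom_dj(SAMPLE_LOG):
        print(f"{count} 'no DJ connected' warnings from {first} to {last}, "
              f"median spacing {median:.0f}s")
```

On the quoted excerpt this reports one run of nine warnings between 10:57:57 and 11:06:02 with a median spacing of 61 seconds, which is the cadence of a client on a fixed retry timer rather than of someone clicking "connect" by hand.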

thinktink
1st March 2011, 15:11
It could be just some script kiddie with a port scanner who found your DJ port and is trying to figure out what it is. Temporarily block the port from the internet and see if it stops.

What port number do you have it set as?

cuddles71
1st March 2011, 15:22
It does indeed stop. As for what port, it's set to 8566.

Any way to log the IP that this is coming from?

thinktink
1st March 2011, 15:25
I'm not sure it's possible to get the IP from sc_trans directly even with the latest published build. You'll have to get the IP by some other means. Are you running it on *nix or Windows?

cuddles71
1st March 2011, 15:28
Ubuntu, latest build.

thinktink
1st March 2011, 15:33
k, unblock the port then open a new bash window/prompt/whatever it's called (I forgot.)

Run the following command in it:
netstat -tap | grep 8566

You will probably need to repeat that over and over until it catches it right at the exact time it's connected. When you do, don't act on it right away as it could be from some other legit service trying to use that port locally. Ignore hits from 127.0.0.1, localhost, your server name, and/or your LAN IP addresses. Post it here first so I can confirm it for you.

cuddles71
1st March 2011, 15:45
Got a hit on the first try:


transcoder1:~# netstat -tap | grep 8566
tcp 0 0 *:8566 *:* LISTEN 28161/sc_trans
tcp 0 0 transcoder1:8566 e29089.upc-e.chel:60180 TIME_WAIT -

thinktink
1st March 2011, 15:47
oops, hangon, gonna check something.

thinktink
1st March 2011, 15:50
Sorry, forgot an option on the command line.

Do the same thing as before except use this command:
netstat -pant | grep 8566

Sorry 'bout that.

cuddles71
1st March 2011, 15:56
No worries.

transcoder1:~# netstat -pant | grep 8566
tcp 0 0 0.0.0.0:8566 0.0.0.0:* LISTEN 28161/sc_trans
tcp 0 0 192.168.254.3:8566 213.93.29.89:60319 TIME_WAIT -
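The advice a few posts up was to repeat `netstat` until a connection shows up and then ignore hits from 127.0.0.1, localhost, the server's own name and LAN addresses. As an added example (not from this thread, nor from sc_trans), here is that filtering done in Python over `netstat -pant` output: it parses the rows, keeps only sockets on the DJ port, drops the LISTEN row and any loopback, RFC 1918 or link-local peer, and returns the remaining remote addresses so the same check can be run repeatedly from a script instead of by eye. The sample output is the one quoted above, copied in as constructed input with netstat's header lines and two made-up local connections added so the filter has something to discard.

```python
import ipaddress

# Constructed sample: the `netstat -pant` rows quoted in the thread, plus the
# header lines netstat prints and two invented local connections.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8566            0.0.0.0:*               LISTEN      28161/sc_trans
tcp        0      0 192.168.254.3:8566      213.93.29.89:60319      TIME_WAIT   -
tcp        0      0 127.0.0.1:8566          127.0.0.1:41022         ESTABLISHED 28161/sc_trans
tcp        0      0 192.168.254.3:8566      192.168.254.10:50001    ESTABLISHED 28161/sc_trans
"""


def split_endpoint(endpoint):
    """Split 'host:port' as printed by netstat -n into (host, port).
    rpartition keeps IPv6 hosts such as '::1' intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Turn `netstat -pant` output into one dict per TCP socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue  # header lines or non-TCP rows
        local_host, local_port = split_endpoint(parts[3])
        foreign_host, foreign_port = split_endpoint(parts[4])
        rows.append({
            "proto": parts[0],
            "local_host": local_host,
            "local_port": local_port,
            "foreign_host": foreign_host,
            "foreign_port": foreign_port,
            "state": parts[5],
            "program": parts[6] if len(parts) > 6 else "-",
        })
    return rows


def is_local_peer(host):
    """True for peers to ignore: loopback, RFC 1918 LAN, link-local, unspecified.
    netstat -n prints only numeric addresses; anything unparseable is treated
    as not a remote peer rather than reported."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def remote_peers(text, port):
    """Remote peers with a socket to local TCP port `port`, as a sorted list of
    (peer_ip, state). The LISTEN row is skipped because its foreign address
    is the wildcard 0.0.0.0:*."""
    seen = set()
    for row in parse_netstat(text):
        if row["local_port"] != str(port) or row["foreign_port"] == "*":
            continue
        if is_local_peer(row["foreign_host"]):
            continue
        seen.add((row["foreign_host"], row["state"]))
    return sorted(seen)


if __name__ == "__main__":
    for peer, state in remote_peers(SAMPLE_NETSTAT, 8566):
        print(f"remote peer {peer} on port 8566 ({state})")
```

On the sample this leaves exactly one entry, 213.93.29.89 in TIME_WAIT, which matches what the thread concluded by hand; the loopback and 192.168.254.x rows are the kind of local hits the earlier post says to ignore.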

thinktink
1st March 2011, 15:57
Bingo! k, hangon, lemme look that up.

thinktink
1st March 2011, 16:01
That IP is not on any peculiar DNSBLs. Just standard dynamic IP range checkers.

Type in on the same bash window this:
sudo iptables -A INPUT -s 213.93.29.89 -p tcp --destination-port 8566 -j DROP



% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '213.93.0.0 - 213.93.127.255'
inetnum: 213.93.0.0 - 213.93.127.255
netname: UPC-NL
descr: CPE Customers NL
country: NL
admin-c: HMCB1-RIPE
tech-c: HMCB1-RIPE
status: ASSIGNED PA
remarks: Contact XXXXX@upc.nl concerning criminal
remarks: activities like spam, hacks, portscans
mnt-by: CHELLO-MNT
source: RIPE # Filtered
role: Hostmaster Chello Broadband
address: UPC Broadband
address: Internet Services
address: Erlachgasse 116
address: A-1100 Vienna
address: Austria
phone: +43 1 96068 5000
fax-no: +43 1 96068 5666
e-mail: XXXXXXXXXX@chello.at
admin-c: SB666-RIPE
tech-c: SB666-RIPE
tech-c: MS2509-RIPE
nic-hdl: HMCB1-RIPE
mnt-by: CHELLO-MNT
source: RIPE # Filtered

% Information related to '213.93.0.0/16AS6830'
route: 213.93.0.0/16
descr: NL-CHELLO-20000509
origin: AS6830
mnt-by: AS6830-MNT
source: RIPE # Filtered

% Information related to '213.93.0.0/17AS8209'
route: 213.93.0.0/17
descr: UPC.nl Network Services
descr: Chello.nl Customers
descr: The Netherlands
origin: AS8209
mnt-by: UPCNL-MNT
source: RIPE # Filtered

% Information related to '213.93.0.0/17AS6830'
route: 213.93.0.0/17
descr: UPC.nl Network Services
descr: Chello.nl Customers
descr: The Netherlands
origin: AS6830
mnt-by: AS6830-MNT
source: RIPE # Filtered

cuddles71
1st March 2011, 16:02
Same result I got. So, block and report?

thinktink
1st March 2011, 16:08
Did you run the new command I gave you? It should have blocked the IP.

And yes, if you like, go ahead and report it, though the robtex output I posted has the actual e-mail address partially obfuscated, so you'll need to run the robtex query on the IP address yourself (or just do a "whois 213.93.29.89" in the bash window to get it). I stopped reporting a while ago. Really wasn't getting any satisfaction out of reporting random stuff like that, but still, you can if you want to.

I would recommend just blocking the IP and be done with it.

cuddles71
1st March 2011, 16:14
Well, it didn't block it, since it's still going on.

As for reporting, I have about an 80% success rate, as long as the offending IP isn't in China. Of course, that's from SSH attacks.

thinktink
1st March 2011, 16:18
Odd, try this one:
sudo iptables -I INPUT -s 213.93.29.89 -p tcp --destination-port 8566 -j DROP

[EDIT /]
Oops, change the -A to -I

cuddles71
2nd March 2011, 13:33
Okay, found out a few things. That IP actually belongs to one of our DJs. We can't figure out WHY it's trying to connect repeatedly with no metadata though!

DrO
2nd March 2011, 13:40
sounds like an issue with the SC source they're trying to use. is it known what it is?

-daz

cuddles71
3rd March 2011, 13:25
I -think- she uses SAM. But her computer wasn't even on until a bit before her show.