Winamp & Shoutcast Forums

ClassicRox 15th February 2005 23:55

Hacking?
 
Over the last 3 days, I've been getting this kind of log entry:

<02/15/05@19:00:40> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:08:14> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:15:58> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:23:28> [source] invalid password from GET / HTTP/1.0 67.175.231.7

That's only a small portion of it. It seems to repeat itself every 7 1/2 to 8 minutes, as you can see by the log.

Is this someone trying to hack my admin password? If so, what should I do about it?

NumbCore 16th February 2005 11:26

Block the IP address?

NJK 16th February 2005 11:51

IP number 67.175.231.7 tracks back to:

OrgName: Comcast Cable Communications, IP Services
OrgID: CCCIS
Address: 1800 Bishops Gate Blvd.
City: Mount Laurel
StateProv: NJ
PostalCode: 08054-4628
Country: US

Below is the e-mail address to send a complaint about this IP address.

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName: Network Abuse and Policy Observance
OrgAbusePhone: +1-856-317-7272
OrgAbuseEmail: abuse@comcast.net

CraigF 16th February 2005 13:27

Hardly a case of contacting abuse. They are just hitting your shoutcast default page. Probably tracking your listener figures, or maybe song playing/history.

MegaRock 16th February 2005 18:46

Guess I should throw this into the thread. After the well known security hole in 1.9.4 I noticed that being a station with no on-demand programming there should be no attempts to connect to the /content/ directory without a reason.

I am seeing this a lot in my log files:

<02/14/05@00:00:11> [dest: 83.192.249.42] Invalid resource request( HTTP/1.0)
<02/14/05@00:00:14> [dest: 83.192.249.42] Invalid resource request( HTTP/1.0)
<02/14/05@00:00:15> [dest: 83.192.249.42] Invalid resource request( HTTP/1.0)
<02/14/05@00:00:15> [dest: 83.192.249.42] starting stream (UID: 597)[L: 7]{A: shoutcastsource}(P: 1)
<02/15/05@15:15:05> [dest: 193.179.245.70] Invalid resource request( HTTP/1.0)
<02/15/05@15:15:05> [dest: 193.179.245.70] Invalid resource request( HTTP/1.0)
<02/15/05@15:15:06> [dest: 193.179.245.70] starting stream (UID: 5983)[L: 69]{A: shoutcastsource}(P: 9)
<02/15/05@15:15:08> [dest: 193.179.245.70] connection closed (3 seconds) (UID: 5983)[L: 68]{Bytes: 24576}(P: 9)
<02/15/05@15:15:09> [dest: 193.179.245.70] starting stream (UID: 5984)[L: 69]{A: shoutcastsource}(P: 9)
<02/15/05@15:15:00> [dest: 193.179.245.70] Invalid resource request( HTTP/1.0)
<02/15/05@15:12:33> [dest: 193.179.245.70] Invalid resource request( HTTP/1.0)
<02/15/05@15:12:33> [dest: 193.179.245.70] starting stream (UID: 5969)[L: 69]{A: shoutcastsource}(P: 12)

The first thing I notice is the player name being 'shoutcastsource' which as far as I know is not a legitimate player. Since in my log files I can see what one would expect of someone trying to hack the server - first trying the /content/ hack then checking to see if the stream is still up before continuing.

As I can see this occurring over several days repeatedly, these are the kind of people I would report immediately, as it is either a person manually going through a list trying to knock servers offline or someone's computer infected with a virus or some type of worm, and again people who have infected computers deserve to be removed from the internet until they clean up their PCs.

What are your thoughts on this?

Jay 16th February 2005 23:10

Put your foil hats away. Someone is just connecting via a client on the source port. No hack attempt, just an idiot alert.

MegaRock 16th February 2005 23:28

...but my foil hat looks kewl!
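
Added example (not part of the original thread, and not SHOUTcast code): a small Python triage of the `[source] invalid password` lines quoted in the first post, grouping them by IP and separating a web client hitting the source port, as Jay describes, from a sender that changes the password on each try. The function name `summarize`, the three labels, and the reading of the text before the IP as the first line the client sent are assumptions; the 203.0.113.9 lines are constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Format quoted in the thread: <stamp> [source] invalid password from <text> <ip>
LINE = re.compile(
    r"^<(\d\d/\d\d/\d\d@\d\d:\d\d:\d\d)> \[source\] invalid password from "
    r"(.*) (\d{1,3}(?:\.\d{1,3}){3})$")
# Assumption: <text> is the first line the client sent in place of a password.
HTTP_REQ = re.compile(r"^(GET|HEAD|POST) \S+ HTTP/\d\.\d$")

# First four lines are from the thread; the 203.0.113.9 lines are constructed.
SAMPLE_LOG = """\
<02/15/05@19:00:40> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:08:14> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:15:58> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:23:28> [source] invalid password from GET / HTTP/1.0 67.175.231.7
<02/15/05@19:30:01> [source] invalid password from guess-a 203.0.113.9
<02/15/05@19:30:02> [source] invalid password from guess-b 203.0.113.9
<02/15/05@19:30:02> [source] invalid password from guess-c 203.0.113.9
<02/15/05@19:30:04> [source] invalid password from guess-d 203.0.113.9
"""

def summarize(log_text):
    """Group failed source logins by IP and label each sender's behaviour."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%y@%H:%M:%S")
            events[m.group(3)].append((ts, m.group(2)))
    report = {}
    for ip, hits in events.items():
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sent = {text for _, text in hits}
        if all(HTTP_REQ.match(t) for t in sent):
            kind = "http-client-on-source-port"   # a web client, not a source
        elif len(sent) > 1:
            kind = "varying-passwords"            # different text on each try
        else:
            kind = "repeated-wrong-password"      # same wrong value every time
        report[ip] = {"count": len(hits), "kind": kind,
                      "mean_gap_s": round(mean(gaps), 1) if gaps else None}
    return report

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

On the thread's own lines the mean gap comes out at 456 seconds, matching the "7 1/2 to 8 minutes" noted in the first post.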

