Old 1st March 2011, 15:08   #1
cuddles71
Senior Member
 
Join Date: Oct 2008
Posts: 104
Phantom DJ? Haunted sc_trans?

Ok, this is getting annoying, and weird.

I'm running sc_trans 2 beta 6 (last one that I've found to be stable), and for the last 2 hours, I've been watching this happen:

code:

2011-03-01 10:57:57 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:57:57 W msg:[titleupdate] no DJ connected
2011-03-01 10:58:58 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:58:58 W msg:[titleupdate] no DJ connected
2011-03-01 10:59:58 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 10:59:58 W msg:[titleupdate] no DJ connected
2011-03-01 11:01:00 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:01:00 W msg:[titleupdate] no DJ connected
2011-03-01 11:02:00 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:02:00 W msg:[titleupdate] no DJ connected
2011-03-01 11:03:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:03:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:04:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:04:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:05:01 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:05:01 W msg:[titleupdate] no DJ connected
2011-03-01 11:06:02 I msg:[titleupdate] receiving DJ metadata ""
2011-03-01 11:06:02 W msg:[titleupdate] no DJ connected



There's not even a DJ SCHEDULED right now! The default playlist is playing, station's running just fine, but the logs are getting filled up with that!

So am I haunted, or what?
Old 1st March 2011, 15:11   #2
thinktink
Forum King

Join Date: May 2009
Location: On the streets of Kings County, CA.
Posts: 3,012
It could be just some script kiddie with a port scanner who found your DJ port and is trying to figure out what it is. Temporarily block the port from the internet and see if it stops.

What port number do you have it set as?
Old 1st March 2011, 15:22   #3
cuddles71
It does indeed stop. As for what port, it's set to 8566.

Any way to log the IP that this is coming from?
Old 1st March 2011, 15:25   #4
thinktink
I'm not sure it's possible to get the IP from sc_trans directly even with the latest published build. You'll have to get the IP by some other means. Are you running it on *nix or Windows?
Old 1st March 2011, 15:28   #5
cuddles71
Ubuntu, latest build.
Old 1st March 2011, 15:33   #6
thinktink
k, unblock the port then open a new bash window/prompt/whatever it's called (I forgot.)

Run the following command in it:
netstat -tap | grep 8566

You will probably need to repeat that over and over until it catches it right at the exact time it's connected. When you do, don't act on it right away as it could be from some other legit service trying to use that port locally. Ignore hits from 127.0.0.1, localhost, your server name, and/or your LAN IP addresses. Post it here first so I can confirm it for you.
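The check described in the post above, as an added example that is not part of the original thread: it parses the numeric `netstat -pant` output format used later in the thread and lists remote peers on one local port, skipping loopback and LAN sources. The function names and the sample lines are constructed for illustration; `203.0.113.7` is a documentation address.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `netstat -pant` text on stdin and
# prints "count remote_ip" for peers of one local TCP port, busiest first.
# Loopback and private (RFC 1918) sources are skipped, as the post advises.
remote_peers() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4; sub(/^.*:/, "", lport)        # keep text after last ":"
            if (lport != port) next
            ip = $5
            sub(/:[0-9]+$/, "", ip)                   # drop the remote port
            sub(/^::ffff:/, "", ip)                   # IPv4-mapped form on tcp6 lines
            if (ip ~ /^127\./ || ip == "::1") next    # loopback
            if (ip ~ /^10\./ || ip ~ /^192\.168\./) next
            if (ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
            seen[ip]++
        }
        END { for (ip in seen) print seen[ip], ip }
    ' | sort -rn
}

# Poll once a second so short-lived connections are not missed.
# Live use (hypothetical helper): watch_port 8566
watch_port() {
    while sleep 1; do netstat -pant 2>/dev/null | remote_peers "$1"; done
}

# Constructed sample in `netstat -pant` layout (header line omitted).
SAMPLE='tcp 0 0 0.0.0.0:8566 0.0.0.0:* LISTEN 28161/sc_trans
tcp 0 0 192.168.254.3:8566 213.93.29.89:60319 TIME_WAIT -
tcp 0 0 192.168.254.3:8566 213.93.29.89:60388 TIME_WAIT -
tcp 0 0 127.0.0.1:8566 127.0.0.1:51000 ESTABLISHED 28161/sc_trans
tcp 0 0 192.168.254.3:8566 192.168.254.10:40222 ESTABLISHED 28161/sc_trans
tcp 0 0 192.168.254.3:22 203.0.113.7:50100 ESTABLISHED 900/sshd
tcp6 0 0 ::ffff:192.168.254.3:8566 ::ffff:203.0.113.7:50101 TIME_WAIT -'

printf '%s\n' "$SAMPLE" | remote_peers 8566
```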
Old 1st March 2011, 15:45   #7
cuddles71
Got a hit on the first try:

code:

transcoder1:~# netstat -tap | grep 8566
tcp 0 0 *:8566 *:* LISTEN 28161/sc_trans
tcp 0 0 transcoder1:8566 e29089.upc-e.chel:60180 TIME_WAIT -

Old 1st March 2011, 15:47   #8
thinktink
oops, hangon, gonna check something.
Old 1st March 2011, 15:50   #9
thinktink
Sorry, forgot an option on the command line.

Do the same thing as before except use this command:
netstat -pant | grep 8566

Sorry 'bout that.
Old 1st March 2011, 15:56   #10
cuddles71
No worries.

code:
transcoder1:~# netstat -pant | grep 8566
tcp 0 0 0.0.0.0:8566 0.0.0.0:* LISTEN 28161/sc_trans
tcp 0 0 192.168.254.3:8566 213.93.29.89:60319 TIME_WAIT -

Old 1st March 2011, 15:57   #11
thinktink
Bingo! k, hangon, lemme look that up.
Old 1st March 2011, 16:01   #12
thinktink
That IP is not on any peculiar DNSBLs. Just standard dynamic IP range checkers.

Type in on the same bash window this:
sudo iptables -A INPUT -s 213.93.29.89 -p tcp --destination-port 8566 -j DROP



code:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '213.93.0.0 - 213.93.127.255'
inetnum: 213.93.0.0 - 213.93.127.255
netname: UPC-NL
descr: CPE Customers NL
country: NL
admin-c: HMCB1-RIPE
tech-c: HMCB1-RIPE
status: ASSIGNED PA
remarks: Contact XXXXX@upc.nl concerning criminal
remarks: activities like spam, hacks, portscans
mnt-by: CHELLO-MNT
source: RIPE # Filtered
role: Hostmaster Chello Broadband
address: UPC Broadband
address: Internet Services
address: Erlachgasse 116
address: A-1100 Vienna
address: Austria
phone: +43 1 96068 5000
fax-no: +43 1 96068 5666
e-mail: XXXXXXXXXX@chello.at
admin-c: SB666-RIPE
tech-c: SB666-RIPE
tech-c: MS2509-RIPE
nic-hdl: HMCB1-RIPE
mnt-by: CHELLO-MNT
source: RIPE # Filtered

% Information related to '213.93.0.0/16AS6830'
route: 213.93.0.0/16
descr: NL-CHELLO-20000509
origin: AS6830
mnt-by: AS6830-MNT
source: RIPE # Filtered

% Information related to '213.93.0.0/17AS8209'
route: 213.93.0.0/17
descr: UPC.nl Network Services
descr: Chello.nl Customers
descr: The Netherlands
origin: AS8209
mnt-by: UPCNL-MNT
source: RIPE # Filtered

% Information related to '213.93.0.0/17AS6830'
route: 213.93.0.0/17
descr: UPC.nl Network Services
descr: Chello.nl Customers
descr: The Netherlands
origin: AS6830
mnt-by: AS6830-MNT
source: RIPE # Filtered

Old 1st March 2011, 16:02   #13
cuddles71
Same result I got. So, block and report?
Old 1st March 2011, 16:08   #14
thinktink
Did you run the new command I gave you? It should have blocked the IP.

And yes, if you like, go ahead and report it, though the robtex output I posted has the actual e-mail address obfuscated partially, so you'll need to run the robtex query on the IP address yourself (or just do a "whois 213.93.29.89" in the bash window to get it.) I stopped reporting a while ago. Really wasn't getting any satisfaction out of reporting random stuff like that but still, you can if you want to.

I would recommend just blocking the IP and be done with it.
Old 1st March 2011, 16:14   #15
cuddles71
Well, it didn't block it, since it's still going on.

As for reporting, I have about an 80% success rate, as long as the offending IP isn't in China. Of course, that's from SSH attacks.
Old 1st March 2011, 16:18   #16
thinktink
Odd, try this one:
sudo iptables -I INPUT -s 213.93.29.89 -p tcp --destination-port 8566 -j DROP

[EDIT /]
Oops, change the -A to -I
Old 2nd March 2011, 13:33   #17
cuddles71
Okay, found out a few things. That IP actually belongs to one of our DJs. We can't figure out WHY it's trying to connect repeatedly with no metadata though!
Old 2nd March 2011, 13:40   #18
DrO
 
Join Date: Sep 2003
Posts: 27,873
sounds like an issue with the SC source they're trying to use. is it known what it is?

-daz
Old 3rd March 2011, 13:25   #19
cuddles71
I -think- she uses SAM. But her computer wasn't even on until a bit before her show.