Security Incidents mailing list archives
Re: tcp port 8000 from ss06.live365.com
From: gr () ECLIPSED NET (gabriel rosenkoetter)
Date: Wed, 24 May 2000 16:10:48 -0400
live365.com is, as you mention, an online radio station. It would appear, at a glance, to be broadcasting streaming mp3s (their browser detect presumes I'm a mac because I'm not a Windows box, cute). This means that you've got a user in your domain using some appropriate client to request streaming audio, and the servers response chokes at your firewall. In my experience, you've got a couple of days max before someone comes to you asking why they can't make RealPlayer play this cool new web radio station. I suppose a live365.com server could have been compromised, but without some more evidence of a real attack attempt, that doesn't seem likely. ~ g r @ eclipsed.net On Tue, May 23, 2000 at 09:11:45PM +0200, Robert Joosten wrote:
Hi, My firewall blocked quite a few connection attempts to port 8000 (I've seen iRDMI listed; still don't know what that is ;(. One log example: "23/05/2000 20:41:10.029738 tun0 @0:13 b ss06.live365.com,45514 -> ipxxx-xx-xxx-xxx.xxx.wirehub.net,8000 PR tcp len 20 44 -S IN" The block did occure at: 20:41:06, 20:41:10, 20:41:16, 20:41:29, 20:41:58 and 20:42:51. I've never seen such a attempt before. www.live365.com seemed to be home of a broadcast station. my syslog maps IP > addres and I don't have captured data-packet to look at right now. Anyone has seen simular attempts logged or tell me what that port is used for ? r, -= Robert
Current thread:
- tcp port 8000 from ss06.live365.com Robert Joosten (May 23)
- Re: tcp port 8000 from ss06.live365.com meijin (May 24)
- Re: tcp port 8000 from ss06.live365.com gabriel rosenkoetter (May 24)
- Word Virus? Joseph Addison (May 24)
- <Possible follow-ups>
- Re: tcp port 8000 from ss06.live365.com Alex McCubbin (May 24)