Security Incidents mailing list archives

Re: tcp port 8000 from ss06.live365.com


From: gr () ECLIPSED NET (gabriel rosenkoetter)
Date: Wed, 24 May 2000 16:10:48 -0400


live365.com is, as you mention, an online radio station.

It would appear, at a glance, to be broadcasting streaming mp3s (their
browser detect presumes I'm a mac because I'm not a Windows box,
cute).

This means that you've got a user in your domain using some
appropriate client to request streaming audio, and the server's
response chokes at your firewall. In my experience, you've got a
couple of days max before someone comes to you asking why they can't
make RealPlayer play this cool new web radio station.

I suppose a live365.com server could have been compromised, but
without some more evidence of a real attack attempt, that doesn't seem
likely.

       ~ g r @ eclipsed.net

On Tue, May 23, 2000 at 09:11:45PM +0200, Robert Joosten wrote:
Hi,

My firewall blocked quite a few connection attempts to port 8000 (I've seen
iRDMI listed; still don't know what that is ;(.

One log example:
"23/05/2000 20:41:10.029738 tun0 @0:13 b ss06.live365.com,45514 ->
ipxxx-xx-xxx-xxx.xxx.wirehub.net,8000 PR tcp len 20 44 -S IN"

The block did occur at: 20:41:06, 20:41:10, 20:41:16, 20:41:29, 20:41:58
and 20:42:51.

I've never seen such an attempt before. www.live365.com seemed to be home of
a broadcast station. My syslog maps IP > address and I don't have captured
data-packet to look at right now.

Has anyone seen similar attempts logged, or can anyone tell me what that port is used for?

r,
-= Robert
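
Added example, not part of either message: a Python triage of the blocked-SYN pattern described in the post. It parses the quoted log line and groups blocks by source and destination port, to separate one connection being retried from a sweep of many ports. The regex is fitted to that single quoted line; that all six blocks shared source port 45514 is an assumption (the post shows only one line), and the probe.example lines are constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fitted to the one log line quoted in the post; other ipmon output may differ.
LINE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d+) (?P<ifc>\S+) @\S+ (?P<act>\w) '
    r'(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) '
    r'PR (?P<proto>\w+) len \d+ \d+ -(?P<flags>[A-Z]+) (?P<dir>IN|OUT)')

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%m/%Y %H:%M:%S.%f')
    return rec

def triage(lines):
    """Group blocked bare SYNs by (src, sport, dst, dport) and describe each group."""
    flows = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec['act'] == 'b' and rec['flags'] == 'S':
            flows[(rec['src'], rec['sport'], rec['dst'], rec['dport'])].append(rec['ts'])
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [round((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        # Same 4-tuple repeated with non-shrinking gaps is what a sender's TCP stack
        # produces when it retransmits the SYN of a single connection attempt.
        backoff = len(gaps) >= 2 and all(y >= x for x, y in zip(gaps, gaps[1:]))
        report[key] = {'count': len(stamps), 'gaps': gaps, 'retransmit_like': backoff}
    return report

# Constructed sample: the quoted line replicated at the six block times the post lists.
TIMES = ['20:41:06', '20:41:10', '20:41:16', '20:41:29', '20:41:58', '20:42:51']
SAMPLE = [f'23/05/2000 {t}.029738 tun0 @0:13 b ss06.live365.com,45514 -> '
          f'ipxxx-xx-xxx-xxx.xxx.wirehub.net,8000 PR tcp len 20 44 -S IN'
          for t in TIMES]
# Constructed contrast: a hypothetical host sending one SYN each to three ports.
SAMPLE += [f'23/05/2000 20:50:0{i}.000000 tun0 @0:13 b probe.example,{40000 + i} -> '
           f'ipxxx-xx-xxx-xxx.xxx.wirehub.net,{p} PR tcp len 20 44 -S IN'
           for i, p in enumerate((21, 23, 80))]

if __name__ == '__main__':
    for flow, info in triage(SAMPLE).items():
        print(flow, info)
```

With the listed times the gaps come out as 4, 6, 13, 29 and 53 seconds on a single flow, while the contrast host yields three one-packet flows.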

