List:       mythtv-users
Subject:    Re: [mythtv-users] Weird mythsocket error messages on master / fixes/31
From:       John Hoyt <john.hoyt () gmail ! com>
Date:       2021-06-11 0:18:10
Message-ID: CAE8sghS3qhQ=QKV5E-VRvT0G9f4s=dO+TjxTdN=v3MkHZanRnQ () mail ! gmail ! com

Bill, thanks for the suggestion!

I finally figured out the cause - I forgot my IPS does a pseudo-random scan
of clients daily to check for vulnerabilities.  All of the "improper"
traffic traced back perfectly to the IPS and correlated perfectly to when
it ran over the past week.

On Sun, Jun 6, 2021 at 10:52 AM Bill Meek <keemllib@gmail.com> wrote:

> On 6/6/21 9:38 AM, John Hoyt wrote:
> >     I would guess that you have a hacker or some rogue process that is
> >     sending messages to your mythtv box. Is your port open to the internet?
> >     Port 6543 is normally the MythTV port. You can see these errors if
> >     you run telnet localhost 6534 and then type random junk into telnet. Each
> >     line of stuff you type will be reported as a protocol error in
> >     mythbackend (unless you by chance type a valid MythTV command :).
> >
> >
> > Thanks Peter.  This is interesting as I block port 6543 access from
> > outside my network - so that means the rogue client is inside somehow.  I'll
> > have to play around with some host firewall rules and VLAN firewall
> > rules to better determine the source.
> >
> > Would enabling more detailed mythtv log help show a source for the
> > socket connection?
>
> Another option:
>
> I'd shut down everything MythTV and fire up Wireshark on the backend
> (if possible).
>
> You might see more text like the OPTIONS TNMP DmnP GIOP fragments.
>
> --
> Bill
> _______________________________________________
> mythtv-users mailing list
> mythtv-users@mythtv.org
> http://lists.mythtv.org/mailman/listinfo/mythtv-users
> http://wiki.mythtv.org/Mailing_List_etiquette
> MythTV Forums: https://forum.mythtv.org
>
