DJ-Zath
Joined: 11 Feb 2009 Posts: 155 Location: Western Illinois - USA
Posted: Fri Oct 10, 2014 7:33 pm Post subject: possible exploit(s) in Icecast?
hi Karl and gang!
I think there may be a possible "back door" in Icecast..
last night, I was hosting a hip-hop/house show (scheduled broadcast) that raked-in a few hundred listeners.. (a huge gig outta Chicago)
...at which point, the mounts were "reset" and the source client and studio were KICKED by "admin"...
connection "admin" came in on a spoofed IP that resolved out of Russia!
this, of course, dumped the streams off my network..
I have had this happen a few times before, too.. and I tried resetting the admin password, getting a new host, setting up new servers and all that...
it seems that as soon as I acquire a few hundred or so listeners, some other station (from the YP directory/Russia?) somehow comes into icecast and resets all the streams and knocks me off the air momentarily- enough to lose the listeners!
I have even changed host providers and got one with clean-pipe service and all.. this is NOT a simple DDoS attack...
someone's logging into icecast and resetting the mounts and dumping my broadcasts!
I have another HUGE scheduled broadcast planned for Oct 31st and I would like this resolved by then, otherwise, I see another incident occurring; it's quite frustrating to have this happen most EVERY time I start gaining a public!
-DjZ-
karlH Code Warrior
Joined: 13 Jun 2005 Posts: 5476 Location: UK
Posted: Fri Oct 10, 2014 10:48 pm
I presume from the description that icecast is not stopping, just that some request comes in and manages to drop the streams. If so then what log information do you have?
karl.
dm8tbr
Joined: 09 Feb 2013 Posts: 45 Location: icecast.org
Posted: Sun Oct 19, 2014 7:19 am Post subject: Re: possible exploit(s) in Icecast?
DJ-Zath wrote:
I think there may be a possible "back door" in Icecast..
Certainly not intentional. Also I closed some security issues in the past, so if you are running 2.4.0, then there is currently no known problem.
DJ-Zath wrote:
...at which point, the mounts were "reset" and the source client and studio were KICKED by "admin"...
connection "admin" came in on a spoofed IP that resolved out of Russia!
Please provide full logs, both access.log and error.log and whatever other useful information you have, for the time of the incident. If there is something exploitable in the Icecast version you are running, then everything is relevant and we need unfiltered and unmodified logs for the time of the whole streaming event. We'll also need the full Icecast config XML file.
Due to the sensitive nature of this I'd ask you to provide this by email to either webmaster@xiph.org or directly to me thomas [that sign thing] ruecker [dött] fi (there is a GPG key for that address). I'll then share this securely with the rest of the Icecast development team and also with Karl.
Cheers
Thomas
Icecast maintainer
PS: Please make sure your admin password isn't "hackme" or something trivial.
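Added example, not part of the thread and not Icecast project code: one way to triage the access.log requested above is to pull out the admin requests that drop a source or listeners and count accepted versus rejected attempts per client IP. It assumes Icecast's combined-style access.log layout and its documented /admin/killsource, /admin/killclient and /admin/moveclients endpoints; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Documented Icecast admin endpoints that drop a source or move/kick listeners.
DISRUPTIVE = {"/admin/killsource", "/admin/killclient", "/admin/moveclients"}

# Assumed combined-log-style layout: ip ident user [ts] "METHOD target proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2014:19:01:12 -0500] "GET /live HTTP/1.1" 200 48211 "-" "VLC/2.1.5" 340
203.0.113.9 - - [10/Oct/2014:19:02:40 -0500] "GET /admin/killsource?mount=/live HTTP/1.1" 401 360 "-" "curl/7.38.0" 0
203.0.113.9 - admin [10/Oct/2014:19:02:44 -0500] "GET /admin/killsource?mount=/live HTTP/1.1" 200 412 "-" "curl/7.38.0" 0
192.0.2.20 - admin [10/Oct/2014:19:05:00 -0500] "GET /admin/stats HTTP/1.1" 200 9120 "-" "Mozilla/5.0" 0
garbage line that does not parse
"""

def disruptive_admin_requests(log_text):
    """Return parsed records for admin requests that kick sources or clients."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the triage
        url = urlsplit(m["target"])
        if url.path.rstrip("/") not in DISRUPTIVE:
            continue
        mount = parse_qs(url.query).get("mount", ["?"])[0]
        hits.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                     "action": url.path, "mount": mount,
                     "status": int(m["status"])})
    return hits

def summarize_by_ip(hits):
    """Count accepted (2xx) and rejected (401/403) attempts per client IP."""
    summary = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for h in hits:
        if 200 <= h["status"] < 300:
            summary[h["ip"]]["accepted"] += 1
        elif h["status"] in (401, 403):
            summary[h["ip"]]["rejected"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, counts in summarize_by_ip(disruptive_admin_requests(SAMPLE_LOG)).items():
        print(ip, counts)
```

An accepted kill request from an address that is not the operator's own points to the admin credentials being used, while a run of rejected attempts before it suggests password guessing; the matching timestamps can then be lined up against error.log.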
dm8tbr
Joined: 09 Feb 2013 Posts: 45 Location: icecast.org
Posted: Sun Nov 23, 2014 7:41 am
It's been about a month and we haven't heard back. I'm going to remove this from my radar.
In general, the proper contact details for Icecast security issues can be found above. Please use those or IRC, as I don't monitor this forum.