Subsonic Forum

[Mike Marrone]

Starting today I have been getting repeated lines like this in my Subsonic log. They seem to be occurring with more frequency, even though I am the admin and I am logged in. I'm running Windows 7 on Lenovo stand alone with library on a Drobo. After many years of use I've never seen this before. I've logged out and in, completely powered down each component and then finally the PC. When I restarted everything still works fine, except I am still getting this message:

[11/30/12 1:22:18 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:22:28 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:22:38 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:22:48 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:22:58 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:23:08 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:23:18 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:23:28 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
11/30/12 1:23:38 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:23:48 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:23:58 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:24:08 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:24:18 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:24:28 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:24:39 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:24:46 AM EST] INFO VersionService Resolved latest Subsonic final version to: 4.7
[11/30/12 1:24:46 AM EST] INFO VersionService Resolved latest Subsonic beta version to: 4.7.beta3
[11/30/12 1:24:49 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:24:59 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:25:09 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:25:19 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:25:29 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin
[11/30/12 1:25:39 AM EST] INFO RESTRequestParameterProcessingFilter Authentication failed for user admin

Can anyone help? Thanks in advance.... Mike

[GJ51]

Quite possibly. make sure your admin password is VERY strong. I'd just shut down for a bit, perhaps a day or two to give it a chance to get discouraged. If that doesn't work, you'll have to do some sophisticated network sniffing to see where the origin ip address is and see if the ISP that holds tha account will send a warning to the account holder.

Unfortunate, but there are some real losers out there with nothing better to do.

[Mike Marrone]

Thanks so much Gary that's what I did but unfortunately I am very green at hunting down this sort of thing. Is there anything fairly "paint by numbers" that I could do?

[GJ51]

It's been a while since I did one of these track downs, but you'll probably need to google for a packet sniffer or look for logs in your router to see if you can traceroute where the ip requests are coming from. If you can identify the source ip address you should be then able to identify the ISP using whois. Then send them an email letting the isp know that the account is being misused and ask them to warn the account holder. Most ISP's are pretty cooperative about stopping this kind of abuse.

Some routers also have built in features that auto detect DoS attacks and reading through your routers manual may help as well. You might even be able to ID and Blacklist the IP on some routers. Check your manual.

Google is always your best friend with this kind of problem.

http://community.spiceworks.com/topic/1 ... ip-address

[hakko]

It could also be somebody who've entered your .subsonic.org address by mistake in their Android client etc. If you're on a platform like Linux, you could very easily stop your service, and run nc -l 4040 to listen to incoming requests and print them. The interesting thing is whether the same password is sent every 10 sec, or if a new one is tried.

[GJ51]

http://www.wireshark.org/download.html

[G8DHE]

If you find the IP address then what ? Chances of actually being able to do something about it is minimal
Much easier to change the Port number your server is working on, to something significantly different, high up in the range. Unless they start to scan every port the chances of them finding it is much less !

[Mike Marrone]

Thanks very much for all the help and suggestions. I shut it down last night and just turned everything back on and it appears to have stopped. I really appreciate the instant feedback and support from this forum. You guys are the best!

Mike

[GJ51]

I did some additional reading last night as I find one of the things that is so fun about Subsonic is the new things you can learn when doing problem solving with it.

I'm a Windows user, so I would use Wireshark and the Resources monitor built into windows to identify the source ip generating the attack. You could then enter that specific address to be blocked at the router. I read through my router's manual and found that indeed you can block specific ip addresses as well as a range of ip addresses that would likely block all ip addresses from that ISP.

If the problem returns, the easiest solution may be to just change the port number and the Subsonic.org name at the same time. Great suggestion G8DHE, the easiest answer is always the best.

[hakko]

I believe that this should be taken care of by the application itself. A common approach is to have a delay between allowed login attempts. On a failed login, the delay time is doubled, on successful logins, it resets. An intruder then doesn't get too many failed attempts before it starts taking too long to actually brute force the password.