Mailing List Archive: Weird mythsocket error messages on master / fixes/31

Weird mythsocket error messages on master / fixes/31

Jun 5, 2021, 5:51 AM

Post #1 of 5 (469 views)

After staring at my backend's logs to try to verify that the recent mysql
connection drop didn't remerge, I found these interesting errors in my
backend log:

Jun 4 18:48:53 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09eda00:58): Protocol error: (parse failed) 'OPTIONS ' is
not a valid size prefix. 215 bytes pending.

Jun 4 18:49:00 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09e7510:58): Protocol error: (parse failed) 'TNMP#004' is
not a valid size prefix. 8 bytes pending.

Jun 4 18:49:05 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09e7e80:58): Protocol error: (parse failed) '#003' is not a
valid size prefix. 3 bytes pending.

Jun 4 18:49:10 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09e77f0:58): Protocol error: (parse failed) 'DmdT' is not a
valid size prefix. 15 bytes pending.

Jun 4 18:49:15 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09f6f00:58): Protocol error: (parse failed) ':' is not a
valid size prefix. 52 bytes pending.

Jun 4 18:49:25 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09e8740:58): Protocol error: (parse failed) '#001' is not a
valid size prefix. 167 bytes pending.

Jun 4 18:49:30 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09f7e50:58): Protocol error: (parse failed) '' is not a
valid size prefix. 82 bytes pending.

Jun 4 18:49:35 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09f77c0:58): Protocol error: (parse failed) '' is not a
valid size prefix. 10 bytes pending.

Jun 4 18:49:41 mythtv mythbackend: mythbackend[1396]: E
MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
MythSocket(5583a09f05c0:58): Protocol error: (parse failed) 'GIOP#001' is
not a valid size prefix. 40 bytes pending.

Any thoughts on what might be causing them?

I can trace the errors back to Oct 16 last year (could be sooner, but
that's where my archived logs end) - meaning I was experiencing the errors
on both fixes/31 before my upgrade to master (which occured March 6 2021).

~John

Re: Weird mythsocket error messages on master / fixes/31 [ In reply to ]

pb.mythtv at gmail

Jun 6, 2021, 6:50 AM

Post #2 of 5 (468 views)

Permalink

On 6/5/21 8:51 AM, John Hoyt wrote:
> After staring at my backend's logs to try to verify that the recent
> mysql connection drop didn't remerge, I found these interesting errors
> in my backend log:
>
> Jun4 18:48:53 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09eda00:58): Protocol error: (parse failed) 'OPTIONS '
> is not a valid size prefix. 215 bytes pending.
>
> Jun4 18:49:00 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09e7510:58): Protocol error: (parse failed) 'TNMP#004'
> is not a valid size prefix. 8 bytes pending.
>
> Jun4 18:49:05 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09e7e80:58): Protocol error: (parse failed) '#003' is
> not a valid size prefix. 3 bytes pending.
>
> Jun4 18:49:10 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09e77f0:58): Protocol error: (parse failed) 'DmdT' is
> not a valid size prefix. 15 bytes pending.
>
> Jun4 18:49:15 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09f6f00:58): Protocol error: (parse failed) ':' is not
> a valid size prefix. 52 bytes pending.
>
> Jun4 18:49:25 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09e8740:58): Protocol error: (parse failed) '#001' is
> not a valid size prefix. 167 bytes pending.
>
> Jun4 18:49:30 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09f7e50:58): Protocol error: (parse failed) '' is not
> a valid size prefix. 82 bytes pending.
>
> Jun4 18:49:35 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09f77c0:58): Protocol error: (parse failed) '' is not
> a valid size prefix. 10 bytes pending.
>
> Jun4 18:49:41 mythtv mythbackend: mythbackend[1396]: E
> MythSocketThread(58) mythsocket.cpp:853 (ReadStringListReal)
> MythSocket(5583a09f05c0:58): Protocol error: (parse failed) 'GIOP#001'
> is not a valid size prefix. 40 bytes pending.
>
>
> Any thoughts on what might be causing them?
>
> I can trace the errors back to Oct 16 last year (could be sooner, but
> that's where my archived logs end) - meaning I was experiencing the
> errors on both fixes/31 before my upgrade to master (which occured
> March 6 2021).
>
> ~John

I would guess that you have a hacker or some rogue process that is
sending messages to your mythtv box. Is your port open to the internet?
Port 6543 is normally the MythTV port. You can see these errors if you
run telnet localhost 6534 and then type random junk into telnet. Each
line of stuff you type will be reported as a protocol error in
mythbackend (unless you by chance type a valid MythTV command :).

Peter

Re: Weird mythsocket error messages on master / fixes/31 [ In reply to ]

john.hoyt at gmail

Jun 6, 2021, 7:38 AM

Post #3 of 5 (468 views)

Permalink

>
> I would guess that you have a hacker or some rogue process that is sending
> messages to your mythtv box. Is your port open to the internet? Port 6543
> is normally the MythTV port. You can see these errors if you run telnet
> localhost 6534 and then type random junk into telnet. Each line of stuff
> you type will be reported as a protocol error in mythbackend (unless you by
> chance type a valid MythTV command :).
>

Thanks Peter. This is interesting as I block port 6543 access from outside
my network - so that means the rouge client is inside somehow. I'll have
to play around with some host firewall rules and VLAN firewall rules to
better determine the source.

Would enabling more detailed mythtv log help show a source for the socket
connection?

Re: Weird mythsocket error messages on master / fixes/31 [ In reply to ]

keemllib at gmail

Jun 6, 2021, 7:50 AM

Post #4 of 5 (468 views)

Permalink

On 6/6/21 9:38 AM, John Hoyt wrote:
> I would guess that you have a hacker or some rogue process that is sending messages to your mythtv box. Is your port open to the internet?
> Port 6543 is normally the MythTV port. You can see these errors if you run telnet localhost 6534 and then type random junk into telnet. Each
> line of stuff you type will be reported as a protocol error in mythbackend (unless you by chance type a valid MythTV command :).
>
>
> Thanks Peter. This is interesting as I block port 6543 access from outside my network - so that means the rouge client is inside somehow. I'll
> have to play around with some host firewall rules and VLAN firewall rules to better determine the source.
>
> Would enabling more detailed mythtv log help show a source for the socket connection?

Another option:

I'd shutdown everything MythTV and fire up Wireshark on the backend
(if possible).

You might see more text like the OPTIONS TNMP DmnP GIOP fragments.

--
Bill
_______________________________________________
mythtv-users mailing list
mythtv-users@mythtv.org
http://lists.mythtv.org/mailman/listinfo/mythtv-users
http://wiki.mythtv.org/Mailing_List_etiquette
MythTV Forums: https://forum.mythtv.org

Re: Weird mythsocket error messages on master / fixes/31 [ In reply to ]

john.hoyt at gmail

Jun 10, 2021, 5:18 PM

Post #5 of 5 (451 views)

Permalink

Bill, thanks for the suggestion!

I finally figured out the cause - I forgot my IPS does a pseudo random scan
of clients daily to check for vulnerabilities. All of the "improper"
traffic traced back perfectly to the IPS and correlated perfectly to when
it ran over the past week.

On Sun, Jun 6, 2021 at 10:52 AM Bill Meek <keemllib@gmail.com> wrote:

> On 6/6/21 9:38 AM, John Hoyt wrote:
> > I would guess that you have a hacker or some rogue process that is
> sending messages to your mythtv box. Is your port open to the internet?
> > Port 6543 is normally the MythTV port. You can see these errors if
> you run telnet localhost 6534 and then type random junk into telnet. Each
> > line of stuff you type will be reported as a protocol error in
> mythbackend (unless you by chance type a valid MythTV command :).
> >
> >
> > Thanks Peter. This is interesting as I block port 6543 access from
> outside my network - so that means the rouge client is inside somehow. I'll
> > have to play around with some host firewall rules and VLAN firewall
> rules to better determine the source.
> >
> > Would enabling more detailed mythtv log help show a source for the
> socket connection?
>
> Another option:
>
> I'd shutdown everything MythTV and fire up Wireshark on the backend
> (if possible).
>
> You might see more text like the OPTIONS TNMP DmnP GIOP fragments.
>
> --
> Bill
> _______________________________________________
> mythtv-users mailing list
> mythtv-users@mythtv.org
> http://lists.mythtv.org/mailman/listinfo/mythtv-users
> http://wiki.mythtv.org/Mailing_List_etiquette
> MythTV Forums: https://forum.mythtv.org
>