LinuxQuestions.org
Linux - Security
Old 06-22-2008, 04:42 PM   #1
cmnorton
Member
 
Registered: Feb 2005
Distribution: Ubuntu, CentOS
Posts: 585

Rep: Reputation: 35
Can Bittorrent Be Hijacked?


(This is really a Linux question.)

My Windows XP workstation sits behind a firewall, and CA anti-virus/anti-intrusion software is running. I installed bittorrent a couple of years ago, and have used it only to download Ubuntu and Knoppix torrents.

On Friday, I had to shut off the workstation because, apparently, its bittorrent client had been hijacked and was uploading 2GB per hour to an unknown IP address.

I am wondering how bittorrent could have been hijacked and how easy this would be to do on Linux. I am asking this, because our domain was temporarily blocked by SPAM clearing houses. I don't want to use a bittorrent client on Linux if the same thing has a good chance of happening on my Linux system.

What is the safest, best way to download ISO images? I have had trouble with ISO Images whenever I have not used bittorrent.
 
Old 06-22-2008, 05:25 PM   #2
elliott678
Member
 
Registered: Mar 2005
Location: North Carolina
Distribution: Arch
Posts: 977

Rep: Reputation: 72
It doesn't sound like anything was hijacked, it sounds like the torrent client was acting normally and seeding after your download had finished.
 
Old 06-22-2008, 07:27 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
Quote:
Originally Posted by elliott678
It doesn't sound like anything was hijacked, it sounds like the torrent client was acting normally and seeding after your download had finished.
I totally agree.
 
Old 06-22-2008, 10:27 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Except that normally seeding won't look like traffic "to [a single] unknown IP address" - unless of course it's a really unpopular torrent. cmnorton, if you could elaborate a bit more as to what happened, it would be great. I, for one, am not able to draw the connection between the BT client and the SPAM lists, unless you mean that the BT client was exploited and was used as a means to obtain the ability to do non-BT things (such as sending SPAM)?

Last edited by win32sux; 06-22-2008 at 10:29 PM.
 
Old 06-22-2008, 11:57 PM   #5
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian Squeeze
Posts: 5,805

Rep: Reputation: 324
Quote:
On Friday, I had to shut off the workstation, because apparently, its bittorrent client had been hijacked, and was uploading 2GB per hour to an unknown IP address
Quote:
I am asking this, because our domain was temporarily blocked by SPAM clearing houses. I don't want to use a bittorre
"uploading 2GB per hour to an unknown IP address" implies one address receiving the upload. No reason for SPAM clearing houses to step in so far as I can tell. On the other hand, if those 2GB per hour are going to a great many IP addresses, then I could see SPAM clearing houses doing something about it.

I would also do a great deal of forensics on my computer to try to find out whether or not it has been taken over by a spam bot of some kind.
 
Old 06-23-2008, 12:26 PM   #6
cmnorton
Member
 
Registered: Feb 2005
Distribution: Ubuntu, CentOS
Posts: 585

Original Poster
Rep: Reputation: 35
Don't have all the details

Quote:
Originally Posted by win32sux
Except that normally seeding won't look like traffic "to [a single] unknown IP address" - unless of course it's a really unpopular torrent. cmnorton, if you could elaborate a bit more as to what happened, it would be great. I, for one, am not able to draw the connection between the BT client and the SPAM lists, unless you mean that the BT client was exploited and was used as a means to obtain the ability to do non-BT things (such as sending SPAM)?
Our firewall indicated 2GB was being uploaded to a site in Europe. I don't know what was being uploaded, but bittorrent was doing the uploading.

I searched for files like DVD and CD images, and could come up with nothing I did not recognize. In addition, I looked for jpegs, and everything looked normal. Edit Begin: I searched for unknown files, because I had heard of a legitimate story, where a copy of Shrek had been hacked onto someone's server, and that server started serving up Shrek downloads. Edit End.

The funny thing is I have downloaded Knoppix, Ubuntu, and other Linux ISOs using bittorrent, and that was well over a month ago. I clearly don't understand how it works, but why it would be uploading somewhere a month later, still baffles me.

Last edited by cmnorton; 06-23-2008 at 12:28 PM. Reason: Add more information
 
Old 06-23-2008, 12:46 PM   #7
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 115
Bittorrent is a sharing program that downloads from multiple sources according to a set of rules which have to do, among other things, with how much is uploaded from your computer. Generally, the more you share the faster you can download.

All the torrent clients will share the fractions of the file that they have successfully downloaded; it is normal to see your client simultaneously downloading one section of a file while uploading another section to someone else.

When you have downloaded the complete file, unless you tell your torrent client to NOT do this, it will automatically announce itself as a "seeder" on the torrent network, and then will permit anyone to connect with your machine to upload that file.

If you do not set bandwidth limits on this, it can permit uploads at the maximum speed your network connection will permit. If the file it is seeding is not a high demand file AND the connection is allowed to go fast, it is common to find only one or two people accessing it and taking the entire file as a complete download from your computer.

So, basically, the behavior you describe simply says that bittorrent (or some other client) is running on a machine behind your firewall, the capability for outsiders to connect is enabled through your firewall, and bittorrent is seeding.

This behavior is normal.

If you don't want this behavior, stop bittorrent or tell it to not seed.
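The posts above (#4, #5 and #7) between them give a practical test for what the OP saw: bulk outbound traffic concentrated on one peer is what seeding an unpopular torrent to a single leecher looks like, while a spam bot would show many short connections to TCP/25 on many different hosts, and only the latter would explain a blocklist listing. The script below is an added example written for this page; it is not code posted by anyone in the thread. It assumes a simple, made-up firewall log format (one connection per line: timestamp, src ip:port, "->", dst ip:port, bytes out); the sample lines, the RFC 5737 test-range addresses, the byte counts and the thresholds are all constructed for illustration.

```python
"""Sort out "BitTorrent seeding" from "spam bot" in an outbound connection log.

Added example for this thread, not code from any poster. Log format,
addresses (RFC 5737 test ranges), byte counts and thresholds are made up.
"""
from collections import defaultdict

# Constructed: one BT peer pulling the whole ISO, two others taking scraps.
SEEDING_LOG = """\
2008-06-20T14:00:01 192.168.1.10:6881 -> 198.51.100.2:51413 734003200
2008-06-20T14:05:11 192.168.1.10:6881 -> 198.51.100.2:51413 1258291200
2008-06-20T14:07:30 192.168.1.10:6881 -> 192.0.2.77:6881 1048576
2008-06-20T14:09:02 192.168.1.10:6881 -> 192.0.2.130:49152 524288
"""

# Constructed: 30 small outbound SMTP connections to 30 different hosts.
SPAMBOT_LOG = "\n".join(
    f"2008-06-20T15:00:{i:02d} 192.168.1.10:{40000 + i} -> 203.0.113.{i + 1}:25 4096"
    for i in range(30)
)


def parse(log):
    """Turn log text into a list of connection dicts; blank lines are skipped."""
    conns = []
    for line in log.splitlines():
        fields = line.split()
        if not fields:
            continue
        ts, src, _arrow, dst, nbytes = fields
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        conns.append({
            "ts": ts,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "bytes": int(nbytes),
        })
    return conns


def summarize(conns):
    """Per-destination byte totals plus SMTP fan-out figures."""
    if not conns:
        return {"total_bytes": 0, "distinct_dsts": 0, "top_dst": None,
                "top_share": 0.0, "smtp_conns": 0, "smtp_distinct_dsts": 0}
    bytes_by_dst = defaultdict(int)
    smtp_dsts = set()
    smtp_conns = 0
    for c in conns:
        bytes_by_dst[c["dst_ip"]] += c["bytes"]
        if c["dst_port"] == 25:          # outbound SMTP: the spam-bot signal
            smtp_dsts.add(c["dst_ip"])
            smtp_conns += 1
    total = sum(bytes_by_dst.values())
    top_dst, top_bytes = max(bytes_by_dst.items(), key=lambda kv: kv[1])
    return {
        "total_bytes": total,
        "distinct_dsts": len(bytes_by_dst),
        "top_dst": top_dst,
        "top_share": top_bytes / total if total else 0.0,
        "smtp_conns": smtp_conns,
        "smtp_distinct_dsts": len(smtp_dsts),
    }


def classify(conns, smtp_fanout=20, concentration=0.9):
    """Label the traffic pattern. Thresholds are arbitrary starting points.

    'smtp-fanout'      : >= smtp_fanout distinct hosts contacted on TCP/25;
                         possible spam bot, do real forensics on the box.
    'single-peer-bulk' : >= concentration of all outbound bytes went to one
                         host; consistent with seeding an unpopular torrent
                         to a single leecher (the "2GB to one IP" case).
    'distributed-bulk' : spread over many hosts, e.g. a popular torrent.
    """
    if not conns:
        return "no-traffic"
    s = summarize(conns)
    if s["smtp_distinct_dsts"] >= smtp_fanout:
        return "smtp-fanout"
    if s["top_share"] >= concentration:
        return "single-peer-bulk"
    return "distributed-bulk"


if __name__ == "__main__":
    for name, log in (("seeding", SEEDING_LOG), ("spambot", SPAMBOT_LOG)):
        conns = parse(log)
        s = summarize(conns)
        print(f"{name}: {classify(conns)}  {s['total_bytes'] / 2**20:.1f} MiB out, "
              f"{s['distinct_dsts']} hosts, top {s['top_dst']} ({s['top_share']:.1%}), "
              f"SMTP hosts {s['smtp_distinct_dsts']}")
```

The SMTP check is evaluated first on purpose: a host can seed a torrent and run a spam bot at the same time, and the spam traffic is the part that gets a domain listed. Real firewall exports need their own parser, and the thresholds should be tuned against a baseline of the site's normal outbound traffic.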
 
Old 06-23-2008, 12:49 PM   #8
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 4.0 Etch
Posts: 1,349

Rep: Reputation: 49
What bittorrent client are you using? By default, most bittorrent clients will continue uploading a torrent indefinitely, until you manually tell it to stop seeding it. Of course, the speed of the uploading depends on whether anyone is downloading--it's entirely plausible for weeks to go by with no one downloading from your bittorrent client.

Of course, in order for the bittorrent client to do anything at all, it needs to be up and running. Some bittorrent clients need to be manually restarted after a reboot. Others automatically restart after a reboot.
 
Old 06-23-2008, 01:06 PM   #9
cmnorton
Member
 
Registered: Feb 2005
Distribution: Ubuntu, CentOS
Posts: 585

Original Poster
Rep: Reputation: 35
Windows XP version

I cannot remember if I had removed the torrents from my list or not. Bittorrent always started after a reboot.
 
Old 06-23-2008, 05:09 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,666
Blog Entries: 54

Rep: Reputation: 2953
I think that sums up about this thread. 0) The "incident" was not related to GNU/Linux at all, 1) the OP can not provide any logs or "evidence" otherwise so there's only guessing left, 2) if the Bittorrent protocol or 3) Bittorrent clients would have flaws they'd be exposed and be ironed out by now regardless of platform. While all incidents can be considered bad this forum is not for Mcrsft incidents, and because there's only one GNU/Linux related question (answered), and for reasons of #0 and #1 I consider this thread closed.

If the OP wants to have this thread moved to /General (where all Mcrsft questions belong), please use the "Report" button.
 