(This is really a Linux question.)

My Windows XP workstation sits behind a firewall, and CA anti-virus/anti-intrusion software is running. I installed bittorrent a couple of years ago, and have used it only to download Ubuntu and Knoppix torrents.

On Friday, I had to shut off the workstation, because apparently, its bittorrent client had been hijacked, and was uploading 2GB per hour to an unknown IP address.

I am wondering how bittorrent could have been hijacked and how easy this would be to do on Linux. I am asking this, because our domain was temporarily blocked by SPAM clearing houses. I don't want to use a bittorrent client on Linux if the same thing has a good chance of happening on my Linux system.

What is the safest, best way to download ISO images? I have had trouble with ISO Images whenever I have not used bittorrent.

It doesn't sound like anything was hijacked, it sounds like the torrent client was acting normally and seeding after your download had finished.

I totally agree.

Except that normally seeding won't look like traffic "to [a single] unknown IP address" - unless of course it's a really unpopular torrent. cmnorton, if you could elaborate a bit more as to what happened, it would be great. I, for one, am not able to draw the connection between the BT client and the SPAM lists, unless you mean that the BT client was exploited and was used as a means to obtain the ability to do non-BT things (such as sending SPAM)?

"uploading 2GB per hour to an unknown IP address" implies one address receiving the upload. No reason for SPAM clearing houses to step in so far as I can tell. On the other hand, if those 2GB per hour are going to a great many IP addresses, then I could see SPAM clearing houses doing something about it.

I would also do a great deal of forensics on my computer to try to find out whether or not it has been taken over by a spam bot of some kind.

Our firewall indicated 2GB was being uploaded to a site Europe. I don't know what was being uploaded, but bittorrent was doing the uploading.

I searched for files like DVD and CD images, and could come up with nothing I did not recognize. In addition, I looked for jpegs, and everything looked normal. Edit Begin: I searched for unknown files, because I had heard of a legitimate story, where a copy of Shrek had been hacked onto someone's server, and that server started serving up Shrek downloads. Edit End.

The funny thing is I have downloaded Knoppix, Ubuntu, and other Linux ISOs using bittorrent, and that was well over a month ago. I clearly don't understand how it works, but why it would be uploading somewhere a month later, still baffles me.

Bittorrent is a sharing program that downloads from multiple sources according to a set of rules which have to do, among other things, with how much is uploaded from your computer. Generally, the more you share the faster you can download.

All the torrent clients will share the fractions of the file that they have successfully downloaded; it is normal to see your client simultaneously downloading one section of a file while uploading another section to someone else.

When you have downloaded the complete file, unless you tell your torrent client to NOT do this, it will automatically announce itself as a "seeder" on the torrent network, and then will permit anyone to connect with your machine to upload that file.

If you do not set bandwidth limits on this, it can permit uploads at the maximum speed your network connection will permit. If the file it is seeding is not a high demand file AND the connection is allowed to go fast, it is common to find only one or two people accessing it and taking the entire file as a complete download from your computer.

So, basically, the behavior you describe simply says that bittorrent (or some other client) is running on a machine behind your firewall, the capability for outsiders to connect is enabled through your firewall, and bittorrent is seeding.

This behavior is normal.

If you don't want this behavior, stop bittorrent or tell it to not seed.

What bittorrent client are you using? By default, most bittorrent clients will continue uploading a torrent indefinitely, until you manually tell it to stop seeding it. Of course, the speed of the uploading depends on if anyone is downloading--it's entirely plausible for weeks to go by with no one downloading from your bittorrent client.

Of course, in order for the bittorrent client to do anything at all, it needs to be up and running. Some bittorrent clients need to be manually restarted after a reboot. Others automatically restart after a reboot.

I cannot remember if I had removed the torrents from my list or not. Bittorrent always started after a reboot.

I think that sums up about this thread. 0) The "incident" was not related to GNU/Linux at all, 1) the OP can not provide any logs or "evidence" otherwise so there's only guessing left, 2) if the Bittorrent protocol or 3) Bittorrent clients would have flaws they'd be exposed and be ironed out by now regardless of platform. While all incidents can be considered bad this forum is not for Mcrsft incidents, and because there's only one GNU/Linux related question (answered), and for reasons of #0 and #1 I consider this thread closed.

If the OP wants to have this thread moved to /General (where all Mcrsft questions belong), please use the "Report" button.