Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
My Windows XP workstation sits behind a firewall, and CA anti-virus/anti-intrusion software is running. I installed bittorrent a couple of years ago, and have used it only to download Ubuntu and Knoppix torrents.
On Friday, I had to shut off the workstation because, apparently, its bittorrent client had been hijacked and was uploading 2GB per hour to an unknown IP address.
I am wondering how bittorrent could have been hijacked and how easy this would be to do on Linux. I am asking this, because our domain was temporarily blocked by SPAM clearing houses. I don't want to use a bittorrent client on Linux if the same thing has a good chance of happening on my Linux system.
What is the safest, best way to download ISO images? I have had trouble with ISO Images whenever I have not used bittorrent.
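Added example, not part of the original thread: the question above asks for a safe way to obtain an ISO, and the check that actually answers it is comparing the image against the checksum file the distribution publishes alongside it (Ubuntu mirrors ship a `SHA256SUMS` file in the `<hex>  <name>` / `<hex> *<name>` layout that `sha256sum -c` reads). The script below parses that layout and verifies images against it. The file names and image contents are constructed so it runs offline; the "tampered" image is deliberately different from what the checksum file lists.

```python
import hashlib
import hmac
import re
import sys

# Constructed sample data (not real ISOs): one image that matches its
# published checksum and one that was altered after the checksum file
# was written.
SAMPLE_FILES = {
    "good.iso": b"pretend this is an ISO image\n" * 1000,
    "tampered.iso": b"pretend this is an ISO image\n" * 999 + b"something else\n",
}


def sha256_of(data, chunk=1 << 20):
    """Hash a bytes object in chunks, the same way a large file is read."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream a file from disk so a multi-GB ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed SHA256SUMS file in the layout the mirrors publish. Both
# entries carry the hash of the untampered image, so the second one
# must fail.
_GOOD = sha256_of(SAMPLE_FILES["good.iso"])
SAMPLE_SUMS = (
    f"{_GOOD}  good.iso\n"
    f"{_GOOD} *tampered.iso\n"
    f"{hashlib.sha256(b'not downloaded').hexdigest()} *not-downloaded.iso\n"
)

# 64 hex chars, whitespace, optional "*" binary marker, then the name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sums(text):
    """Return {filename: expected_hex}; reject anything malformed."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected


def verify(sums_text, files):
    """Map each file name to OK / MISMATCH / NOT LISTED.

    `files` maps name -> bytes for the in-memory sample; see main() for
    the on-disk variant.
    """
    expected = parse_sums(sums_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "NOT LISTED"
            continue
        actual = sha256_of(data)
        # compare_digest avoids leaking which prefix matched; cheap habit.
        results[name] = "OK" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results


def main(argv):
    # Usage: verify_iso.py SHA256SUMS image.iso [image2.iso ...]
    if len(argv) < 3:
        print(verify(SAMPLE_SUMS, SAMPLE_FILES))
        return 0
    with open(argv[1], encoding="utf-8") as f:
        expected = parse_sums(f.read())
    rc = 0
    for path in argv[2:]:
        name = path.rsplit("/", 1)[-1]
        if name not in expected:
            print(f"{name}: NOT LISTED")
            rc = 1
        elif hmac.compare_digest(sha256_file(path), expected[name]):
            print(f"{name}: OK")
        else:
            print(f"{name}: MISMATCH")
            rc = 1
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A matching checksum only proves the download was not corrupted or altered in transit relative to the checksum file. It says nothing about whether the checksum file itself is genuine; for that, verify the detached signature the distribution publishes next to it (for Ubuntu, `gpg --verify SHA256SUMS.gpg SHA256SUMS` against the distribution's signing key obtained out of band). This holds whether the image arrived over HTTP or BitTorrent, which is why BitTorrent is not inherently less safe for ISOs than a direct download.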
Except that normally seeding won't look like traffic "to [a single] unknown IP address" - unless of course it's a really unpopular torrent. cmnorton, if you could elaborate a bit more as to what happened, it would be great. I, for one, am not able to draw the connection between the BT client and the SPAM lists, unless you mean that the BT client was exploited and was used as a means to obtain the ability to do non-BT things (such as sending SPAM)?
Quote:
On Friday, I had to shut off the workstation, because apparently, its bittorrent client had been hijacked, and was uploading 2GB per hour to an unknown IP address
Quote:
I am asking this, because our domain was temporarily blocked by SPAM clearing houses. I don't want to use a bittorre
"uploading 2GB per hour to an unknown IP address" implies one address receiving the upload. No reason for SPAM clearing houses to step in so far as I can tell. On the other hand, if those 2GB per hour are going to a great many IP addresses, then I could see SPAM clearing houses doing something about it.
I would also do a great deal of forensics on my computer to try to find out whether or not it has been taken over by a spam bot of some kind.
Quote:
Except that normally seeding won't look like traffic "to [a single] unknown IP address" - unless of course it's a really unpopular torrent. cmnorton, if you could elaborate a bit more as to what happened, it would be great. I, for one, am not able to draw the connection between the BT client and the SPAM lists, unless you mean that the BT client was exploited and was used as a means to obtain the ability to do non-BT things (such as sending SPAM)?
Our firewall indicated 2GB was being uploaded to a site in Europe. I don't know what was being uploaded, but bittorrent was doing the uploading.
I searched for files like DVD and CD images, and could come up with nothing I did not recognize. In addition, I looked for jpegs, and everything looked normal. Edit Begin: I searched for unknown files, because I had heard of a legitimate story, where a copy of Shrek had been hacked onto someone's server, and that server started serving up Shrek downloads. Edit End.
The funny thing is I have downloaded Knoppix, Ubuntu, and other Linux ISOs using bittorrent, and that was well over a month ago. I clearly don't understand how it works, but why it would be uploading somewhere a month later, still baffles me.
Last edited by cmnorton; 06-23-2008 at 11:28 AM.
Reason: Add more information
Bittorrent is a sharing program that downloads from multiple sources according to a set of rules which have to do, among other things, with how much is uploaded from your computer. Generally, the more you share the faster you can download.
All the torrent clients will share the fractions of the file that they have successfully downloaded; it is normal to see your client simultaneously downloading one section of a file while uploading another section to someone else.
When you have downloaded the complete file, unless you tell your torrent client to NOT do this, it will automatically announce itself as a "seeder" on the torrent network, and then will permit anyone to connect with your machine to upload that file.
If you do not set bandwidth limits on this, it can permit uploads at the maximum speed your network connection will permit. If the file it is seeding is not a high demand file AND the connection is allowed to go fast, it is common to find only one or two people accessing it and taking the entire file as a complete download from your computer.
So, basically, the behavior you describe simply says that bittorrent (or some other client) is running on a machine behind your firewall, the capability for outsiders to connect is enabled through your firewall, and bittorrent is seeding.
This behavior is normal.
If you don't want this behavior, stop bittorrent or tell it to not seed.
What bittorrent client are you using? By default, most bittorrent clients will continue uploading a torrent indefinitely, until you manually tell them to stop seeding it. Of course, the speed of the uploading depends on whether anyone is downloading; it's entirely plausible for weeks to go by with no one downloading from your bittorrent client.
Of course, in order for the bittorrent client to do anything at all, it needs to be up and running. Some bittorrent clients need to be manually restarted after a reboot. Others automatically restart after a reboot.
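Added example, not from any of the posters above: the two replies just above explain why a seeding client can legitimately push a whole file to one or two peers weeks after the download, while the earlier reply points out that a spam-list entry would instead imply traffic to a great many addresses. Either way the practitioner's check on a Linux box is the same: find out which process owns the connections and what they look like. The script below parses the layout that `ss -tnp` (iproute2) prints and summarises established connections per process, then applies two simple rules: inbound connections on the torrent client's listening port are consistent with seeding, and one process talking to several distinct hosts on port 25 looks like an outbound mail bot rather than BitTorrent. The sample `ss` output, host addresses (TEST-NET ranges), PIDs and process names are constructed; the listening port 51413 is assumed to be the client's configured peer port.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `ss -tnp` prints: a header, then one
# socket per line with the owning process in the last column. Addresses
# are from the documentation ranges; names and PIDs are made up.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.168.1.10:51413 203.0.113.7:49152 users:(("transmission-da",pid=1234,fd=21))
ESTAB 0 0 192.168.1.10:51413 203.0.113.7:49153 users:(("transmission-da",pid=1234,fd=22))
ESTAB 0 0 192.168.1.10:51413 198.51.100.9:6881 users:(("transmission-da",pid=1234,fd=23))
ESTAB 0 0 192.168.1.10:40001 198.51.100.21:25 users:(("updater-helper",pid=4321,fd=5))
ESTAB 0 0 192.168.1.10:40002 198.51.100.22:25 users:(("updater-helper",pid=4321,fd=6))
ESTAB 0 0 192.168.1.10:40003 198.51.100.23:25 users:(("updater-helper",pid=4321,fd=7))
ESTAB 0 0 192.168.1.10:40004 203.0.113.55:25 users:(("updater-helper",pid=4321,fd=8))
TIME-WAIT 0 0 192.168.1.10:51413 203.0.113.99:50000
"""

# state, recv-q, send-q, local addr:port, peer addr:port, optional owner.
# `\S+` is greedy, so "[::1]:80" still splits at the last colon.
SOCK_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\))?'
)


def summarize(ss_text, bt_port=51413):
    """Group ESTAB sockets by owning process.

    Returns {proc: {"pid": str|None, "inbound": int,
                    "peers_by_port": {remote_port: set(remote_addrs)}}}.
    "inbound" counts connections whose local port is the client's
    listening port, i.e. peers that connected to us (seeding traffic).
    """
    per_proc = {}
    for line in ss_text.splitlines()[1:]:  # skip header
        m = SOCK_RE.match(line.strip())
        if not m or m["state"] != "ESTAB":
            continue
        name = m["proc"] or "<unknown>"
        entry = per_proc.setdefault(
            name, {"pid": m["pid"], "inbound": 0, "peers_by_port": defaultdict(set)}
        )
        entry["peers_by_port"][int(m["rport"])].add(m["raddr"])
        if int(m["lport"]) == bt_port:
            entry["inbound"] += 1
    return per_proc


def assess(summary, bt_process="transmission-da", smtp_fanout=3):
    """Attach a verdict to each process from summarize().

    smtp-fanout : >= smtp_fanout distinct hosts on port 25 from one
                  process; the pattern behind a spam-list entry.
    seeding     : the known torrent client with inbound peer connections.
    bt-outbound : the torrent client with only outgoing connections.
    review      : anything else; look at it by hand.
    """
    verdicts = {}
    for name, e in summary.items():
        smtp_hosts = e["peers_by_port"].get(25, set())
        if len(smtp_hosts) >= smtp_fanout:
            verdicts[name] = "smtp-fanout"
        elif name == bt_process and e["inbound"] > 0:
            verdicts[name] = "seeding"
        elif name == bt_process:
            verdicts[name] = "bt-outbound"
        else:
            verdicts[name] = "review"
    return verdicts


if __name__ == "__main__":
    # On a live system: ss -tnp | python3 this_script.py  (run as root so
    # the process column is filled in for other users' sockets).
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    s = summarize(text)
    for proc, verdict in assess(s).items():
        peers = {p for hosts in s[proc]["peers_by_port"].values() for p in hosts}
        print(f"{proc:16} pid={s[proc]['pid']:<6} peers={len(peers):<3} "
              f"inbound={s[proc]['inbound']:<3} {verdict}")
```

The seeding verdict only tells you the traffic is owned by the client you expect and arrives on its peer port; it does not rule out a compromised client. Pair it with the client's own peer list for the torrent being seeded and, if the firewall reports a single destination receiving gigabytes, confirm that destination appears there. A process you do not recognise with many distinct port-25 peers is the finding that explains a spam-list entry, and at that point the box is a forensics case, not a BitTorrent configuration problem.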
I think that about sums up this thread. 0) The "incident" was not related to GNU/Linux at all, 1) the OP cannot provide any logs or "evidence" otherwise so there's only guessing left, 2) if the Bittorrent protocol or 3) Bittorrent clients had flaws, they'd have been exposed and ironed out by now regardless of platform. While all incidents can be considered bad, this forum is not for Mcrsft incidents, and because there's only one GNU/Linux related question (answered), and for reasons of #0 and #1, I consider this thread closed.
If the OP wants to have this thread moved to /General (where all Mcrsft questions belong), please use the "Report" button.