LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 01-24-2009, 11:14 AM   #1
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329

Rep: Reputation: Disabled
how safe is using bittorrent


I had a reality check today. I was getting some films with bittorrent and, to get it to work, I turned off the router's firewall and opened up about 10 ports in a range, including TCP and UDP.

In addition, I made exceptions in my computer firewall for these ports.

I had left my PC for about 3 hours and when I turned the monitor on there were over 10 windows open for a dialog for saving 'a snapshot' of the desktop.

I pulled the plug on my modem straight away. I turned on my router firewall and removed all the ports I opened. I set my firewall back to blocking everything. I also changed some policies, e.g. by making my home directory permissions only rw by myself, and by disallowing remote connections to X Windows...

Right now, I am not going to start using bittorrent again until I know what's what.

First thing I want to know is: do I need to open just one port for bittorrent or not? Some websites say you should open a whole range of ports.

The second thing is, if I am opening a port, what is to stop Joe Cracker from logging onto my computer and doing some damage?

Just how safe is this bittorrent stuff? From my experience, it sure don't seem very safe to me.
 
Old 01-24-2009, 11:25 AM   #2
watcher69b
Member
 
Registered: Nov 2007
Location: /home/watcher69b
Distribution: RH, Fedora & CentOS
Posts: 552

Rep: Reputation: 41
Well, 1st: don't ever open your firewall!!!

Any software that is legit should allow for the client being able to traverse it without problem. Use something that comes with your distro for a client; in my case it was Transmission. I would think very hard about wiping your system as it most likely has been compromised.
 
Old 01-24-2009, 12:28 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by watcher69b
I would think very hard about wiping your system as it most likely has been compromised.
DON'T wipe your system until you absolutely understand what caused this situation. At this point, you could say that you caused the situation to happen because of your initial FW and router allowances. That doesn't explain what the attacker was doing, though. Wipe your system only after you understand what was going on (how he actually got in, what he was doing, and how to prevent it from happening again). You might also use this time to determine how to use Bittorrent without allowing such attackers to gain access to your network.

It's research time, not clean-up time. If you wipe your drive, you aren't going to learn from this and will quite possibly run into the same situation again later.
 
Old 01-24-2009, 05:32 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by watcher69b
it most likely has been compromised.
I'm not slagging you off, but you should know how we deal with things here. This is the Linux Security forum. We like to deal with compromises of security accurately and decisively. But that can only be done when based on facts. (If you disagree you should provide substantial evidence that supports your conclusion.) Note there are some very knowledgeable people here who deal well (as far as I'm concerned) with (perceived) compromises. Their triage usually starts by asking questions (especially if the OP posted nothing of value or incomplete information), followed by analysis (not opinion) of the situation, followed by advice. With all due respect, if you're lacking incident handling skills please just point to the default starting point, the CERT Intruder Detection Checklist, ask the OP for more information and allow others to do their thing. TIA.


Quote:
Originally Posted by neilcpp
First thing I want to know is do I need to open just one port for bittorrent or not? (...) The second thing is, if I am opening a port what is to stop Joe Cracker from logging onto my computer and doing some damage?
Actually the first thing to do would be finding out, like Unixfool said. Pulling the plug is a typical default reflex but that doesn't mean it's the right thing to do, because by doing that you lose information. All that's left then is cold tracks like temporary files, login records, syslog, firewall, daemon and application logs, filesystem integrity and package content verification. I suggest you start with reading the CERT Intruder Detection Checklist and take it from there.
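Two of the "cold tracks" listed above, login records and package content verification, turned into checks that run over captured command output. This is an added example, not code from any post in this thread; the `last -i` and `rpm -Va` samples embedded in it are constructed, and the trusted LAN prefix `192.168.1.` is an assumption to replace with your own.

```sh
#!/bin/sh
# Added example (not from the thread): triage helpers for two of the cold
# tracks named in post #4. All sample input below is constructed.

# Constructed sample of `last -i` output (column 3 is the numeric origin;
# 0.0.0.0 means a local console login).
SAMPLE_LAST=$(printf '%s\n' \
  'neil     pts/0        192.168.1.20     Sat Jan 24 08:15   still logged in' \
  'neil     pts/1        203.0.113.77     Sat Jan 24 09:02 - 09:40  (00:38)' \
  'neil     tty7         0.0.0.0          Sat Jan 24 07:58   still logged in' \
  'reboot   system boot  2.6.26-1-686     Sat Jan 24 07:57' \
  '' \
  'wtmp begins Thu Jan  1 00:00:00 2009')

# Constructed sample of `rpm -Va` output. The 9-character flag field marks
# what differs from the package (S size, M mode, 5 digest, T mtime, ...);
# a lone "c" before the path marks a config file, which is expected to differ.
SAMPLE_RPMVA=$(printf '%s\n' \
  'S.5....T.  c /etc/ssh/sshd_config' \
  '.......T.    /usr/bin/passwd' \
  'S.5....T.    /bin/ls' \
  'missing      /usr/sbin/sshd')

# Print "user from origin" for every login whose origin is neither the
# trusted LAN prefix nor the local console.
# Usage: logins_outside_lan "$(last -i)" [lan-prefix]
logins_outside_lan() {
    printf '%s\n' "$1" | awk -v lan="${2:-192.168.1.}" '
        NF < 3 || $1 == "reboot" || $1 == "wtmp" { next }   # headers, reboots, trailer
        $3 == "0.0.0.0" { next }                              # local console login
        index($3, lan) != 1 { print $1 " from " $3 }'
}

# Print package files whose content changed (digest mismatch) or went
# missing, ignoring config files. A changed digest on a binary in PATH is
# exactly the kind of fact the checklist wants established before any wipe.
# Usage: changed_package_files "$(rpm -Va)"
changed_package_files() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print "missing " $NF; next }
        substr($1, 3, 1) == "5" && !($2 == "c" && NF == 3) { print "modified " $NF }'
}

# Run both checks on the constructed samples when executed directly.
logins_outside_lan "$SAMPLE_LAST"
changed_package_files "$SAMPLE_RPMVA"
```

On a Debian system the package check has a ready-made equivalent in `debsums -c`, which prints only the paths whose content no longer matches the package; the login check works unchanged on `last -i` output. Run both against a live system only after copying the records off-box, since the point of a cold-track triage is to preserve the evidence.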
 
Old 01-24-2009, 05:42 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Regarding the topic of BT security in general (this is separate from the possible compromise):

I don't think with BitTorrent it would really matter too much whether you "open the port" or not. I mean, I'm sure it reduces the threat somewhat, but people are still able to upload/download from you. Personally, I think that your security concerns regarding BT are well-founded. With BT you've got hundreds upon hundreds of connections open with all kinds of strangers and potentially hostile hosts. Someone who finds an exploit for a popular BT servent and creates an exploit will be able to wreak havoc upon many of us.

Personally, I started to become extremely concerned about BT security a while back. I stopped using it on my personal account and instead used a dedicated user account for it - extremely inconvenient. I haven't really had time to use BT lately but once I do get back into it I'm gonna do this right by wrapping my servent (I use Transmission) up with AppArmor instead. I just haven't had time to create a profile for it yet. Having my BT servent run under mandatory access control won't fix any security vulnerabilities in it, but it will give me peace of mind that any exploit launched against it will be severely limited in what it can do.

Last edited by win32sux; 01-24-2009 at 05:45 PM.
 
Old 01-24-2009, 06:08 PM   #6
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116
A broader question is this: "is there a history of bittorrent exploits?"

Are there known exploits against bittorrent clients right now? I know of none, but that means nothing. I also have never experienced anything like what OP describes, and sometimes when I have KTorrent running, I watch it just to see what it is doing.
 
Old 01-24-2009, 06:16 PM   #7
amani
Senior Member
 
Registered: Jul 2006
Location: Kolkata, India
Distribution: Debian 64-bit GNU/Linux, Kubuntu64, Fedora QA, Slackware,
Posts: 2,766

Rep: Reputation: Disabled
I think the OP must have accidentally hit the print Screen key
 
Old 01-24-2009, 06:50 PM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Since you disabled the router's firewall, every port you have open on the computer was exposed, not just the ones that bit torrent uses. Also, you only needed to open one tcp port and another udp port to be able to seed torrents as well. Look at the ports that were exposed using nmap on another computer on the LAN. Also, opening the router, you may have had a different host compromised which may have been a trusted host on the LAN. So you need to look at the ports exposed on all of the hosts on the LAN, not just the one using bit torrent.
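A way to act on the advice above (scan the BitTorrent host from a second machine on the LAN and compare what is exposed against the one TCP and one UDP port the client needs). This is an added example and not code from any post in the thread; the greppable nmap report it parses is a constructed sample, and port 51413 is assumed as Transmission's default peer port, so substitute whatever your client is configured to use.

```sh
#!/bin/sh
# Added example (not from the thread): list every open port on the scanned
# host that is not one of the two ports the BitTorrent client needs.

# The client's listening ports: one TCP, one UDP. 51413 is assumed as
# Transmission's default peer port; change it to match your client.
BT_PORTS="51413/tcp 51413/udp"

# Constructed greppable-format report, in the shape produced by
#   nmap -sS -sU -p 1-65535 -oG - 192.0.2.10
# when run from another host on the LAN. Not a real scan.
SAMPLE_SCAN=$(printf '%s\n%s\t%s\n%s\t%s\t%s\n' \
  '# Nmap scan report (constructed sample)' \
  'Host: 192.0.2.10 ()' 'Status: Up' \
  'Host: 192.0.2.10 ()' \
  'Ports: 22/open/tcp//ssh///, 111/open/tcp//rpcbind///, 51413/open/tcp//unknown///, 51413/open|filtered/udp//unknown///, 6000/open/tcp//X11///' \
  'Ignored State: closed (65531)')

# Print each "port/proto" that is open (or open|filtered, as UDP usually
# reports) and not on the allow-list.
# Usage: unexpected_ports "$scan_text" ["port/proto port/proto ..."]
unexpected_ports() {
    printf '%s\n' "$1" \
      | grep '^Host:.*Ports:' \
      | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ -v allowed="${2:-$BT_PORTS}" '
          BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
          $2 ~ /open/ { key = $1 "/" $3; if (!(key in ok)) print key }'
}

# Anything printed here is a service the router firewall was hiding until it
# was switched off, and is a candidate to be closed or firewalled again.
unexpected_ports "$SAMPLE_SCAN"

# Once only the two BT ports remain, the host firewall needs just these two
# rules (run as root; shown here as comments, not executed):
#   iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
#   iptables -A INPUT -p udp --dport 51413 -j ACCEPT
```

For the constructed sample the function reports `22/tcp`, `111/tcp` and `6000/tcp`: ssh, rpcbind and an X server listening on the network, none of which bittorrent needs and all of which were reachable from the internet while the router firewall was off. Repeat the scan against every host on the LAN, as the post suggests, not only the one running the client.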
 
Old 01-24-2009, 07:55 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by jiml8
A broader question is this: "is there a history of bittorrent exploits?"

Are there known exploits against bittorrent clients right now? I know of none, but that means nothing. I also have never experienced anything like what OP describes, and sometimes when I have KTorrent running, I watch it just to see what it is doing.
Yeah, my main concern was/is a bad guy gaining the ability to download arbitrary files from my home folder. Or worse, the ability to modify files within it. This is why I chose to run the BT application on another account (which didn't have read access to my home folder) instead. I would actually be surprised to hear of an exploit that would graphically let you know you've been owned. Placing myself in the shoes of a bad guy (a non-script-kiddie one), I would want to make the operation be as stealth as possible. The longer the community at large is unaware of the exploit I am using, the more data I am able to gain unauthorized access to.
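The dedicated-account approach described in posts #5 and #9 only protects the real home directory if that directory is in fact closed to other local accounts. The following added example (not code from any post in the thread) checks that, using nothing but `ls` and `find`, so it runs as the ordinary user; it works on a throw-away directory it constructs itself rather than on anyone's real home.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a home directory is
# closed to a separate, unprivileged BitTorrent account.

# Return 0 (true) if DIR grants any permission bit to group or other, so a
# different local account could at least traverse it; 1 if it is owner-only.
home_leaks_to_others() {
    bits=$(ls -ld "$1" | cut -c5-10) || return 2   # the group and other rwx columns
    case $bits in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# List regular files under DIR that group or other can read; these are what
# a compromised client running as the other account could copy out.
files_readable_by_others() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) 2>/dev/null
}

# Demonstration on a constructed throw-away directory (no real home is touched).
demo=$(mktemp -d)
mkdir "$demo/home"
chmod 750 "$demo/home"                                           # group can traverse: leaks
: > "$demo/home/notes.txt";  chmod 644 "$demo/home/notes.txt"    # readable by others
: > "$demo/home/secret.key"; chmod 600 "$demo/home/secret.key"   # owner-only
if home_leaks_to_others "$demo/home"; then
    echo "$demo/home is reachable by other local accounts; files readable by others:"
    files_readable_by_others "$demo/home"
    chmod 700 "$demo/home"      # the fix the original poster applied to his real home
fi
home_leaks_to_others "$demo/home" || echo "$demo/home is now owner-only"
rm -rf "$demo"
```

Run `home_leaks_to_others "$HOME"` on the real account before trusting the separation; a 750 or 755 home makes the second account worth much less than it looks, because every 644 file inside it is still readable from there. AppArmor confinement, as post #5 plans, adds a second fence on top of this one rather than replacing it.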
 
Old 01-24-2009, 08:06 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by win32sux
This is why I chose to run the BT application on another account (which didn't have read access to my home folder) instead.
Minimising chance always is a good choice. I've run BT for quite some time like that now and I've encountered nothing newsworthy.


Quote:
Originally Posted by win32sux
I would actually be surprised to hear of an exploit that would graphically let you know you've been owned.
Searching www.cve.mitre.org, osvdb.org and secunia.com you can find some entries. All from 2008, and apart from CVE-2008-0364 and CVE-2008-4434 only a few concern GNU/Linux products like Opera, BNBT or Azureus. Exploits aren't hard to find but I've seen nothing like you described.
 
Old 01-26-2009, 08:36 AM   #11
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
Quote:
Originally Posted by neilcpp
I had a reality check today...<SNIP>... Just how safe is this bittorrent stuff? From my experience, it sure don't seem very safe to me.


DON'T PANIC

Unspawn probably gave the best advice in the thread.

Run through the CERT checklist, run both of the rootkit checking programs, etc. It's entirely possible your system has been compromised for months, or that it's not compromised at all and your cat stepped on the keyboard, or that you're right: it's compromised. You need to establish the facts of what is happening before you do anything significant.

As far as I know there have been no Linux system compromises on the bit torrent clients, although that doesn't mean there aren't any. If your system is actually compromised then you need to look at the source of the client too. Did you download it from the sanctioned website, or from your distribution's repository, or off some obscure forum? etc. There's also a big difference in the significance of a root level compromise and a user level compromise.

First things first though, calm down, don't panic, *think*.

Last edited by rweaver; 01-26-2009 at 08:37 AM.
 
Old 01-27-2009, 12:54 PM   #12
neilcpp
Member
 
Registered: Jul 2003
Location: England
Distribution: Debian Jessie, FreeBSD 10.1 anything *nix to get my fix
Posts: 329

Original Poster
Rep: Reputation: Disabled
'Hacker found'

Quote:
Originally Posted by amani
I think the OP must have accidentally hit the print Screen key
Well, my system did have a few obvious security holes and I was doing the wrong thing opening a whole range of ports for bittorrent. I've now installed a new torrent client called Transmission and it only requires 1 port to be open. In addition I have my router firewall and my Linux firewall guarding my system.

However, I found the Hacker that caused the 'screenshot' dialog to appear! I at first thought it was a 'remote hacker/cracker' who wanted a snapshot of my desktop as a trophy!!

But thankfully, I saw the same dialog pop up today. My cat has a habit of sleeping on top of my monitor and from time to time he will jump down onto the keyboard!!! thus causing the print screen button to be pressed multiple times.

In my case, this was a false alarm - but I am definitely going to take a closer interest in security issues from now on. When the problem first appeared I felt like the victim of a burglary - thinking that someone had been poking around my PC. I will do my best to make sure this threat is minimised for real.
 
Old 01-27-2009, 04:09 PM   #13
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,904

Rep: Reputation: 5025
hehe... is that what they mean by a 'Black Cat' hacker.
 
Old 01-27-2009, 04:57 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Anyone know of a cat-detection application for GNU/Linux?

I remember seeing some for Windoze a few years back (PawSense, etc).

Might be a good idea to use such a tool to prevent this from happening again.

Last edited by win32sux; 01-27-2009 at 04:59 PM.
 
Old 01-27-2009, 05:10 PM   #15
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware
Posts: 1,134

Rep: Reputation: 277
Could one not disable the keyboard possibly by renaming or changing permissions on whatever /dev the keyboard is on?

Then, perhaps, to re-enable, a virtual keyboard....

Or, a script that would disable the keyboard, then re-enable when a zenity or xdialog is moused...

Edit:

Here we go: Lock Keyboard For Baby
http://csincock.customer.netspace.net.au/lock-keyboard-for-baby.htm

cheers,

Last edited by mrclisdue; 01-27-2009 at 05:21 PM. Reason: found something
 