- 01-27-2007 #1
infected by a DoS trojan? (URGENT)
I have just had a very disturbing message from the webmaster of a private BitTorrent tracker to which I subscribe who claims that there is some kind of DoS attack originating from my IP number. He wrote:
[...] our stats show a HUGE bandwidth leakage coming from you (equivalent to ~350 users...). I further investigated your connection and realized you are running a static-IP private server at your IP (XX.XX.XX.XX). That means you have AT LEAST http port 80 in an open state (and port 21 if you are running FTP). Fixed IPs and open ports are a dangerous mix, since if you don't protect your server extremely well, you are bound to innumerable hacking attempts, some of which can succeed. This seems to be the case, I guess. It is highly probable you have some sort of backdoor virus or trojan running inadvertently at your site, which sends a DoS (Denial of Service) attack to whoever you link to. The DoS attack "floods" other people's servers with page requests, bringing those servers to their knees... We have anti-DoS protection, but it seems SOME of the requests get through anyway. In fact, you are requesting a page from our site ~every 15 seconds, 24 hours a day, 7 days a week...
My setup is as follows: I have a small LAN behind a router doing NAT. Connected are a desktop box with FC6, a laptop running Ubuntu 6.10, and, since the beginning of the month, an old Pentium II with FreeBSD 6.2 installed running Postfix and Lighttpd. Under Fedora and Ubuntu, I use the latest Firefox.
Ports 25 and 80 are forwarded to the BSD box; several port >1000 ranges (ed2k and BT) are forwarded to the Fedora box, which otherwise has never been used as a server, other than occasionally opening port 21 for ssh when I have been on the road.
At this point, since the Fedora box has been running for several years, I expect that if anything has been compromised, that would be the first place to start looking. But at this point, I don't even know where to begin.
I'd be most grateful for any or all suggestions on how to proceed.
- 01-27-2007 #2
False alarm. It appears that it is a bug in ktorrent. After investigating the Apache logs, the webmaster wrote to me:
It's your CLIENT. Somehow your client's announce interval is set to ~1-2 seconds, overriding our normal 30 min announce interval, flooding the tracker with announce/scrape requests. I'm taking immediate action & will implement some sort of anti-flood routine in our announce.php. Please fix the client's configuration ASAP.
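As an added example (not code from this thread or from the tracker's announce.php), here is the check the webmaster effectively did by hand: scan Apache access logs for peers re-announcing far faster than the tracker's 30-minute announce interval, which separates a single misconfigured client from a genuine flood by many hosts. The sample log lines, IP addresses, user-agent strings and the 5% flagging threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

ANNOUNCE_INTERVAL_S = 30 * 60   # tracker's announce interval quoted in the thread
FLOOD_RATIO = 0.05              # assumed: flag if median gap < 5% of that (90 s)

# Apache "combined" log format, e.g.
# 203.0.113.7 - - [27/Jan/2007:10:00:00 +0000] "GET /announce.php?... HTTP/1.1" 200 512 "-" "KTorrent-sample"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def announce_flooders(lines, interval_s=ANNOUNCE_INTERVAL_S, ratio=FLOOD_RATIO):
    """Group announce/scrape hits by client IP; return {ip: (median_gap_s, hits, user_agent)}
    for clients whose typical re-announce gap is far below the configured interval."""
    stamps, agents = defaultdict(list), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(("/announce", "/scrape")):
            continue
        stamps[rec["ip"]].append(rec["ts"])
        agents[rec["ip"]] = rec["ua"]
    offenders = {}
    for ip, ts in stamps.items():
        if len(ts) < 3:          # too few samples to judge an interval
            continue
        ts.sort()
        gap = median((b - a).total_seconds() for a, b in zip(ts, ts[1:]))
        if gap < interval_s * ratio:
            offenders[ip] = (gap, len(ts), agents[ip])
    return offenders

def _line(ip, ts, path, ua):   # helper to build constructed sample lines
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample: one peer announcing every 2 s (the misconfigured client),
# one announcing every 30 min as intended, and one unrelated page hit.
T0 = datetime(2007, 1, 27, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("203.0.113.7", T0 + timedelta(seconds=2 * i), "/announce.php?info_hash=x&peer_id=a", "KTorrent-sample") for i in range(6)]
    + [_line("198.51.100.9", T0 + timedelta(minutes=30 * i), "/announce.php?info_hash=x&peer_id=b", "OtherClient-sample") for i in range(3)]
    + [_line("192.0.2.5", T0, "/index.php", "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, (gap, n, ua) in announce_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {n} announces, median gap {gap:.0f}s, client {ua!r}")
```

The user-agent column is what tells a tracker operator that one buggy client, rather than a compromised server, is behind the traffic.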
- 01-27-2007 #3
Well, I'd be surprised to see a virus on a Linux or FreeBSD box, good thing it was only a tracker bug.
I have sold my soul to the penguin