infected by a DoS trojan? (URGENT)

[chaud lapin]

Hi all,

I have just a a very disturbing message from the webmaster of a private BitTorrent tracker to which I subscribe who claims that there is some kind of DoS attack originating from my IP number. He wrote:

Code:

[...]our stats show 
a HUGE bandwidth leakage coming from you (equivalent to ~350 users...)
I further invesitigated your connection an realized you are running a 
static-ip private server at your IP (XX.XX.XX.XX).
That means you have AT LEAST http port 80 in an open state (and port 21 
if you are running FTP).

Fixed IPs and open ports are a dangerous mix, since if you don't protect 
your server extremely well, you are bound to innumerable hacking 
attempts, some of which can succeed. This seems to be the case, I guess.

It is highly probable you have some sort of backdoor-virus or trojan 
running inadvertently at your site, which sends a DoS (Denial of 
Service) attack to whoever you link to. The DoS attack "floods" other 
peoples' servers with page requests, bringing those servers to their 
knees...

We have anti-DoS protection, but it seems SOME of the requests get 
through anyway. In fact, u are requesting a page from our site ~every 15
seconds, 24 hours a day, 7 days a week...

I have asked him to block my IP while I sort this problem out.

My setup as is follows: I have small LAN behind a router doing NAT. Connected are a desktop box with FC6, a latop running Ubuntu 6.10, and, since the beginning of the month, an old Pentium II with FreeBSD 6.2 installed running Postfix and Lightttpd. Under Fedora and Ubuntu, I use the latest Firefox.

Ports 25 and 80 are forwarded to the BSD box; several port >1000 ranges (ed2k and BT) are forwarded to the Fedora box, which otherwise has never been used as a server, other than occasionally opening port 21 for ssh when I have been on the road.

At this point, since the Fedora box has been running for several years, I expect that if anything has been compromised, that would be the first place to start looking. But at this point, I don't even know where to begin.

I'd be most grateful for any or all suggestions on how to proceed.

[chaud lapin]

False alarm. I appear that it is a bug in ktorrent. After investigating the apache logs, the webmaster wrote to me:

Code:

It's your CLIENT. Someway your client's announce interval is set to ~1-2
seconds overriding our normal 30 min announce interval, flooding the tracker 
with announce/scrape requests. I'm taking immediate action & will implement 
some sort of anti-flood routine in our announce.php.
Please fix the client´s configuration ASAP.

[burntfuse]

Well, I'd be surprised to see a virus on a Linux or FreeBSD box, good thing it was only a tracker bug.