  1. #1

    infected by a DoS trojan? (URGENT)

    Hi all,

    I have just had a very disturbing message from the webmaster of a private BitTorrent tracker to which I subscribe, who claims that there is some kind of DoS attack originating from my IP number. He wrote:

    [...]our stats show 
    a HUGE bandwidth leakage coming from you (equivalent to ~350 users...)
    I further investigated your connection and realized you are running a 
    static-ip private server at your IP (XX.XX.XX.XX).
    That means you have AT LEAST http port 80 in an open state (and port 21 
    if you are running FTP).
    Fixed IPs and open ports are a dangerous mix, since if you don't protect 
    your server extremely well, you are bound to innumerable hacking 
    attempts, some of which can succeed. This seems to be the case, I guess.
    It is highly probable you have some sort of backdoor-virus or trojan 
    running inadvertently at your site, which sends a DoS (Denial of 
    Service) attack to whoever you link to. The DoS attack "floods" other 
    peoples' servers with page requests, bringing those servers to their 
    We have anti-DoS protection, but it seems SOME of the requests get 
    through anyway. In fact, you are requesting a page from our site ~every 15
    seconds, 24 hours a day, 7 days a week...

    I have asked him to block my IP while I sort this problem out.

    My setup is as follows: I have a small LAN behind a router doing NAT. Connected are a desktop box with FC6, a laptop running Ubuntu 6.10, and, since the beginning of the month, an old Pentium II with FreeBSD 6.2 installed running Postfix and Lighttpd. Under Fedora and Ubuntu, I use the latest Firefox.

    Ports 25 and 80 are forwarded to the BSD box; several port >1000 ranges (ed2k and BT) are forwarded to the Fedora box, which otherwise has never been used as a server, other than occasionally opening port 21 for ssh when I have been on the road.

    At this point, since the Fedora box has been running for several years, I expect that if anything has been compromised, that would be the first place to start looking. But at this point, I don't even know where to begin.

    I'd be most grateful for any or all suggestions on how to proceed.

  2. #2
    False alarm. It appears that it is a bug in ktorrent. After investigating the apache logs, the webmaster wrote to me:

    It's your CLIENT. Someway your client's announce interval is set to ~1-2
    seconds overriding our normal 30 min announce interval, flooding the tracker 
    with announce/scrape requests. I'm taking immediate action & will implement 
    some sort of anti-flood routine in our announce.php.
    Please fix the client's configuration ASAP.
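    A tracker-side check of the kind the webmaster describes, added here as an example and not code from the thread or from the tracker: it reads web server access logs and flags clients whose announce/scrape cadence is far below the interval the tracker hands out (30 minutes in the thread). The log lines, IP addresses and client strings are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not from the thread): one client
# announcing every 15 s, one honouring the tracker's 30-minute interval.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2007:12:00:00 +0000] "GET /announce.php?info_hash=a&peer_id=b HTTP/1.1" 200 120 "-" "ktorrent/2.1"
203.0.113.7 - - [10/Mar/2007:12:00:15 +0000] "GET /announce.php?info_hash=a&peer_id=b HTTP/1.1" 200 120 "-" "ktorrent/2.1"
203.0.113.7 - - [10/Mar/2007:12:00:30 +0000] "GET /announce.php?info_hash=a&peer_id=b HTTP/1.1" 200 120 "-" "ktorrent/2.1"
203.0.113.7 - - [10/Mar/2007:12:00:45 +0000] "GET /scrape.php?info_hash=a HTTP/1.1" 200 80 "-" "ktorrent/2.1"
198.51.100.9 - - [10/Mar/2007:12:00:05 +0000] "GET /announce.php?info_hash=c&peer_id=d HTTP/1.1" 200 120 "-" "Azureus/2.5"
198.51.100.9 - - [10/Mar/2007:12:10:05 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2007:12:30:05 +0000] "GET /announce.php?info_hash=c&peer_id=d HTTP/1.1" 200 120 "-" "Azureus/2.5"
198.51.100.9 - - [10/Mar/2007:13:00:05 +0000] "GET /announce.php?info_hash=c&peer_id=d HTTP/1.1" 200 120 "-" "Azureus/2.5"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3})')
TRACKER_PATHS = {"/announce.php", "/scrape.php"}  # assumed tracker endpoints


def parse_line(line):
    """Return (ip, timestamp, path) for a combined-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, target, _status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, target.split("?", 1)[0]


def find_flooders(lines, announce_interval=1800, tolerance=0.5, min_hits=3):
    """Flag IPs whose median gap between tracker requests is well below the
    announce interval the tracker hands out (default 30 min, as in the thread)."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in TRACKER_PATHS:
            hits[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(2, min_hits) and statistics.median(gaps) < tolerance * announce_interval:
            flagged[ip] = {"requests": len(times), "min_gap_s": min(gaps),
                           "median_gap_s": statistics.median(gaps)}
    return flagged


if __name__ == "__main__":
    for ip, info in find_flooders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['requests']} tracker requests, median gap {info['median_gap_s']:.0f}s")
```

    Run against a real access log, the flagged IPs are the clients to throttle in the announce handler or to contact, as the webmaster did here.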

  3. #3
    Well, I'd be surprised to see a virus on a Linux or FreeBSD box, good thing it was only a tracker bug.
    I have sold my soul to the penguin
