Found Backdoors / Installation and Execution of Software (e.g. RansomWare)

General support for problems installing or using Deluge
New User
New User
Posts: 2
Joined: Wed Nov 28, 2018 5:11 am

Found Backdoors / Installation and Execution of Software (e.g. RansomWare)

Postby eduncan9112 » Wed Nov 28, 2018 5:29 am

OS: Windows Server 2012 (fully patched)
Deluge Version: (hard to tell, as it is all encrypted now.. Looks like 1.3.14 perhaps?)
Web UI: Disabled / not in use, nor exposed

Was hit with remote code that executed on my Torrent VM (RansomWare, fully encrypted the system).

Now, let me be clear... Deluge was the only software installed on this isolated VM dedicated to Deluge and torrents. And, I only had and currently have only 1 port open on my router: TCP to Deluge. Also, I was only seeding 7 torrent - nothing was downloading for months.

I know how to setup and run Windows securely as well as my network. I run multiple VMs, isolating services from each other and most of my private network (multiple VLANs). And even within those VMs, I run all services within a limited user account with no permissions on any other machine, nor admin access on local machines.

I am lacking SPI and other intrusion detection on my routers (working on that now, funny enough) so I still have some work to do.

However, Deluge i never could get running cleanly under a headless system. I didn't spend a lot of time on it, but oh well.

...oh well is right. When I was running Deluge, I ran it manually by RDPing into the desktop and running it under the local user. Since I used port 81, I simply logged in with an account with admin rights. Boy was that a mistake.

i didn't lose anything as I have robust backups (daily, weekly and monthly and off site). But this really pisses me off. :evil: It makes me question opening torrent software at all.

So in summary, the port open for Deluge, being the only service running on a headless VM, has had its entire filesystem "encrypted" by a variant of ransomware. All signs point to Deluge being exploited.

Return to “Support”

Who is online

Users browsing this forum: Google [Bot] and 13 guests