deluge-web.log shows this:
[quote]
[INFO ] 09:35:35 json_api:773 Adding torrent from file `tmpNrXvXT.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 09:36:47 json_api:773 Adding torrent from file `tmp1kTkUW.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 09:37:18 json_api:773 Adding torrent from file `tmpBxiLxj.torrent` with options `{u'download_location': u'/root/'}`
[ERROR ] 10:06:22 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:33 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:38 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:43 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:50 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:16:52 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:16:59 auth:329 Login failed (ClientIP 107.185.249.53)
[INFO ] 11:03:40 json_api:773 Adding torrent from file `tmpC61QxE.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 11:04:16 json_api:773 Adding torrent from file `tmpCVVEth.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 11:04:34 json_api:773 Adding torrent from file `tmp6fjlxE.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 12:50:05 json_api:773 Adding torrent from file `tmpQdgKWZ.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 12:50:10 json_api:773 Adding torrent from file `tmp4d2qEc.torrent` with options `{u'download_location': u'/root/'}`
[/quote]
Happily, my machine is locked down in various ways: root SSH is not allowed, /root/ isn't readable or writable by my deluged user, and /root/.ssh/ doesn't even exist. My network monitoring doesn't show anything else unusual. So I'm pretty sure this script kiddie didn't get anything for their efforts. Even through deluge-web they don't seem to have done anything else: my existing torrents are all still there, and the config looks right. But let this stand as a warning to us all.
I have of course changed my password, turned off the port forwarding, and set up SSH tunnelling instead.
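A log check for the two patterns visible in the excerpt above, as an added example that is not part of the original post: it parses lines in that format and reports client IPs with repeated login failures, plus torrent adds whose `download_location` falls outside an allowed directory. The allowed directory `/srv/torrents`, the threshold of 5 and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import Counter

# Line shapes taken from the deluge-web.log excerpt quoted above.
LOGIN_FAILED = re.compile(r"^\[ERROR\s*\] (\S+) auth:\d+ Login failed \(ClientIP ([^)]+)\)")
ADD_TORRENT = re.compile(
    r"^\[INFO\s*\] (\S+) json_api:\d+ Adding torrent from file `([^`]+)` "
    r"with options `.*?'download_location': u?'([^']*)'")

def outside(path, allowed_dirs):
    """True when path, once normalised, is not inside any allowed directory."""
    if not posixpath.isabs(path):
        return True  # relative locations are treated as suspicious
    real = posixpath.normpath(path)  # collapses "..", so traversal is caught
    for d in allowed_dirs:
        d = posixpath.normpath(d)
        if posixpath.commonpath([real, d]) == d:
            return False
    return True

def scan(lines, allowed_dirs, fail_threshold=5):
    """Return ({ip: failed_login_count}, [(time, torrent_file, location)])."""
    failures, bad_adds = Counter(), []
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ADD_TORRENT.match(line)
        if m and outside(m.group(3), allowed_dirs):
            bad_adds.append(m.groups())
    noisy = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return noisy, bad_adds

# Constructed sample lines (documentation IP ranges, made-up file names).
ADD = "[INFO ] %s json_api:773 Adding torrent from file `%s` with options `{u'download_location': u'%s'}`"
SAMPLE = [
    ADD % ("09:35:35", "tmpAAAAAA.torrent", "/root/"),
    ADD % ("09:40:02", "tmpBBBBBB.torrent", "/srv/torrents/linux"),
    ADD % ("09:41:10", "tmpCCCCCC.torrent", "/srv/torrents/../../root"),
] + ["[ERROR ] 10:06:%02d auth:329 Login failed (ClientIP 203.0.113.7)" % s
     for s in range(20, 25)] + [
    "[ERROR ] 10:30:00 auth:329 Login failed (ClientIP 198.51.100.9)"]

if __name__ == "__main__":
    noisy, bad_adds = scan(SAMPLE, ["/srv/torrents"])
    print("repeated login failures:", noisy)
    for when, torrent, location in bad_adds:
        print("add outside allowed dirs:", when, torrent, location)
```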