Deluge
Deluge Version: (hard to tell, as it is all encrypted now.. Looks like 1.3.14 perhaps?)
Web UI: Disabled / not in use, nor exposed
Was hit with remote code that executed on my Torrent VM (RansomWare, fully encrypted the system).
Now, let me be clear... Deluge was the only software installed on this isolated VM dedicated to Deluge and torrents. And, I only had and currently have only 1 port open on my router: TCP to Deluge. Also, I was only seeding 7 torrent - nothing was downloading for months.
I know how to setup and run Windows securely as well as my network. I run multiple VMs, isolating services from each other and most of my private network (multiple VLANs). And even within those VMs, I run all services within a limited user account with no permissions on any other machine, nor admin access on local machines.
I am lacking SPI and other intrusion detection on my routers (working on that now, funny enough) so I still have some work to do.
However, Deluge i never could get running cleanly under a headless system. I didn't spend a lot of time on it, but oh well.
...oh well is right. When I was running Deluge, I ran it manually by RDPing into the desktop and running it under the local user. Since I used port 81, I simply logged in with an account with admin rights. Boy was that a mistake.
i didn't lose anything as I have robust backups (daily, weekly and monthly and off site). But this really pisses me off.
It makes me question opening torrent software at all.So in summary, the port open for Deluge, being the only service running on a headless VM, has had its entire filesystem "encrypted" by a variant of ransomware. All signs point to Deluge being exploited.