Hacked because I didn't secure my Deluge
Posted: Sat Sep 17, 2016 3:57 pm
I set up Deluge a while ago on my Synology DSM. I changed the default password and set up port-forwarding on my router so I could access the deluge-web UI from out in the world. Then a while later I forgot my password. I reset the Deluge config, and then got distracted from what I was doing so left it with the default password. A few hours later, somebody logged into the web UI and added a bunch of torrents to share things like /root/.ssh/.
deluge-web.log shows this:
[INFO ] 09:35:35 json_api:773 Adding torrent from file `tmpNrXvXT.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 09:36:47 json_api:773 Adding torrent from file `tmp1kTkUW.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 09:37:18 json_api:773 Adding torrent from file `tmpBxiLxj.torrent` with options `{u'download_location': u'/root/'}`
[ERROR ] 10:06:22 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:33 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:38 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:43 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:50 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:16:52 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:16:59 auth:329 Login failed (ClientIP 107.185.249.53)
[INFO ] 11:03:40 json_api:773 Adding torrent from file `tmpC61QxE.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 11:04:16 json_api:773 Adding torrent from file `tmpCVVEth.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 11:04:34 json_api:773 Adding torrent from file `tmp6fjlxE.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 12:50:05 json_api:773 Adding torrent from file `tmpQdgKWZ.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 12:50:10 json_api:773 Adding torrent from file `tmp4d2qEc.torrent` with options `{u'download_location': u'/root/'}`
How I laughed.
Happily, my machine is locked down in various ways: root SSH is not allowed, /root/ isn't readable or writable by my deluged user, and /root/.ssh/ doesn't even exist. My network monitoring doesn't show anything else unusual. So I'm pretty sure this script kiddie didn't get anything for their efforts. Even through deluge-web they don't seem to have done anything else: my existing torrents are all still there, and the config looks right. But let this stand as a warning to us all.
I have of course changed my password, turned off the port forwarding, and set up SSH tunnelling instead.
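The log excerpt above carries two signals worth alerting on: torrents added with a download_location outside the directory you actually download to, and a run of failed logins from a single client IP. The following script is an added example, not code from the post or from the Deluge project; it parses the exact log lines quoted above (embedded as sample input) and reports both conditions. The allowed download root /volume1/downloads, the burst threshold (5 failures within one minute) and the two regexes are assumptions matched to this excerpt's format, so adjust them for your own deluge-web.log.

```python
"""Detector for two signals in a deluge-web.log: torrents added with a
download_location outside the expected directories, and bursts of failed
logins from one client IP. Added example; not part of Deluge."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The log excerpt from the post above, embedded verbatim as sample input.
SAMPLE_LOG = """\
[INFO ] 09:35:35 json_api:773 Adding torrent from file `tmpNrXvXT.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 09:36:47 json_api:773 Adding torrent from file `tmp1kTkUW.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 09:37:18 json_api:773 Adding torrent from file `tmpBxiLxj.torrent` with options `{u'download_location': u'/root/'}`
[ERROR ] 10:06:22 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:33 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:38 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:43 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:06:50 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:16:52 auth:329 Login failed (ClientIP 107.185.249.53)
[ERROR ] 10:16:59 auth:329 Login failed (ClientIP 107.185.249.53)
[INFO ] 11:03:40 json_api:773 Adding torrent from file `tmpC61QxE.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 11:04:16 json_api:773 Adding torrent from file `tmpCVVEth.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 11:04:34 json_api:773 Adding torrent from file `tmp6fjlxE.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 12:50:05 json_api:773 Adding torrent from file `tmpQdgKWZ.torrent` with options `{u'download_location': u'/root/'}`
[INFO ] 12:50:10 json_api:773 Adding torrent from file `tmp4d2qEc.torrent` with options `{u'download_location': u'/root/'}`
"""

# Regexes written against the line format seen in this excerpt (assumption).
ADD_RE = re.compile(r"^\[INFO \] (?P<time>\d\d:\d\d:\d\d) json_api:\d+ "
                    r"Adding torrent from file `(?P<file>[^`]+)` with options `(?P<opts>.*)`$")
FAIL_RE = re.compile(r"^\[ERROR \] (?P<time>\d\d:\d\d:\d\d) auth:\d+ "
                     r"Login failed \(ClientIP (?P<ip>[0-9.]+)\)$")
LOC_RE = re.compile(r"u?'download_location': u?'(?P<loc>[^']*)'")


def _under(path, root):
    """True if path is root itself or lies beneath it (after normalisation,
    so /root/ matches /root but /rootkit does not)."""
    path, root = os.path.normpath(path), os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def suspicious_downloads(lines, allowed_roots):
    """Return (time, torrent file, location) for every torrent add whose
    download_location is outside all of allowed_roots."""
    hits = []
    for line in lines:
        m = ADD_RE.match(line.rstrip("\n"))
        if not m:
            continue
        loc_m = LOC_RE.search(m.group("opts"))
        if not loc_m:
            continue  # no explicit location in the options; nothing to judge here
        loc = loc_m.group("loc")
        if not any(_under(loc, root) for root in allowed_roots):
            hits.append((m.group("time"), m.group("file"), loc))
    return hits


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: [window start times]} for every run of `threshold`
    consecutive failed logins from one IP that fits inside `window`."""
    by_ip = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line.rstrip("\n"))
        if m:
            by_ip[m.group("ip")].append(datetime.strptime(m.group("time"), "%H:%M:%S"))
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        starts = [times[i].strftime("%H:%M:%S")
                  for i in range(len(times) - threshold + 1)
                  if times[i + threshold - 1] - times[i] <= window]
        if starts:
            bursts[ip] = starts
    return bursts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # /volume1/downloads is an assumed download root for a Synology box.
    for t, f, loc in suspicious_downloads(lines, ["/volume1/downloads"]):
        print(f"{t} torrent {f} targets {loc}")
    for ip, starts in failed_login_bursts(lines).items():
        print(f"{ip}: login-failure burst starting at {', '.join(starts)}")
```

Run against the excerpt, every one of the eight adds is flagged because /root/ is not under the allowed root, and the five failures between 10:06:22 and 10:06:50 form one burst while the later pair at 10:16 does not. The path check deliberately normalises and compares on a path-separator boundary rather than using a bare prefix test, so a location like /volume1/downloads-evil would not pass as /volume1/downloads.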