[WebUI Vulnerability] Malicious plugin "booster" found on my system

[eduncan9112]

Just FYI, I've narrowed down Deluge having an exploit in its network protocol (the TCP port you open to the network).

viewtopic.php?f=7&t=55166

If this is true, it would allow any remote actor to execute code on your machine,

[BinaryData]

I'm going to disengage my storage arrays, and nuke my systems. F***! I was SOOO hoping to not have to deal with this.

By the way, I AM running the latest version of deluged. Not sure if it didn't update because I haven't restarted in a year, but I thought 1.3.15 was out for longer than that?

[janos66]

I just found this "booster" plugin today (I didn't delve into Deluge settings for years...).
It shows up inactive on the WUI (not ticked) and I use deluged on a Linux box (no Dekstop, so Deluge is installed without GUI on Gentoo) where it has it's own "deluged" user/group, so it doesn't have privileged access but it does have a bash shell and it obviously has access to files it downloads (including executable files which I execute on Windows through SMB, sometimes with Administrator rights). Although the Windows virus scanner never complained about actually malicious files, just "potentially unwanted" stuff (and I didn't execute anything locally on Linux that came from torrents). Right now, the "deluged" user doesn't have anything running but the deluged process.

So, is it enough to delete the plugin and run a thorough virus scan on all machines?

I have absolutely no idea when "booster" appeared. But I update the system regularly (Gentoo world updates also update deluge).

[ambipro]

I just found this "booster" plugin today (I didn't delve into Deluge settings for years...).
It shows up inactive on the WUI (not ticked) and I use deluged on a Linux box (no Dekstop, so Deluge is installed without GUI on Gentoo) where it has it's own "deluged" user/group, so it doesn't have privileged access but it does have a bash shell and it obviously has access to files it downloads (including executable files which I execute on Windows through SMB, sometimes with Administrator rights). Although the Windows virus scanner never complained about actually malicious files, just "potentially unwanted" stuff (and I didn't execute anything locally on Linux that came from torrents). Right now, the "deluged" user doesn't have anything running but the deluged process.

So, is it enough to delete the plugin and run a thorough virus scan on all machines?

I have absolutely no idea when "booster" appeared. But I update the system regularly (Gentoo world updates also update deluge).

I would definitely start there and run some rootkit and virus scans on the linux box. I wouldn't think it would traverse the network, but it is entirely possible with the right bad-actor/malware to do so if it used some sort of local privilege escalation.

These are all "worst case scenario" - and it's more likely based on my understanding of the malware scene that it just tried to steal things like bitcoin wallets and passwords/credit card information stored, and then maybe sit on your system dormant.

Definitely run virus scanners on any PC's that would be at risk, root kits are another potential that often aren't covered WELL by the standard virus scanner. I'd use a online or boot-usb virus scanner if you are REALLY concerned.

If it finds nothing, and you've deleted the plugin, I'd assume you are probably safe. From your post it doesn't sound like you've noticed anything strange occurring or had fraud charges on your accounts or anything.

I would assume you're going to be OK if all the scans come up clean and you've deleted the plugin prior to the scans.

Just to reiterate, there is almost no reason to expose your WebUI directly to the internet, and there are solutions to avoid this such as tailscale if you need to access it outside your LAN. Set a secure password as well, always.

[janos66]

I checked, Deluge WUI and Server ports are set to REJECT in iptables (and I don't remember touching the firewall rules for years). But it's in/out ports are open (although these are changed from the defaults).
chkrootkit found nothing, lynis found nothing important, ClamAV will take ages (and I guess it will find nothing but I treat it as a slow scrub of the data).

Given how old this topic is and how long this could have been on my system, I think it's fairly safe to assume that it would have acted by now if it could and wanted. Running Deluge on Linux and as a limited user probably saved me. (For example, the ransomware mentioned earlier couldn't have benefited from encrypting files downloaded by deluge because that's easy to reacquire for free. And that report was about Windows, so it probably exploited a Windows vulnerability. And maybe the 'execute' plugin had something to do with it which was always disabled.)

[leif]

any benefit of running inside a Docker container for protecting from such types of attacks?