While BitTorrent client functionality hasn’t fundamentally changed over the past 20 years, developers of leading clients haven’t let their software stagnate.
A good example is the excellent qBittorrent, a feature-rich open source client which still receives regular updates. In common with similar clients, qBittorent can be found on GitHub along with its source and installation instructions.
Elsewhere on the same platform, users were recently trying to work out how a standard qBittorrent install suddenly led to the appearance of unwanted cryptocurrency mining software on the same machine.
Proxmox and LXC
For those unfamiliar with Proxmox VE, it’s an environment for virtual machines that once tried becomes very useful, extremely quickly. It’s also free for mere mortals and in most circumstances, very easy to install and get up and running.
With help from various Proxmox ‘helper scripts’ offered by tteck on GitHub (small sample to the right), even beginners can install any of dozens of available software packages in a matter of seconds using LXC containers.
Even if none of that makes sense, it doesn’t matter. Those who want qBittorrent installed, for example, can copy and paste a single line of text into Proxmox…and that’s it. Given that the whole process is almost always flawless, user issues are very rare, so to hear of a possible malware infection came as a real shock recently
Cryptominer Discovery
In summary, a Proxmox user deployed a tteck script to install qBittorrent and then a month later found his machine being worked hard by cryptomining software known as xmrig. While he investigated the problem, tteck removed the qBittorrent LXC script as a basic precaution, but it soon became clear that neither Proxmox or tteck’s script had anything to do with the problem.
The unwelcome software was indeed installed maliciously, but due to a series of avoidable events, rather than a genius hack.
When a qBittorrent installation like this completes and the software is launched, access to qBittorent takes place through a web interface accessible from most web browsers. By default, qBittorrent uses port 8080 and since many users like to access their torrent clients from remote networks, qBittorrent uses UPnP (Universal Plug and Play) to automate port forwarding, thereby exposing the web interface to the internet.
Having this working in record time is all very nice, but that doesn’t mean it’s safe. To ensure that only the operator of the client can access the web interface, qBittorrent allows the user to configure a username and a password for authentication purposes.
This generally means that random passers-by will need to possess these credentials before being able to do damage. In this case, the default admin username and password were not changed and that allowed an attacker to easily access the web interface.
Attacker Told qBittorrent to Run an External Program
To allow users to automate various tasks related to downloading and organizing their files, qBittorrent has a feature that can automatically run an external program when a torrent is added and/or when a torrent is finished.
The options here are limited only by the imagination and skill of the user but unfortunately the same applies to any attacker with access to the client’s web interface.
In this case the attacker told the qBittorrent client to run a basic script on completion of a torrent. The script accessed the domain http://cdnsrv.in from where it downloaded a file called update.sh and then ran it. The consequences of that are explained in detail by tteck, but the main points are a) unauthorized cryptomining on the host machine and b) the attacker maintaining root access via SSH key authentication.
Easily Avoided
The default admin username for qBittorrent is ‘admin’ while the default password is ‘adminadmin’. Had these common-knowledge defaults been changed following install, the attacker would still have found the web interface but would’ve had no useful credentials for conventional access.
More fundamentally, possession of the correct credentials would’ve had limited value if the qBittorrent client hadn’t used UPnP to expose the web interface in the first place. Taking another step back, if UPnP hadn’t been enabled in the user’s router, qBittorrent would’ve had no access to UPnP, and wouldn’t have been able to forward ports or expose the interface to the internet.
In summary: disable UPnP in the router and only enable it once its function is fully understood and when absolutely necessary. Never leave default passwords unchanged, and if something doesn’t need to be exposed to the internet, don’t expose it unnecessarily.
Finally, it’s worth mentioning that tteck‘s response, to a problem that had nothing to do with Proxmox or his scripts, has been first class. Anyone installing the qBittorrent LXC from here will find the default admin password changed and UPnP disabled automatically.
Any time saved can be spent on automated installs of Plex, Tautulli, Emby, Jellyfin, Jellyseerr, Overseerr, Navidrome, Bazarr, Lidarr, Prowlarr, Radarr, Readarr, Sonarr, Tdarr, Whisparr, and many, many more.
