HELP! Someone has accessed my transmission remotely

getthething
Posts: 2
Joined: Mon Feb 20, 2012 12:41 am

HELP! Someone has accessed my transmission remotely

Post by getthething »

I went to check Transmission today and discovered that all of my transfers were gone and there were two new .txt files. One in English that says "i have remote access to your transmission client set a username and password" and the other is the same thing but in French.

It seems someone accessed my Transmission and wiped out all of my transfers and replaced them with those. What steps do I need to take to make sure this doesn't happen again? I don't require authentication for remote transmission access but wouldn't the person need my IP address to access it?

What are the possibilities they were able to access anything else?

Is it possible to find out who accessed it?

Has anyone else seen this?

Any help would be much appreciated. It's freaked me out a little.
John Clay
Transmission Project
Posts: 993
Joined: Sat Jan 14, 2006 6:02 pm

Re: HELP! Someone has accessed my transmission remotely

Post by John Clay »

What's the big deal? You left the remote interface enabled without a password, and you're surprised someone messed with your torrents?

Set a password.
getthething
Posts: 2
Joined: Mon Feb 20, 2012 12:41 am

Re: HELP! Someone has accessed my transmission remotely

Post by getthething »

John Clay wrote: What's the big deal? You left the remote interface enabled without a password, and you're surprised someone messed with your torrents?

Set a password.

I'm not terribly surprised. I'm mostly just looking for some education. I'll definitely enable a password but I'm just curious how someone would go about this so I can learn from my mistake.
blacke4dawn
Posts: 552
Joined: Sun Dec 13, 2009 10:44 pm

Re: HELP! Someone has accessed my transmission remotely

Post by blacke4dawn »

Unless you need it yourself, another step is to make sure your firewall blocks external connections on the RPC port.

I have one more question regarding the Mac Client. What exactly does "Display the web interface with Bonjour" do and is it necessary?
Bonjour is Apple's "announce and discover" protocol stack for "zero configuration" connections to different services. It's only necessary if you want easy and "painless" access to the web interface.
blacke4dawn
Posts: 552
Joined: Sun Dec 13, 2009 10:44 pm

Re: HELP! Someone has accessed my transmission remotely

Post by blacke4dawn »

x190 wrote:
Bonjour is Apple's "announce and discover" protocol stack for "zero configuration" connections to different services. It's only necessary if you want easy and "painless" access to the web interface.
Okay, but I'm afraid that's about as clear as mud to me. Anyway, since we're talking about maximizing security, then it seems that feature should be left disabled.
To try and put it more simply, it's used for automatic discovery of services (like streaming music/video, gaming and some such) and effortlessly connecting to them.
It would be helpful if someone would enlighten us on how to gain a maximal security benefit by using the "rpc-whitelist" feature.

In particular: (Mac Client help files)
For security purposes, you can password protect access to Transmission, as well as restrict access to a trusted list of external IP addresses. To add an address to the list, click the + button.
What does this mean? Can access be restricted to a specific remote address?
Yes, access can be restricted to single IP addresses or groups of them by using wildcards. The standard is 127.0.0.1, a.k.a. only the local computer via the loopback interface.

Adding in only single IPs from addresses you know you regularly connect from would give the highest security potential from that feature alone, with the possible exception of your own home network that can go in a wildcard fashion.
blacke4dawn
Posts: 552
Joined: Sun Dec 13, 2009 10:44 pm

Re: HELP! Someone has accessed my transmission remotely

Post by blacke4dawn »

Bonjour makes it unnecessary to know such things as the actual IP, port and url-string; this means that enabling Bonjour would make it useless to try and "hide" it by having it use another port and/or url-string. As I haven't taken a full technical look at it, I am not sure if it's routable or not; if it's not routable then it won't be "usable" outside of that specific network. I would guess it's not routable since I suspect that it is a broadcast type of protocol, and those tend to not be routable.


The whitelist is a comma-separated list of IP addresses, and since it works like any other whitelist it will only allow access from those IPs that are specified in the list. I highly recommend always having the IP 127.0.0.1 in it as a form of fallback, but outside of that just add in any IP (or group of IPs by using wildcards) you want to be able to connect from, separated by one comma. For example:

Code:

"rpc-whitelist": "127.0.0.1, 217.188.32.5, 192.168.0.*",
That allows access via loopback on the machine running Transmission, from one external IP (the one you want to connect from remotely) and from the whole internal network.

Unless your client has a way to add IPs while it's running, the only way I know of to add those addresses to the whitelist is standard config editing.
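
An added example, not part of the original posts and not Transmission's own code: a Python sketch that models the comma-separated wildcard matching described above and audits the RPC keys of a settings.json for the problems raised in this thread. The defaults used for missing keys, the finding labels and the two sample configurations are assumptions made for illustration, and only IPv4 entries are handled.

```python
import fnmatch
import ipaddress

def _entries(whitelist):
    return [e.strip() for e in whitelist.split(",") if e.strip()]

def whitelist_allows(whitelist, source_ip):
    """True if source_ip matches any whitelist entry ('*' is a wildcard)."""
    return any(fnmatch.fnmatchcase(source_ip, e) for e in _entries(whitelist))

def _is_public(entry):
    """Read wildcard octets as 0 and ask whether the address is internet-routable."""
    octets = ["0" if o == "*" else o for o in entry.split(".")]
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_address(".".join(octets)).is_global

def audit_rpc(settings):
    """Return a list of findings for the RPC section of a settings dict."""
    findings = []
    # Defaults for missing keys are this example's assumptions.
    if not settings.get("rpc-enabled", False):
        return findings                      # remote interface off
    if not settings.get("rpc-authentication-required", False):
        findings.append("no-password")
    if not settings.get("rpc-whitelist-enabled", True):
        findings.append("whitelist-disabled")
        return findings                      # entries are not consulted
    for entry in _entries(settings.get("rpc-whitelist", "127.0.0.1")):
        if entry.startswith("*"):
            findings.append(f"matches-any-address: {entry}")
            continue
        try:
            if _is_public(entry):
                findings.append(f"public-ip-whitelisted: {entry}")
        except ValueError:
            findings.append(f"unparsed-entry: {entry}")
    return findings

# Constructed samples: the situation in the first post, and the whitelist
# quoted above with a password required.
OPEN = {"rpc-enabled": True, "rpc-authentication-required": False,
        "rpc-whitelist-enabled": False}
RESTRICTED = {"rpc-enabled": True, "rpc-authentication-required": True,
              "rpc-whitelist-enabled": True,
              "rpc-whitelist": "127.0.0.1, 217.188.32.5, 192.168.0.*"}

if __name__ == "__main__":
    for name, cfg in (("open", OPEN), ("restricted", RESTRICTED)):
        print(name, audit_rpc(cfg))
```

To check a real installation, load its settings.json with `json.load` and pass the resulting dict to `audit_rpc`.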
sintek
Posts: 16
Joined: Wed Feb 01, 2012 5:51 pm

Re: HELP! Someone has accessed my transmission remotely

Post by sintek »

Accessing your machine is MUCH easier than you think. An application like angryIP or nmap or nessus will scan a range of addresses and open ports; when he sees your port 9091 is open he tries to connect, and since you don't have a password (Dumbest Move EVER) he then has access to your machine. You're lucky he did not take more advantage of this and actually let you know. Lesson learned.
Richy_T
Posts: 27
Joined: Sat May 12, 2012 5:13 pm

Re: HELP! Someone has accessed my transmission remotely

Post by Richy_T »

If the process questioned in the first paragraph of this post were true, 99.99% of users would never connect remotely to their home computer via RPC, EVER!!! Why? Because most users only whitelist local IP addresses so, of course, source addresses are not examined by the RPC code as they would all be refused (not on the whitelist).
So what's your point? I have only localhost and one other computer on my local subnet whitelisted and yes, those are the only two computers that can ever connect and use the rpc. (I do, however, mostly use transmission-remote from the command line of the installed computer).

OK, to get to the security point of the original question:

My recommendation: Do not open transmission-rpc to the internet in any way or form. Don't add any public IP addresses to the whitelist and do not punch any holes in your firewall. Quite simply, the world does not need access to your torrent client* so don't give it to them. If you want access to your client from remote locations, use a VPN or find out about SSH and tunneling.

*Obviously, opening your incoming torrent port is actually a good idea. I'm referring to the rpc port.