rpc-bind-address changes on its own?!

[maki.ato]

I'm running Transmission Daemon 2.71 on my NAS (D-Link DNS-323) behind an Asus router running Tomato. In the router I only forward the traffic port I use in tranmission, not the web-interface, so no rpc access from outside my local network.

So today, I try to access transmission from my PC on the LAN in multiple method (web interface, transmission remote cli) and I can't. So after a few restarts of the daemon I realize that's not the problem, and I take a look at settings.json.

To my surprise, instead of

Code: Select all

"rpc-bind-address": "0.0.0.0",

I see

Code: Select all

"rpc-bind-address": "some-ip-address-in-California",

...and I'm in Asia.

I should add I'm using the rpc white-list feature:

Code: Select all

"rpc-whitelist": "127.0.0.1,192.168.*.*",
"rpc-whitelist-enabled": true,

I didn't touch that file in months. After fixing this I could access transmission again.
that's the only thing that changed (I diff-ed against a backup).

How is that possible?

[rb07]

My guess: you recently installed version 2.71 from a package... and the package builder messed up the settings.json or the start-up script that gets installed (haven't we heard that one before? like a 100 times lately).

[maki.ato]

I did install it from a package (a fonz' fun plug package), but that package doesn't contain a settings.json file, or any install-time scripts.
Furthermore, like I wrote, nothing else was changed besides the rpc-bind-address, not even the rpc username/password.

[maki.ato]

OK, it happened again. Somehow rpc-bind-address changed from 0.0.0.0 to something else: 68.61.151.168
I've updated to v2.72

Unfortunately, I didn't write down the IP address when it happened previously.
This IP, it seems, is associated with some bad behavior, according to this: http://dawhois.com/rbl_check/?query=68.61.151.168.

Is it some kind of exploit/hack attack going on? I checked my router and I don't see any connections from that IP.
Since I have my rpc-whitelist enabled and set to match my LAN's subnet and additionally I'm not port forwarding (and there's no DMZ, or port triggering) the transmission rpc port I'm in no danger right? It's just the question of why that's happening.

Anyone has any idea?

[rb07]

Let's analyze the data:

• A strange address appears in settings.json's "rpc-bind-address". Does this do anything? No if the daemon was already running, bind address only is used at the start, and binding to an nonexistent (in the local system's network interfaces) address shouldn't work anyway (unless its a broadcast, or multicast address);
• But RPC stops working... then the daemon started with that "rpc-bind-address". Looking at the log would be interesting, I would expect an error logged about not being able to bind to that address;
• Who's doing this changes? I doubt it is an exploit aimed at the daemon (a RPC command -- are you using any 3rd party software to monitor/control the daemon?), more likely is something in the start-up script, or the options used by the script... but you already said that there is nothing wrong there;
• For what purpose? I don't know.
• How? As far as I know there are only 2 ways to change it: (1) editing settings.json, and sending a HUP signal so the daemon re-reads the configuration file (I'm not sure if the daemon will try to bind to the new address); (2) using the -r (or --rpc-bind-address) parameter. See why I still think this is done before the daemon starts?

Does your Linux distribution include the audit (or inotify, or dnotify) package? My NAS doesn't, and any of those needs a kernel configured to use it. There are other tools, FAM, Gamin, but these are unlikely to be on a NAS (they are used with GUIs).

[maki.ato]

Thank you so much for helping me make sense of it.

• ... Looking at the log would be interesting, I would expect an error logged about not being able to bind to that address;

I should've added that I grepped through Transmission Daemon's log and found nothing relevant. I "grep -i" for error, fail, rpc and bind as well as the rpc bind IP address.

• Who's doing this changes? I doubt it is an exploit aimed at the daemon (a RPC command -- are you using any 3rd party software to monitor/control the daemon?), more likely is something in the start-up script, or the options used by the script... but you already said that there is nothing wrong there;

I'm using Kylek's fun-plug package, like many tens or hundreds (or more) people. This only started recently.
I am using a 3rd party script - one that i wrote myself: A watchdog that restarts transmission when its memory usage (which tends to grow significantly over time - I seed hundreds of torrents 24/7) reaches some threshold value. It only interacts with the running daemon when it kills it. It kills it by sending it a SIGINT, not by RPC. You can find that script here: http://forum.dsmg600.info/viewtopic.php?id=7132. Cron runs this script every 2 hours, and the daemon is restarted every 3 days or so.
So something changes (somehow) that rpc-bind-address, and the restart causes it to be written to settings.json and then used when started again?

[/list][*]How? As far as I know there are only 2 ways to change it: (1) editing settings.json, and sending a HUP signal so the daemon re-reads the configuration file (I'm not sure if the daemon will try to bind to the new address); (2) using the -r (or --rpc-bind-address) parameter. See why I still think this is done before the daemon starts?[/list]

hmm, before it happened the first time, I did play around with transmission-remote. I wanted to experiment a bit with the intention to expand that watchdog script to send me an email report of torrents that has problems, such as unregistered torrents. So I ran a few queries. "all" I did was run stuff like:

Code: Select all

transmission-remote --auth  <user-name>:<password> -l | egrep "^[ ]*[0-9]+\*" | awk -F '*' '{ print $1}'

to grab torrent IDs and

Code: Select all

transmission-remote --auth  <user-name>:<password> -t <ID> -i

To see what I need to grep in order to identify those errornous torrents.
I didn't know of the -r -or --rpc-bind-address. according to transmission-remote --help is used to remove torrents. --rpc-bind-address isn't listed at all as an option.
That was a few days before this first happened. In the time period since it first happened and today I didn't use the command-line tool at all. Just the web interface and a couple of 3rd party front ends (transmission-remote-guy and transmission-remote dotnet).

Does your Linux distribution include the audit (or inotify, or dnotify) package? My NAS doesn't, and any of those needs a kernel configured to use it. There are other tools, FAM, Gamin, but these are unlikely to be on a NAS (they are used with GUIs).

[/quote]
That's a tougher one to answer. From searching the community hacking forum I'm pretty sure inotify isn't supported.

[rb07]

I grepped through Transmission Daemon's log and found nothing relevant

That by itself is odd, there should be 2 hits on "bind", one for the peer port, one for the RPC port. I don't have my current startup log, it was rotated some time ago.

None of the 3rd party scripts and plugins look suspicious.

Nothing you did is related.

--rpc-bind-address isn't listed at all as an option

You misunderstood, its a parameter for the -daemon, not for the -remote program.

a couple of 3rd party front ends (transmission-remote-guy and transmission-remote dotnet)

Now those look suspicious. "remote-guy" seriously?

I don't really know them, are they even current? I was wondering earlier if using an old 3rd party utility meant to be used with old versions of Transmission (the RPC protocol has changed over time) could do some damage. I don't have the answer.

That's a tougher one to answer

Yes I know, and the answer is probably no.

But the general idea is to install something to record who/what is changing the file (besides transmission-daemon).

Another fact which is very strange: you are the only one noticing this problem. I know I don't have it in my NAS, which is different that yours, and I build just about everything from (verified) source.

[maki.ato]

transmission-remote-gui, not transmission-remote-guy. Sorry for the typo.
Both listed on the add-on page (http://www.transmissionbt.com/resources/), for both I use the latest version.

oh, and the daemon is started with just two command line flags: -g -e

regarding the log: I imagine that it's some build-time option/config Kylek uses to reduce log verbosity.

[rb07]

regarding the log: I imagine that it's some build-time option/config Kylek uses to reduce log verbosity.

Kylek's plugin has nothing to do with Transmission's log... or maybe I don't know what the plugin (funplug?) is, I was assuming it is Kylek's automatic (a RSS feed scanner to load torrents automatically). The log verbosity is controlled in... guess where? yes, settings.json, so there may be somebody distributing a modified settings file after all.

Anyway there is no build option to get rid of the log, it should be there in /var/log/messages (along with everything else that uses syslog).

[maki.ato]

regarding the log: I imagine that it's some build-time option/config Kylek uses to reduce log verbosity.

Kylek's plugin has nothing to do with Transmission's log... or maybe I don't know what the plugin (funplug?) is, I was assuming it is Kylek's automatic (a RSS feed scanner to load torrents automatically). The log verbosity is controlled in... guess where? yes, settings.json, so there may be somebody distributing a modified settings file after all.

Anyway there is no build option to get rid of the log, it should be there in /var/log/messages (along with everything else that uses syslog).

funplug is a script (+ a packaging system) that turns my Appliance NAS to a little Busy-box linux. Kylek is kind enough to provide us lazy fun-plug community members with a build of transmission-daemon (and cli tools) packaged for fun-plug.

https://trac.transmissionbt.com/wiki/EditConfigFiles

message-level: Number (0 = None, 1 = Error, 2 = Info, 3 = Debug, default = 2) Set verbosity of transmission messages.

Yes, you're both right, I failed to notice that log level is set in setting.json. I just checked, message-level is 2.
Since there's no syslog service running on the NAS, I run transmission-daemon with the -e option.

Like I wrote, I grepped through that log file and didn't find anything. It's not some file I rotate or anything, Last time I deleted it was a few weeks ago. It is now ~9.2MB in size.

[maki.ato]

message-level is 2

Try setting to 3. Stop the daemon first.

Search for "bound".

2012-10-22 12:14:04 -0600 net.c:558 [Debug] TurboT: Bound socket 11 to port xxxxx on 0.0.0.0

Sure, I can do that....I just did. Currently, after I fixed that setting again everything is in order.
So I/we can wait till that happens again and we'll, hopefully, see that line in the log. But will we see an indication that the rpc-bind-address setting was changed, and clues as to why?

Edit: Restarted transmission-daemon, Currently, rpc-bind-address is 0.0.0.0. When I grep for bound I only see the peer-port, not the rpc-bind-address.
Edit2: Should've added that grepping for "bound" gave no results with existing message-level-2 log.

Edit3: So now we play the waiting game. I'll keep an eye on this thread just in case anyone has any more suggestions. I'll be sure to report back when/if this happens again, and we'll see what a more verbose log can disclose.
I'd like to thank you rb07 and x190 for contributed to this discussion.

[rb07]

Try grep for "9091", the actual message doesn't mention bind (but the error with a strange IP address might):

Code: Select all

Serving RPC and Web requests on port 127.0.0.1:9091/transmission/

If you are not seeing it, and RPC is enabled, then something is modified in your daemon.

BTW what is "TurboT"? the log format with syslog is different from what you show, and that "TurboT" is not standard.

[maki.ato]

OK, now this gets even stranger. I tried that new grep on the current log (message-level 3) and it produced the (expected) following output:

Code: Select all

sh-3.2# cd /mnt/HD_a2/.transmission-daemon/
sh-3.2# grep -i rpc transmission-daemon.log
[22:12:26.264] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[22:12:26.264] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[22:12:26.264] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[22:12:26.264] RPC Server Whitelist enabled (rpc-server.c:1001)
[22:12:26.265] RPC Server Password required (rpc-server.c:1004)
sh-3.2#

So I figured why not search the recent rsync-incremental-snapshot backup (made last night, before I deleted that ~9.2M) log and which covers the period containing the issue.
Here's the result:

Code: Select all

sh-3.2# cd /mnt/HD_b2/Backup_NAS/current/.transmission-daemon/
sh-3.2# grep -i rpc transmission-daemon.log
[22:51:40.465] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[22:51:40.465] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[22:51:40.466] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[22:51:40.466] RPC Server Whitelist enabled (rpc-server.c:1001)
[22:51:40.466] RPC Server Password required (rpc-server.c:1004)
[18:14:44.577] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[18:14:44.577] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[18:14:44.577] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[18:14:44.577] RPC Server Whitelist enabled (rpc-server.c:1001)
[18:14:44.578] RPC Server Password required (rpc-server.c:1004)
[08:15:49.260] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[08:15:49.261] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[08:15:49.261] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[08:15:49.261] RPC Server Whitelist enabled (rpc-server.c:1001)
[08:15:49.261] RPC Server Password required (rpc-server.c:1004)
[18:14:45.988] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[18:14:45.988] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[18:14:45.988] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[18:14:45.988] RPC Server Whitelist enabled (rpc-server.c:1001)
[18:14:45.989] RPC Server Password required (rpc-server.c:1004)
[22:15:48.453] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[22:15:48.453] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[22:15:48.453] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[22:15:48.454] RPC Server Whitelist enabled (rpc-server.c:1001)
[22:15:48.454] RPC Server Password required (rpc-server.c:1004)
[20:14:49.423] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[20:14:49.423] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[20:14:49.423] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[20:14:49.424] RPC Server Whitelist enabled (rpc-server.c:1001)
[20:14:49.424] RPC Server Password required (rpc-server.c:1004)
[18:14:48.074] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[18:14:48.074] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[18:14:48.075] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[18:14:48.075] RPC Server Whitelist enabled (rpc-server.c:1001)
[18:14:48.075] RPC Server Password required (rpc-server.c:1004)
[08:14:46.285] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[08:14:46.285] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[08:14:46.286] RPC Server Serving RPC and Web requests on port 127.0.0.1:9091/transmission/ (rpc-server.c:997)
[08:14:46.286] RPC Server Whitelist enabled (rpc-server.c:1001)
[08:14:46.286] RPC Server Password required (rpc-server.c:1004)
[15:50:04.525] RPC Server Adding address to whitelist: 127.0.0.1 (rpc-server.c:803)
[15:50:04.525] RPC Server Adding address to whitelist: 192.168.*.* (rpc-server.c:803)
[15:50:04.525] RPC Server Serving RPC and Web requests on port 127.0.0.1:9696/transmission/ (rpc-server.c:997)
[15:50:04.525] RPC Server Whitelist enabled (rpc-server.c:1001)
[15:50:04.526] RPC Server Password required (rpc-server.c:1004)
sh-3.2#

When I manually fixed that issue and restarted transmission, I decided to be on the safe side and use a different rpc-port, 9696. That's the last bit at the end (today, when I raised the log level I reverted it back to the default 9091). As I wrote above, I have a transmission watchdog cron job that restarts transmission about every 3 days, so this covers the time period this issue happened. Unfortunately, there's no sign of this happening, not to mention a hint for why it happened.

[rb07]

I don't think the Mac has anything to do here... he's using a daemon in a NAS, the log is from that NAS (running Linux).

[maki.ato]

I don't think the Mac has anything to do here... he's using a daemon in a NAS, the log is from that NAS (running Linux).

Yup, pretty much so. daemon running on NAS (linux), no syslogd, logging to file using the -e option.