Author Topic: Accessing "a.uguu.se" why  (Read 447 times)

OpenSourcer

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Accessing "a.uguu.se" why
« on: May 01, 2019, 04:03:12 AM »
Anytime qbittorrent is running for me, it periodically tries to access a temporary file sharing website, uguu.se.  Specifically, the "a" subdomain, "a.uguu.se."

This is not linked to by any torrents ever used...I checked them all.  I also installed a clean version of 4.1.5, added a couple torrents I created and knew did not include that, and still it attempted to access that site.

Does anyone know why qbittorrent is doing this? It seems like shady behavior.

Thanks!

Peter

  • Administrator
  • Forum addict
  • *****
  • Posts: 1576
  • Karma: +37/-2
    • View Profile
Re: Accessing "a.uguu.se" why
« Reply #1 on: May 01, 2019, 06:20:02 PM »
Maybe favicon?
- qBittorrent team - server and forum administrator.
- Hungarian translation reviewer/moderator (+ translator).

Join the official qBittorrent Discord!
https://discord.gg/ma66Vv4

OpenSourcer

Re: Accessing "a.uguu.se" why
« Reply #2 on: May 02, 2019, 06:07:15 AM »
A favicon for what?

It sounds like this web service wipes data after 24 hours.  That's not something you use to permanently host data.  It is something you could use to anonymously exfiltrate data, though....
« Last Edit: May 02, 2019, 06:09:44 AM by OpenSourcer »

Switeck

  • Forum addict
  • ****
  • Posts: 1425
  • Karma: +93/-0
    • View Profile
Re: Accessing "a.uguu.se" why
« Reply #3 on: May 02, 2019, 09:30:17 AM »
1. Is this an outgoing connection or incoming connection?

2. Is this access an ip address that maps to "a.uguu.se" or just the website directly?

3. What did you use (what program) to spot this happening?

OpenSourcer

Re: Accessing "a.uguu.se" why
« Reply #4 on: May 03, 2019, 04:48:49 AM »
1. Outgoing
2. The URL itself, which is mapping to 45.76.12.27.  It is also using internal port 49512, which is significantly different than the port number I specified for the program to use.
3. Malwarebytes (which flags this activity as suspicious, and labels the executable a Trojan)

Unfortunately, all my favorite firewall programs have fallen by the wayside, with no active development or support for newer systems.  I don't feel up to using Wireshark right now.
« Last Edit: May 03, 2019, 04:59:00 AM by OpenSourcer »

Switeck

Re: Accessing "a.uguu.se" why
« Reply #6 on: May 04, 2019, 10:55:50 AM »
My best guess is it's a "common" DHT node, which means a long-running BitTorrent client probably running on a server at the location in question. Doesn't rule out if it has nefarious purposes, but I deem it unlikely.
"a temporary file sharing website" sounds like a likely candidate for a DHT node.

Try disabling DHT and seeing if that ip still shows up.

A quick Google search about the ip in question:
https://www.ip-tracker.org/blacklist-check.php?ip=45.76.12.27
https://www.ip-tracker.org/locator/ip-lookup.php?ip=45.76.12.27
https://www.ip-adress.com/ip-address/ipv4/45.76.12.27
Not terribly useful to me at first glance.
Might even be a VPN/proxy service?

OpenSourcer

Re: Accessing "a.uguu.se" why
« Reply #7 on: May 05, 2019, 02:36:28 AM »
Okay, I disabled DHT and still had the same problem, so I spent another few hours working on it.  It seems that one specific torrent which I created (for Open Office) is doing this. Other torrents which I also made are not doing this, but I think I may have used different trackers.  Nonetheless, uguu.se is not on the tracker list.  Here is the magnet, in case you care:

magnet:?xt=urn:btih:55581e2d142fe7eb25d1761fde8f6a647951a210&dn=Apache_OpenOffice_4.1.6_Win_x86_install_en-US.exe&tr=http%3a%2f%2flegittorrents.info%3a2710%2fannounce&tr=https%3a%2f%2fopentracker.xyz%3a443%2fannounce&tr=https%3a%2f%2f3.tracker.eu.org%3a443%2fannounce&tr=udp%3a%2f%2ftracker.trackton.ga%3a7070%2fannounce&tr=udp%3a%2f%2ftracker.internetwarriors.net%3a1337%2fannounce&tr=http%3a%2f%2ftracker.openzim.org%3a80%2fannounce&ws=http%3a%2f%2fverified.archnet.us%2fApache%2fOpenOffice%2fApache_OpenOffice_4.1.6_Win_x86_install_en-US.exe&ws=https%3a%2f%2fayera.dl.sourceforge.net%2fproject%2fopenofficeorg.mirror%2f4.1.6%2fbinaries%2fen-US%2fApache_OpenOffice_4.1.6_Win_x86_install_en-US.exe

Any thoughts where this is coming from, then?

P.S. there's no proxy/VPN on my end.
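
Added example, not part of the original post: a Python sketch that decodes the magnet link posted above, lists every tracker (`tr`), web seed (`ws`) and hard-coded peer (`x.pe`) host it names, and checks them against a watched domain. The function names and the `WATCHED` value are assumptions chosen for illustration; the magnet string is copied from the post.

```python
from urllib.parse import parse_qs, urlsplit

# Magnet link copied from the post above, split across lines for readability.
MAGNET = (
    "magnet:?xt=urn:btih:55581e2d142fe7eb25d1761fde8f6a647951a210"
    "&dn=Apache_OpenOffice_4.1.6_Win_x86_install_en-US.exe"
    "&tr=http%3a%2f%2flegittorrents.info%3a2710%2fannounce"
    "&tr=https%3a%2f%2fopentracker.xyz%3a443%2fannounce"
    "&tr=https%3a%2f%2f3.tracker.eu.org%3a443%2fannounce"
    "&tr=udp%3a%2f%2ftracker.trackton.ga%3a7070%2fannounce"
    "&tr=udp%3a%2f%2ftracker.internetwarriors.net%3a1337%2fannounce"
    "&tr=http%3a%2f%2ftracker.openzim.org%3a80%2fannounce"
    "&ws=http%3a%2f%2fverified.archnet.us%2fApache%2fOpenOffice%2f"
    "Apache_OpenOffice_4.1.6_Win_x86_install_en-US.exe"
    "&ws=https%3a%2f%2fayera.dl.sourceforge.net%2fproject%2f"
    "openofficeorg.mirror%2f4.1.6%2fbinaries%2fen-US%2f"
    "Apache_OpenOffice_4.1.6_Win_x86_install_en-US.exe"
)


def magnet_endpoints(magnet):
    """Return (info_hash, endpoints); each endpoint is (role, scheme, host, port)."""
    params = parse_qs(magnet.partition("?")[2])  # parse_qs also percent-decodes
    info_hash = params.get("xt", [""])[0].rsplit(":", 1)[-1].lower()
    endpoints = []
    for key, role in (("tr", "tracker"), ("ws", "webseed")):
        for url in params.get(key, []):
            parts = urlsplit(url)
            endpoints.append((role, parts.scheme, parts.hostname, parts.port))
    # x.pe (BEP 9) carries a hard-coded peer as host:port, with no scheme.
    for peer in params.get("x.pe", []):
        parts = urlsplit("//" + peer)
        endpoints.append(("peer", "", parts.hostname, parts.port))
    return info_hash, endpoints


def hosts_matching(endpoints, domain):
    """Endpoints whose host is `domain` or any subdomain of it."""
    domain = domain.lower().rstrip(".")
    return [e for e in endpoints
            if e[2] and (e[2] == domain or e[2].endswith("." + domain))]


if __name__ == "__main__":
    WATCHED = "uguu.se"  # assumption: the domain from the thread
    info_hash, endpoints = magnet_endpoints(MAGNET)
    print("info-hash:", info_hash)
    for role, scheme, host, port in endpoints:
        print(f"{role:8} {scheme or '-':5} {host}:{port or 'default'}")
    print("matches for", WATCHED, "->", hosts_matching(endpoints, WATCHED))
```

The magnet only names the trackers and web seeds baked into the link; addresses handed out later by trackers or PEX do not appear in it.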

Switeck

Re: Accessing "a.uguu.se" why
« Reply #8 on: May 05, 2019, 09:12:48 AM »
I tried that torrent and copied the peer list's ip addresses to a text file.
There was no mention of 45.76.12.27 ip address.

I also checked what ip addresses the tracker URL mapped to.
No match there either.

Try disabling download tracker favicon (in advanced settings) in qBitTorrent, since that can reach out to "random servers" to download those icons.

OpenSourcer

Re: Accessing "a.uguu.se" why
« Reply #9 on: May 05, 2019, 07:07:14 PM »
Just to clarify, it is the URL, not the IP, which is being accessed.  I only provided the IP that URL mapped to in the off chance I had some kind of DNS poisoning going on.  I also looked through the magnet for the URL and IP, and came up empty.

I disabled tracker favicons, but it still is trying to access that URL.

Switeck

Re: Accessing "a.uguu.se" why
« Reply #10 on: May 06, 2019, 02:31:55 PM »
I kept resolve ips disabled in my test (and in regular use, I don't use that either).

Can you try a clean install of qBitTorrent to rule out any way qBT is simply remembering old traffic?
(back up your settings and torrents first)
https://github.com/qbittorrent/qBittorrent/wiki/Frequently-Asked-Questions#Where_does_qBittorrent_save_its_settings
https://qbforums.shiki.hu/index.php/topic,2826.msg13292/topicseen.html#msg13292      Backup qBT settings!

You'll need to use different ports than in the past as well, just to eliminate that as a cause.

OpenSourcer

Re: Accessing "a.uguu.se" why
« Reply #11 on: May 07, 2019, 12:40:31 AM »
I also have resolve IPs disabled by default.

I could do another reinstall, but this is a fresh install.  I installed it for the first time on this computer, added 4 torrents (3 of which I created previously), and immediately noticed this issue with the Open Office one.  It would be a little bit of a project to do this, partially since my network infrastructure is somewhat convoluted. Getting an open port takes some work.

The only thing I can think of that it might be "remembering" is that I first ran a clean copy of qBittorrent Portable (from portableapps[dot]com), added one torrent, then decided to install it instead. That same day I installed it, and found that it had loaded in the settings from the portable version.

Update: I tried just deleting that torrent, and then adding it again, just in case it was somehow messed with by the portable app (even though I trust the source).  Interestingly enough, it did still attempt to access this URL, but not until it finished downloading.  It downloaded the file entirely without reaching out to this address, but the exact second it finished the download, it attempted to initiate contact.
« Last Edit: May 07, 2019, 12:58:25 AM by OpenSourcer »

Switeck

Re: Accessing "a.uguu.se" why
« Reply #12 on: May 07, 2019, 03:03:05 AM »
Then one of the trackers or PEX is possibly handing out that ip/URL as a peer/seed.
...and intermittently, going by how you nearly finished the download before seeing it.

Having a closed port might be a better test...see if it can "slip in" otherwise.

OpenSourcer

Re: Accessing "a.uguu.se" why
« Reply #13 on: May 07, 2019, 07:05:41 AM »
Since this is an outgoing connection, it would get out regardless of whether the port is open or not, unless I arbitrarily block outgoing traffic on that port, just because.

Switeck

Re: Accessing "a.uguu.se" why
« Reply #14 on: May 07, 2019, 09:16:51 AM »
Is anything else in qBitTorrent set to update? (I don't know how/why they'd use that URL, but DNS poisoning makes it possible.)