arakasi72 / rtinst

seedbox installation script for Ubuntu and Debian systems
MIT License
1.22k stars, 259 forks

Very dangerous software, took down my web server and made many other system changes with no warning or consent #567

Closed catharsis71 closed 3 years ago

catharsis71 commented 3 years ago

There need to be better warnings about the implications of running this script

I know I'm foolish for running something without thoroughly investigating what it does & without making a full system backup first, but the damage this did was extensive, like nothing I've ever seen before

This script took down Apache with no warning and interfered with the configuration, taking down multiple websites. This took some time to fix.

Script should not interfere with any existing services without explicit user consent.

There also needs to be a way to easily roll back all changes. It looks like this has done widespread damage to my server.

If this script is only intended for fresh newly-installed systems with no existing services running on them, this needs to be clearly and unambiguously stated, preferably with some kind of software verification that the system is in a clean install state with no existing services (APACHE) to interfere with, or at least some kind of sanity-checking prompts.

List of other things that broke or were affected (almost certainly incomplete):

  1. My ability to SSH into the server was impaired and had to be fixed manually.
  2. So many packages were installed that it took hours to remove them all
  3. Several users were added to /etc/passwd that had to be deleted
  4. Processes had to be manually killed in order to delete some of the users
  5. sshd_config file was changed
  6. Certbot config appears to have been messed with
  7. created a /etc/rtinst directory that persisted after all packages were purged
  8. created a /var/www/rutorrent directory that persisted after all packages were purged
  9. created a /var/www/index.html
  10. added a file to /var/www/html -- this is a live directory that is in use by Apache
  11. added a file in /usr/local/bin/ that had to be manually removed
  12. created a directory in /home that had to be manually deleted
  13. large /usr/bin/rtorrent file that remained behind after package was uninstalled
  14. created a file named ''$'\342\200\224' in root home directory
  15. In SSH configuration, "PasswordAuthentication no" was commented out -- thanks for greatly weakening the security of my server for the amount of time it took me to notice this and fix it. I had a perfect SSH key setup that really didn't need to be messed with and it took a while to get everything back to proper functionality.
  16. Why did the software not make backups of all the config files it changed??
  17. Created something in /var/spool/cron/crontabs that had to be manually deleted
  18. Created a ton of additional links in /usr/local/bin (I eventually ended up deleting /usr/local/bin/rt*)
  19. Created something in /run/screen

I'm worried that things will break even worse when I reboot. I'm going to spend the next day or so trying to clean this up as much as I can then bite the bullet and reboot to see what happens.

I realize I made a lot of mistakes here: trusting random software without proper vetting, not making a full system backup immediately before, etc. I had partial backups but not comprehensive and recent enough that I could just do a full restoration.

The silver lining is that this has taught me to keep better backups & not to trust random Github repositories. And I hope this can at least serve as a warning to others.

I just wanted to see some torrents, I didn't want to have to spend an entire day (or likely more) fixing my server and probably never being able to trust that I actually fixed everything.
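
Item 15 in the list above (a `PasswordAuthentication no` line left commented out) is easy to miss by eye, because sshd then silently falls back to its default of `yes`. The following check is an added example, not part of the issue thread or of rtinst; the function names and the two sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the effective *global* value of an sshd_config keyword.
# sshd uses the first value obtained for a keyword and ignores commented lines,
# so "#PasswordAuthentication no" means the compiled-in default ("yes") applies.
# Not handled: Include files, Match overrides. On a live host use `sshd -T`.
effective_sshd_option() {   # $1=file  $2=keyword  $3=default when unset
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^#/ || /^$/ { next }               # comments and blank lines are inert
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line) # accept the "Keyword=value" form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit        # global section ends at first Match
            if (key == want && n >= 2) { val = tolower(f[2]); found = 1; exit }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# Returns 0 (true) when password logins are effectively enabled.
password_auth_enabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" != "no" ]
}

# Constructed sample configs (not taken from the issue or from rtinst).
before=$(mktemp); after=$(mktemp)
cat > "$before" <<'EOF'
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$after" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF

for f in "$before" "$after"; do
    if password_auth_enabled "$f"; then
        echo "$f: password logins ENABLED"
    else
        echo "$f: password logins disabled"
    fi
done
```

Running the same check against a saved copy of `sshd_config` before and after any third-party installer shows whether the effective setting changed, which a plain `grep` for the keyword would not.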

arakasi72 commented 3 years ago

Sorry you had a bad experience. I will look to improve the documentation, though a lot of what you have raised is covered there already. I am not going to respond to your points individually as I doubt you would be satisfied with my answers.

You are welcome to use any part of the code to build a better script for yourself.

fabian310 commented 3 years ago

Same here, completely f'ed up access to multiple websites, can't log in to root anymore, created a bunch of dubious files (mentioned by catharsis71). Please add a big disclaimer at the start of the script, where you list the basic changes which need to be acknowledged by the user.

I guess I will be doing some data recovery the next few days in order to reinstall the server. Thanks 👍

catharsis71 commented 3 years ago

Same here

Welcome to the club

When/if you recover your server, if you still want to explore torrent options, take a look at the qbittorrent-nox Ubuntu/Debian package. It's qBittorrent for servers and much easier/safer to get running than the rtorrent/rutorrent crap and (in my opinion) a much better web UI.... not quite up to 'good' level but it's the 'least bad' torrent option for Linux servers

DWAA1660 commented 1 year ago

Had this same issue, broken SSH.