Just another WordPress weblog

After a tedious hour of research and testing (which cost me around 10 hours of “labour” work, I have finally able to incorporate rTorrent with rtGui (or any other GUI/ web that you are trying to).

It was not easy to incorporate these, lots of issue keep on popping up here and there even with numerous guidance (including official). But here is the fact, most of the guidance are meant for servers or PCs, not devices powered by ARM processor, like Synology/ Buffalo/ Linksys/ etc NAS (Network Attached Storage).

Knowing how freaking hard to get these up and running, here I compile the howto:

You need an access to your device, head on to ipkg + transmission-daemon + LsLivev3 for more details (before transmission part).

---

Update and install

ipkg update
ipkg install wget nano xmlrpc-c php-xmlrpc rtorrent php php-fcgi php-curl libcurl lighttpd screen

---

Configure your rTorrent

nano /opt/etc/rtorrent.conf

And below is my configuration:

min_peers = 100
max_peers = 300
min_peers_seed = 100
max_peers_seed = 100
max_uploads = 2
download_rate = 0
upload_rate = 0
directory = /mnt/disk1/storage/Download/
session = /root/.rtorrent/
schedule = watch_directory,5,5,load_start=/mnt/disk1/storage/torrent/*.torrent
schedule = untied_directory,5,5,stop_untied=
schedule = low_diskspace,5,60,close_low_diskspace=100M
schedule = ratio,60,60,"stop_on_ratio=50,5M,100"
port_range = 44444-44444
use_udp_trackers = yes
encryption = allow_incoming,try_outgoing,enable_retry,prefer_plaintext
dht = auto
dht_port = 6881
peer_exchange = yes
scgi_port = localhost:5000

Some argue on having

scgi_port = localhost:5000

instead of

scgi_local = /root/.rtorrent/rpc.socket
schedule = chmod,0,0,"execute=chmod,777,/root/.rtorrent/rpc.socket"

and some say other wise. But what ever it is, it is up to you which you choose.
If you going to use scgi_port, please use that, else, use the scgi_local and its schedule setting.

Once done, move it:

mv /opt/etc/rtorrent.conf /root/.rtorrent.rc

---

Configure Lighttpd

nano /opt/etc/lighttpd/lighttpd.conf

Basically, this is all you need for this part:

server.modules = (
"mod_access",
"mod_scgi",
"mod_fastcgi")

scgi.server = (
"/RPC2" =>
( "127.0.0.1" =>
("host" => "127.0.0.1", #I am using scgi_port
"port" => 5000, #I am using scgi_port
"check-local" => "disable",
#"socket" => "/root/.rtorrent/rpc.socket", #Uncomment this if using scgi_local
"disable-time" => 0)))

And please note this setting!

server.port = 8081

---

Configure rTorrent initializer

nano /opt/etc/init.d/S99rtorrent

Please check your first line!

##/opt/bin/sh
#!/bin/sh

#dirlayout="RTORRENT_DEFAULT"
dirlayout="CUSTOM"

#Your device user, should be "root"
user = "root"

#config="/opt/etc/rtorrent.conf"
config="/root/.rtorrent.rc"

#logfile="/opt/var/log/rtorrentInit.log"
logfile="/root/rtorrentInit.log"

#SCRIPTNAME=/etc/init.d/$NAME
SCRIPTNAME=/opt/etc/init.d/$NAME

#at checkcnfg(), line 94
#for i in `echo "$PATH" | tr ':' '\n'` ; do
#       if [ -f "$i/$NAME" ] ; then
                exists=1
#               break
#       fi
#done

#at d_start(), line 120
if [ -e /root/.rtorrent/rpc.socket ] || [ -e /root/.rtorrent/rtorrent.lock ] $
      echo "."
      echo "rtorrent has not been properly stop."
      echo "Deleting locked files ..."
      rm -rf /root/.rtorrent/rpc.socket
      rm -rf /root/.rtorrent/rtorrent.lock
      echo -n "Done"
fi
if [ -e /root/.rtorrent/rpc.socket ] || [ -e /root/.rtorrent/rtorrent.lock ] $
      echo "."
      echo -n "Locked files not deleted, please check .."
fi

stty stop undef && stty start undef
# this works for the screen command, but starting rtorrent below adopts scree$
# even if it is not the screen session we started (e.g. running under an unde$
#su -c "screen -ls | grep -sq "\.${srnname}[[:space:]]" " ${user} || su -c "s$
#su -c "screen -S "${srnname}" -X screen rtorrent ${options} 2>&1 1>/dev/null$
su -c "screen -d -m rtorrent ${options} 2>&1 1>/dev/null" ${user} | tee -a "$$

---

Configure rtGui

cd /opt/share/www/
wget http://rtgui.googlecode.com/files/rtgui-0.2.7.tgz
tar xvzf rtgui-0.2.7.tgz
cp config.php.example config.php

nano /opt/share/www/config.php

Make sure your rpc_connect is refering to the same port as per server.port

$rpc_connect="http://localhost:8081/RPC2";
$watchdir="/mnt/disk1/storage/torrent/";
$downloaddir="/mnt/disk1/storage/Download/";

Last Step

Do not forget to chmod 777 on your rtGui and chmod a+x on /dev/null

chmod 777 /opt/share/www/rtgui -R

chmod a+x /dev/null

References:

• http://granite.my/?p=96
• http://libtorrent.rakshasa.no/
• http://code.google.com/p/rtgui/
• http://forum.synology.com/wiki/index.php/RTorrent_wTorrent_HowTo

Thank you Yeh and Adnan for pointing out the admin password reset abuse, and they make their proof of concept by exploiting my wordpress.

I would rate this vulnerability as 3/5 as it only reset the admin password while the reset version of the password send to owner of the wordpress. But, it is necessary to patch your wp-login.php file. You would not know if somehow attacker manage to inject his/her email which later when reset will send reset version of password to the attacker’s email.

At wp.login.php, line 188, change from this line of code


$key = preg_replace('/[^a-z0-9]/i', '', $key);


to


if(is_array($key)) {
$key = '';
return new WP_Error('invalid_key', __('Invalid key'));
}
else
$key = preg_replace('/[^a-z0-9]/i', '', $key);


This serve as temporary counter measure against the password reset abuse until wordpress have fixed this issue.

References:

1. Adnan – WordPress <= 2.8.3 Remote Admin Reset Password Vulnerability and the Patch
2. Milworm – WordPress <= 2.8.3 Remote admin reset password