I had exitted utorrent and checked that the proccess was not listed under the proccesses on the task manager, However when i went to my firewall it showed that utorrent is still uploading at 80kb/s, even 30 minutes after i had closed it. I know that you can still get incoming connections when utorrent is closed, but how can it be still uploading if utorrent is not even running?

What is going on here?

Thanks.

__________________
Need Help? Contact Me : MSN - vl.turbo.88@gmail.com, AIM - k1dcash Yahoo - Kidcash5000 Email : vl.turbo.88@gmail.com

I have had a similar situation happen to me. I asked ludde about it when he came to zirc to get out of our lists. This was back when the peerfactor thing happened.

Here is a little of that conversation.

<fa> I recently had a connection open up from utorrent and stayed open for 22 hours, when utorrent was closed
<fa> dunno man, that was before this news came out
<ludde> if utorrent is closed, then it's probably the OS keepin gth esocket open to guarantee some peculiarities of the TCP/IP protocol.
<ludde> there's no way for an application to transmit anything on a socket, if the application is closed, if that's what you're suggesting.
<fa> it was to a specific ip
<ludde> Why would I want to destroy the best bittorrent client there is, by affiliating with anti-p2p? That would just kill the software. Not my thing.
<ludde> I can't tell what that socket was about, but it's definitely not something malicious/spyware/adware.
<ludde> it was just a regular p2p connection that wasn't closed gracefully, i would bet.
<fa> was to an irc channel (Note: this was not entirely correct, It was the IP of an old irc server not in use anymore)
<ludde> That is probably origniating from some other process on your system. µTorrent does not connect to IRC.
<ludde> it's already small enough, hell, I don't bundle an IRC client in it.
<fa> lol, system safety monitor picked it up first
<fa> then x-netstat
<ludde> maybe your system is affected by some worm, they often use IRC.
<ludde> I gotta go.
<ludde> I hope you can resolve this matter.
<ludde> Thanks,
<ludde> Ludvig
<fa> it originated from utorrent, my box is clean
<ludde> maybe you should wait and see if other people report something similar before jumping to conclusions?
<ludde> there are hundreds of thousands of users
<fa> I was, then this news came out
<ludde> if there really was a malicious code in utorrent, don't you think at least 1% of those would report about it?
<fa> we were testing it

You are the first one to report something even close to what I have seen. I have not seen this type of behavior sinse, but I gave up utorrent at that point for a p2p downloader. I have it installed on my box and have never seen anything like it after that. I do not want people to think of me as the utorrent crusher or anything like that, I just thought I would tell you something like this has happened to me as well.

firstaid

firstaid,

Can you give us your honest assessment of what exactly you think was going on with your computer as you described it?

The reason I am interested in your opinion is because you deal with security all the time at BT. We have several µTorrent fanboys at PL and I have tried, with my posts, to discourage the use of this app. Or, at least, tried to encourage them to do the research and find out the Facts for themselves.

For me, it's the PeerFactor thing coupled with the closed source of the app. There is just no way to really be sure what is going on with µTorrent. We have members report that they are getting many blocks in PG2 from companies like Media Sentry. When asked what p2p app they use, it is usually µTorrent.

A member of this forum has tested downloading the identical torrent using µTorrent and another p2p app (I can't recall which one off hand) and reports that µTorrent has many more PG2 blocks from companies like Media Sentry and other major ones like them than does the same download of the same torrent using the other p2p app.

In the conversation you posted, ludde certainly seemed to just brush off your concerns. He tried to pin the problem on everything else except his app. That really concerns me. I especially liked his comment that "maybe your system was affected by some worm, they often use in IRC". lol

You say this is the first time someone else reported an incidence like yours. I just wonder how many times this has happened to others that weren't computer savvy enough to notice.

Well, I hadn't been in any p2p for almost a week and system safety monitor popped up with a notice that utorrent wanted to make an outbound connection. I let it make the connection and it connected to only 1 ip. This IP is in level 1 atm and we have not had any reports or questions on it being blocked. It does not appear to be associated with utorrent in anyway.

I found it strange that utorrent would only connect to 1 IP, and ask for an outbound connection. The connection stayed open till I closed it. I took allot of grief for asking ludde to open source utorrent at that point, if you all remember :/ I do feel that it was needed for the security of the community but hard core utorrent users/seeders just kept using it not caring it was closed source. Now that utorrent is no longer being developed by ludde it is even more important to the community that it be open sourced. These types of behavior could mean an exploit in the application that someone has figured out, or even worse a planned action within the code. I ask you this, how vallid is luddes argument for keeping utorrent closed source now? He sold it out, his motives were not with the community but with money. The IPblocker/filter he added to utorrent was basically useless for any serious IPblocking and there was no way to deny clients that were known bad like I have knowledge of that can connect to utorrent no problem at all. The protocol encryption if not enabled makes the client even more dangersous for that reason. Yes, it's fast and small so I may be just spitting in the wind by saying all this, but it needs to be said.

Even if you had a firewall running and using utorrent this would not have been picked up, it was only an added layer of protection that did notice it. System safety monitor did pick it up as it is not set up like a firewall witch for utorrent to work has the connections allowed.

I don't find luddes answer to this at all comprehensive as the app asked for an outbound connection. The app had not been running for almost a week why would it need an outbound connection to an unknown IP.

I suggest everyone take a hard look at utorrent and not take it for face value that it is not doing anything wrong, it could be done at random intervals random IP's and not easily seen.

I would like to point out that this has not been determined as a fact that utorrent has been doing this to many peeps, it is still under investigation and any reports should be reported.

After this happened to me, I cannot see myself ever using that application again, I guess it will have to happen to others for them to rethink using it.

I am posting this now so people can look at this, I did not post it in the past as it was not by any means confirmed and if it is not associated with utorrent would have just made things worse for the client. There is a time and place for everything, If things get worse I will post other things that we talked about in irc. I do have more that I feel was not relevent to this that people would like to see, but I am still holding it back just in case ludde is on the up and up.

firstaid

I guess the only way to find out for sure what it's doing is by packet capture.

u can try this test.
1. after restart window before run utorrent , do u still see it happen? if it's possible by others program/worm.
2. is this happen all the time. like every time u close utorrent and restart windows.

after u 100% sure that only happen after u run u torrent
1. run tcpview it will show u the program that using tcp connection

Because of this I have stopped using Utorrent and switched over to AZ.

__________________
Need Help? Contact Me : MSN - vl.turbo.88@gmail.com, AIM - k1dcash Yahoo - Kidcash5000 Email : vl.turbo.88@gmail.com

kidcash,

You have made a wise decision. I hope more µTorrent users consider changing to another p2p app.

The reason I reserved a post was so that I didn't have to quote firstaid throughout my post. There have been too many posts since his for me to handle my response that way.
In your first post in this thread, I see you mentioned that this connection stayed open for 22 hours. I am sure you monitored it. Was there any activity during that time?

If, when the Peer Factor event happened, people had taken heed and abandoned µTorrent, ludde would have been forced to do something. Even if the something was to take the application down. In retrospect, that would have been the best thing that could have happened.

I agree that it should be open source now. The chances of that happening are probably nil. Especially if there is an exploit in the app, or worse than that, a planned action within the code. Those who continue to use µTorrent are taking a bigger chance now than before ludde sold out.

There is no valid argument for keeping µTorrent closed source. The only question to ask now is, Why not open source it?? What's there to hide??

I quoted you in a post I made here in this thread:

http://forums.phoenixlabs.org/t12907...must-read.html
Soon after I posted this, we had a member question that the blocklist couldn't be used effectively in the utorrent ipfilter. He decided he could manipulate the blocklist in such a way that it would be effective. He pointed to the µTorrent website stating it said the ipfilter would block ranges of IPs as well as single IPs. My point being there are still gullible people who are determined to continue to use µTorrent even when hit in the face with reality from someone who knows.

So, my statement that these things may be happening because people who are less than computer savvy don't notice is contradicted by your statement. In actuality, those without an added layer of protection would not notice, computer savvy or not, right? This just reaffirms my suspicion that this is happening more than we know.

This lack of a plausible answer on ludde's part just deepens my fears that this app does have a "backdoor". That might explain why there are many more blocks from major anti-p2p companies like Media Sentry and others in PG2 when using µTorrent than when dling the same torrent in Azureus. It's in this thread that a member talks about this fact:

http://forums.phoenixlabs.org/showth...5158#post95158

This is just more reason that I say take another look at the safety of using µTorrent. I am sure someone like ludde would have been very shrewd if he put a backdoor in his code.

It is hard to determine if these things are actually going on because it is closed source. Are there people actively testing this using higher levels of protection that would detect things like you saw? If not, now is the time to start doing it.

I can just reiterate what I have been saying, use µTorrent at your own risk. I appreciate your taking the time to explain this to us. We would welcome more info if you decide you want us to know.

I must say, since we have really brought this out into the open and have begun to connect the dots, several die hard users of µTorrent here at Phoenix Labs have switched to another app. All we can hope for, as we try to educate people, is that they open their ears and listen, REALLY listen.

Thanks, firstaid