Outline · [ Standard ] · Linear+ Anti-eMule files: cause 100% CPU intentionally!, I found 5 diff files who cause that.

[taltamir]

Computer configuration:
eMule Plus version:	1.2
Using proxy:	No
Firewall:	No
CPU:	AMD AlthonXP Burton core 2500+
Memory:	512MB
Operating System:	winXP pro corp SP2 integrated nLite modified
Updated drivers for network and video:	Yes

I found 5 seperate files (with the same name) all of which under 50kb in size (but different sizes individually) which, once completed, cause emule to be stuck at 100% cpu usage (stayed that way over week, surviving restarts and even when i copy pasted all the partial files to a different computer!). The files cannot be deleted from within emule (to delete them, turn off emule and delete the partials from the emule partial directory).

I have kept all the relevant files and they are available here:
http://home.comcast.net/~taltamir/eMule_bug.rar

as you notice there is a part.bad there aswell, to ensure I don't delete something i want I only deleted the .part file leaving the rest after each emule restart. Emule detected the file was missing and did whatever correction it does... I tried restoring those files and the 100% complete files who cause 100% cpu usage came back... I just went ahead and moved them all (with all associated files) to an appropriate directory, compressed them, and uploaded... hope this proves useful in tracking the issue (as I am certain its a malicious instance propagated by anti p2p people)

This post has been edited by taltamir: Sep 16 2006, 10:19

[Aw3]

Is just me or your archive is broken? How many files should be inside?
Anything unusual in debug log?

[muleteer]

Hmm.. archive seems fine to me. Contains 28 files totalling 133KB.

EDIT: I can confirm the exploit. Added one of the links. File is in completing for several minutes now. 50% CPU usage (I have dual CPU).

This post has been edited by muleteer: Sep 16 2006, 14:08

[Vladimir (SV)]

Me too, just decompressing the file.

#  Archivo C:\Documents and Settings\Vladimir\Escritorio\eMule_bug.rar
2006-08-13 22:09        30715        30644  c3185180  007.part
2006-09-16 04:55          235          233  8094eb0d  007.part.met.bad
2006-09-16 01:50          235          233  8094eb0d  007.part.met.bak
2006-09-16 05:06            63            63  dcfeaa0d  007.part.settings
2006-09-16 05:07            35            21  39428468  007.part.stats
2006-08-14 04:36        19134          201  34c70736  016.part
2006-09-16 04:59          235          230  e88b5351  016.part.met.bad
2006-09-16 04:55          235          230  e88b5351  016.part.met.bak
2006-09-16 04:59            63            63  dcfeaa0d  016.part.settings
2006-09-16 04:59            35            28  94622009  016.part.stats
2006-08-14 02:44          997          485  df714fd3  016.part.txtsrc
2006-08-13 23:36        32506        32308  afb63d73  019.part
2006-09-16 04:59          244          238  89df0d5c  019.part.met.bad
2006-09-16 04:55          244          238  89df0d5c  019.part.met.bak
2006-09-16 04:59            63            63  dcfeaa0d  019.part.settings
2006-09-16 04:59            35            27  cf0566e1  019.part.stats
2006-08-13 22:44          820          440  8319209d  019.part.txtsrc
2006-08-13 22:08        22748        21164  0812c3f3  036.part
2006-09-16 04:59          241          237  4696f13e  036.part.met.bad
2006-09-16 04:55          241          237  4696f13e  036.part.met.bak
2006-09-16 04:59            63            63  dcfeaa0d  036.part.settings
2006-09-16 04:59            35            27  b2e0f963  036.part.stats
2006-08-13 23:13        26322        24890  c21dfd02  079.part
2006-09-16 04:59          235          233  29ecd366  079.part.met.bad
2006-09-16 04:55          235          233  29ecd366  079.part.met.bak
2006-09-16 04:59            63            63  dcfeaa0d  079.part.settings
2006-09-16 04:59            35            29  b6b77922  079.part.stats
2006-08-13 22:44          830          429  54841235  079.part.txtsrc
#
# Total                Tamaño(size)    Comprimido(compressed)            Ficheros (files)
#                      136942        113350            28

[muleteer]

Hmm.. archive seems fine to me. Contains 28 files totalling 133KB.

EDIT: I can confirm the exploit. Added one of the links. File is in completing for several minutes now. 50% CPU usage (I have dual CPU).

Copied the completing .part file to another folder and opened with Hex Editor. Contains one line of text followed by a very long sequence of XXXXXXX with a few xx from time to time.

[Vladimir (SV)]

I had added them to \Temp dir but eMule Plus didn't even tried to hash them

[muleteer]

If you want to live dangerously, open a .part.txtsrc file with Notepad and copy/ paste the ed2k link inside. Still trying to complete. Very successful exploit. Will have to close client and delete part files to recover from the condition.

[Aw3]

Hmm.. archive seems fine to me. Contains 28 files totalling 133KB.

I can extract them as well. Might be something with my viewer as rar didn't reported any issues.

I had added them to \Temp dir but eMule Plus didn't even tried to hash them

I think you need to rename .met.bak into .met.

[muleteer]

The files posted by taltamir are not necessary. Only the links are needed. Get them from the .part.txtsrc files and add them to your downloads.

[Vladimir (SV)]

Ok, I can confirm too. 95-100%

[xalbux]

Does this also occur with 'official' eMule?

[taltamir]

Here is an interesting question (interesting to me that is)... how come two of my files didn't have a .txtsrc file?

I retested the links in emule plus (by entering them as link rather then putting my files there) and also tested emule classic (by entering the same links):
1. Those are each a different picture (they just have semi identical names (i think they have a "(#)" to differentiate them, but that is created normally when downloading multiple things with the same name... - oh, they also happen to be smut )
2. They work in emule classic. It downloads them and then puts them together correctly; they don't work in emule plus.
3. They cause 100% (or 50% on duel core) cpu usage on emule plus.. wheather that is intentional or not remains to be seen.

This post has been edited by taltamir: Sep 17 2006, 02:51

[Vladimir (SV)]

Thank you taltamir, I hope Admin/Devs take look into it.

P.S. If you found more of them, please let us know, as maybe they can be useful to found any ohter possible problems.

[taltamir]

Thank you taltamir, I hope Admin/Devs take look into it.

P.S. If you found more of them, please let us know, as maybe they can be useful to found any ohter possible problems.

sure thing...

I wonder if the reason they work with emule classic is because this is an issue exlusive to emule plus, or beause they already made a fix for this issue... if they already made a fix then perhaps their code could also be used in this situation... Worth looking into...

[muleteer]

Here is an interesting question (interesting to me that is)... how come two of my files didn't have a .txtsrc file?

txtsrc files are used to save your sources when you have save/ load sources enabled. Of course, if there are no sources for the file when the client is closed (eg. if a file completes in the same session in which it was started) there is no need for a txtsrc file.