Official eMule-Board: Personal Information Appearing In Part Files. - Official eMule-Board


Personal Information Appearing In Part Files. more and more this is happening, is it by design ?

#1 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 17 August 2011 - 07:06 PM

I have a fairly small amount of memory,
it is either 768-MB when testing something in Win-ME,
or 2-GB when using Win-2K/XP instead.

And for years all of the machines I've installed eMule on have done this.

Unused areas of part files, usually the first block, have large blocks of memory loaded into them,
I suspect this is by design to free up memory for eMule to use, but it is now a security problem.

For all I know it is a hacker's exploit on the networks attempting to phish for data...



As example, if I have my TV card recording a show,
parts of that show show up in blocks not occupied yet
by the actual content that belongs in that section.

When the files are done, there is no hint of them anymore.



But now I have noticed a dangerous trend in this new eMule,
it is also storing blocks of memory program related like FireFox.

I have found my login information, and parts of various posts,
plus notepad entries, downloaded .Doc chunks, and keystrokes.



I know your knee-jerk instinct will be to say
I have five compromised computers here.

Not probable, I'll explain why.

All five are loaded as quad-boot style machines,
with a separate dedicated drive for eMule to use.

I loaded linux, Win-ME, Win-2K Pro SP-4, Win-XP Pro SP-3 RU-1,
And all of this gets done while disconnected from any network.

I load all updates from optical media also, never seen the 'net,
I then make partition images and burn them to media for safety.

Each of the four OS's is loaded from a clean partition image EVERY REBOOT,
the world is a dirty place and I don't mind the slightly under three minutes.

The updates are also on optical media from the Micro$haft developers team,
so the updates are not compromised either, they have never seen the internet.



This all sounds like overkill,
but I know I'm clean every reboot, period...

So the question now becomes why does this newer eMule
store more than just video streams in memory like the older one did.

How do I know that the blocks of personal data are not being shared too ?

I've tried this on all three M$ OS's, and all three browsers I have loaded,
FireFox, Opera, and Micro$haft's own 'lil delite ... Internet Exploder.

Logins, forum posts, and many other forms of ASCII
and Extended-ASCII are stored in these part files.

Only other thing I can note that might be helpful
is that eMule tends to use the first (or more) blocks
of the largest downloads that are not currently paused.



If this is by design to free up the most memory for eMule to use, OK.

But what confidence level is applied to this personal info
not being shared by accident please ?

Start looking at your part files with a hex editor, you'll see.

Oh, and the data persists after eMule is closed,
it is only removed by being overwritten by the intended file data.

Thank you in advance for clarification on this matter.
1

#2 User is offline   xilolee 

  • eMule 0.50b BETA1 user
  • Group: Italian Moderators
  • Posts: 7983
  • Joined: 20-August 08

Posted 17 August 2011 - 09:24 PM

Every file leaves its bytes on the hard disk, even if you delete it.
When you delete the file, the O.S. deletes only a few bytes of it, which identify the file on the hard disk.

Hope it helps :o

This post has been edited by xilolee: 17 August 2011 - 09:41 PM

INCONCEIVABLE! - You keep using that word. I do not think it means what you think it means.
how to get help | italian guides - guides of the Italian section
italian support - Italian section | download the server list
get a high ID | set up the ports in the router
recover corrupted files | the IP filters
It looks like talc but it isn't, it's there to make you cheerful! If you throw it and then breathe it in, it makes you cheerful right away!
0

#3 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 20 August 2011 - 08:36 AM

xilolee, on 17 August 2011 - 03:24 PM, said:

Every file leaves its bytes on the hard disk, even if you delete it.
When you delete the file, the O.S. deletes only a few bytes of it, which identify the file on the hard disk.

Hope it helps :o


I know this, thank you though, and it is only the beginning of the filename,
which can be hand edited in DiskEdit, etc., to re-reveal the file intact.

Or use undelete and offer the first character of the filename based on the rest of the name.



But this has nothing to do with what I am reporting or asking,
perhaps you're referencing my indicating personal data persists
until said data is overwritten by what is actually supposed to be
in that section of the file as I clearly indicated above...
1

#4 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 26 August 2011 - 10:12 PM

I had a chance to visit a friend,
they have two computers (his & hers)
that run emule every night while they sleep.

Let me point out what is important in what I just typed,
ONLY while they sleep, NEVER while doing anything else...

One gets documents and movies, a little porn,
the other music and pics/screensavers/etc, and doc's.

They both had very personal data in the part files
that occurred ONLY BEFORE emule was ever launched !

So I am probably right on that guess that emule moves current data residing in memory blocks,
something that Micr0$haft's Winblows has always been incredibly irresponsible about anyway,
into part files temporarily to free up available memory for caching purposes or something.

As already stated, I prefer Win-9x,
but have Win-2K Pro SP-4,
Win-XP Pro SP-3 RU-1,
and Linux at the ready if forced to use them.

You'll never see that Vista crap on anything I own, ever,
I could tolerate Win-7 if forced to,
but I'd need to buy bigger hard drives
to load that oversized abortion of an OS...



But the part that surprised me was that
both their machines have 4-GB of memory each,
one runs Vista :( (a laptop that always crashes),
and the other is real new Win-7 desktop machine.

So why is memory being swapped out,
should be no need for that, right ?



I went back to V0.48 for now,
and the problem is gone too.

To be clear,
it still stores sections of the video stream from my video card
(which is set by a timer to record my shows) in the part files,
and sections of any DVD's or vids (not DL'd by emule) I watched.

But no personal data anymore.

I can accept the above usage of part files,
but logins/passwords/clipboard/notepad data
are a complete dealbreaker for me, sorry.



Nobody has directly addressed this,
is this a (known) taboo/exploit topic ?

I'll stop posting if a known security issue/exploit.

Thanks

.

This post has been edited by WeThePeople: 26 August 2011 - 10:26 PM

1

#5 User is offline   Vegan 

  • Splendid Member
  • Group: Members
  • Posts: 167
  • Joined: 17-June 08

Posted 28 August 2011 - 02:21 AM

check to see what you are sharing, do not share the whole hard disk
If you download TV shows, movies and games etc, please share your download folder. It's the only way eMule can be efficient.
-1

#6 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 28 August 2011 - 07:45 AM

Vegan, on 27 August 2011 - 08:21 PM, said:

check to see what you are sharing, do not share the whole hard disk


As I indicated, I am using a dedicated hard drive for emule.

No part of my operating system drive is shared.

I appreciate your input, but I am aware not to do that...

This post has been edited by WeThePeople: 28 August 2011 - 07:46 PM

1

#7 User is offline   Macaw 

  • Member
  • Group: Members
  • Posts: 20
  • Joined: 26-August 11

Posted 28 August 2011 - 06:11 PM

This is worrying - how can I easily check my part files?

Also, I don't get your theory about releasing memory for emule. That is a job the OS does already, it's called a swap file or page file. Applications should not do this themselves, especially with memory that isn't their own!
1

#8 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 28 August 2011 - 07:15 PM

Macaw, on 28 August 2011 - 12:11 PM, said:

This is worrying - how can I easily check my part files?

Also, I don't get your theory about releasing memory for emule. That is a job the OS does already, it's called a swap file or page file. Applications should not do this themselves, especially with memory that isn't their own!


I fully agree,
I was strugglin' to come up with a plausible reason for this odd occurrence was all.

I would prefer a "Push" call to the OS to swap out to the OS's swap file of course.

But this is not a new problem with eMule,
it has always done this with any streams occurring on a machine while it is running,
but now the V0.50 retains other than vid streams.

I went back to V0.48 and it stopped writing the personal data to part files now,
just any video stream that occurs while eMule is open, which I can live with.



You'll see as example (above) that DVD's, My TV capture card, and any video files do this.

I have five machines, and no, they are not compromised,
also two PC's at a different house do this as well,
then they called a friend that said his does it too..

Like I said above,
I can take having streams temporarily placed in an unused part of a "*.part" file to keep things smooth,
but with V0.50 grabbing blocks of memory that has personal info, I'm just not happy with that at all...



I use a rather large full hex editor suite to look at exactly what a file really is as I am downloading it,
but a simpler hex viewer/editor should suffice to see a sample of this problem,
something small like 1FH.

Product (Free):
http://www.4neurons.com/1Fh/

Download link:
http://www.4neurons..../click.php?id=5

Please note though,
it tends to use the first block (~10-mb) of the larger part files,
and (of course) only the ones that have not downloaded any of the first block.

I have noted it won't do it right away,
but if eMule has been on quite a while,
and I open any video stream, it will happen.

I try with all my might to never open Micro$haft's Internet Exploder,
what I wrote above was personal data robbed in full as a memory block
from FireFox, text editors, run dialog box, etc.

At one point, I installed and used a memory viewer
to see it really was a block of memory it wrote.

I can see my Alt+xxxx extended ASCII entry codes as example
that were used to input special characters into documents I wrote that day.

OK, so I hate using character map...,
maybe I'm a keyboard shortcut junky...lol...

Hope this helps.



EDIT:
I came back to answer a simple question that will no doubt come up.

How did I discover this ?

I assigned a player that tolerates both partial files and will open files in use too.

One day I opened one in "Preview" mode, and a TV show I recorded was the first block,
I have checked every part file since with a hex editor to learn more about this oddity.

I never thought to look at the part files before, bet no one else does either.

I've never seen any memory blocks other than video streams in them until V0.50

This post has been edited by WeThePeople: 28 August 2011 - 07:57 PM

1

#9 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 28 August 2011 - 09:35 PM

I'll be away starting shortly, and for most of September,
so no questions asked will be answered during that period,
but with almost 500 views and no serious attention given,
I've all but abandoned this will ever get any attention.
0

#10 User is offline   Some Support 

  • Last eMule
  • Group: Yes
  • Posts: 3667
  • Joined: 27-June 03

Posted 25 September 2011 - 09:05 AM

I missed the thread I suppose and I'm not sure if I can follow all your text. But what I am sure is that there is no personal information in any partfile. Period. Even if some parts of the partfile are not yet written with data from the downloading file - if it is allocated for this part file by the operating system you will see zeros when you open this file with a hex editor (otherwise any users could fish for information of other users just by creating files on a multi-user operating system).
I don't know if you tried raw read access on your hard disk with your editor - in this case you might see file junk but this isn't any eMule issue nor a problem and eMule wouldn't be able to access this data either.

Now even if there were such a thing, eMule would never upload this to other users, because only data parts which have been verified by hashing will be distributed and no, this cannot be circumvented by any attacker.

#11 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 28 September 2011 - 11:31 PM

Note:
I'm not home yet,
but this infuriated me enough to borrow a PC to post just this,
I'll be back at my machines in under a week from now I think...



Some Support, on 25 September 2011 - 03:05 AM, said:

But what I am sure is that there is no personal information in any partfile.
Period.

WRONG !

With V0.48A installed, you can preview any video on any machine,
and you can see bits of OTHER videos that are being downloaded,
this is really old news and has been covered before elsewhere...

My point is on my 5 PC's using V0.50 I had part files with data from
my COMPLETELY SEPARATE OS DRIVE, as a neighbor's, and a friend's too !

I found it by accident on my main machine,
then reproduced it on the other four PC's.

We are ALL using V0.48A until this gets fixed !



Some Support, on 25 September 2011 - 03:05 AM, said:

Even if some parts of the partfile are not yet written with data from the downloading file -
if it is allocated for this part file by the operating system you will see zeros when you open this file with a hex editor
(otherwise any users could fish for information of other users just by creating files on a multi-user operating system).

In my case, the drive that emule is on, and the temp/done folders are on a dedicated drive.
That drive is defrag'd, with a wipe of zero's on the empty space before every nightly run !

There is no left over data from an operating system on the drive,
because there IS NO friggin operating system on the damned drive !



Some Support, on 25 September 2011 - 03:05 AM, said:

I don't know if you tried raw read access on your hard disk with your editor -
in this case you might see file junk but this isn't any eMule issue
nor a problem and eMule wouldn't be able to access this data either.

Yes, I've accessed it with DiskEdit, and through a DOS-Stub loader
for the one machine with a NTFS partition for >4GB files like DVD ISO's...

The data while using V0.50 is clearly from the SEPARATE primary hard drive.

To save you from having to re-read all the above,
V0.48A ONLY catches video streams from my machines,
like the onboard TV capture card as an example,
I don't care about it snagging those.

As the ONLY video streams I find in the part files are from TV/Cable shows
that are scheduled to record during the overnight period while I am sleeping,
which is the ONLY time I run eMule too because I can't interfere with it...

Had I not needed a short video about energy and ran V0.50 during the day,
I never would have caught V0.50 writing my FireFox cache info to a part file !

All I was doing was checking the video with "Preview" to make sure
it wasn't just another piece of renamed porn (hate that, sooo lame...),
and my browser opened with an XML page from a browser session just before !



Some Support, on 25 September 2011 - 03:05 AM, said:

Now even if there were such a thing,
eMule would never upload this to other users,
because only data parts which have been verified by hashing
will be distributed and no, this cannot be circumvented by any attacker.

Well...,
if there is nothing but denial about the fact eMule shares its part files
between itself for the downloads that are currently actively downloading.

Then what assurance is there it isn't sharing OTHER DATA due to some new
memory-resident style compromise or exploit trick by a smarter person ?!

Anyone reading this can download a fair section of any video,
then preview it with any player that will tolerate partial files
and they will see sections of the other videos they are downloading in it...

I've always assumed this was by design,
a way to act like the Torrent model
by using all machines for all files.





You did indicate you may not have understood all I wrote,
so I will just thank you for what you offered as such...




.

This post has been edited by WeThePeople: 28 September 2011 - 11:41 PM

-4

#12 User is offline   UserEmule 

  • Advanced Member
  • Group: Members
  • Posts: 71
  • Joined: 01-September 09

Posted 08 November 2011 - 01:03 PM

WeThePeople, on 28 September 2011 - 05:31 PM, said:

Well...,
if there is nothing but denial about the fact eMule shares its part files
between itself for the downloads that are currently actively downloading.

Then what assurance is there it isn't sharing OTHER DATA due to some new
memory-resident style compromise or exploit trick by a smarter person ?!


It was never denied (unless by someone here on this forum?) that emule shares its part files. Overnet had the same system called horde, emule calls it something else. If the parts are shared and another user is downloading the same file, it finds them and then they both work together to download the file faster. Now if a hash can't be broken (as if many ppl use the same hash to dl) then only the info on the hash will be there. You can rename the file and whatnot, but the hash doesn't change. If the hash was to change, then the file would be "new" and would not be considered the same file by the program. Say for instance someone adds a 12Kb text file to a rar archive. The hash has changed, so the original file that had say 12 sharers (complete and partial file availability by the other users), but you download the file then add text to the rar pack, this is considered new as the hash has changed and now the 12 other sharers won't be able to download ur file unless they restart it under the new hash link. Hope that clarifies. Also if ur worried about stuff, get ur a vpn, change ur MAC address, and use dedicated machines for emule. Also get total system encryption. Using all three of those, u should be fine.
0

#13 User is offline   WeThePeople 

  • Member
  • Group: Members
  • Posts: 35
  • Joined: 19-March 08

Posted 26 November 2011 - 12:40 PM

I understand and agree with all you say UserEmule,
but it doesn't even come close to addressing my concerns.

The matter isn't temporarily using the .Part files for other DL's,
it IS about using .Part files to store current computer environment data,
in my case video from my video card and viewed videos on V0.48,
and unbelievably personal webpage info (LOGINs!) on 5.x versions.

Please, read carefully what I posted, you're not even close to on topic.

It looked like a memory dump if that helps...

This post has been edited by WeThePeople: 26 November 2011 - 12:41 PM

-2

#14 User is offline   Nissenice 

  • clippetty-clopping...
  • Group: Members
  • Posts: 4231
  • Joined: 05-January 06

Posted 26 November 2011 - 11:11 PM

WeThePeople, on 26 November 2011 - 01:40 PM, said:

Please, read carefully what I posted, you're not even close to on topic.

Well, as I see it you have yourself to blame! How about you write more carefully?

I mean why don't you just focus on what you consider to be the problem and just skip parts which are irrelevant? How many times am I or anyone else supposed to read what you write to get it?

Your first post is nothing but a DISASTER, if you ask me, so please don't make any judgements what's close on topic or not, thank you. :-k

This post has been edited by Nissenice: 26 November 2011 - 11:24 PM

0

#15 User is offline   xilolee 

  • eMule 0.50b BETA1 user
  • Group: Italian Moderators
  • Posts: 7983
  • Joined: 20-August 08

Posted 27 November 2011 - 09:54 PM

I've just opened a part file with a hex editor.
(Copied from temp folder to the desktop, because I had emule running)
File size: 307.58 MB (this is the bigger part file I have, like you said)
Completed: 3.53 MB
Data are near the end of file (It hasn't got first and last chunks)
Part files are allocated entirely (full file size).
The file is fully filled with zeros from the beginning to near the end...
My machine is not cleaned like yours, I'm just using drive c: for the system/programs and e: for temp/incoming/documents

How can I reproduce your problem?

This post has been edited by xilolee: 27 November 2011 - 10:52 PM

0

#16 User is offline   Omnithec 

  • Newbie
  • Group: Members
  • Posts: 14
  • Joined: 04-February 12

Posted 08 February 2012 - 01:04 PM

I think I understood what you mean, it is clear enough, but you do exaggerate in superfluous information and that ruins everything (I do that too, to a point, but I have been learning how not to do it and so should you)

I'll assume what you say you found is real, so anyone reading this should keep that in mind.

You are finding privileged information like browser cache, logins, similar things or even keystroke logs in .part files.


Are you sure you downloaded your eMule from the project's site? From a safe site?


If not, it might be (or most likely is) an altered version of eMule, created by someone ill intended.

Don't use any eMule until this is solved.

If you found your logins, and I assume you mean passwords, the smart thing would be to uninstall eMule, run malware detectors and removers and then change all your passwords and security questions.

Assuming you are right then your eMule is working like a trojan, using the eD2K network to phone home and give all your information to anyone who created that version in the first place.

Your problem isn't having your information move around other people's disks. Your real problem is that someone already knows it is there and will use it for whatever he/she likes.

I doubt your information is sent with the rest of the file data to your peers. Probably that data is on the file so it's accessible by eMule and can piggy back on a seemingly normal connection to be delivered to a particular person.

You shouldn't fear them (your peers or anyone in the eMule community), you should fear him/her, whoever he/she is!

-- Edit --

I don't think reproducing this is a good idea. If it is really an altered version of eMule that is causing this, you do not want to run it on your computer. It would make your system vulnerable to attack and leave your data compromised.

This post has been edited by Omnithec: 08 February 2012 - 01:07 PM

-1

#17 User is offline   xilolee 

  • eMule 0.50b BETA1 user
  • Group: Italian Moderators
  • Posts: 7983
  • Joined: 20-August 08

Posted 15 February 2012 - 08:01 PM

I think he's not so newbie to download a fake emule.
That's why I asked how to reproduce the problem, because on my machine I can not.
0

#18 User is offline   DatHebIkWeer 

  • Advanced Member
  • Group: Members
  • Posts: 66
  • Joined: 07-July 12

Posted 09 July 2012 - 01:31 PM

WeThePeople, on 17 August 2011 - 08:06 PM, said:

As example, if I have my TV card recording a show,
parts of that show show up in blocks not occupied yet
by the actual content that belongs in that section.

When the files are done, there is no hint of them anymore.



But now I have noticed a dangerous trend in this new eMule,
it is also storing blocks of memory program related like FireFox.

Very interesting. Do you have a method to read those unused blocks in .part files? Can I do that too?
If you are afraid data will be stored in unused parts of temp files, just enable the Create new part files as 'sparse' setting. In that case there will be no empty space in the .part files. The file space will simply not be allocated on the disk until eMule writes legitimate data to it. So there can never be any malicious data stored in the files. You can check that simply by right-clicking on the file and choosing properties. Windows will then tell you the file size on disk is much smaller than the nominal file size.

This post has been edited by DatHebIkWeer: 09 July 2012 - 01:34 PM

0

#19 User is offline   DatHebIkWeer 

  • Advanced Member
  • Group: Members
  • Posts: 66
  • Joined: 07-July 12

Posted 10 August 2012 - 09:47 AM

Some Support, on 25 September 2011 - 10:05 AM, said:

Even if some parts of the partfile are not yet written with data from the downloading file - if it is allocated for this part file by the operating system you will see zeros when you open this file with a hex editor (otherwise any users could fish for information of other users just by creating files on a multi-user operating system).
I don't know if you tried raw read access on your hard disk with your editor - in this case you might see file junk but this isn't any eMule issue nor a problem and eMule wouldn't be able to access this data either.

Who says you can’t do that? ‘Any’ users are usually the local computer wizards who have administrator rights and can read personal info anyways, if they want to. I think you are close to something here Some Support.
Creating a large file and initialising it with zeroes takes a lot of time. eMule does not take a lot of time when starting a new download, so my guess is the files are not initialised with zeroes.

This is what I think happened here:
WeThePeople’s sister used the computer, which created all kinds of temporary files. Those stayed behind on the disk as file junk. When the .part file was created some of the file junk was captured in the .part file. Because eMule does not overwrite that info initially it will be there until it’s overwritten by downloaded data.

Is this worrying? No.
Just don’t share your temp directory. There is no point in sharing your temp directory anyway.
If you are worried about it there are 2 options:
-Use a clean fully formatted (not quick formatted) disk.
-Use sparse files.

By the way, if you think you are hilariously funny and you should try to upload fake files to unsuspecting users, be sure you do not accidentally upload your bank account data to them.
0
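Added example, not part of any post in this thread and not eMule code: a script for the two checks discussed above, the hex-editor look for non-zero regions in a part file and the comparison of size on disk with nominal size. The function names, the 4096-byte block size and the sample file contents are constructed for the example.

```python
import ctypes
import os
import re
import sys
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time; must be a multiple of the block size


def nonzero_extents(path, block=4096):
    """Return [(offset, length)] runs of blocks that hold any non-zero byte."""
    extents, start, offset = [], None, 0
    zero = bytes(block)
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(CHUNK)
            if not buf:
                break
            for i in range(0, len(buf), block):
                piece = buf[i:i + block]
                empty = piece == zero[:len(piece)]
                if not empty and start is None:
                    start = offset + i
                elif empty and start is not None:
                    extents.append((start, offset + i - start))
                    start = None
            offset += len(buf)
    if start is not None:
        extents.append((start, offset - start))
    return extents


def printable_strings(path, offset, length, min_len=8, limit=20, max_read=16 << 20):
    """Return up to `limit` (file_offset, text) printable-ASCII runs in one extent."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read(min(length, max_read))
    hits = [(offset + m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]
    return hits[:limit]


def allocated_bytes(path):
    """Bytes actually allocated on disk ("size on disk"), or None if unknown."""
    if os.name == "nt":
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.GetCompressedFileSizeW.argtypes = [ctypes.c_wchar_p, ctypes.POINTER(ctypes.c_uint32)]
        k32.GetCompressedFileSizeW.restype = ctypes.c_uint32
        high = ctypes.c_uint32(0)
        low = k32.GetCompressedFileSizeW(path, ctypes.byref(high))
        if low == 0xFFFFFFFF and ctypes.get_last_error() != 0:
            return None
        return (high.value << 32) | low
    st = os.stat(path)
    return st.st_blocks * 512 if hasattr(st, "st_blocks") else None


def make_sample(path):
    """Constructed stand-in for a part file: 64 KiB, text at 4096, binary at 32768."""
    with open(path, "wb") as fh:
        fh.truncate(65536)
        fh.seek(4096)
        fh.write(b"user=alice;note=constructed sample text")
        fh.seek(32768)
        fh.write(bytes([0x80, 0xFF, 0x01, 0x90]) * 2048)


def report(path):
    """Summarise one file: nominal size, allocated size, non-zero extents with strings."""
    found = [{"offset": o, "length": n, "strings": printable_strings(path, o, n)}
             for o, n in nonzero_extents(path)]
    return {"size": os.path.getsize(path), "allocated": allocated_bytes(path), "extents": found}


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:  # no file given: run on the constructed sample
        targets = [os.path.join(tempfile.mkdtemp(), "sample.part")]
        make_sample(targets[0])
    for target in targets:
        r = report(target)
        print(target, "size", r["size"], "allocated", r["allocated"])
        for e in r["extents"]:
            print("  non-zero at", e["offset"], "length", e["length"], e["strings"][:3])
```

Run it on a copy of the part file, as xilolee did. Downloaded binary data also shows up as non-zero extents, so the readable strings are what deserve a closer look.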

#20 User is offline   Some Support 

  • Last eMule
  • Group: Yes
  • Posts: 3667
  • Joined: 27-June 03

Posted 12 August 2012 - 09:05 PM

I don't know why you keep beating this dead horse. No, it is not possible. If you don't believe me, then do some research yourself and check how Windows works and what the file system calls eMule does do. Check eMule's code to see whether it ever uploaded unchecked data. Only writing that you can imagine it could be otherwise is just pointless.
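Added example, not part of any post in this thread and not eMule's code: a simplified model of the rule Some Support states, that only parts verified by hashing are distributed. The 32-byte part size, SHA-1 as the hash, the class and function names and all sample bytes are assumptions made for the example.

```python
import hashlib

PART_SIZE = 32  # toy part size for the example (assumption, far smaller than a real part)
ORIGINAL = bytes((i * 7 + 3) % 256 for i in range(96))  # constructed 3-part "file"
LEFTOVER = b"login=alice;constructed junk"               # constructed stale bytes


def digest(data):
    """Hash one part; SHA-1 is a stand-in chosen for this model (assumption)."""
    return hashlib.sha1(bytes(data)).hexdigest()


def published_hashes(original, part_size=PART_SIZE):
    """Per-part hashes as the publisher of the file would announce them."""
    return [digest(original[i:i + part_size]) for i in range(0, len(original), part_size)]


class PartFile:
    """Toy partial download: a fixed-size buffer plus one 'verified' flag per part."""

    def __init__(self, size, hashes, leftover=b"", part_size=PART_SIZE):
        self.part_size = part_size
        self.hashes = list(hashes)
        self.buf = bytearray(size)
        # Model the scenario claimed in the thread: stale bytes sit in unfilled space.
        self.buf[:len(leftover)] = leftover[:size]
        self.verified = [False] * len(self.hashes)

    def _part(self, idx):
        return self.buf[idx * self.part_size:(idx + 1) * self.part_size]

    def write(self, offset, data):
        """Store downloaded bytes, then re-check every part the write touched."""
        if offset < 0 or offset + len(data) > len(self.buf):
            raise ValueError("write outside the file")
        if not data:
            return
        self.buf[offset:offset + len(data)] = data
        first = offset // self.part_size
        last = (offset + len(data) - 1) // self.part_size
        for idx in range(first, last + 1):
            self.verified[idx] = digest(self._part(idx)) == self.hashes[idx]

    def serve(self, idx):
        """Bytes offered to another peer, or None while the part is unverified."""
        if not self.verified[idx]:
            return None
        return bytes(self._part(idx))


def demo():
    """Walk the cases: stale bytes, half-filled part, corrupt part, complete parts."""
    pf = PartFile(len(ORIGINAL), published_hashes(ORIGINAL), leftover=LEFTOVER)
    out = {"stale_part": pf.serve(0)}
    pf.write(0, ORIGINAL[:16])                 # part 0 half written, rest still stale
    out["half_written"] = pf.serve(0)
    pf.write(32, ORIGINAL[32:64])              # part 1 complete and correct
    out["good_part"] = pf.serve(1)
    pf.write(64, b"\xff" * 32)                 # part 2 complete but corrupt
    out["corrupt_part"] = pf.serve(2)
    pf.write(16, ORIGINAL[16:32])              # part 0 now complete
    out["completed_part"] = pf.serve(0)
    out["stale_bytes_remain"] = LEFTOVER[16:] in bytes(pf.buf)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value if not isinstance(value, bytes) else value.hex())
```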
