Unidentified virus or malware detected across multiple operating systems (MacOS, Linux)

ItzGum231
Member
60
01-09-2017, 12:09 AM
#1
So this is a weird one. I'm thinking that the likelihood that I'm infected by something is small, but I figured I'd post this here because I've seen nothing like this before. I've been a pretty adamant tech user for 20 years and this just has me boggled. So I have an Unraid server and on that server I have a Linux VM with Pop OS installed (version 19.04). The laptop I'm using to access the VMs and the server is a MacBook Pro (2017). I VNC into the VM from my Mac using VNC Viewer from RealVNC, and when this happened I was just browsing the web while the VM was open on another desktop. When I go back to the VM, the Linux terminal is open and text is being automatically typed into the terminal without me doing anything at all. Here are screenshots of some of the commands it was trying to execute. It's pretty clear it's trying to run some kind of Windows PowerShell executable. Did a quick whois on the IP in some of the text, and it is based in Ukraine with Protonmail e-mail addresses in the whois output. An obvious giveaway that something fishy is going on. There hasn't been a problem obviously since I don't have a Windows machine and clearly this isn't going to do anything in a Linux terminal. However, I am very curious to know where the hell this is coming from. Has someone hacked my VNC session? My security is pretty tight but nothing is foolproof obviously. Very few ports are exposed to the internet on my router, and 5900 (the VNC standard) is not one of them. 443 is open as I run several web-based services through my own subdomains via reverse proxy using NGINX and Let's Encrypt. I did a quick malware scan on my Mac using Malwarebytes, and no hits. It seems doubtful that it was being done live as I'm pretty sure the attacker would know they weren't in a Windows environment. I'm racking my brain trying to figure out where this is coming from, so any help would be greatly appreciated. So far it's been a one-time occurrence.
PS - This is a repost from Reddit on /r/techsupport, but not getting anywhere there so I figured I'd try this awesome community as well.
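The symptom in this post, keystrokes arriving in an unattended session, is what anyone who can reach a VNC listener that announces the "None" security type can do, and a scanner typing a Windows PowerShell one-liner into whatever desktop it finds would produce exactly this picture. The check below is an added example, not code from the thread or from RealVNC: it parses the RFB 3.3/3.7/3.8 server hello (version banner plus the announced security types, laid out as in the public rfbproto spec) and classifies the listener. The sample server responses in SAMPLES are constructed, and the host/port given to `probe` are whatever you point it at; nothing is sent beyond the banner echo, so no password is ever transmitted.

```python
"""Added example (not from the thread): classify a VNC server's RFB security
handshake. Handshake layout follows the public rfbproto spec; the server
responses in SAMPLES are constructed, and `probe` only runs when a host is
given on the command line."""
import re
import socket
import struct
import sys

# Subset of the registered RFB security types (rfbproto "Security" section).
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
    16: "Tight", 18: "TLS", 19: "VeNCrypt", 20: "SASL",
}
# Types that wrap the whole session in TLS or RSA-AES. Everything else,
# "VNC Authentication" included, leaves keystrokes and pixels in clear.
ENCRYPTING = {5, 6, 18, 19}

_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")


def parse_server_hello(data: bytes) -> dict:
    """Parse the bytes a server sends before any credential is exchanged.

    `data` = 12-byte version banner + security announcement. RFB 3.3 sends a
    single big-endian u32 type; 3.7/3.8 send a count byte then that many type
    bytes. A count (or 3.3 type) of 0 is a refusal, followed by a u32 length
    and a reason string.
    """
    m = _BANNER.match(data)
    if not m:
        raise ValueError("not an RFB banner: %r" % data[:12])
    version = (int(m.group(1)), int(m.group(2)))
    body = data[12:]
    if version < (3, 7):
        (stype,) = struct.unpack(">I", body[:4])
        types, rest = ([stype] if stype else []), body[4:]
    else:
        count = body[0]
        types, rest = list(body[1:1 + count]), body[1 + count:]
    reason = None
    if not types:
        (n,) = struct.unpack(">I", rest[:4])
        reason = rest[4:4 + n].decode("latin-1")
    return {"version": version, "types": types, "reason": reason}


def assess(types) -> str:
    """Reduce the announced security types to one verdict for the listener."""
    if not types:
        return "REFUSED"
    if 1 in types:
        return "OPEN"           # no password: whoever reaches the port gets the desktop
    if set(types) <= ENCRYPTING:
        return "ENCRYPTED"
    return "PASSWORD_ONLY"      # DES challenge for the password, cleartext session after it


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check: connect, echo the server's banner (accepting its version),
    read the security announcement and classify it. Never sends a password."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        s.sendall(banner)
        rest = s.recv(512)
    info = parse_server_hello(banner + rest)
    info["verdict"] = assess(info["types"])
    return info


# Constructed server responses, one per situation the verdict distinguishes.
SAMPLES = {
    "no_auth":  b"RFB 003.008\n" + bytes([2, 1, 2]),       # offers None and VNC Auth
    "vnc_auth": b"RFB 003.008\n" + bytes([1, 2]),          # password only
    "vencrypt": b"RFB 003.008\n" + bytes([1, 19]),         # TLS-wrapped session
    "legacy":   b"RFB 003.003\n" + struct.pack(">I", 2),   # 3.3 server, VNC Auth
    "refused":  b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 8) + b"Too many",
}


def classify_samples() -> dict:
    return {name: assess(parse_server_hello(raw)["types"]) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 5900
        info = probe(host, port)
        names = [SECURITY_TYPES.get(t, str(t)) for t in info["types"]]
        print(f"{host}:{port} RFB {info['version']} offers {names} -> {info['verdict']}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name:9} -> {verdict}")
```

Run it from a LAN host against whichever process serves VNC for the VM, e.g. `python vnc_check.py 192.0.2.10 5900`. OPEN means turn authentication on before anything else; PASSWORD_ONLY means the password exchange is a DES challenge and everything after it, keystrokes included, crosses the network in clear, which is the interception risk the second reply raises and why an SSH-based transport (x2go, or VNC bound to localhost and reached through an SSH port forward) is the fix. A listener bound only to 127.0.0.1 never shows up to a scanner at all.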

entech
Member
210
01-11-2017, 09:25 PM
#2
Identify which ports are accessible. It could help to disable one at a time to determine if stopping any stops the activity. If port 22 is open, consider changing its configuration. There are automated tools searching for open ports on that service. Nginx running on port 443 should not be reachable from outside. A potential risk involves someone compromising your network and capturing VNC connections, possibly through unencrypted traffic. Another scenario is physical access to your Wi-Fi or Ethernet setup allowing interception of sessions. For better security, use x2go instead of VNC—it operates faster and relies on SSH.

rmk1205
Junior Member
30
01-12-2017, 06:45 PM
#3
The available ports include 80, which sends traffic internally instead of exposing port 80 directly for reverse proxy handling. Port 443 redirects to another internal port for similar reasons. The OpenVPN port is used externally for server access. Plex ports are set for remote sessions, with ports 22 and 21 kept closed to avoid SSH or FTP connections from outside the LAN. A more secure setup uses a Docker container with a reverse proxy and VPN for external access. No open ports are visible on laptops' internal IPs. Thanks for suggesting x2go—it appears to be a better choice than VNC. I find it odd that this hasn’t occurred before, but I’m curious if others have similar experiences.

xman75
Member
186
01-13-2017, 02:43 AM
#4
Quote me or I won't receive alerts when you reply. Is your router recording incoming data? It could be helpful to keep track of this moving forward for clearer insights.

WaZtoX
Member
115
01-13-2017, 09:39 AM
#5
I'm using Advanced Tomato (shibby) on my ASUS router, and the default setting disables logging for incoming connections. I've enabled it now so any activity appears in the logs. I'll share updates if anything notable comes up. I wish there was a way to block all incoming traffic from certain regions—PfSense offers such functionality, which would be helpful for blocking Eastern Europe.

Lazer18
Member
69
01-13-2017, 03:12 PM
#6
Check your server logs for unusual activity. Regarding OpenVPN, are you relying solely on keys?

khaledkb_
Senior Member
724
01-16-2017, 03:22 PM
#7
Keys only required. Everything seems to be working now. Logs are abundant, but some connections still drop. A few are accepted—after checking recent IP activity, it’s unclear if anything is malicious. Attached are the last 12 hours and a log file for review. Syslog.txt
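The syslog attached here (router logging of inbound connections was switched on in post #5) is the input the next step needs: deciding which accepted inbound connections were expected and which sources were just scanning. The script below is an added example, not from the thread. It assumes the netfilter LOG-target line format that Tomato firmware writes to syslog with an ACCEPT or DROP prefix; the lines in SAMPLE_LOG, their IP addresses (documentation ranges) and the EXPECTED forward list (443 for the reverse proxy plus an assumed UDP 1194 for OpenVPN) are all constructed.

```python
"""Added example (not from the thread): triage a router's inbound-connection
log. Assumes the netfilter LOG-target line format that Tomato-style firmware
writes to syslog with an ACCEPT/DROP prefix. Every line in SAMPLE_LOG and the
EXPECTED forward list are constructed for illustration."""
import re
from collections import Counter, defaultdict

# One netfilter LOG line: prefix, interface, SRC/DST, protocol, optional ports.
LOG_RE = re.compile(
    r"kernel: (?P<action>ACCEPT|DROP) IN=(?P<iface>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: two legitimate hits on the reverse proxy, one source
# sweeping 5900/5901/22, one accepted connection to 5900 that nobody forwarded,
# an ICMP echo (no ports) and a VPN hit.
SAMPLE_LOG = """\
Jan 16 08:12:01 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51231 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 16 08:12:09 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51240 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 16 08:40:17 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=54321 PROTO=TCP SPT=40001 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 16 08:40:17 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=54322 PROTO=TCP SPT=40002 DPT=5901 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 16 08:40:18 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=44 ID=54323 PROTO=TCP SPT=40003 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 16 09:02:33 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.200 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=33410 DPT=5900 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 16 09:05:00 router kernel: DROP IN=vlan2 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan 16 09:30:45 router kernel: ACCEPT IN=vlan2 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=42 TOS=0x00 PREC=0x00 TTL=44 ID=2 PROTO=UDP SPT=43012 DPT=1194 LEN=22
"""

# Assumed forwards: 443 for the NGINX reverse proxy, UDP 1194 for OpenVPN.
EXPECTED = {("TCP", 443), ("UDP", 1194)}


def parse_line(line: str):
    """Return the fields of one LOG line, or None for unrelated syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["dpt"] = int(e["dpt"]) if e["dpt"] else None   # ICMP carries no port
    return e


def triage(lines, expected, scan_threshold=3) -> dict:
    """Count accepted flows, flag accepts outside `expected`, and name sources
    whose drops touched at least `scan_threshold` distinct ports (scanners)."""
    accepted = Counter()
    dropped_ports = defaultdict(set)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["action"] == "ACCEPT":
            accepted[(e["src"], e["proto"], e["dpt"])] += 1
        elif e["dpt"] is not None:
            dropped_ports[e["src"]].add(e["dpt"])
    unexpected = sorted(
        (src, proto, dpt, n) for (src, proto, dpt), n in accepted.items()
        if (proto, dpt) not in expected
    )
    scanners = sorted(src for src, ports in dropped_ports.items()
                      if len(ports) >= scan_threshold)
    return {"accepted": dict(accepted),
            "unexpected_accepts": unexpected,
            "probable_scanners": scanners}


def triage_sample() -> dict:
    return triage(SAMPLE_LOG.splitlines(), EXPECTED)


if __name__ == "__main__":
    report = triage_sample()
    for src, proto, dpt, n in report["unexpected_accepts"]:
        print(f"ACCEPTED but not forwarded: {src} -> {proto}/{dpt} x{n}")
    print("probable scanners:", ", ".join(report["probable_scanners"]) or "none")
```

Against the real file it is `triage(open("Syslog.txt"), EXPECTED)` with your own forward list. An accepted connection to a port you never forwarded is the line worth chasing; a source dropped on 5900, 5901 and 22 within a second is a scanner, background noise rather than evidence of compromise. Two caveats follow from where the log is taken: the router sees only WAN-side traffic, so a VNC session reached from inside the LAN or over the VPN never appears here, and the NGINX access log covers only HTTP requests to the proxied hosts, not connections to anything else.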

Fabriciomaxd
Member
58
01-16-2017, 09:35 PM
#8
The provided details aren't sufficient for analysis. Check the logs for specific requests to identify any unusual activity.

blakestert
Member
217
01-16-2017, 11:33 PM
#9
This is an NGINX logging feature, and the only thing I use it for is via the Let's Encrypt container. Do you mean that I should enable logging here and that this will provide the necessary logs for any potential intrusions to my WAN IP? Will it not only log specific requests to the ports open for the reverse proxy? I can give it a shot sometime during the week if you think this will provide the information needed, and I would appreciate a short explanation as to how this log provides evidence of the requests in question. I'd consider myself tech savvy, but I'm by no means a networking guru ^^

bmw355games
Junior Member
47
01-17-2017, 04:13 AM
#10
Without logging active and no web content on the VM, the setup likely won’t serve a purpose. It seems unlikely someone sent a malicious request to the server at this time.
