
So this is a weird one. I'm thinking that the likelihood that I'm infected by something is small, but I figured I'd post this here because I've seen nothing like this before. I've been a pretty adamant tech user for 20 years and this just has me boggled.

 

So I have an Unraid server, and on that server I have a Linux VM with Pop OS installed (version 19.04). The laptop I'm using to access the VMs and the server is a MacBook Pro (2017). I VNC into the VM from my Mac using VNC Viewer from RealVNC, and when this happened I was just browsing the web while the VM was open on another desktop. When I went back to the VM, the Linux terminal was open and text was being automatically typed into the terminal without me doing anything at all.

 

Here are screenshots of some of the commands it was trying to execute

 

It's pretty clear it's trying to run some kind of Windows PowerShell executable. I did a quick whois on the IP in some of the text, and it is based in Ukraine, with Protonmail e-mail addresses in the whois output. An obvious giveaway that something fishy is going on.

 

There hasn't been a problem, obviously, since I don't have a Windows machine and clearly this isn't going to do anything in a Linux terminal. However, I am very curious to know where the hell this is coming from. Has someone hacked my VNC session? My security is pretty tight, but nothing is foolproof obviously. Very few ports are exposed to the internet on my router, and 5900 (the VNC standard) is not one of them. 443 is open as I run several web-based services through my own subdomains via reverse proxy using NGINX and Let's Encrypt.

 

I did a quick malware scan on my Mac using Malwarebytes, and no hits. It seems doubtful that it was being done live as I'm pretty sure the attacker would know they weren't in a Windows environment.

 

I'm racking my brain trying to figure out where this is coming from, so any help would be greatly appreciated. So far it's been a one time occurrence.

 

PS - This is a repost from Reddit on /r/techsupport, but not getting anywhere there so I figured I'd try this awesome community as well.


Exactly what ports are exposed? Might be a good idea to close one at a time to see if closing any of them stops the typing. If you have an open ssh port on port 22 it might be a good idea to change it to something else, there are bots scouring the internet for open 22 ports. nginx on 443 shouldn't allow access to anyone. There's always the possibility someone pwned your mac but that sounds like a weirdly specific hack... the commands seem like they're coming from a bot so it would have to be a malware that infects your mac, checks for any open vnc sessions and hijacks them, then tries to run windows commands...

 

Another possibility is that someone got into your wifi network (or has physical access to your ethernet network...?) and intercepted VNC traffic, after all it's not encrypted. By the way, I strongly recommend you use x2go instead of VNC - it's faster and it uses ssh.


Ports that are open are as follows:

  • 80 which redirects to internal port (not 80) on the server to directly access the nginx server for reverse proxy handling
  • 443 which also redirects to another internal port for the same reason above
  • OpenVPN port for external access to my server.
  • Plex port for remote sessions
  • Ports for my torrent client on the server

I keep ports 22 and 21 closed and do not access my server via SSH or FTP externally. I have a more secure setup via a Docker container using a reverse proxy and VPN to get access from outside my LAN. There are no open ports to my laptop's internal IP.

 

Thanks for recommending x2go. It definitely seems like a better option than VNC. I agree that it seems strangely specific, and it hasn't happened since. I've made some modifications here and there and hopefully this won't happen again, but it was just so weird in the first place that I wanted to hear if anyone had any thoughts on it.


9 hours ago, tuxflux said:

Ports that are open are as follows:

  • 80 which redirects to internal port (not 80) on the server to directly access the nginx server for reverse proxy handling
  • 443 which also redirects to another internal port for the same reason above
  • OpenVPN port for external access to my server.
  • Plex port for remote sessions
  • Ports for my torrent client on the server

I keep ports 22 and 21 closed and do not access my server via SSH or FTP externally. I have a more secure setup via a Docker container using a reverse proxy and VPN to get access from outside my LAN. There are no open ports to my laptop's internal IP.

 

Thanks for recommending x2go. It definitely seems like a better option than VNC. I agree that it seems strangely specific, and it hasn't happened since. I've made some modifications here and there and hopefully this won't happen again, but it was just so weird in the first place that I wanted to hear if anyone had any thoughts on it.

Please quote me or I won't get notified when you answer.

 

Does your router log incoming traffic? It might be a good idea to monitor that in the future so you can get a better idea of what's going on.


1 hour ago, Sauron said:

Please quote me or I won't get notified when you answer.

 

Does your router log incoming traffic? It might be a good idea to monitor that in the future so you can get a better idea of what's going on.

Sure. I'm running Advanced Tomato (shibby) on my ASUS router, and logging of inbound connections was turned off by default. I've turned it on now, so any activity should be showing up in the log. I'll post an update if something interesting turns up. I really wish there was a feature to block all incoming connections from specific geolocations. I know pfSense has features like this. Must be nice to basically block out all of eastern Europe.


4 hours ago, GardeningWithSilicon said:

Do your server logs show anything weird? 

 

Second - how is your openvpn setup? Do you use keys only?

Yes, keys only. There shouldn't be any problems there.

 

My logs are plentiful now, and lots of inbound connections get dropped. However, some are accepted, and after doing some quick research on the IPs in question, I'm not sure if it's bad or not. I'll attach the last 12 hours here and maybe some of you can give me some insight.

syslog.txt

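The attached syslog itself is not reproduced in the thread, so here is an added example (not the poster's data or the router's own tooling) of how to triage the kind of ACCEPT/DROP lines a Tomato-style router writes to syslog once inbound logging is on: count verdicts per destination port on the WAN interface and flag any accepted connection to a port that is not on the list of forwarded ports. The log lines, the WAN interface name `vlan2` and the allowlisted ports are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG lines in the layout a Tomato-style router
# writes to syslog (assumed layout; the KEY=VALUE fields are the kernel's own).
SAMPLE_SYSLOG = """\
Apr 10 02:11:07 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22 SYN
Apr 10 02:11:09 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.77 DST=192.168.1.10 PROTO=TCP SPT=44120 DPT=443 SYN
Apr 10 02:12:30 router kernel: DROP IN=vlan2 OUT= SRC=198.51.100.23 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=5900 SYN
Apr 10 02:13:01 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=192.0.2.200 DST=192.168.1.10 PROTO=TCP SPT=60001 DPT=5900 SYN
Apr 10 02:13:44 router kernel: ACCEPT IN=vlan2 OUT=br0 SRC=198.51.100.77 DST=192.168.1.10 PROTO=UDP SPT=1194 DPT=1194
Apr 10 02:14:10 router kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=40000 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"kernel: (?P<verdict>ACCEPT|DROP) IN=(?P<ifin>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse_firewall_log(text):
    """Return one dict per LOG line; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["dpt"] = int(e["dpt"])
            entries.append(e)
    return entries

def summarize_inbound(entries, wan_if, allowed_ports):
    """Count WAN-side verdicts per destination port and list the ACCEPTs that hit
    a port outside the forwarding allowlist; those are the ones worth checking."""
    accepted, dropped, unexpected = Counter(), Counter(), []
    for e in entries:
        if e["ifin"] != wan_if:  # skip LAN-originated (outbound) traffic
            continue
        if e["verdict"] == "DROP":
            dropped[e["dpt"]] += 1
        else:
            accepted[e["dpt"]] += 1
            if e["dpt"] not in allowed_ports:
                unexpected.append((e["src"], e["proto"], e["dpt"]))
    return {"accepted": accepted, "dropped": dropped, "unexpected": unexpected}

if __name__ == "__main__":
    # 80/443 come from the thread; 1194 (OpenVPN), 32400 (Plex) and 51413
    # (torrent client) are assumed port numbers, not taken from the post.
    report = summarize_inbound(parse_firewall_log(SAMPLE_SYSLOG), "vlan2",
                               {80, 443, 1194, 32400, 51413})
    for src, proto, port in report["unexpected"]:
        print(f"ACCEPTed {proto} to port {port} from {src} is not in the allowlist")
```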

8 hours ago, tuxflux said:

Yes, keys only. There shouldn't be any problems there.

 

My logs are plentiful now, and lots of inbound connections get dropped. However, some are accepted, and after doing some quick research on the IPs in question, I'm not sure if it's bad or not. I'll attach the last 12 hours here and maybe some of you can give me some insight.

syslog.txt

There isn't enough information in that log to be useful.

 

https://docs.nginx.com/nginx/admin-guide/monitoring/logging/

 

We need to see the requests here to see if there was a weird request.

5 hours ago, GardeningWithSilicon said:

There isn't enough information in that log to be useful.

 

https://docs.nginx.com/nginx/admin-guide/monitoring/logging/

 

We need to see the requests here to see if there was a weird request. 

This is an NGINX logging feature, and the only thing I use it for is via the Let's Encrypt container. Do you mean that I should enable logging here and that this will provide the necessary logs for any potential intrusions to my WAN IP? Will it not only log specific requests to the ports open for the reverse proxy?

 

I can give it a shot sometime during the week if you think this will provide the information needed, and I would appreciate a short explanation as to how this log provides evidence of the requests in question. I'd consider myself tech savvy, but I'm by no means a networking guru ^^

4 minutes ago, tuxflux said:

This is an NGINX logging feature, and the only thing I use it for is via the Let's Encrypt container. Do you mean that I should enable logging here and that this will provide the necessary logs for any potential intrusions to my WAN IP? Will it not only log specific requests to the ports open for the reverse proxy?

 

I can give it a shot sometime during the week if you think this will provide the information needed, and I would appreciate a short explanation as to how this log provides evidence of the requests in question. I'd consider myself tech savvy, but I'm by no means a networking guru ^^

If you didn't have logging enabled, and the VM doesn't host any web-facing content, then it probably won't be useful. The thought was that perhaps you had someone issue some sort of poisoned web request to the web server, but that doesn't seem plausible now.

5 minutes ago, GardeningWithSilicon said:

If you didn't have logging enabled, and the VM doesn't host any web-facing content, then it probably won't be useful. The thought was that perhaps you had someone issue some sort of poisoned web request to the web server, but that doesn't seem plausible now.

Nope, all the web-facing content is through Docker containers: Bitwarden database, Nextcloud, Sonarr and Radarr, for example. All these containers are up to date and have no direct connection to the VM. Since it hasn't happened again, I'm pretty sure it's under control. I'll update the thread if it happens again. Thanks for your input anyway.

It certainly looks like somebody was trying to set up a virus. FTP.exe is the main executable for allowing FTP transfers on Windows. From what little I know of PowerShell, it looks as if there was a firewall exception being added to FTP.exe so that Windows Defender would ignore it and thus allow a virus executable to be transferred into the startup folder of the Windows install and manifest on reboot?

 

All theory, and not the most educated theory at that. @leadeater knows infinitely more about PowerShell than I do, and is smart enough in it to have been Linus' help in the "These servers are TOO EXPENSIVE- Hybrid Storage Explored" video.

 


48 minutes ago, SenpaiKaplan said:

and is smart enough in it to have been Linus' help in the "These servers are TOO EXPENSIVE- Hybrid Storage Explored" video. 

Nah, far better to watch a train wreck failure, we all learn from our failures, right? Videos on how to set up storage servers/arrays properly are rather boring.

Just now, leadeater said:

Nah, far better to watch a train wreck failure, we all learn from our failures, right? Videos on how to set up storage servers/arrays properly are rather boring.

Help us, PowerShell god!
