My EndeavourOS main machine might have been hacked

I'm writing here while I watch clamav run a full system scan. I have been running Eos as my main for 6 months now.

Please forgive my English as it's not my main language. For context: for almost a week now I have been getting authentication requests on my authenticator, at a very specific time of day when I don't usually have my phone with me. When I open the authenticator, the request has already expired, so whoever tried to log in to my email didn't get access. At first I thought it might be an old request from me during the day that didn't complete, or that I accidentally triggered it when trying to log in from a different browser. Then I noticed that it keeps happening, every day during a specific time span. So I waited for it, and to my surprise, it's a login request from a Mac. I only have a MacBook Air, and it's on a shelf under my TV that I have not opened for almost a year. This got me a little worried. So I logged in to my account and checked what is happening: there have been multiple sign-in attempts from around the world in the last week.

As any sane person would do, I changed my password(s). I changed my email login alias. I also updated my password in my browser(s) (yes I know, I have learned my lesson, I'm out for a better password manager). That was Tuesday. Come Wednesday, I didn't get any notification from the authenticator. And today here we are. I was watching TV when I heard a ping on my phone. It's the same notification, from a Mac, from the same country. My heart sank when the request came from the new alias, which I never gave out to anyone.

Now my first suspects are my browsers. I checked Firefox, which btw I did not update with the password and new alias. But when I did the house cleaning, I changed my Mozilla profile password and added an authenticator, and I changed my profile password for Google Chrome. I went into Brave and removed all other devices from the sync chain. I am leaning more towards Brave as the source... But to be safe, as I mentioned, I updated my system this afternoon, and have now installed clamav and am running a full scan.

I was reading on the Brave forums when someone suggested checking my emails at https://haveibeenpwned.com/ ; no result.

So... If anyone has any suggestion for a good password manager that works with Firefox, Brave (depending how this goes), Chrome, etc., I am all ears. Also, suggestions on how or where to check my system in case clamav misses anything.

Thanks for any possible help!

Bitwarden works great. I honestly would change login details on a completely clean machine if you don't trust the Linux machine, and perhaps change the email you use for your most important accounts if you are really paranoid.

3 Likes

Thanks, will look into Bitwarden. I'm trying to hold off reinstalling the OS since it's a pain to set up my VM (I haven't figured out how to automate it yet).

Considering you have the suspicion that your machine got hacked, I believe it is a pain worth taking for keeping your accounts safe. You do you, however.

2 Likes

If you prefer keeping your passwords offline then try https://keepassxc.org/ (the encrypted file can be stored in any location, including private and public cloud solutions, e.g. with Syncthing).

5 Likes

This sounds awesome, I'll take a look, thanks!

You are absolutely right. I still want to give it a chance depending on what clamav shows after the full system scan. :slight_smile:

clamav may not find anything. Chances are a service is open/listening, perhaps something related to a game.

How is this computer connected to the wider Internet? You probably want a NAT firewall between both. Or a NAT router that doesn’t let inbound connections through.

Reboot your computer, disconnect from whatever internet connection, and consider a reformat/install. Your document backups may also be corrupted.

Yeah clamav returned this:

[image]

clamav may not find anything. Chances are a service is open/listening, perhaps something related to a game.

I only played Steam games (POE) and I removed it together with Steam more than a month ago when my 1050 Ti couldn't handle it (I haven't figured out the proper config for it to run).

How is this computer connected to the wider Internet? You probably want a NAT firewall between both. Or a NAT router that doesn’t let inbound connections through.

Regular router from my ISP. For the firewall I'm using the one out of the box from EOS; didn't touch anything on it, all out of the box.

Reboot your computer, disconnect from whatever internet connection, and consider a reformat/install. Your document backups may also be corrupted.

I'll prolly do this when I clock out tomorrow. Do you have any suggestion for listing/finding services trying to communicate or send data out?

I did netstat -natu | grep 'ESTABLISHED' and netstat -natu | grep 'LISTEN', both with the ethernet plugged in and unplugged; nothing looks suspicious (I checked the IP addresses on VirusTotal, all returned green).

I also combed through btop, checked processes and which user is running them, and googled stuff that looked weird to me, but nothing came up. For example, I learned about rtkit-daemon running as the rtkit user, same for dbus-broker with the dbus user. And dnsmasq with nobody. Unless that's the culprit? I looked around; it seems to be a Fedora bug, so I didn't look much into it.
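The manual netstat/btop review above (and the earlier point that "a service is open/listening") can be made repeatable. The following script is an added example and not something posted in this thread: it parses the output of `ss -tunap` (the modern replacement for `netstat -natu`, with the owning process shown when run as root), pairs every socket with its process and PID, and separates the three cases a defender cares about: listeners bound to every interface, listeners bound only to a LAN or virtual-bridge address (the dnsmasq-on-libvirt case), and established connections to addresses outside the local network from processes you have not explicitly trusted. Loopback-only listeners are skipped because nothing outside the host can reach them. The sample `ss` output embedded in the block is constructed for the demonstration; the process name `sync-helper` and all addresses are made up.

```python
"""Triage `ss -tunap` output: what listens where, and what talks out.

Added example for this thread; SAMPLE_SS_OUTPUT is constructed, not captured
from the poster's machine. Run as root so the Process column is populated.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Matches the first process in ss's `users:(("name",pid=N,fd=M))` column.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)')

# Constructed sample of `ss -tunap` output (header plus seven sockets).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port  Process
tcp   LISTEN 0      4096   127.0.0.53%lo:53      0.0.0.0:*          users:(("systemd-resolve",pid=612,fd=14))
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      32     192.168.122.1:53      0.0.0.0:*          users:(("dnsmasq",pid=1420,fd=6))
tcp   ESTAB  0      0      192.168.1.20:44312    203.0.113.7:443    users:(("brave",pid=3021,fd=112))
tcp   ESTAB  0      0      192.168.1.20:50122    198.51.100.9:6667  users:(("sync-helper",pid=4471,fd=8))
udp   UNCONN 0      0      0.0.0.0:5353          0.0.0.0:*          users:(("avahi-daemon",pid=701,fd=12))
tcp   LISTEN 0      128    [::]:22               [::]:*             users:(("sshd",pid=890,fd=4))
"""

# Address ranges that stay inside the home network (RFC 1918, link-local, ULA).
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fe80::/10", "fc00::/7")]


@dataclass
class Socket:
    netid: str
    state: str
    local_addr: str
    local_port: str
    peer_addr: str
    peer_port: str
    process: Optional[str]   # None when ss could not read the owner (not root)
    pid: Optional[int]


def split_endpoint(endpoint: str):
    """'[::]:22' -> ('::', '22'); '127.0.0.53%lo:53' -> ('127.0.0.53', '53')."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop interface scope and brackets
    return addr, port


def parse_ss(text: str):
    """Turn raw `ss -tunap` output into Socket records, skipping the header."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Netid":
            continue
        netid, state, _recvq, _sendq, local, peer = fields[:6]
        local_addr, local_port = split_endpoint(local)
        peer_addr, peer_port = split_endpoint(peer)
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else None
        pid = int(match.group(2)) if match else None
        sockets.append(Socket(netid, state, local_addr, local_port,
                              peer_addr, peer_port, process, pid))
    return sockets


def addr_scope(addr: str) -> str:
    """'any' for wildcard binds, 'loopback', 'lan' for home-network ranges, else 'remote'."""
    if addr in ("", "*"):
        return "any"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or :: -> bound on every interface
        return "any"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "remote"


def review_sockets(text: str, trusted_processes=frozenset()):
    """Return (kind, process, pid, local, peer) tuples worth a second look.

    kinds: 'exposed-listener' (bound on all or a public address),
           'lan-listener' (bound on a private/bridge address),
           'outbound' (established to a non-LAN peer by an untrusted process).
    """
    findings = []
    for s in parse_ss(text):
        proc = s.process or "?"
        local = f"{s.local_addr}:{s.local_port}"
        peer = f"{s.peer_addr}:{s.peer_port}"
        if s.state in ("LISTEN", "UNCONN"):
            scope = addr_scope(s.local_addr)
            if scope == "loopback":
                continue  # only reachable from this host; not an exposure
            kind = "lan-listener" if scope == "lan" else "exposed-listener"
            findings.append((kind, proc, s.pid, local, peer))
        elif s.state == "ESTAB" and addr_scope(s.peer_addr) == "remote":
            if proc not in trusted_processes:
                findings.append(("outbound", proc, s.pid, local, peer))
    return findings


if __name__ == "__main__":
    import subprocess
    try:  # use the live socket table when ss is available, else the sample
        text = subprocess.run(["ss", "-tunap"], capture_output=True,
                              text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT
    for finding in review_sockets(text, trusted_processes={"brave", "firefox"}):
        print(*finding)
```

On the constructed sample the review lists both sshd sockets and avahi-daemon as exposed listeners (they bind on 0.0.0.0 and [::], so a port forward or a misconfigured router would expose them), dnsmasq as a LAN-only listener on the libvirt bridge address, and the untrusted `sync-helper` talking to a remote host on port 6667; the browser connection is suppressed only because it was named in `trusted_processes`. Run it with the ethernet plugged and unplugged as the poster did, and look at the PIDs it reports together with `ps -o user,cmd -p PID` to confirm which account each process runs under.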

lynis, maldet, tiger are all SUPERIOR to ClamAV. The dev abandoned Clam... Clam is notorious for false positives.

My advice: gather up more evidence than Clam and show the forum any suspected irregularities. Don’t put your password in the cloud (that’s reckless). Change them all.

Part 2 of my advice: give it a few days and if your gut still feels uneasy about it, nuke the install and start fresh.

two cents

I think it would help to try and understand the scope of the issue. Like, is this a phishing attempt (bogus login request hoping you’ll click something in the email), or is it just a bot brute forcing logins, posing very little actual risk (providing your security is decent)… or something else? Being the same time of day, every day, suggests something bot-like.

Could you also elaborate on what you mean by “its a login request from a Mac”?

What is it they’re trying to login to? Is it someone trying to login to your Apple account? “Mac” refers to a physical device, but maybe this has nothing to do with a physical device (particularly as your Mac has been off).

The headers of the email would be helpful (do not share here, for your privacy sake). I also don’t speak Apple, so I’m not familiar with the ways an Apple account could be nuisanced. For example, can you use a phone number to login to your Apple account? Might that be what they have, and therefore changing email didn’t help?

I would suggest using a different system until you can at least verify the scope of the alleged attack.

If your system has indeed been compromised, it is unclear what an alleged attacker might have access to and be aware of. Any attempt to add on security to a compromised system could itself already be compromised.

If the attack is to be treated as legitimate, the system needs to be taken offline and backed up, then completely reset. For example, disconnect it completely from the Internet, reboot using a Live ISO, and backup your important data to an external drive and completely reformat with entirely new credentials.

Scan the backup drive separately, with a good anti-virus, before considering restoring any of that data to your system.

Is OP confusing a MAC address, I wonder? All that normal stuff that listens outside a browser and is logged? How would one know if a person with an Apple machine was hacking you?

or is it just a bot brute forcing logins, posing very little actual risk (providing your security is decent)… or something else?

It was a brute force attack, at first look. The account in question is a Microsoft Live account, and it is linked to Microsoft Authenticator on my iPhone. See from my original post, I mentioned I had to wait for the authentication notification on my phone. That was key for me to know more, since Microsoft Authenticator, or even the Microsoft account, doesn't have a log of authenticator requests. They have the log of attempted sign-ins, which is different.

Could you also elaborate on what you mean by “its a login request from a Mac”?

If you have used Microsoft Authenticator, when someone tries to log in to your account, you will get a notification showing the email, location, and device. In my case, in the pop-up, it said Mac as the device.

You see, at least from my experience with Outlook and Microsoft Authenticator, you will not get an authentication request unless you have both the correct email and password. It will show you a pop-up inside the app with the email trying to log in, the location, and the device, along with 3 numbers you need to pick from to log in. And a deny button.
I just tested it now, so it is possible to send an authentication request without the actual password. So it might still be a brute force attack. The attacker is hoping I click one of the numbers by accident.

I said I thought at first it was a brute force attack because, when I started looking into my account before actually seeing the pop-up notification for authentication, I looked at my Microsoft account login history and saw login attempts with incorrect passwords, from different locations, using different devices. When I saw the actual authentication request, that's what really scared me: they know the correct email and password, so Microsoft asks for an authentication request in the attached authenticator.

With these details, it still looks like a brute force attack and they got really lucky. Just a note, I don't use an easy password. When I finally saw the authentication request and realized what's happening, I created a new login alias in Microsoft and set it as the only email Microsoft will accept to log in. The attack stopped for a day. And then back again, now with the new alias I created, which I have never used in any signup/signin, or even used as an email address.

The headers of the email would be helpful (do not share here, for your privacy sake). I also don’t speak Apple, so I’m not familiar with the ways an Apple account could be nuisanced. For example, can you use a phone number to login to your Apple account? Might that be what they have, and therefore changing email didn’t help?

I never interacted with any suspicious email prior to the attack. So I don't have any header I can share.

If the attack is to be treated as legitimate, the system needs to be taken offline and backed up, then completely reset. For example, disconnect it completely from the Internet, reboot using a Live ISO, and backup your important data to an external drive and completely reformat with entirely new credentials.

I'll do this over the weekend, thanks for the suggestion!

Is it possible that the “attacker” is your own iPhone and the Microsoft authenticator is just misinterpreting it as “mac”?

I actually thought of that. I tried to replicate it and force it, in case residual notifications were not being sent on time. So far, in the past few hours, I'm getting them on time and all the notifications are with the correct device (Linux) and country.

If possible, try to avoid proprietary software. At least our password manager, authenticator and browser should be open source. IMO these 3 are the most important for our privacy and security.

Isn't it way more likely that the password was sniffed from the phone? Hacking into Linux isn't a walk in the park and seldom worth the effort, and, to this point, I can't see any correlation between EOS and what the user is experiencing.

I have an old MSN email account protected by Microsoft Authenticator, on which a couple of times a year maybe I have denied an unknown request attempting to connect.

The short answer is there is not much to worry about if usernames and passwords are not shared among accounts and multi factor authentication is used when available. That’s the point of MFA and account authentication.

It’s admittedly scary and stressful but probably OK. Microsoft Authenticator is protecting your account.

1 Like