Why does this keep popping (/flashing) up when I click network settings in Ubuntu? I have these things running in Docker and they’re not even running ATM.
Also, what does User uid: 1000 and User gid: 1000 mean?
Somewhat unrelated: Here’s the dumps of Suricata showing that there was a bot on my network that detected Suricata, went to sleep then disguised itself as just a random fart virus. [BELOW]
Then random stuff. Now my computer is popping up the Connected to Wireguard notification is popping up every 14 seconds.
ORIGINAL SCAN WHERE MAIN THREAT WENT DARK:
03/23/2020-19:35:41.397626 [] [1:2014573:7] ET TROJAN DNS Query for a known malware domain (sektori.org) [] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 10.0.0.145:40737 -> 199.19.57.1:53
03/23/2020-19:35:41.402173 [] [1:2027757:3] ET DNS Query for .to TLD [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:53109 -> 216.74.32.100:53
03/23/2020-19:35:41.402288 [] [1:2027757:3] ET DNS Query for .to TLD [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:26717 -> 162.243.211.202:53
03/23/2020-19:35:41.407707 [] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:52637 -> 185.24.64.12:53
03/23/2020-19:35:41.409314 [] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:22846 -> 108.59.161.11:53
03/23/2020-19:35:41.418616 [] [1:2016778:5] ET DNS Query to a *.pw domain - Likely Hostile [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} fe80:0000:0000:0000:0226:55ff:fed2:1fe1:16926 -> 2001:067c:13cc:0000:0000:0000:0001:0012:53
03/23/2020-19:35:41.413878 [] [1:2027757:3] ET DNS Query for .to TLD [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:33675 -> 162.243.211.202:53
03/23/2020-19:35:41.653406 [] [1:2014573:7] ET TROJAN DNS Query for a known malware domain (sektori.org) [] [Classification: A Network Trojan was Detected] [Priority: 1] {UDP} 10.0.0.145:55591 -> 199.19.56.1:53
03/23/2020-19:35:41.711055 [] [1:2027757:3] ET DNS Query for .to TLD [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:32841 -> 162.243.211.202:53
…
…
03/23/2020-19:39:24.626282 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} fe80:0000:0000:0000:0226:55ff:fed2:1fe1:34577 -> 2001:0468:0d01:0020:0000:0000:80df:2023:53
03/23/2020-19:39:24.626327 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} fe80:0000:0000:0000:0226:55ff:fed2:1fe1:21470 -> 2001:0468:0d01:0020:0000:0000:80df:2023:53
03/23/2020-19:39:24.626285 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:56217 -> 62.240.36.9:53
03/23/2020-19:39:24.626345 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:40252 -> 204.16.253.53:53
03/23/2020-19:39:24.626274 [] [1:2027863:2] ET INFO Observed DNS Query to .biz TLD [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:39978 -> 209.173.58.66:53
03/23/2020-19:39:24.626341 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:63623 -> 62.240.36.9:53
03/23/2020-19:39:24.626366 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 10.0.0.145:38012 -> 62.240.36.9:53
03/23/2020-19:39:24.925161 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} fe80:0000:0000:0000:0226:55ff:fed2:1fe1:38158 -> 2001:43f8:0120:0000:0000:0000:0000:0024:53
03/23/2020-19:39:25.298219 [] [1:2028704:2] ET POLICY DNS Query to DynDNS Domain *.access .ly [] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} fe80:0000:0000:0000:0226:55ff:fed2:1fe1:37050 -> 2001:0500:0014:6067:00ad:0000:0000:0001:53
03/23/2020-19:39:30.151530 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:50361 -> 96.45.83.246:445
03/23/2020-19:39:33.901043 [] [1:2008581:3] ET P2P BitTorrent DHT ping request [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:1778 -> 94.248.140.135:8999
03/23/2020-19:41:27.150845 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:20022 -> 96.45.83.246:445
03/23/2020-19:43:27.153741 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:51135 -> 96.45.83.246:445
03/23/2020-19:45:11.302820 [] [1:2008581:3] ET P2P BitTorrent DHT ping request [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:48381 -> 91.121.72.196:50771
03/23/2020-19:45:27.155116 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:58116 -> 96.45.83.246:445
03/23/2020-19:45:28.994788 [] [1:2010144:6] ET P2P Vuze BT UDP Connection (5) [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:61836 -> 62.138.0.158:6969
03/23/2020-19:47:27.150244 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:42068 -> 96.45.83.246:445
03/23/2020-19:49:27.156242 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:35057 -> 96.45.83.246:445
03/23/2020-19:50:22.634812 [] [1:2008581:3] ET P2P BitTorrent DHT ping request [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:24410 -> 207.180.251.101:6881
03/23/2020-19:51:27.146873 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:37831 -> 96.45.83.246:445
03/23/2020-19:53:21.140064 [] [1:2010144:6] ET P2P Vuze BT UDP Connection (5) [] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.101:38820 -> 62.138.0.158:6969
03/23/2020-19:53:27.149743 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:51314 -> 96.45.83.246:445
03/23/2020-19:55:27.159739 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:18419 -> 96.45.83.246:445
03/23/2020-19:57:27.155492 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:16715 -> 96.45.83.246:445
03/23/2020-19:59:27.160612 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:41274 -> 96.45.83.246:445
03/23/2020-20:01:27.154869 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:11083 -> 96.45.83.246:445
03/23/2020-20:03:27.156112 [] [1:2001569:15] ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection [] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.101:42136 -> 96.45.83.246:445
The alerts ended there. After the scan, it went to sleep. Until today:
SCAN TODAY WHERE IT WAS PLAYING BABY VIRUS
03/24/2020-18:57:43.804742 [] [1:13288:15] OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt [] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-18:57:43.804742 [] [1:2200024:2] SURICATA ICMPv4 unknown type [] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-18:57:43.804742 [] [1:13288:15] OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt [] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-18:57:43.804742 [] [1:2200024:2] SURICATA ICMPv4 unknown type [] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-19:05:21.844603 [] [1:13288:15] OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt [] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-19:05:21.844603 [] [1:2200024:2] SURICATA ICMPv4 unknown type [] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-19:05:21.844603 [] [1:13288:15] OS-WINDOWS Microsoft Windows remote kernel tcp/ip icmp vulnerability exploit attempt [] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
03/24/2020-19:05:21.844603 [] [1:2200024:2] SURICATA ICMPv4 unknown type [] [Classification: Generic Protocol Command Decode] [Priority: 3] {ICMP} 192.168.1.1:9 -> 224.0.0.1:0
FYI, you might not care or believe. But for your reference, this is probably due to me posting about time travelers. They exist and might even be sentient. 99% sure I picked the blue pill because there is no ****ing way this is real. And honestly, I don’t care about the IP addresses being posted because there is no way in *** I can defend my systems against attacks like this. Better to just have script kiddies in the mix confusing them.