kris_wk

Everything posted by kris_wk

  1. Yeah those were the same... I'll try to pull mine up but my Unraid has been turned off for months while I learn how to get my family vids and pics off with Unraid writing over everything... long story which I think I described above..
  2. Those exact same things are happening to me... I bid you good luck on finding someone who can help. IDK who to even ask. I don't think AV companies do this, I don't know who to talk to. I've tried to ask people smarter and better at this than me and they all think I'm fuckin crazy so I've decided to start a cybersec career by learning as much as I can. I have a million books, and a TryHackMe sub. f*ck it.... I hope I learn fast cuz I deadass wanna dedicate my life to helping anyone getting exploited by these lazy ass threat actors lol and this was not directed at the gentleman who tried to help me with what was normal in Linux. I appreciate that schooling cuz I needed something to be normal. I gotta screenshot the crazy stuff though because it's undeniable now.
  3. That's what jumped out to me.. Had the same issue and I think it's so they can do stuff that would normally slow down the network, CPU, etc... but since they de-synced everything, I hardly even notice.
  4. Oh yeah and I forgot, the way they have it set up, somehow used ChromeOS, at least in my case. Maybe it's how they can keep their OS small and in firmware, IDK. They spoof all my stuff anyways, why not. Ugh, I wish this on no man. Especially if I find out it's someone local hacking from down the fucking street. Oh, better hope that's not it. This whole Avahi thing, well it doesn't stop at Linux. They're using ICMP or whatever it is and IPv6 UDP connections to do whatever.... probably to stream your desktops. I have no clue. They make you think you're updating shit but you're probably not. Any time I restart they just revert it back anyways. God. I hate this shit. I don't trust anything on my PCs. I fucking hate it cuz I love computers.. It's been my passion forever, I just wish I would've stuck w it instead of getting an Xbox 360 lol. If anyone wants proof let me know. I'll find as much as I can. My next step is learning Volatility, dnSpy.... memory dump reading and .NET program shit idk. Blue team go I guess..
  5. I was one of those posts and after learning way more about everything involving cybersecurity, malware, etc., as well as essentially deciding to change my career completely into cybersec because there is NO ONE that's gonna help me with this, so I'm going to learn it my damn self, especially because everyone assumes I'm exaggerating. Anyways.. So far, in my situation anyways, I believe it for sure started at my Unraid server but I have no logs or proof of entry points yet. I went blasting through a ton of files for things I KNOW shouldn't be on my Windows PCs and also installed Linux on a few of my PCs while I was learning all this stuff. AND got a friend's old MacBook Pro; they hacked into every single one. Wiping drives, secure erase, nothing removes this shit. I'm able to see this shit in the memory yet I still don't know enough to do anything. I'm pretty sure they got into firmware; they for SURE did on the MacBook by somehow installing 4 virtual drives into the BASE SYSTEM little tiny firmware chip like holy shit (They managed that while I was unfortunately in Recovery Mode, thanks Apple!) On Windows everything has been hidden and turned into DLLs using .NET. The only shitty thing is I have no real way of keeping track of it all, but I will gladly prove it to ANYONE who thinks I'm exaggerating. Whoever this is, they are everywhere on my network. I used to have a Netgear XR1000, but I got so nervous they got into it I went and bought TP-Link Omada equipment hoping to god I can shut some of this down with firewalls and VLANs. I have seen the proof of them having virtual drives that are somehow always starting ahead of everything else. Any time I made a new Linux installation, for instance, they immediately flood my /tmp with bullshit. Seems the first thing is always using CUPS, and if the internet goes down, they switch to using my mobile phone data over Bluetooth. But I can't see any of it happening in real time.
     The evidence is elsewhere when digging through all the shit I can. I used their own fucked up version of BusyBox to show me shit using something called DMAdecoder I think. I don't really know what half of the shit is they keep installing on my Linux installations but it's always the same. If I add something (like when I switched to Linux Mint, it came with BlueZ or whatever it is, a much nicer Bluetooth manager; when I went back to Ubuntu, guess what started installing every single time from then on... BlueZ or Blueman I think it's called, idk) it gets added to their list and becomes the whole pwned PC distro lol. I even found their log files for their own shit. From some magical tiny drive that mounted out of NOWHERE. This shit has just straight pissed me off, like I WANT TO USE MY HARDWARE. I have gigabit internet, they're taking half. I want to run VirtualBox and test out CTFs and just utilize this beautiful hardware I put together but I can't even run VirtualBox or VMware or MS Hyper-V. Why? Because they take it over every f*cking time, and make a ton of virtual networks and interfaces. I can't even put containers or Docker on my PCs, they always use these things and dig in deeper. I can see all the lowercase file names, why even attempt to hide, just gtfo of my network, I'm broke, I have zero use aside from hardware use and clearly they have that on lock. I built an 18TB Unraid server, I can't even fucking use it. I don't have a big enough imagination to come up with this shit in my head and I've never been paranoid in my whole life. I was a bit paranoid and nervous at first but I seriously just said fuck it. I hope they use my network and PCs to destroy some giant antivirus company. At this point, I think they're using our god damn iPhones or Androids nearby as a C2 server. They already cloned most of my usual programs but mostly just stuck to cloning Windows system files.
     They 100% used .NET to hide their exploits and malware which allows nothing to pick up on it and at this point, I have no way of getting rid of anything. I'm pretty savvy at computers but I started to believe these know-it-alls. Thinking it's in my head, these are just how modern PCs are now. I know how PCs feel when someone else isn't on them. I haven't felt that way in at least a year or two, maybe more, but I'll be damned if I let it get to me any more. I guess me, my wife and my kids get to just put up w this until I learn how to end it myself. I have way too many systems to just throw away and get fresh stuff, and frankly I no longer have the money to replace all of it. Some, yeah, but not as much as we have now. Where's Mr. Robot when you need him, he'd make them regret ever crossing my WAN port.
  6. Most likely originating from kids going on things they shouldn’t, and now I just don’t have a clue what to do about it. It’s like a fileless malware. I wipe everything and they still make it back on brand new installs. I clear CMOS, use new drives, OS installed from clean PCs and somehow they make it back.
  7. I was just misinformed. These observations strictly come from combing through files, picking out things that seemed weird. Once I did though, I started seeing everything had ELF at the beginning with tons of gibberish text. So I was definitely infected with malware. Now being actively hacked, but chances are high they've been here for a while and I just didn't notice. All my Windows machines had it too. They set up a domain using Active Directory, and a bunch of VMs, probably a cloud domain too. I don't use anything like this and most of my PCs had W10 Pro. My brain is just fried trying to figure this out.
  8. TL;DR If you're seeing constant logs from avahi-daemon, beware, you possibly got hacked. *Recent edits in blue after learning more and being schooled* Decided to just make a new thread for this since it came out way longer than I thought. I was originally going to leave it under this post which involved the exact same weird logs as me. I had the same exact log posts happen to me and I just discovered how deep it went after digging through my files. I had no idea what the hell was making all these avahi-daemon alerts but they happened with such frequency that I had to find out the cause. I needed to dig extremely hard to find anything whatsoever, which was hard enough for me not really knowing what I'm doing. It seems that at some point (my assumption anyway), I configured port forwarding incorrectly, leaving my server wide open. Unfortunately whoever got in, they were very quiet for a long time, but once my SMB shares went totally dead, I decided to scour every directory and lo and behold, tons of edited files, folders, hardlinks and symlinks. It all started with me trying to get rid of this random custom bridge that I was using and didn't even know it. There was no more docker0, only br0 and this "br-blahandnumbers" bridge. All my dockers were running through this bridge because somehow the 172.18.0.1 IP range was added to this bridge rather than my custom network I made for my proxying. No matter how I attempted to delete this thing, it would reappear. Deleted the network.cfg, changed ip routes, tried straight up deleting the interfaces through ifconfig, then even through ip link. I was slamming my head on the desk trying to figure this out. Eventually, I found out that my br0, bond0, virb0 and even my eth0 were broadcasting at a different subnet, for example, virb0 was 192.168.23.255 or something like that. My normal IP is 12.12.10.200 (not really) so eth0 really made no sense broadcasting out to 12.12.20.255.
     EDIT: This was incorrect now that I learned everything broadcasts from .255 (I AM indeed learning lol). Then there was some random tunl0. I wasn't sure if this was them or me with a misconfigured cloudflared tunnel but it was on the ip route feed but went nowhere. In fact it was [email protected]. I couldn't delete it either no matter how hard I tried. Whatever they did, they went super crazy hiding and faking a lot of aspects of Unraid. They faked syslogs, killed alerts, stole network bridges and locked them all down for their own use. They were definitely keeping track of what users were active at whatever time. They blacklisted a lot of the real files and scripts so that they wouldn't print unless it was to their own "rsyslog", or it was also so that Unraid, or myself, wouldn't be able to use anything they were utilizing. I'm glad I isolated half of my threads for my machines. At least it gave them a little less power. They had my share folders that pointed to a totally new user, "user0", who essentially was sudo regardless if they even figured out my password or not. (Clearly they got root or made some groups of their own.) This user wasn't in my Users section, that's for sure, yet they had that folder on my shares with that name. That was the only way I even knew about it. I would go through some of the files and I'm hit with TONS of gibberish code and peppered in between, they ran their own code. Seemed to be like bruteforcing through some of the tools in the system. Pushing right past anything in their way, it seemed, because they were able to have it all set up relatively clean. They were doing some sort of overflows to push themselves into root and then changed the real root folder to symlink to their made up folder, named simply.... " / ". This too was wrong, / is root, but in other distros recently they made a folder called rootfs which they locked me out of. They did similar things with just about every aspect of my system.
     (/usr/local/state/emhttp became /usr/local/sbin/emhttp). Leave me alone, I'm trying to learn still lol, this one also made no sense and I see that now. They really did a number on this server because damn near every single file was edited by them at some point (their permissions were different than any others so at a glance it would change how the list looked when using ls -alh to list all directories cleanly). Anything I would've tried to change would never take. Unless I went through the actual filesystem in the cmd line. They were doing something that involved compressing and uncompressing a lot of data, although these were earlier findings so I wasn't sure. Looking over some stuff it seems they were constantly trying to decrypt any and all hashed keys and passwords on all my storage. Not sure what they were hoping to find aside from just more access but it seems they changed tactics and took over their own section of the filesystems, hardware and even some of the network I guess. They are 100% utilizing Samba, avahi, winbindd (most likely just trying to jump to my other systems). They downloaded dozens of extra-curricular Linux tools for who knows why (chmod, chroot, tmux, b2sum, things like this). They enabled hugepages, which I assumed was to make this whole 'keeping whatever they're doing hidden by not slowing down my use too much' thing that much easier, while also possibly making whatever they're doing work better. I still don't understand this but I guess it's normal? At first I assumed cryptomining, or just using part of my system as a botnet. I saw some virtual machine stuff sprinkled in as well. All in all, I have no clue what they were doing for sure but it wasn't good. All these ideas and observations are coming from an advanced novice. Good with PCs and software, reading logs and figuring stuff out, but at the core, I really have no idea what any of it means or can mean.
     Whoever it was seems to be utilizing my IPv6 DNS resolver and avahi's mDNS to keep their connections alive through a hidden bridge talking back and forth to specific hostnames but I can't remember what they were. They locked me out of using IPv6 for SMB whatsoever. I assumed I was just having issues with it on my router. They've been in my system for months, judging by my older config's flash backup. They hit and hid just about everything. The only reason things started even appearing on my syslog was me deleting certain items. It started to break their scripts and files, which made errors pop up. Which then made me super curious.. I was able to really expose a lot of it by killing ip routes and attempting to erase these network bridges and bonds they were creating. I literally just found all this stuff yesterday but I got so freaked out and angry, that's why I started deleting whatever I could in the first place (stupid really cuz who does that help besides me). Unfortunately, in the process of trying to erase one of their newly created fake folders, "sbin", where /bin was linking to, I erased my own actual /bin folder and now I'm super worried I'm going to lose all my files. At least that's what I read when someone else erased the same folder. I wish I would've been able to get to the creating-a-backup aspect of having an Unraid system but really, I just started this whole process at the beginning of the year. I almost gave up on it completely until IBRACORP's videos reignited the flame. Made it a bit easier to understand, visualize, and the info is a little more modern than a lot of videos and information out there on the web. That helped tremendously so I must thank @Sycotix for that. The whole Ibra YT team I suppose.
     And now I'm more thankful to Black Hat conferences and all the ethical hackers on YouTube along with TryHackMe for teaching me even more stuff. I just very much hope any other people who come across these obnoxious logs from avahi-daemon take them seriously because even though they seem normal, when they repeat the way these were, there's clearly something wrong.
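A defender-side triage script, added here as an example and not part of kris_wk's post or of Unraid: it parses avahi-daemon syslog lines (the sample lines are constructed, using avahi's own join/leave wording) and flags interfaces that repeatedly leave and rejoin the mDNS multicast group, which is what "constant" avahi logs usually look like. Such churn normally means an interface is being torn down and recreated (Docker network changes, bridge reconfiguration), so the flagged names are what to compare against `ip link` and `docker network ls`; the 60-second window, the threshold and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog excerpt (not from the post); message wording follows avahi-daemon's.
SAMPLE_LOG = """\
Jan 12 10:00:01 tower avahi-daemon[1234]: Joining mDNS multicast group on interface br0.IPv4 with address 192.168.1.200.
Jan 12 10:00:01 tower avahi-daemon[1234]: New relevant interface br0.IPv4 for mDNS.
Jan 12 10:00:05 tower avahi-daemon[1234]: Joining mDNS multicast group on interface br-1a2b3c4d5e6f.IPv4 with address 172.18.0.1.
Jan 12 10:00:09 tower avahi-daemon[1234]: Leaving mDNS multicast group on interface br-1a2b3c4d5e6f.IPv4 with address 172.18.0.1.
Jan 12 10:00:13 tower avahi-daemon[1234]: Joining mDNS multicast group on interface br-1a2b3c4d5e6f.IPv4 with address 172.18.0.1.
Jan 12 10:00:17 tower avahi-daemon[1234]: Leaving mDNS multicast group on interface br-1a2b3c4d5e6f.IPv4 with address 172.18.0.1.
Jan 12 10:00:21 tower avahi-daemon[1234]: Joining mDNS multicast group on interface br-1a2b3c4d5e6f.IPv4 with address 172.18.0.1.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ avahi-daemon\[\d+\]: "
    r"(?P<event>Joining|Leaving) mDNS multicast group on interface "
    r"(?P<iface>\S+)\.(?P<family>IPv[46]) with address (?P<addr>\S+)\.$"
)

def parse_events(text, year=2024):
    """Yield (timestamp, iface, family, event, addr) for join/leave lines only; other avahi
    lines (address records, "relevant interface" notices) are ignored. Year is assumed: syslog omits it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["iface"], m["family"], m["event"], m["addr"]

def interfaces_seen(text):
    """Map each interface name to the addresses avahi announced on it (compare against `ip link`)."""
    seen = defaultdict(set)
    for _ts, iface, _family, _event, addr in parse_events(text):
        seen[iface].add(addr)
    return dict(seen)

def flapping_interfaces(text, window_s=60, max_leaves=1):
    """{iface: total_leaves} for interfaces leaving the mDNS group more than max_leaves times in window_s seconds."""
    leaves = defaultdict(list)
    for ts, iface, _family, event, _addr in parse_events(text):
        if event == "Leaving":
            leaves[iface].append(ts)
    flagged = {}
    for iface, times in leaves.items():  # syslog is chronological, so times are already in order
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s) > max_leaves:
                flagged[iface] = len(times)
                break
    return flagged
```

Run it over `/var/log/syslog` (or `journalctl -u avahi-daemon` output) instead of the sample; a bridge that is flagged but absent from `docker network ls` is the one to investigate.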