I run a Unifi UDM Pro as my firewall at home and a few weeks ago, I received a notification from my router describing an intrusion prevention and providing a signature for “ET MALWARE BPFDoor CnC Domain in DNS Lookup”. I took down all my servers (e.g. Ubuntu, Proxmox and Unraid) and researched the issue. I found a scrip on Github (https://github.com/rapid7/Rapid7-Labs/tree/main/BPFDoor) that helps detecting this malware. The script “found” traces of the malware on most of my servers, except one, which runs Ubuntu 24.04.4 LTS. I also tested my Unraid installation and it found traces of the malware, so it took me a few days but I wiped every disc (HHDs, USB, NVMEs) in the server and re-installed a fresh install of Unraid. After the server was back up and running, the first thing I did was to re-run the script and it found traces of the malware again! This is why I am wondering if this is not a false positive. The log file created by the script is attached, with a number of "CRITICAL" warnings, similar to what was found before the re-install. Any insight would be appreciated. Thank you.
bpfdoor_report_NewServer_2026-06-23_19-41-30.log