It all started when I started trying to lock down my FW because of all the extra unexplained traffic I was seeing, and ended with me catching someone logged into my network who then began recklessly deleting files from many of my PCs, wrecked my QNAP NAS … etc. My MacBook then got infected … the BIOS on my main PC was re-flashed and won’t accept a stock flash anymore … my routers got themselves new, shitty (I’m guessing backdoored) firmware -- and the best part is these folks seem to be able to get in even when I disconnect the network cable -- I purposely didn’t include WiFi or Bluetooth on this PC (Ryzen 7 & Asus Prime X370-Pro).
Pulled ALL the drives, reinstalled everything on fresh drives -- it’s still there. I see SSH connections on any OS -- even live CDs -- all using UNIX ports and the “MIT Magic cookie” -- which I’m not sure what that even is, or how they’re doing it. They always create weird files under /TMP/ -- always .ICE_UNIX and a few others.
Attached are the Kaspersky KRD logs -- which have not been able to detect anything, and I’d possibly go as far as to say KRD is being controlled by the rootkit.
Can anyone let me know if they see anything? This has been one hard mofo to track down, but I’m sure it’s there.
I’ll follow up w/ some pictures.
Thanks all! This one has been crazy!
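The post mentions hidden directories under /tmp and an "MIT Magic cookie". For anyone triaging the same observations, the script below is an added example (editor-supplied, not code from the original poster). It assumes a Linux box with GNU stat(1); the directory names it knows about (.X11-unix, .ICE-unix, .XIM-unix, .font-unix) are the ones the X.Org server, the ICE library and the X font/input services create for their Unix-domain sockets, and "MIT-MAGIC-COOKIE-1" is the name of the standard X11 authorization method that xauth(1) lists. The script checks that those directories have the layout X11 expects (directory, mode 1777), flags any other hidden entry under the given directory, and, only when run with --live, lists listening Unix-domain sockets and xauth entries so the poster can see which processes actually own them.

```shell
#!/bin/sh
# Editor-added triage helper for the /tmp artifacts described in the post.
# Assumptions: Linux, GNU coreutils stat(1); ss(8) and xauth(1) are optional.

# Hidden directories that X11/ICE create under /tmp for their Unix sockets.
KNOWN_X_DIRS=".X11-unix .ICE-unix .XIM-unix .font-unix"

# check_x_dirs DIR
# For each known X/ICE directory under DIR print one line:
#   ok NAME        -> directory with the expected sticky world-writable mode 1777
#   suspect NAME   -> exists but is not a directory or has a different mode
#   absent NAME    -> not present (normal on a box with no X session)
check_x_dirs() {
    dir="$1"
    for name in $KNOWN_X_DIRS; do
        p="$dir/$name"
        if [ ! -e "$p" ]; then
            echo "absent $name"
        elif [ -d "$p" ] && [ "$(stat -c '%a' "$p")" = "1777" ]; then
            echo "ok $name owner=$(stat -c '%U:%G' "$p")"
        else
            echo "suspect $name owner=$(stat -c '%U:%G' "$p") mode=$(stat -c '%a' "$p")"
        fi
    done
}

# unknown_tmp_dotdirs DIR
# Print every hidden entry directly under DIR whose name is not one of the
# known X/ICE directories (a misspelled or look-alike name shows up here).
unknown_tmp_dotdirs() {
    dir="$1"
    for p in "$dir"/.[!.]*; do
        [ -e "$p" ] || continue
        name=${p##*/}
        case " $KNOWN_X_DIRS " in
            *" $name "*) ;;
            *) echo "$name" ;;
        esac
    done
}

# live_checks
# Show who owns the Unix-domain sockets in the X directories, which processes
# listen on Unix sockets, and which X authorization cookies the current user
# holds. Only informational; nothing here is a verdict.
live_checks() {
    for name in $KNOWN_X_DIRS; do
        [ -d "/tmp/$name" ] || continue
        echo "== sockets in /tmp/$name =="
        find "/tmp/$name" -type s -exec stat -c '%U:%G %n' {} \; 2>/dev/null
    done
    if command -v ss >/dev/null 2>&1; then
        echo "== listening Unix-domain sockets (with owning process) =="
        ss -xlp 2>/dev/null
    fi
    if command -v xauth >/dev/null 2>&1; then
        echo "== X authorization entries (MIT-MAGIC-COOKIE-1 is the normal type) =="
        xauth list 2>/dev/null
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_x_dirs /tmp
    unknown_tmp_dotdirs /tmp
    live_checks
fi
```

Run it as `sh triage.sh --live` on the affected machine. A "suspect" line means the entry is not shaped the way X11 sets it up, and an entry from `unknown_tmp_dotdirs` is something other than the four standard directories; both are what to look at first, together with the process names `ss -xlp` attaches to each socket.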