Browser accessed remotely - Seeking advice on next steps

Post by zrlt » Tue Feb 03, 2026 3:09 pm

Hello,

I am a new Gentoo user (been using it as my daily driver for about a month).

A couple of days ago, I noticed my Firefox browser seemingly being operated remotely. I use tridactyl to control my browser using the keyboard. On an idle system with a github page opened on my browser, I noticed the popup usually triggered by pressing <w>, which gives a selection of urls to be opened in a new window.

Then, this popup disappeared, usually done by pressing <Esc>. From this, I infer that this was not a case of some random key presses being sent over, but rather, the attacker could see the graphical contents of my screen. Then, hints to various links on the page appeared, usually triggered by pressing <f>. Then, I guess one of the links was followed, because a different part of the github page appeared. Then, hints to links appeared again and then nothing happened for a couple of secs. At this point, I powered off my system, and since then only accessed it with internet access disabled to inspect the logs for any useful info, to no success.

I am not very knowledgeable about security, but I was probably totally compromised in this scenario :(. Still, I just would like to get some insights from others instead of just spiraling on my own, to ensure that this does not happen again. What could have been the most likely attack vector in this scenario? Can such a thing occur by just opening a shady website or would it have needed a download of a malicious file or software package? Do I need to scan all my files for malware now? Would it make sense to use some intrusion detection tools on my local network?

Some details about my setup and what was running on the system at that point:

1. Since the attacker seemed to have access to the screen contents, maybe the display server setup is relevant. I use a wayland compositor.
2. I was running firefox inside firejail. There was another firefox process running with a different profile (also within firejail) in which a couple of streaming sites recommended by r/piracy were running. I should mention that this streaming setup was running without firejail (an oversight from me) a few days prior to this. I guess this could be the source of the attack and I know it's on me if it was, but I checked these URLs on VirusTotal, I had uBlock running and I assumed that Firefox's features like site isolation etc. would keep me safe :(
3. I was connected to my home wifi and was using a VPN service with Local Network Sharing enabled, which means my device would be accessible on the LAN even with the VPN turned on.
4. As far as network services are concerned, sshd was inactive. There was no active firewall. I never installed any remote desktop software. But the syncthing user service was on. I should mention that I had set up and configured the syncthing service and the related web GUI just a couple of days prior to this incident. So apart from the streaming sites, I see this as the other probable source since that was the only network service that was running at that point.

Thanks very much for sparing your time to read this! Any insights and tips for my next setup are greatly appreciated!
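
As an added example (not part of the original post), one way to check which services on a setup like the one described above are bound to addresses other hosts can reach: a shell function that classifies `ss -H -tuln` output as loopback-only or exposed. The sample lines are constructed and modeled on Syncthing's default ports; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify listening sockets as loopback-only (LOCAL) or
# bound to an address other hosts can reach (EXPOSED).
# On a live system:  ss -H -tuln | classify_listeners

# Reads lines in the format printed by `ss -H -tuln` on stdin.
classify_listeners() {
    awk '
    NF >= 5 {
        addr = $5
        sub(/:[^:]*$/, "", addr)   # drop the trailing :port
        sub(/%.*$/, "", addr)      # drop an interface scope such as %lo
        if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
            verdict = "LOCAL"
        else
            verdict = "EXPOSED"    # wildcard or a non-loopback address
        print verdict, $1, $5
    }'
}

# Prints the number of sockets bound to a non-loopback address.
count_exposed() {
    classify_listeners | awk '$1 == "EXPOSED" { n++ } END { print n + 0 }'
}

# Constructed sample (not captured from a real host): Syncthing defaults
# (GUI on 127.0.0.1:8384, sync on 22000 tcp/udp, discovery on 21027/udp)
# plus two loopback-only services for contrast.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:21027      0.0.0.0:*
udp   UNCONN 0      0                  *:22000            *:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:8384       0.0.0.0:*
tcp   LISTEN 0      4096               *:22000            *:*
tcp   LISTEN 0      128            [::1]:631           [::]:*
EOF
}

sample_ss_output | classify_listeners
```

Anything reported as EXPOSED is bound to a wildcard or non-loopback address, so with no firewall active it is reachable by other hosts on the same network.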
Post by pietinger » Tue Feb 03, 2026 10:43 pm

zrlt,

Welcome to Gentoo Forums! :D
zrlt wrote: [...] [1] What could have been the most likely attack vector in this scenario? [2] Can such a thing occur by just opening a shady website or would it have needed a download of a malicious file or software package? [3] Do I need to scan all my files for malware now? [4] Would it make sense to use some intrusion detection tools on my local network?
[...]
Any insights and tips for my next setup are greatly appreciated!
Please take all my answers as my personal view (which could be wrong) ... :lol:

1. See number 2
2. Yes ... with a security related bug in your browser (AFAIK every browser has) it is sufficient to browse an evil website ... no download necessary.
3. No ... You should format every partition and install completely new from a booted LiveCD (and pray that they didn't leave anything in your NVRAM).
4. An IDS will tell you AFTER an intrusion has happened ... Install AppArmor or SELinux ... maybe read my suggestions here:
https://wiki.gentoo.org/wiki/User:Pieti ... ne_Attacks
https://wiki.gentoo.org/wiki/User:Pietinger --> New at Gentoo
Post by Banana » Wed Feb 04, 2026 3:18 pm

Not to say you are wrong, but what are the hard facts that this is a real attack? Software can malfunction, hardware can sometimes misbehave and sometimes it is just a lack of sleep.
So before going down the rabbit hole of being attacked, try to verify that it is indeed an attack.

Does it happen again?
Does it happen, if possible, with other networks?
Does it happen if you use other input hardware?
Post by sam_ » Wed Feb 04, 2026 3:41 pm

Banana wrote:
Not to say you are wrong, but what are the hard facts that this is a real attack? Software can malfunction, hardware can sometimes misbehave and sometimes it is just a lack of sleep.
So before going down the rabbit hole of being attacked, try to verify that it is indeed an attack.

Does it happen again?
Does it happen, if possible, with other networks?
Does it happen if you use other input hardware?
I was going to say the same thing. Especially as a compromise would not generally need anything to be displayed to you, so it would either have to be done deliberately, or as a very unlikely requirement of an attack vector.

Often when people report issues like this, they ended up having some USB receiver plugged in for a mouse or keyboard they forgot about, or a key got stuck, etc.
Post by NeddySeagoon » Thu Feb 05, 2026 12:08 pm

zrlt,

It's unlikely to be a compromise.
Attackers usually keep quiet about getting into your system.
They want to use it for their own purposes, spam, botnet, bitcoin mining, whatever.
They can't do that once you know that they are there.

However, that's a probability. If you want certainty you have two options.
1. Restore from your last known clean backups.
2. Reinstall from scratch.
Regards,

NeddySeagoon

Post by zrlt » Thu Feb 12, 2026 4:48 pm

Apologies for the late response. I was on the road and could not find time to post.

Thank you all for the responses!
pietinger wrote: maybe read my suggestions here:
https://wiki.gentoo.org/wiki/User:Pieti ... ne_Attacks
Thank you, pietinger, for the link. It's a very good resource for beginners like me. I will definitely try and implement some of the suggestions in there! :)
Banana wrote: Not to say you are wrong, but what are the hard facts that this is a real attack?
I do not yet have hard facts, only conjecture. Around the time this happened, apparently one of the streaming sites that was open on my browser was trying to get users to download potential malware: <removed by admin - see below>. So, my guess is that the attacker was trying to download the same file onto my pc using the extension I mentioned. Exactly how this was done is still something I need to figure out.

All in all, I am just going to do a fresh gentoo install and move on. So far, it looks like not much damage has been done. Again, thanks to all who shared their thoughts! I will post again if I dig up anything insightful.

[Administrator edit: removed link to Reddit. Per guidelines, piracy discussions are not appropriate on the Gentoo forums. I left the original mention of reddit piracy untouched because it was vague, but the URL stripped above led to more specific content, including citing a specific domain (albeit one that was distributing malware). -Hu]