Working online, my notebook crashed. The keyboard, mouse, and touchpad have been disabled. All blocked. It was impossible to turn it off.
A transparent blue filter covered half of the screen. The system started to work as if it were remote. I could see the mouse cursor clicking around the page of the website I was working on (Webflow) and finally closing it.
It was as if a threatening actor was invading the system and started working on my computer.
They accessed my private data, opening files, Evolution, e-diagnostics, apps, etc. The “Home Bank” App (I never used it) was opened several times during this event.
I could see the mouse cursor moving around the screen, spying on the system. I’m sure someone was accessing my notebook remotely. It was really spooky! I was scared.
Is this a cyber threat? A malicious attack? Is Endless vulnerable to working online?
At some point I managed to enter the terminal and ask for eos-diagnostics, some time later I managed to turn the machine off. I made another eos-diagnostics when I logged in again.
Attached the first one.
I made a video during the event with my cell phone. I attached some screenshots of it.
In general, Endless OS is, due to its architecture, one of the most secure operating systems available (OSTree based, applications sandboxed), so I highly doubt that someone intruded into your system.
But, nonetheless, I would love to investigate this case further. Please upload the video you made to some file sharing platform and post a link to it.
From what I’ve read in the logs, there’s no obvious attack vector open on your system:
- SSH is disabled, VNC is disabled
- You are behind a NAT firewall, so nobody can directly access your system from the outside if no port mapping has been established on the router
- No problematic processes running
Please also tell us more about your environment - were you connected to your private network? Were other persons also using this network at the same time? Are you the owner of the device? Had anyone except you physical access to the device? Have you left your device out of sight in an unsecure place recently?
Thank you, Egrath for your response and attention.
First of all, I would like to say that I love the educational purpose of Endless.
I am an Educator working with images (Photographer / Designer). I love GIMP, INKS, BLENDER.
I would love to keep working with this system, which is new to me.
Answering your questions:
I live with my sister; she is a manager, therefore our network service must be very secure. Our connection is private, we have a personal password and we never, never use public wi-fi. We have used the same net service for years and have never had any security issues.
I work with my notebook at home. I am the only person who uses it. We have not received anyone in our home these past months. No one else is using this network besides my sister and me. My sister basically works on her cell phone. She has a PC that she hardly ever uses.
I would like to ask a few questions if you don’t mind:
1- I was reading the eos-diagnostic today and noticed this warning (just at the time the event began) -15:12.
Is this relevant?:
Jan 09 15:12:19 endless gnome-shell: Window manager warning: last_user_time (6884369) is greater than comparison timestamp (6884311). This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW. Trying to work around…
Jan 09 15:12:19 endless gnome-shell: Window manager warning: 0x1a00010 appears to be one of the offending windows with a timestamp of 6884369. Working around…
2- Is it possible (if there had been an intruder) to change the logs, deleting the attack vector to make the diagnostic appear to be normal?
3- I was working online on a web design platform, Webflow. There is no need to download anything; we work in the cloud. I was inside my Dashboard working on a new project when the sinister event started. This can be seen in the first video.
Could it be possible that the system presented a vulnerability when having to work on software/platforms in the cloud, allowing the opening of a “door” for the attack?
I’m sorry for the bad word in the video, I was really surprised, in shock (and also for its poor quality).
This is the second time this has happened, although the first event was not as obvious.
Please, I would like to know your conclusions about what happened.
Thanks for diligently recording and sharing these videos. It must have been really jarring to see this!
However, I’m rather confident you don’t have to worry about a malicious attacker at play here. Watching the videos, there is a sort of pattern to the mouse movements which is familiar to me (and likely others who have worked on touchpad drivers) - the rhythm at which they appear, and the movements which are somewhat random and largely diagonal. In brief, your touchpad is going crazy and reporting all kinds of movements and clicks.
I’d comfortably reached that conclusion before I looked at your log, but that also confirms it with many messages like:
(EE) event12 - SYNA7DB5:01 06CB:CD41 Touchpad: kernel bug: Touch jump detected and discarded.
So I think what you need to look at here is if there is a likely hardware issue with your touchpad. If it was a one-off then it may not be worth your time worrying about, but if it happens repeatedly then you could look at the warranty details of your PC to see if it can be repaired.
And if it does happen again and you would like to rule out the possibility of a remote attacker, is it possible for you to unplug your WiFi router / access point for a few minutes, just as a test? You will see that the mouse movements continue even though the computer does not have any connectivity.
And the blue overlay on the right half of the screen is because a window was dragged to the right hand side. You can see this by dragging the title bar of any window over to the very right edge of the screen. Before you release the mouse, it will draw that blue overlay, indicating that you’re about to put that window in that precise right-aligned position.
In your case though, the highly erratic mouse movements appear to have confused the system in a way that the blue overlay does not disappear as it normally would, and the ensuing confusion within the system is potentially why there are many gnome/window-related warning messages in the log.
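To show how the log evidence described in this answer can be checked systematically, here is an added triage script that is not part of the original thread or of Endless OS: it scans journal text for the libinput touch-jump errors, the gnome-shell window-manager warnings and any lines that would indicate a real remote session. The sample log lines and the remote-session patterns are constructed assumptions, not taken from the poster's diagnostics file.

```python
import re
from collections import Counter

# Constructed sample journal lines in the style of the eos-diagnostics excerpt quoted in this thread.
SAMPLE_LOG = """\
Jan 09 15:12:19 endless gnome-shell: Window manager warning: last_user_time (6884369) is greater than comparison timestamp (6884311). This most likely represents a buggy client sending inaccurate timestamps in messages such as _NET_ACTIVE_WINDOW. Trying to work around...
Jan 09 15:12:19 endless gnome-shell: Window manager warning: 0x1a00010 appears to be one of the offending windows with a timestamp of 6884369. Working around...
Jan 09 15:12:20 endless gdm-x-session[1042]: (EE) event12 - SYNA7DB5:01 06CB:CD41 Touchpad: kernel bug: Touch jump detected and discarded.
Jan 09 15:12:20 endless gdm-x-session[1042]: (EE) event12 - SYNA7DB5:01 06CB:CD41 Touchpad: kernel bug: Touch jump detected and discarded.
Jan 09 15:12:23 endless gdm-x-session[1042]: (EE) event12 - SYNA7DB5:01 06CB:CD41 Touchpad: kernel bug: Touch jump detected and discarded.
"""

# libinput reports each discarded touch jump per event node; the device name precedes ": kernel bug:".
TOUCH_JUMP = re.compile(r"\(EE\) (?P<node>event\d+) - (?P<device>.+?): kernel bug: Touch jump detected and discarded")
WM_WARNING = re.compile(r"gnome-shell: Window manager warning:")
# Assumed patterns for lines that would indicate a real remote session (none appear in the sample above).
REMOTE_SESSION = re.compile(r"sshd\[\d+\]: Accepted |vino-server|gnome-remote-desktop|x11vnc")
TIMESTAMP = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")

def triage(log_text):
    """Tally touch-jump faults per device, window-manager warnings and remote-session lines."""
    jumps = Counter()
    first_jump = None
    wm_warnings = 0
    remote = []
    for line in log_text.splitlines():
        m = TOUCH_JUMP.search(line)
        if m:
            jumps[m.group("device")] += 1
            if first_jump is None:
                t = TIMESTAMP.match(line)
                first_jump = t.group("ts") if t else None
        if WM_WARNING.search(line):
            wm_warnings += 1
        if REMOTE_SESSION.search(line):
            remote.append(line)
    # Remote-session evidence outranks a touchpad fault; without either, the excerpt is inconclusive.
    if remote:
        verdict = "remote session evidence present; investigate further"
    elif jumps:
        verdict = "erratic pointer consistent with a faulty touchpad"
    else:
        verdict = "no input-device fault or remote session found in this excerpt"
    return {"touch_jumps": dict(jumps), "first_jump": first_jump,
            "wm_warnings": wm_warnings, "remote_lines": remote, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On a real machine the same function can be fed the output of `journalctl -b` or the contents of the eos-diagnostics file; the time of the first touch jump can then be compared with when the erratic cursor movement started.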
I can second @Daniel's explanation; it seems to me like your touchpad has gone crazy due to some hardware issue. Especially in the beginning, there’s a pattern in the movement, going diagonal in movement and back.
Thank you for your attention and orientation.
Information Technology is not my field of expertise; moreover, I am a newbie to Endless, thus I may trust and follow your guidance.
Answering your question:
Yes, it is possible to unplug my WiFi router; I didn’t do it due to the goal of recording the videos for you.
Let’s hope it won’t happen again; in case it does, I will follow your suggestions.