Hello, while my laptop was idling my Sophos UTM detected C&C traffic from that machine to a remote server, ftp.linux.org.tr.
Browsing to that ftp /manjaro blocks the traffic with the message:
"
ftp.linux.org.tr/manjaro/
The content is blocked due to the following condition:
You are trying to visit a URL that is normally only visited by a threat installed on a computer. Your computer may be infected with malware, please contact your administrator.
Report:
C2/Generic-A
"
Is it a false positive?
Is the ftp site recognized and well known?!
And why is my laptop talking to an ftp server while not in use in the first place?
Thanks in advance for your reply.
Manjaro systems come with Pamac - which handles the periodic check for updates - this is a background service - and you can disable the check - but doing so requires you to manually check for updates from time to time.
Another activity you will discover at some point is NetworkManager, which uses an internet address to discover if the network is up and connected ([apollo.archlinux.org] - if I recall correctly).
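A quick triage check for the alert above, added here as an example and not part of the answer: Pamac's update check talks to whichever package mirror is configured, so the first question is whether the flagged host is in pacman's mirrorlist. The script assumes the usual `Server = <scheme>://<host>/<path>` line format and uses a constructed sample mirrorlist rather than reading `/etc/pacman.d/mirrorlist` directly.

```shell
#!/bin/sh
# Added example (not from the forum thread): decide whether a hostname flagged by a
# C2 alert is simply one of the package mirrors configured in pacman's mirrorlist.
# Assumes the mirrorlist uses the usual "Server = <scheme>://<host>/<path>" lines.

# Print the hostnames of all active (non-commented) Server entries in a mirrorlist.
mirror_hosts() {
    grep -E '^[[:space:]]*Server[[:space:]]*=' "$1" \
        | sed -E 's#^[^=]*=[[:space:]]*[A-Za-z]+://([^/:]+).*#\1#'
}

# Return 0 if HOST is a configured mirror, 1 otherwise.
# Usage: is_configured_mirror MIRRORLIST HOST
is_configured_mirror() {
    mirror_hosts "$1" | grep -qxF "$2"
}

# Constructed sample mirrorlist, modelled on the format pacman-mirrors writes.
SAMPLE_MIRRORLIST="$(mktemp)"
trap 'rm -f "$SAMPLE_MIRRORLIST"' EXIT
cat > "$SAMPLE_MIRRORLIST" <<'EOF'
## Manjaro Linux mirrorlist (constructed sample)
## Country : Turkey
Server = http://ftp.linux.org.tr/manjaro/stable/$repo/$arch
## Country : Germany
Server = https://mirror.example.net/manjaro/stable/$repo/$arch
## Server = http://disabled.example.org/manjaro/stable/$repo/$arch
EOF

# Hosts to triage: the flagged mirror, a commented-out mirror, and an unknown host.
for h in ftp.linux.org.tr disabled.example.org unknown.example; do
    if is_configured_mirror "$SAMPLE_MIRRORLIST" "$h"; then
        echo "$h: configured package mirror (alert likely explained by the update check)"
    else
        echo "$h: NOT in mirrorlist (investigate further)"
    fi
done
```

On a real system, point `is_configured_mirror` at `/etc/pacman.d/mirrorlist`; a hit means the traffic matches what Pamac's background update check would produce, a miss means the host deserves a closer look.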
You can control which mirror(s) are used with the pacman-mirrors utility.
It will also connect to archlinux.org (not sure about the previously mentioned apollo.archlinux.org) periodically for connectivity checks.
The specific file is /usr/lib/NetworkManager/conf.d/20-connectivity.conf:
You can delete that file, comment it out, override it with a new file /etc/NetworkManager/conf.d/20-connectivity.conf, or increase the time between checks with e.g.: