Update 9/18/2020: To future Googlers, this was determined to be an IT overreaction and I should not have posted it without proper research. The issue was likely our firewall incorrectly identifying a mirror server as malicious.
A few days ago I was installing Manjaro KDE on my laptop. I downloaded the manjaro-kde-20.0.3-200606-linux56.iso from the OSDN link, flashed it on Windows 10 using Rufus, and ran the install off of a freshly formatted flash drive.
I finished the install over my employer’s guest network, and within 5 minutes of booting into the system our IT director was in my office asking why a device called Manjaro was attempting to break through our firewall into the production network and install malware on the server. I immediately disconnected from WiFi, and wanting to get as far away from the issue as possible I downloaded ArcolinuxD, flashed it from my Android phone, and installed that over Manjaro. My IT has confirmed no further suspicious activity since.
I am not sure whether the issue lies with Manjaro, or possibly with some pre-existing malware in my Windows 10 or Rufus installs, and since this is my personal machine I really don’t want to take any further risks to test this on our company network, and don’t really know how to identify the issue myself. I would really like to get my laptop running Manjaro, but I am nervous to try it again. Like an idiot, I did not verify the SHA1SUM of the ISO file, and the file was wiped out when I installed over Windows.
Since I am not really in a position to check in on this, I wanted to put this out here in case someone with Manjaro wants to investigate. I am hopeful that any issues may have been eliminated with the new ISO that was just posted as I type this.
For me it would be interesting to know why 20.0.3-200606 of our KDE build should have any malware. It can also happen with the tools flashing it to your USB. We mostly use Etcher to create USB sticks. All our ISOs get generated by using our tools:
Additionally we have all our profiles used to configure the ISOs public:
As a company we work together with many hardware vendors and check ISOs on a regular basis to be secure. ArcolinuxD most likely has a newer build than 20.0.3 was. You may try the 20.1 release to check.
However, it would be great to know if your IT department would be able to be more specific on what had happened. We will also check that particular ISO from our end.
The ‘IT guys’ saw their firewall asking for a new device accessing the internet probably, and deduced it was an attack through their production network installing malware on the servers lol. Probably/surely something along these lines… We may never know.
It turns out my IT manager was maybe being a little overdramatic about the nature of the issue. As best we can tell, there was no actual attack on the network. He just received a notice from the firewall that my device was connecting to a server that had been identified as potentially malicious, though apparently it did not actually log the URL/IP address of the server.
The email he received from the firewall read as follows:
A threat has been detected in your network
The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
· Enables remote access
Affected Operating Systems
The threat is associated with the command and control servers used by malware.
Note: C2/Generic-A is not detection of a malware payload on an infected machine.
Firewall is blocking network traffic (reputation or IPS filtering) to a remote machine believed to be a C&C server. The alert indicates that a machine within the network is compromised with malware.
My best guess would be that maybe one of the international mirror servers was on our firewall’s blacklist and triggered this alert when the pacman-mirror command pinged it, especially given that the Manjaro device name suggests that I was still in the live environment when this alert was triggered.
Sorry for the potentially inflammatory post. I should have done some more digging before making this public.