We have ESXi version 5.0 machines which are managed by vCenter installed on a Win2008 R2 server. We have a network monitoring system which monitors all traffic between vCenter and ESXi. Lately we have observed large files moving from the ESX service console IP to the vCenter server. After analysing these files, they seem to be malware files (trojans, viruses etc). The vCenter server communicates with the ESX service console at TCP port 902, and the service console seems to be sending these malware files back from ESX to vCenter. After extracting these files from the network monitoring system, our antivirus triggers, indicating various kinds of viruses, trojans etc.
The vCenter has antivirus installed, which didn't detect any virus installed on the server after a full scan. This is very strange. We have shut down the vCenter and we need to monitor traffic for a few days to see how it goes.
Did anyone in the community encounter similar issues before? I would appreciate any feedback because it's scary!!!
Thanks a lot
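As an added example that is not part of the original thread: the observation above (large volumes returned on the TCP 902 management channel from an ESX host) can be turned into a simple triage rule over the flow records a network monitor exports. The record format, the host addresses and the 10 MiB threshold below are all assumptions; the flow lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed addresses for the example (not from the original thread).
ESX_HOSTS = {"10.0.0.11", "10.0.0.12"}   # service-console IPs of the ESX hosts
VCENTER = "10.0.0.5"                       # vCenter server
MGMT_PORT = 902                            # vCenter -> host agent channel
THRESHOLD_BYTES = 10 * 1024 * 1024         # flag > 10 MiB returned by the host in one flow

# Constructed bidirectional flow records:
#   <timestamp> <client ip:port> > <server ip:port> <bytes client->server> <bytes server->client>
SAMPLE_FLOWS = """\
2012-03-01T10:00:01 10.0.0.5:53011 > 10.0.0.11:902 1240 2048
2012-03-01T10:00:05 10.0.0.5:53012 > 10.0.0.11:902 3000 48000000
2012-03-01T10:00:09 10.0.0.5:53013 > 10.0.0.12:902 900 1500
2012-03-01T10:01:10 10.0.0.5:53014 > 10.0.0.11:902 2500 31000000
2012-03-01T10:01:40 10.0.0.20:40000 > 10.0.0.12:902 500 25000000
2012-03-01T10:02:00 10.0.0.5:53015 > 10.0.0.12:443 1000 15000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<cip>[\d.]+):(?P<cport>\d+)\s*>\s*"
    r"(?P<sip>[\d.]+):(?P<sport>\d+)\s+(?P<out>\d+)\s+(?P<in>\d+)$"
)


def parse_flows(text):
    """Parse the constructed flow format into dicts; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append({
            "ts": m["ts"],
            "client": m["cip"],
            "server": m["sip"],
            "sport": int(m["sport"]),
            "bytes_to_server": int(m["out"]),
            "bytes_from_server": int(m["in"]),
        })
    return flows


def find_large_host_to_vcenter(flows, threshold=THRESHOLD_BYTES):
    """Flows on the 902 channel where an ESX host returned more than `threshold` bytes.

    Any client is reported, not only vCenter: a large pull from an unexpected
    client address is worth a look on its own.
    """
    return [
        f for f in flows
        if f["sport"] == MGMT_PORT
        and f["server"] in ESX_HOSTS
        and f["bytes_from_server"] >= threshold
    ]


def bytes_per_host(flows):
    """Total bytes each ESX host sent back over port 902, for a per-host baseline."""
    totals = defaultdict(int)
    for f in flows:
        if f["sport"] == MGMT_PORT and f["server"] in ESX_HOSTS:
            totals[f["server"]] += f["bytes_from_server"]
    return dict(totals)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in find_large_host_to_vcenter(flows):
        print(f"{hit['ts']} {hit['server']}:902 -> {hit['client']} "
              f"returned {hit['bytes_from_server']} bytes")
    print(bytes_per_host(flows))
```

Running it over a few days of exported flows gives the per-host baseline the poster wants before switching vCenter back on, and the flagged flows are the ones whose payload should be carved and hashed.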
Are you sure that malware was not embedded inside VMDK data? Or maybe ISO files used to install something?
Thanks for your feedback. I'm not an expert in VMware. I'm the guy who monitors the network traffic between vCenter and the ESX machines, so I need some clarifications about your questions:
As I understand, VMDK files are images (or snapshots) of the disks of the various virtual machines that reside on the ESX servers. Is this correct? Also, do these VMDK files get transferred (maybe for backup purposes) from the ESX servers to the vCenter machine? If this is the case, then your assumption that malware might be embedded in the VMDK might be correct.
I would appreciate your feedback on the above.
Thanks a lot
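As an added example that is not part of the original thread: the question raised in the two posts above (is the antivirus hitting on a standalone file, or on a disk image or ISO that happens to contain infected guest data?) can be answered for each carved file by checking its container signature before reading the AV verdict. The signatures used are public format constants: a VMDK descriptor starts with "# Disk DescriptorFile", a VMDK sparse extent with the magic "KDMV" (older ESX extents use "COWD"), an ISO 9660 image carries "CD001" at sector 16, and a Windows executable starts with "MZ". The sample blobs are constructed and the `triage` helper is an assumed name.

```python
import hashlib

DESCRIPTOR_SIG = b"# Disk DescriptorFile"   # text descriptor of a VMDK
SPARSE_MAGIC = b"KDMV"                      # 0x564d444b little-endian, hosted sparse extent
COWD_MAGIC = b"COWD"                        # 0x44574f43 little-endian, ESX sparse extent
ISO_PVD_OFFSET = 0x8000                     # primary volume descriptor at sector 16
ISO_ID = b"CD001"
CONTAINER_KINDS = {"vmdk-descriptor", "vmdk-sparse-extent", "iso9660"}


def classify(blob):
    """Return a coarse file kind from the leading bytes (and the ISO PVD sector)."""
    head = blob[:32]
    if head.startswith(DESCRIPTOR_SIG):
        return "vmdk-descriptor"
    if head.startswith(SPARSE_MAGIC) or head.startswith(COWD_MAGIC):
        return "vmdk-sparse-extent"
    pvd_end = ISO_PVD_OFFSET + 6
    if (len(blob) >= pvd_end
            and blob[ISO_PVD_OFFSET] == 1                     # type 1 = primary descriptor
            and blob[ISO_PVD_OFFSET + 1:pvd_end] == ISO_ID):
        return "iso9660"
    if head.startswith(b"MZ"):
        return "pe-executable"
    return "unknown"


def triage(name, blob):
    """Hash and label one carved file; `container` says whether an AV hit
    would refer to data inside a disk image rather than to the file itself."""
    kind = classify(blob)
    return {
        "name": name,
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "kind": kind,
        "container": kind in CONTAINER_KINDS,
    }


# Constructed sample blobs standing in for files carved from the monitor.
SAMPLES = {
    "vm1.vmdk": DESCRIPTOR_SIG + b"\nversion=1\n",
    "vm1-s001.vmdk": SPARSE_MAGIC + b"\x01\x00\x00\x00" + b"\x00" * 1024,
    "tools.iso": b"\x00" * ISO_PVD_OFFSET + b"\x01" + ISO_ID + b"\x01" + b"\x00" * 64,
    "dropped.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "blob.bin": b"\x7fELF" + b"\x00" * 16,
}


def triage_all(samples=SAMPLES):
    return [triage(name, blob) for name, blob in samples.items()]


if __name__ == "__main__":
    for rec in triage_all():
        flag = "container" if rec["container"] else "standalone"
        print(f"{rec['name']:16} {rec['kind']:20} {flag:10} {rec['sha256'][:16]}...")
```

If most of the flagged files classify as VMDK extents or ISOs, the AV alerts describe guest-disk or installer contents moving over the management channel, which is a different question from the vCenter host itself being compromised; the SHA-256 values give something stable to compare against the AV report and across days of captures.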