pambosch
Contributor

Possible malware transferred between ESXi and Vcenter

We have ESXi version 5.0 machines which are managed by vCenter installed on a Win2008 R2 server. We have a network monitoring system which monitors all traffic between vCenter and ESXi. Lately we have observed large files moving from the ESX service console IP to the vCenter server. After analysing these files, they seem to be malware files (trojans, viruses etc.). The vCenter server communicates with the ESX service console at TCP port 902, and the service console seems to be sending these malware files back from ESX to vCenter. After extracting these files from the network monitoring system, our antivirus triggers, indicating various kinds of viruses, trojans etc.

The vCenter server has antivirus installed, which didn't detect any virus installed on the server after a full scan. This is very strange. We have shut down the vCenter server and we need to monitor traffic for a few days to see how it goes.

Has anyone in the community encountered similar issues before? I would appreciate any feedback because it's scary!!!

Thanks a lot

2 Replies
continuum
Immortal

Are you sure that malware was not embedded inside VMDK data? Or maybe in ISO files used to install something?

Do you need support with a recovery problem? Send a message via Skype: "sanbarrow"
pambosch
Contributor

@continuum

Dear sir,

Thanks for your feedback. I'm not an expert in VMware. I'm the guy who monitors the network traffic between vCenter and the ESX machines, so I need some clarifications about your questions:

As I understand it, VMDK files are images (or snapshots) of the disks of the various virtual machines that reside on the ESX servers. Is this correct? Also, do these VMDK files get transferred (maybe for backup purposes) from the ESX servers to the vCenter machine? If this is the case, then your assumption that malware might be embedded in the VMDK might be correct.

I would appreciate your feedback on the above.

Thanks a lot

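A small triage helper for the situation described in this thread, added here as an example and not written by either poster: before treating an antivirus hit on a blob extracted from the TCP/902 session as a compromised vCenter, check whether the blob is a virtual-disk container (VMDK sparse/COW extent, VMDK descriptor, ISO image) or a bare executable. The magic values come from the public VMDK and ISO 9660 formats; the sample blobs in `demo()` are constructed, and a flat VMFS extent has no header at all, so it deliberately lands in "unknown-or-raw".

```python
"""Classify blobs captured from a vCenter <-> ESX TCP/902 session.

Added example, not from the original thread. An AV hit inside a VMDK or ISO
means a guest disk or install medium carries malware, which is a different
problem from the vCenter host itself being infected.
"""
import struct

VMDK_SPARSE_MAGIC = 0x564D444B   # bytes "KDMV" read as little-endian uint32
VMDK_COWD_MAGIC = 0x44574F43     # bytes "COWD": older ESX COW sparse extents
ISO9660_PVD_OFFSET = 0x8001      # "CD001" sits right after the 16th 2 KiB sector


def classify_blob(data: bytes) -> str:
    """Return a coarse format label for a captured byte string."""
    if len(data) >= 4:
        magic = struct.unpack("<I", data[:4])[0]
        if magic == VMDK_SPARSE_MAGIC:
            return "vmdk-sparse"
        if magic == VMDK_COWD_MAGIC:
            return "vmdk-cowd"
    if data.startswith(b"# Disk DescriptorFile"):
        return "vmdk-descriptor"
    end = ISO9660_PVD_OFFSET + 5
    if len(data) >= end and data[ISO9660_PVD_OFFSET:end] == b"CD001":
        return "iso9660"
    if data.startswith(b"MZ"):          # Windows PE executable
        return "pe-executable"
    if data.startswith(b"\x7fELF"):     # Linux/ESX service-console binary
        return "elf-executable"
    # Flat VMDK extents (VMFS) are raw disk sectors with no header at all.
    return "unknown-or-raw"


def triage(captures: dict) -> dict:
    """Label every captured blob; keys are whatever the monitor named them."""
    return {name: classify_blob(blob) for name, blob in captures.items()}


def demo() -> dict:
    """Constructed samples standing in for extracted TCP/902 payloads."""
    iso = bytearray(ISO9660_PVD_OFFSET + 64)
    iso[ISO9660_PVD_OFFSET:ISO9660_PVD_OFFSET + 5] = b"CD001"
    return triage({
        "flow-1.bin": b"KDMV" + b"\x00" * 60,
        "flow-2.bin": b"# Disk DescriptorFile\nversion=1\n",
        "flow-3.bin": bytes(iso),
        "flow-4.bin": b"MZ\x90\x00" + b"\x00" * 60,
        "flow-5.bin": b"\x00" * 512,
    })


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {label}")
```

Blobs labelled as containers warrant mounting or carving the guest disk to find which VM holds the detected file; only a bare executable or an unexplained raw blob points at the vCenter host or the service console itself.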