I’ve discovered an unknown utun0 connection in my local network.
Here are some results from the Terminal:
I don’t recognize the utun0 connection to fe80::6296:1c25:7464:160f. Could someone help identify?
iMac Line (2012 and Later)
What all 3rd party extensions are you running?
EtreCheck is a simple little app to display the important details of your system configuration and allow you to copy that information to the Clipboard. It is meant to be used with Apple Support Communities to help people help you with your Mac.
http://www.etresoft.com/etrecheck
Pastebin is a good place to paste the whole report...
Workable but harder for me to work with...the Note tool on the bottom of this editor's toolbar, as shown in the image, to copy and paste the output from EtreCheck.
I’ve installed ProtonVPN and use it occasionally. Upon logging in, nothing has changed in Terminal apart from the address, which is now fe80::5b74:cd7b:849:8538. Connections to ProtonVPN are associated with ipsec0, though—does that matter?
Here’s my EtreCheck report: https://pastebin.com/NyTcanF6
According to System Preferences → Extensions, no third-party extensions have been installed. As the EtreCheck report shows, however, there are kernel extensions of Malwarebytes, Little Snitch and LuLu. Could any of those cause utun0?
I should note that the utun0 interface is shown by ifconfig whether an internet connection is established or not, even immediately after booting before plugging in the ethernet cable. Again, as far as I know, I have no VPN client installed, and System Preferences → Network only displays Ethernet, Bluetooth PAN, FireWire, Wi-Fi and Thunderbolt Bridge, with only Ethernet being on; all Sharing options are turned off, and the discontinued Back to My Mac doesn’t even appear in my iCloud services any more.
Are you using "Back to My Mac"?
I’ve never consciously used Back to My Mac or checked any of the Sharing options; I even removed myself from “Only these users:” and blocked all connections for Screen Sharing in Little Snitch. FileVault is on, and the built-in firewall in stealth mode blocks all incoming connections.
Still, I’ve been observing in recent weeks that (1) settings have been altered (including the microphone input volume, which had always been off, suddenly turned on), that (2) files such as bookmarks in Safari were suddenly deleted, and that (3) I was suddenly logged in to ProtonVPN even though I wasn’t even connected to the internet yet. This definitely wasn’t me and has been going on for weeks despite several complete reinstallations from scratch on different hard drives.
Is there any way for me to identify if someone is somehow able to monitor (be it via stream or perpetual screenshots) or access my system without my consent or knowledge?
If you spot anything suspicious, please let me know.
I’ve uninstalled ProtonVPN and rebooted the machine several times, and although I now don’t have any VPN client installed any more, the entry persists:
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
inet6 fe80::30f3:834d:8903:9df4%utun0 prefixlen 64 scopeid 0xd
nd6 options=201<PERFORMNUD,DAD>
Again, the IPv6 address changes every time. Any other idea what it could be? A remote VPN connection?
I have Malwarebytes and LuLu, running, nom Little Snitch anymore. No utun0 here at all.
Ouch, you beed more RAM, if you don't want to buy any, I may have 2x4 GB or even 4x4 GB sticks shortly...
https://eshop.macsales.com/upgrades/imac-27-inch-mid-2011-3.4-ghz/memory
Just ran Wireshark, it lists utun0 interface under Thunderbolt! utun1 under Wifi.
Etrecheck report looks good except for... Free RAM: 17 MB
I hear that fee VPNs make money on the side with info.
So you don’t spot anything suspicious there? I was wondering if the number of “*:*<->*:*” might not be too high.
I have pretty much exactly the same number of “*:*<->*:*”
Do you use a VPN? Or have you installed VPN software, but may not gotten around to using it yet?
The 'tun' is for Tunnel which is what a VPN does, it Tunnels all your network traffic over the VPN.
Unknown utun0 Connection in Local Network
