OK, I'm going to try to organize my images of appearing windows to help in replies too.
1 - Authentication Password Required https://ibb.co/7jdfL33 Main Concern/Problem
2 - Duplicated Bookmarks Brave Browser https://ibb.co/R3nzjfC
3 - Something Went Wrong https://ibb.co/Dg3DH1C
4 - ProtonVPN App https://ibb.co/JFRcJLd
I'm mostly concerned with window #1 - Authentication Password Required. https://ibb.co/7jdfL33
I can show and display the password, it contains 20 characters, my non-browser password manager defaults to using 16 characters, just checked, so it's not auto-filling it.
I show #2 - Duplicated Bookmarks Brave Browser https://ibb.co/R3nzjfC because it may have appeared around the same time – not sure.
I show #3 - Something Went Wrong https://ibb.co/Dg3DH1C for the same reason as above – maybe same time.
Originally, I showed #4 - ProtonVPN App https://ibb.co/JFRcJLd (notice connection error at top of image) "authentication denied"
I'm not attributing the following correlations to causation, just mentioning because they might be related.
Just yesterday I was almost certain that #3-Something Went Wrong was attributed to #4-ProtonVPN App as they appeared almost simultaneously, but then #3 appeared a lot yesterday.
Also, I noticed just now that #4-ProtonVPN App and #1-Authentication Password Required both use the word authentication, but….
@Mauser Which one do you think is the system password dialog box?
I'm not aware of this, what is it? I'm aware of the browser keylog passwords or whatever they're called, but these don't appear to be the same. Also, and I don't know, but I thought that Adrian and Stevo would have recognized this in previous replies. I do appreciate the reply.
Jed, I mean @clampett

@Stevo, and others, sorry, I didn't post my QSI originally or again yesterday, should have posted QSI previously - MX-21.3_ahs Xfce
Snapshot created on: 20220812_1130
System: Kernel: 6.6.4-1-liquorix-amd64 [6.6-5~mx21ahs] x86_64 bits: 64 compiler: gcc v: 10.2.1
parameters: audit=0 intel_pstate=disable rcupdate.rcu_expedited=1
BOOT_IMAGE=/boot/vmlinuz-6.6.4-1-liquorix-amd64 root=UUID=<filter> ro quiet splash
Desktop: Xfce 4.18.1 tk: Gtk 3.24.24 info: xfce4-panel wm: xfwm 4.18.0 vt: 7
dm: LightDM 1.26.0 Distro: MX-21.3_ahs_x64 Wildflower November 22 2021
base: Debian GNU/Linux 11 (bullseye)
Machine: Type: Laptop System: ASUSTeK product: VivoBook_ASUSLaptop X512DA_F512DA v: 1.0
serial: <filter>
Mobo: ASUSTeK model: X512DA v: 1.0 serial: <filter> UEFI: American Megatrends
v: X512DA.310 date: 12/24/2019
Battery: ID-1: BAT0 charge: 16.9 Wh (60.8%) condition: 27.8/37.1 Wh (74.9%) volts: 7.8 min: 7.8
model: ASUSTeK ASUS Battery type: Li-ion serial: N/A status: Not charging cycles: 18
CPU: Info: Dual Core model: AMD Ryzen 3 3200U with Radeon Vega Mobile Gfx bits: 64
type: MT MCP arch: Zen family: 17 (23) model-id: 18 (24) stepping: 1 microcode: 8108102
cache: L2: 1024 KiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 20761
Speed: 2717 MHz min/max: 1400/2600 MHz boost: enabled Core speeds (MHz): 1: 1692
2: 1692 3: 1693 4: 1693
Vulnerabilities: Type: gather_data_sampling status: Not affected
Type: itlb_multihit status: Not affected
Type: l1tf status: Not affected
Type: mds status: Not affected
Type: meltdown status: Not affected
Type: mmio_stale_data status: Not affected
Type: retbleed mitigation: untrained return thunk; SMT vulnerable
Type: spec_rstack_overflow mitigation: Safe RET
Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, STIBP: disabled, RSB
filling, PBRSB-eIBRS: Not affected
Type: srbds status: Not affected
Type: tsx_async_abort status: Not affected
Graphics: Device-1: AMD Picasso/Raven 2 [Radeon Vega Series / Radeon Vega Mobile Series]
vendor: ASUSTeK driver: amdgpu v: kernel bus-ID: 02:00.0 chip-ID: 1002:15d8
class-ID: 0300
Device-2: IMC Networks USB2.0 HD UVC WebCam type: USB driver: uvcvideo bus-ID: 1-6.2:6
chip-ID: 13d3:56dd class-ID: 0e02 serial: <filter>
Display: x11 server: X.Org 1.20.14 compositor: xfwm4 v: 4.18.0 driver: loaded: amdgpu
display-ID: :0.0 screens: 1
Screen-1: 0 s-res: 1920x1080 s-dpi: 96 s-size: 508x285mm (20.0x11.2")
s-diag: 582mm (22.9")
Monitor-1: eDP res: 1920x1080 hz: 60 dpi: 142 size: 344x193mm (13.5x7.6")
diag: 394mm (15.5")
OpenGL: renderer: AMD Radeon Vega 3 Graphics (raven2 LLVM 14.0.5 DRM 3.54
6.6.4-1-liquorix-amd64)
v: 4.6 Mesa 22.0.5 direct render: Yes
Audio: Device-1: AMD Raven/Raven2/Fenghuang HDMI/DP Audio driver: snd_hda_intel v: kernel
bus-ID: 02:00.1 chip-ID: 1002:15de class-ID: 0403
Device-2: AMD ACP/ACP3X/ACP6x Audio Coprocessor driver: snd_pci_acp3x v: kernel
alternate: snd_rn_pci_acp3x,snd_pci_acp5x,snd_pci_acp6x,snd_acp_pci,snd_rpl_pci_acp6x,snd_pci_ps,snd_sof_amd_renoir,snd_sof_amd_rembrandt,snd_sof_amd_vangogh
bus-ID: 02:00.5 chip-ID: 1022:15e2 class-ID: 0480
Device-3: AMD Family 17h/19h HD Audio vendor: ASUSTeK driver: snd_hda_intel v: kernel
bus-ID: 02:00.6 chip-ID: 1022:15e3 class-ID: 0403
Device-4: Texas Instruments PCM2902 Audio Codec type: USB
driver: hid-generic,snd-usb-audio,usbhid bus-ID: 1-2:2 chip-ID: 08bb:2902
class-ID: 0300
Sound Server-1: ALSA v: k6.6.4-1-liquorix-amd64 running: yes
Sound Server-2: PulseAudio v: 14.2 running: yes
Sound Server-3: PipeWire v: 0.3.19 running: no
Network: Device-1: Intel Wireless 8265 / 8275 driver: iwlwifi v: kernel modules: wl
bus-ID: 01:00.0 chip-ID: 8086:24fd class-ID: 0280
IF: wlan0 state: up mac: <filter>
IF-ID-1: ipv6leakintrf0 state: unknown speed: N/A duplex: N/A mac: <filter>
IF-ID-2: pvpnksintrf0 state: unknown speed: N/A duplex: N/A mac: <filter>
IF-ID-3: tun0 state: unknown speed: 10000 Mbps duplex: full mac: N/A
Bluetooth: Device-1: Intel Bluetooth wireless interface type: USB driver: btusb v: 0.8
bus-ID: 1-6.1:5 chip-ID: 8087:0a2b class-ID: e001
Report: hciconfig ID: hci0 rfk-id: 3 state: up address: <filter> bt-v: 2.1 lmp-v: 4.2
sub-v: 100 hci-v: 4.2 rev: 100
Info: acl-mtu: 1021:4 sco-mtu: 96:6 link-policy: rswitch hold sniff
link-mode: slave accept service-classes: rendering, capturing, audio
Drives: Local Storage: total: 119.24 GiB used: 76.47 GiB (64.1%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/sda maj-min: 8:0 vendor: SanDisk model: SD9SN8W128G1102 size: 119.24 GiB
block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s type: SSD serial: <filter>
rev: 6002 scheme: GPT
Partition: ID-1: / raw-size: 24 GiB size: 23.46 GiB (97.73%) used: 13.65 GiB (58.2%) fs: ext4
dev: /dev/sda2 maj-min: 8:2
ID-2: /boot/efi raw-size: 1024 MiB size: 1022 MiB (99.80%) used: 440 KiB (0.0%)
fs: vfat dev: /dev/sda1 maj-min: 8:1
ID-3: /home raw-size: 16.01 GiB size: 15.67 GiB (97.86%) used: 4.68 GiB (29.9%)
fs: ext4 dev: /dev/sda3 maj-min: 8:3
ID-4: /tmp raw-size: 4 GiB size: 3.84 GiB (96.10%) used: 19.6 MiB (0.5%) fs: ext4
dev: /dev/sda6 maj-min: 8:6
Swap: Kernel: swappiness: 15 (default 60) cache-pressure: 100 (default)
ID-1: swap-1 type: partition size: 2 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sda4
maj-min: 8:4
Sensors: System Temperatures: cpu: 59.0 C mobo: N/A gpu: amdgpu temp: 58.0 C
Fan Speeds (RPM): cpu: 2400
Repos: Packages: 2530 note: see --pkg apt: 2518 lib: 1246 flatpak: 12
No active apt repos in: /etc/apt/sources.list
Active apt repos in: /etc/apt/sources.list.d/brave-browser-release.list
1: deb [arch=amd64] https://brave-browser-apt-release.s3.brave.com/ bullseye main
Active apt repos in: /etc/apt/sources.list.d/debian-stable-updates.list
1: deb http://deb.debian.org/debian bullseye-updates main contrib non-free
Active apt repos in: /etc/apt/sources.list.d/debian.list
1: deb http://deb.debian.org/debian bullseye main contrib non-free
2: deb http://security.debian.org/debian-security bullseye-security main contrib non-free
Active apt repos in: /etc/apt/sources.list.d/google-chrome.list
1: deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main
Active apt repos in: /etc/apt/sources.list.d/librewolf.list
1: deb [arch=amd64] http://deb.librewolf.net bullseye main
Active apt repos in: /etc/apt/sources.list.d/megasync.list
1: deb [signed-by=/usr/share/keyrings/meganz-archive-keyring.gpg] https://mega.nz/linux/repo/Debian_11/ ./
Active apt repos in: /etc/apt/sources.list.d/mx.list
1: deb http://mxrepo.com/mx/repo/ bullseye main non-free
2: deb http://mxrepo.com/mx/repo/ bullseye ahs
Active apt repos in: /etc/apt/sources.list.d/protonvpn-stable.list
1: deb [arch="all", signed-by=/usr/share/keyrings/protonvpn-stable-archive-keyring.gpg] https://repo.protonvpn.com/debian stable main
Active apt repos in: /etc/apt/sources.list.d/spotify.list
1: deb http://repository.spotify.com stable non-free
Active apt repos in: /etc/apt/sources.list.d/vivaldi.list
1: deb [arch=amd64] https://repo.vivaldi.com/stable/deb/ stable main
Info: Processes: 353 Uptime: 1h 38m wakeups: 2 Memory: 9.67 GiB used: 2.84 GiB (29.4%)
Init: SysVinit v: 2.96 runlevel: 5 default: 5 tool: systemctl Compilers: gcc: 10.2.1
alt: 10 Client: shell wrapper v: 5.1.4-release inxi: 3.3.06
Boot Mode: UEFI
I assume that SDM themes must be a KDE item and not an Xfce item.
Regarding your comment, "That's the only similar thing I have seen that's legit.", that seems concerning as I first noticed it while opening many SearXNG instances and also had LibRedirect operating.
Each SearXNG instance requires some trust, and each SearXNG instance has many links within, so with SearXNG having VERY roughly 20 instances, times VERY conservatively 20 links/sites within each instance, well I may have been open to
++EDIT++ 400 – 1,000 links/sites. I doubt that it would be this many as many of the instances use many of the same links/sites and I don't know that all of the links can be manipulated, or how difficult it may be to do so. END EDIT
I'm still not sure that it's not the ProtonVPN app. Maybe I'll try browsing without the ProtonVPN app or with a different browser to eliminate something.
Since the ProtonVPN app is very new (~1 month), maybe I'll contact them - hint at some form of notification identification.
Still can't believe a legitimate notification doesn't include some form of self-identification.
Thanks all, and I'm still open to more suggestions if something strikes anyone.