Last night I was checking my router because I noticed some sluggishness with my connection. I opened a connections monitor and saw my computer was sending significant UDP traffic to an IP address on high port numbers. This wasn't immediately concerning because I was connected to a VPN, but I decided to check if the IP was indeed my VPN server. It was not. It was close, but off by a couple of digits in the last two octets. The IP in question is shown by Shodan and other services to be in Bulgaria and running a DHT service, but my own nmap scan did not show this. I shut off my VPN to see if the connection persisted, and it did for several minutes, but the connection monitor may have had a delay before dropping it off the list. Not to sound too paranoid, but I remember running an nmap scan around when I started getting worried and seeing some open ports, only to run one again half an hour later and see none.
All in all I saw that my machine sent around 170 MB to this server. After it dropped away I wondered if I somehow typo'd the IP of my actual VPN, but I could not rationalize how I did this given I just copy pasted it from my router control page.
While this was happening I checked locally on my machine for running process information, outgoing network traffic, etc., but found nothing relevant. In the end I could find no definitive way to rule out that my machine was compromised, nor any easy confirmation that it was, so I went ahead and reinstalled my system from scratch. Completely wiped my hard drive, started over. I already have backups of my important data, so I didn't need to hesitate too long.
Unless I was indeed compromised, and by something particularly advanced, it seems likely my machine is now clean. I took the precaution of changing my password manager master password, and I do already have 2FA on basically every online account I use where it is possible. I have seen no signs of my online accounts getting compromised.
What can I do now? I feel like I lost the chance to analyze properly what had happened to my system, but in all honesty I don't know what I could have gained, given my knowledge level, from doing forensics on a potentially-compromised, potentially-not machine. Is there any way for me to get more information about whether I was compromised, and to, within reason, be more vigilant going forward?