Netgate Discussion Forum

    Seems that hacker is inserting a foreign DNS into my computer, how to remove it?

    Firewalling
    30 Posts 7 Posters 2.2k Views
      Firewalldude89 @johnpoz

      @johnpoz

      ifconfig
      
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
      	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
      	inet 127.0.0.1 netmask 0xff000000 
      	inet6 ::1 prefixlen 128 
      	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 
      	nd6 options=201<PERFORMNUD,DAD>
      gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
      stf0: flags=0<> mtu 1280
      anpi1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether a6:bf:9d:78:5b:a2 
      	inet6 fe80::a4bf:9dff:fe78:5ba2%anpi1 prefixlen 64 scopeid 0x4 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: none
      	status: inactive
      anpi0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether a6:bf:9d:78:5b:a1 
      	inet6 fe80::a4bf:9dff:fe78:5ba1%anpi0 prefixlen 64 scopeid 0x5 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: none
      	status: inactive
      en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
      	ether 4c:20:b8:a7:f2:61 
      	inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
      	inet6 fe80::c17:77f:669f:7409%en0 prefixlen 64 secured scopeid 0x6 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
      	status: active
      en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether a6:bf:9d:78:5b:81 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: none
      	status: inactive
      en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether a6:bf:9d:78:5b:82 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: none
      	status: inactive
      en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
      	options=460<TSO4,TSO6,CHANNEL_IO>
      	ether 36:a0:3e:97:62:00 
      	media: autoselect <full-duplex>
      	status: inactive
      en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
      	options=460<TSO4,TSO6,CHANNEL_IO>
      	ether 36:a0:3e:97:62:04 
      	media: autoselect <full-duplex>
      	status: inactive
      bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
      	ether 36:a0:3e:97:62:00 
      	Configuration:
      		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
      		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
      		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
      		ipfilter disabled flags 0x0
      	member: en2 flags=3<LEARNING,DISCOVER>
      	        ifmaxaddr 0 port 9 priority 0 path cost 0
      	member: en3 flags=3<LEARNING,DISCOVER>
      	        ifmaxaddr 0 port 10 priority 0 path cost 0
      	media: <unknown type>
      	status: inactive
      ap1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether 6e:20:b8:a8:41:a8 
      	media: autoselect
      en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether 4c:20:b8:a8:41:a8 
      	media: autoselect
      	status: inactive
      awdl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
      	options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
      	ether ae:fb:7d:02:66:2a 
      	inet6 fe80::acfb:7dff:fe02:662a%awdl0 prefixlen 64 scopeid 0xe 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: autoselect (<unknown type>)
      	status: inactive
      llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=400<CHANNEL_IO>
      	ether ae:fb:7d:02:66:2a 
      	inet6 fe80::acfb:7dff:fe02:662a%llw0 prefixlen 64 scopeid 0xf 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: autoselect
      	status: inactive
      utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
      	inet6 fe80::539a:143b:2cea:5964%utun0 prefixlen 64 scopeid 0x10 
      	nd6 options=201<PERFORMNUD,DAD>
      utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
      	inet6 fe80::f1cd:d392:cf63:9f22%utun1 prefixlen 64 scopeid 0x11 
      	nd6 options=201<PERFORMNUD,DAD>
      utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1000
      	inet6 fe80::ce81:b1c:bd2c:69e%utun2 prefixlen 64 scopeid 0x12 
      	nd6 options=201<PERFORMNUD,DAD>
      
      
        johnpoz LAYER 8 Global Moderator @Firewalldude89

        @Netgate1100guy There are no IPv6 addresses there, only IPv6 link-local..

        And your IPv4 address of 192.168.1.100

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Firewalldude89 @johnpoz

          @johnpoz Yes, I cannot log in to console

            johnpoz LAYER 8 Global Moderator @Firewalldude89

            @Netgate1100guy you mean you can not access the pfsense web gui at what address? What IP does pfsense have?

            Is this 192.168.1.x network from your above output pfsense lan network?

            Can you ping pfsense IPv4 address? or do you mean you can not ssh to pfsense - for you to ssh to pfsense you would have had to enable ssh..

              Firewalldude89 @johnpoz

              @johnpoz I cannot log in to the admin console to configure firewall by using web

                johnpoz LAYER 8 Global Moderator @Firewalldude89

                @Netgate1100guy and can you ping pfsense IP, it would default to 192.168.1.1.. Do you get any page, and your login is just failing?

                Are you trying to access it via the actual IP or using some fqdn in your browser?

                I think there were threads about where web page was not available after update to 2.7? Is this a clean install, did you upgrade from some previous pfsense version? Did it ever work?

                  Firewalldude89 @johnpoz

                  @johnpoz via the actual IP.
                  Think there was a very recent upgrade.

                    johnpoz LAYER 8 Global Moderator @Firewalldude89

                    @Netgate1100guy dude why does it feel like I am needing to pull teeth here?

                    Do you get a blank page? Does it show you a login but login not working - or seems to stall after login?

                    Can you ping pfsense IP? Had you enabled ssh, can you ssh to it? Can you console in, ie use console cable? Can you ping some public IP? say 8.8.8.8 from your PC, is internet actually still working.

                    How does the pfsense web gui not loading via IP address have anything to do with some hacker inserting dns?

                      michmoor LAYER 8 Rebel Alliance @johnpoz

                      @johnpoz you have the patience of a saint 😀

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                        JKnott @Firewalldude89

                        @Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                        There is often a secondary IPv6 address, which seems to be from hacker. Can Link Local IPv6 work
                        or what else?

                        ????

                        Where are you seeing the link local address? Every IPv6 capable device has one. However, given they're not routeable, they'd be pretty much useless for an attacker.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

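The point made by johnpoz and JKnott above (the only IPv6 on the posted interfaces is fe80::/10 link-local, which exists on every IPv6-capable device and is never routed, so it is not something an attacker on the internet can reach) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from pfSense: it parses BSD/macOS-style ifconfig output, strips the `%en0` zone suffix, and labels each address as loopback, link-local or routable. The sample input is an excerpt of the lo0 and en0 blocks posted in the thread (indentation normalized) plus a constructed interface `en9` carrying an address from the 2001:db8::/32 documentation prefix, added only to show what a non-link-local IPv6 address would look like in the report.

```python
"""Classify addresses in ifconfig output: loopback, link-local, or routable.

Added example for the forum thread; not from pfSense or any poster.
Assumes the BSD/macOS ifconfig format ("inet ..." / "inet6 ..." lines
indented under an "iface: flags=..." header).
"""
import ipaddress
import re

# Excerpt of the ifconfig output posted in the thread (lo0, en0), plus a
# constructed interface en9 using the 2001:db8::/32 documentation prefix.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 4c:20:b8:a7:f2:61
    inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::c17:77f:669f:7409%en0 prefixlen 64 secured scopeid 0x6
    status: active
en9: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::1234:5678:9abc:def0%en9 prefixlen 64 scopeid 0x7
    inet6 2001:db8:1:2:1234:5678:9abc:def0 prefixlen 64 autoconf secured
    status: active
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\S+)")    # "inet " with a space: IPv4 only
INET6_RE = re.compile(r"^\s+inet6 (\S+)")


def parse_ifconfig(text):
    """Return {interface: [ip_address objects]} from ifconfig output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if current is None:
            continue
        m = INET_RE.match(line) or INET6_RE.match(line)
        if m:
            # Drop the zone/scope suffix ("%en0") that BSD prints on
            # link-local addresses; ipaddress does not accept it.
            addr = m.group(1).split("%")[0]
            result[current].append(ipaddress.ip_address(addr))
    return result


def classify(addr):
    """Label an address by how far it can be reached."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        # fe80::/10 (and 169.254.0.0/16 for IPv4): valid only on the local
        # link, never forwarded by a router, so unreachable from the internet.
        return "link-local"
    # Anything else can in principle be routed (RFC 1918 via NAT, or global).
    return "routable"


def summarize(text):
    """{interface: {category: [address strings in order of appearance]}}"""
    summary = {}
    for iface, addrs in parse_ifconfig(text).items():
        cats = {}
        for a in addrs:
            cats.setdefault(classify(a), []).append(str(a))
        summary[iface] = cats
    return summary


def has_routable_ipv6(summary, iface):
    """True if the interface has any IPv6 address that is not link-local."""
    return any(":" in a for a in summary.get(iface, {}).get("routable", []))


if __name__ == "__main__":
    report = summarize(SAMPLE_IFCONFIG)
    for iface, cats in report.items():
        print(iface)
        for cat, addrs in cats.items():
            print(f"  {cat:11s} {', '.join(addrs)}")
        print(f"  routable IPv6 present: {has_routable_ipv6(report, iface)}")
```

Run against the thread's output, en0 reports one routable address (the IPv4 192.168.1.100) and one link-local IPv6; only the constructed en9 shows a routable IPv6. The same script run on a live box (`ifconfig | python3 script.py` with a small stdin wrapper) is the quick way to confirm whether a "foreign" IPv6 address is merely the link-local one every interface has.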
                          Firewalldude89 @johnpoz

                          @johnpoz It shows me a login page but it stalls.

                            michmoor LAYER 8 Rebel Alliance @Firewalldude89

                            @Netgate1100guy turn off the firewall and keep it off for 9 days. That should solve it. Come back and let us know if that works.
                            Also, as a last resort try turning off the cable modem just in case. You should be clear from the hacker after that. Worked for me

                              johnpoz LAYER 8 Global Moderator @Firewalldude89

                              @Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                              It shows me a login page but it stalls.

                              Stalls? If pfsense has no working dns then yes the login page can be very slow.. From what you posted before - pfsense has only an actual IP on 1 interface - so hard to imagine that it would have working dns.. So yeah the login is prob going to be very slow.

                                rcoleman-netgate Netgate @Firewalldude89

                                @Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                                @johnpoz It shows me a login page but it stalls.

                                Connect via the console.

                                Tell your 1100 to reboot.

                                Attempt a GUI login again.

                                Does the console report any errors?

                                However as @johnpoz notes if your WAN isn't connected or your DNS upstream isn't working pages can take some time to load. Also loading the initial dashboard from the LAN also can take time to load but other pages afterwards are quick to load.

                                Try loading a subpage after logging in from your URL history. This is how I bypass the 30-second wait.

                                Ryan
                                Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                                Requesting firmware for your Netgate device? https://go.netgate.com
                                Switching: Mikrotik, Netgear, Extreme
                                Wireless: Aruba, Ubiquiti

                                  rcoleman-netgate Netgate @michmoor

                                  @michmoor said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                                  You should be clear from the hacker after that. Worked for me

                                  Not helpful...

                                    michmoor LAYER 8 Rebel Alliance @rcoleman-netgate

                                    @rcoleman-netgate There is seeking help and then there is trolling. We crossed that boundary several posts ago. If there is no attempt by the OP to seek assistance then how is my attempt at helping any different than others? Plus they stopped responding.

                                      rcoleman-netgate Netgate @michmoor

                                      @michmoor said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                                      We crossed that boundary several posts ago.

                                      Then you can walk away and turn off notifications on the post.
                                      [image: screenshot attachment]

                                        michmoor LAYER 8 Rebel Alliance @rcoleman-netgate

                                        @rcoleman-netgate that's a great option.

                                          Firewalldude89

                                          Hi all, I can now log into admin site on web and it is better now.
                                          Link Local for IPv6 seems to be great and can make a hacker intrusion much less likely.

                                          A few simple questions:

                                          On Suricata and Snort, should I enable interface for both LAN and WAN or just one of them,
                                          which of them? Because I have often blocked myself actually and maybe that's because of interface enabled
                                          for both LAN and WAN..

                                          I have accepted that SSL Inspection or Interception is not that necessary or ideal for blocking a hacker,
                                          seems that fine tuned Snort and Suricata settings are far more important.
                                          SSL Inspection is used for only clients connected to the LAN network, but not for anyone from the outside,
                                          incoming from the web? Is SSL Inspection useless for stopping hackers?

                                          What other packages are important for blocking hackers? How can I for example block DoS and DDoS attacks?

                                            rcoleman-netgate Netgate @Firewalldude89

                                            @Firewalldude89 said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                                            On Suricata and Snort, should I enable interface for both LAN and WAN or just one of them,
                                            which of them? Because I have often blocked myself actually and maybe that's because of interface enabled
                                            for both LAN and WAN..

                                            Best to post this type of question in the IDS/IPS section.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.