Seems that hacker is inserting a foreign DNS into my computer, how to remove it?
-
Hi all
Got a problem with a hacker that is apparently inserting a foreign DNS into my computer.
How do I block him?
-
@Netgate1100guy
With just a single sentence to go on, nobody can. You could try a little harder with your technical narrative though.
-
@RobbieTT There is often a secondary IPv6 address, which seems to be from the hacker. Can link-local IPv6 work,
or what else? IPv6 seems necessary to be able to log into the console.
-
johnpoz (LAYER 8, Global Moderator), Jul 26, 2023, 10:48 AM (last edited by johnpoz Jul 26, 2023, 10:49 AM)
@Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:
There is often a secondary IPv6 address
Yeah, devices love to use temporary IPv6 addresses, and yeah, all devices with IPv6 enabled would have a link-local address.
Not sure where you got the idea that IPv6 is necessary to log into the console/pfSense? My current PC has no IPv6 and I can log into pfSense via SSH or the web GUI, because my IPv4 address is allowed. Did you set up some firewall rule to block IPv4? Did you disable the anti-lockout rule?
Where exactly are you seeing this other DNS set? You know browsers these days love to use DoH without really any user permission. So yeah, it's quite possible your browser is using some DoH DNS vs your local DNS.
-
@johnpoz Okay, that may explain it. You may be able to help me fix this; technology is very complicated and can be frustrating these days.
Not very good with those firewalls, and Netgate with pfSense may have almost 400-500 settings.
-
@Netgate1100guy happy to help - what exactly are you seeing? Is your PC a Windows machine? Can you post up, say, your ipconfig /all from this PC?
Example here is mine..
$ ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : i9-win
   Primary Dns Suffix  . . . . . . . : local.lan
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local.lan

Ethernet adapter Local:

   Connection-specific DNS Suffix  . : local.lan
   Description . . . . . . . . . . . : Killer E2600 Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : B0-4F-13-0B-FD-16
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, July 24, 2023 2:36:06 PM
   Lease Expires . . . . . . . . . . : Friday, July 28, 2023 2:36:06 PM
   Default Gateway . . . . . . . . . : 192.168.9.253
   DHCP Server . . . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.9.253
   NetBIOS over Tcpip. . . . . . . . : Enabled
I currently do not have IPv6 enabled on this machine. If your machine has IPv6 enabled, it for sure can have more than just one GUA IPv6 address plus the link-local address. And if you have IPv6, it would for sure like to use some IPv6 address as its DNS.
Happy to help you figure out what is going on - but need some specifics to understand what is actually going on.
-
@johnpoz Okay, good. I use a Mac though, so the details from ipconfig are different, but can you still help me?
-
@Netgate1100guy sure - but I need some details of what exactly you are seeing, and what is happening that you think shouldn't be happening.
Normally with IPv6 you will have temporary IPv6 addresses, sometimes called privacy IPs.
-
ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	options=1203<RXCSUM,TXCSUM,TXSTATUS,SW_TIMESTAMP>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	nd6 options=201<PERFORMNUD,DAD>
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
anpi1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether a6:bf:9d:78:5b:a2
	inet6 fe80::a4bf:9dff:fe78:5ba2%anpi1 prefixlen 64 scopeid 0x4
	nd6 options=201<PERFORMNUD,DAD>
	media: none
	status: inactive
anpi0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether a6:bf:9d:78:5b:a1
	inet6 fe80::a4bf:9dff:fe78:5ba1%anpi0 prefixlen 64 scopeid 0x5
	nd6 options=201<PERFORMNUD,DAD>
	media: none
	status: inactive
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=50b<RXCSUM,TXCSUM,VLAN_HWTAGGING,AV,CHANNEL_IO>
	ether 4c:20:b8:a7:f2:61
	inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fe80::c17:77f:669f:7409%en0 prefixlen 64 secured scopeid 0x6
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
	status: active
en4: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether a6:bf:9d:78:5b:81
	nd6 options=201<PERFORMNUD,DAD>
	media: none
	status: inactive
en5: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether a6:bf:9d:78:5b:82
	nd6 options=201<PERFORMNUD,DAD>
	media: none
	status: inactive
en2: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=460<TSO4,TSO6,CHANNEL_IO>
	ether 36:a0:3e:97:62:00
	media: autoselect <full-duplex>
	status: inactive
en3: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
	options=460<TSO4,TSO6,CHANNEL_IO>
	ether 36:a0:3e:97:62:04
	media: autoselect <full-duplex>
	status: inactive
bridge0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=63<RXCSUM,TXCSUM,TSO4,TSO6>
	ether 36:a0:3e:97:62:00
	Configuration:
		id 0:0:0:0:0:0 priority 0 hellotime 0 fwddelay 0
		maxage 0 holdcnt 0 proto stp maxaddr 100 timeout 1200
		root id 0:0:0:0:0:0 priority 0 ifcost 0 port 0
		ipfilter disabled flags 0x0
	member: en2 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 9 priority 0 path cost 0
	member: en3 flags=3<LEARNING,DISCOVER>
	        ifmaxaddr 0 port 10 priority 0 path cost 0
	media: <unknown type>
	status: inactive
ap1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 6e:20:b8:a8:41:a8
	media: autoselect
en1: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether 4c:20:b8:a8:41:a8
	media: autoselect
	status: inactive
awdl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
	options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
	ether ae:fb:7d:02:66:2a
	inet6 fe80::acfb:7dff:fe02:662a%awdl0 prefixlen 64 scopeid 0xe
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect (<unknown type>)
	status: inactive
llw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=400<CHANNEL_IO>
	ether ae:fb:7d:02:66:2a
	inet6 fe80::acfb:7dff:fe02:662a%llw0 prefixlen 64 scopeid 0xf
	nd6 options=201<PERFORMNUD,DAD>
	media: autoselect
	status: inactive
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
	inet6 fe80::539a:143b:2cea:5964%utun0 prefixlen 64 scopeid 0x10
	nd6 options=201<PERFORMNUD,DAD>
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 2000
	inet6 fe80::f1cd:d392:cf63:9f22%utun1 prefixlen 64 scopeid 0x11
	nd6 options=201<PERFORMNUD,DAD>
utun2: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1000
	inet6 fe80::ce81:b1c:bd2c:69e%utun2 prefixlen 64 scopeid 0x12
	nd6 options=201<PERFORMNUD,DAD>
-
@Netgate1100guy There are no IPv6 addresses there, only IPv6 link-local ones.
And your IPv4 address is 192.168.1.100.
-
@johnpoz Yes, I cannot log in to console
-
johnpoz (LAYER 8, Global Moderator), Jul 26, 2023, 12:20 PM (last edited by johnpoz Jul 26, 2023, 12:20 PM)
@Netgate1100guy you mean you cannot access the pfSense web GUI at what address? What IP does pfSense have?
Is this 192.168.1.x network from your above output the pfSense LAN network?
Can you ping the pfSense IPv4 address? Or do you mean you cannot SSH to pfSense? For you to SSH to pfSense you would have had to enable SSH.
-
@johnpoz I cannot log in to the admin console to configure firewall by using web
-
@Netgate1100guy and can you ping the pfSense IP? It would default to 192.168.1.1. Do you get any page, and your login is just failing?
Are you trying to access it via the actual IP or using some FQDN in your browser?
I think there were threads about the web page not being available after the update to 2.7? Is this a clean install, or did you upgrade from some previous pfSense version? Did it ever work?
-
@johnpoz via the actual IP.
Think there was a very recent upgrade.
-
@Netgate1100guy dude, why does it feel like I am needing to pull teeth here?
Do you get a blank page? Does it show you a login but the login is not working, or does it seem to stall after login?
Can you ping the pfSense IP? Had you enabled SSH; can you SSH to it? Can you console in, i.e. use a console cable? Can you ping some public IP, say 8.8.8.8, from your PC? Is the internet actually still working?
How does the pfSense web GUI not loading via IP address have anything to do with some hacker inserting DNS?
-
@johnpoz you have the patience of a saint
-
@Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:
There is often a secondary IPv6 address, which seems to be from the hacker. Can link-local IPv6 work,
or what else?
Where are you seeing the link-local address? Every IPv6-capable device has one. However, given they're not routable, they'd be pretty much useless for an attacker.
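The two points made above, johnpoz's that the posted ifconfig output contains only link-local IPv6 addresses and the reply that link-local addresses are not routable and so of no use to a remote attacker, can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, from Netgate or from pfSense. It parses ifconfig output, tags every address by scope (loopback, link-local, unique-local, global; private or public for IPv4), flags macOS "temporary" privacy addresses, and compares the configured resolvers, in the layout macOS `scutil --dns` prints, against the resolver you expect. The ifconfig sample is a re-lined excerpt of what was posted (lo0, en0, utun0) plus two hypothetical addresses in the 2001:db8::/32 documentation prefix so that a global and a temporary address also appear; the scutil sample and the assumption that pfSense is the LAN resolver at 192.168.1.1 are constructed for the example.

```python
"""Added example (not from the thread): tag every address in ifconfig output by
scope and compare the configured resolvers against the one you expect, so the
question "could a remote attacker have put this here?" gets a concrete answer."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a re-lined excerpt (lo0, en0, utun0) of the ifconfig output
# posted in the thread, plus two hypothetical addresses in the 2001:db8::/32
# documentation prefix so that a global and a temporary (privacy) address appear.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
\tinet 127.0.0.1 netmask 0xff000000
\tinet6 ::1 prefixlen 128
\tinet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether 4c:20:b8:a7:f2:61
\tinet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
\tinet6 fe80::c17:77f:669f:7409%en0 prefixlen 64 secured scopeid 0x6
\tinet6 2001:db8:1:2:1c17:77f:669f:7409 prefixlen 64 autoconf secured
\tinet6 2001:db8:1:2:8d1e:4f0a:2b6c:9e71 prefixlen 64 autoconf temporary
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
\tinet6 fe80::539a:143b:2cea:5964%utun0 prefixlen 64 scopeid 0x10
"""

# Constructed sample in the layout `scutil --dns` prints on macOS (assumption:
# the LAN resolver is pfSense at 192.168.1.1 and it also advertises its
# link-local address via the RDNSS option in router advertisements).
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : local.lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : fe80::1%en0
  if_index : 6 (en0)
"""

EXPECTED_RESOLVERS = {"192.168.1.1"}          # assumption: pfSense LAN address

ULA6 = ipaddress.ip_network("fc00::/7")       # unique-local, RFC 4193
IFACE_RE = re.compile(r"^(\S+): flags=")
ADDR_RE = re.compile(r"^\s+(inet6?)\s+(\S+)\s*(.*)$")
NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


@dataclass(frozen=True)
class Addr:
    iface: str
    address: str
    scope: str          # loopback | link-local | unique-local | global | private | public
    temporary: bool     # macOS marks RFC 4941 privacy addresses with "temporary"


def scope_of(text: str) -> str:
    """Classify an address; the %zone suffix (fe80::1%en0) is dropped first."""
    ip = ipaddress.ip_address(text.partition("%")[0])
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:                    # fe80::/10 or 169.254.0.0/16
        return "link-local"
    if ip.version == 6:
        return "unique-local" if ip in ULA6 else "global"
    return "private" if ip.is_private else "public"


def parse_ifconfig(text: str) -> list[Addr]:
    addrs, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:                               # "en0: flags=..." starts a new interface
            iface = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and iface:
            _family, addr, flags = m.groups()
            addrs.append(Addr(iface, addr, scope_of(addr), "temporary" in flags.split()))
    return addrs


def reachable_from_off_link(a: Addr) -> bool:
    """Only global (or public IPv4) addresses can be reached from beyond the local
    link. Link-local traffic is never forwarded by a router, so an Internet-side
    attacker can neither reach nor have assigned an fe80:: address."""
    return a.scope in ("global", "public")


def parse_nameservers(scutil_text: str) -> list[str]:
    return [m.group(1) for m in map(NS_RE.match, scutil_text.splitlines()) if m]


def unexpected_nameservers(nameservers: list[str], expected: set[str]) -> list[tuple[str, str]]:
    """Resolvers not in the expected set, each with its scope. A link-local
    resolver can only have arrived via RA/DHCPv6 on the local segment; a global
    one is a deliberate setting, DHCP-supplied, or worth investigating."""
    return [(ns, scope_of(ns)) for ns in nameservers if ns not in expected]


if __name__ == "__main__":
    for a in parse_ifconfig(SAMPLE_IFCONFIG):
        tag = "off-link reachable" if reachable_from_off_link(a) else "on-link only"
        print(f"{a.iface:6} {a.address:40} {a.scope:12} {'temporary' if a.temporary else '':9} {tag}")
    for ns, scope in unexpected_nameservers(parse_nameservers(SAMPLE_SCUTIL_DNS), EXPECTED_RESOLVERS):
        print(f"resolver {ns} is not the expected one (scope: {scope})")
```

On a real Mac, feed it `ifconfig` and `scutil --dns` output instead of the samples. A resolver that shows up as link-local came from something on your own segment (the firewall's router advertisement, or a rogue one), never from the Internet; a resolver that is global and not the one pfSense hands out is the thing to chase, and as johnpoz notes, the browser's own DoH setting is a more common cause than an intruder.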
-
@johnpoz It shows me a login page but it stalls.
-
@Netgate1100guy turn off the firewall and keep it off for 9 days. That should solve it. Come back and let us know if that works.
Also, as a last resort try turning off the cable modem just in case. You should be clear from the hacker after that. Worked for me