gatekeeper.tss.net #81
@xxcriticxx what do you mean it went crazy? I will have to see which input source this came from.
@xxcriticxx it comes in from this source https://raw.githubusercontent.com/eladkarako/hosts.eladkarako.com/master/build/hosts_adblock.txt
what is this domain used for? my pihole block about 2000 connections from domain
google vaguely talks that this maybe spyware so i need to know if should worry or not
Can you install
Possibly even also scanning with clam too
@xxcriticxx not sure if this is related or not > https://forums.malwarebytes.com/topic/191746-removal-instructions-for-tss-vince/
@xxcriticxx it is malware > Trojan Kuluoz --- See: https://www.malwareurl.com/ns_listing.php?as=AS7385
I suggest inspecting all your PC's, phones, tablets on your network very carefully to see if one of them is infected. Trojan seems aimed at Windoze systems so I would start there if you have any.
i got pihole running on regular pc not pie3
any recommendation on program?
Suggestion to download one or more of these bootable live antivirus / malware CD's and check the pc is not infected > https://www.lifewire.com/free-bootable-antivirus-tools-2625785 with a live CD you can boot from it and scan the entire drive without the OS loading. Only proper way to check as any malware will evade any malware scanners you try to load into the OS
let me try first see what malwarebytes finds. then i go for live cd for deeper cleaning.
Check also using AdwCleaner https://www.malwarebytes.com/adwcleaner/
@smed79 that's part of malwarebytes now right?
@xxcriticxx If you never had your pihole and this list you would never have discovered this. When you say it went crazy it sounds like any malware that when you block its outgoing connections it goes absolutely mental. Can you provide me with a full log of all things it blocked when it went crazy so I can analyze that.
4 connections every 5 minutes or so
Hello there, All suggestions are great but are we talking about windows? 🤔 If we're talking about windows then, you should execute
@funilrys this send every 5 min i dont think connection would stay open that long
@xxcriticxx Well with
@funilrys i still dont know what am looking for gatekeeper ip?
Yes repeating IP (from gatekeeper) then you get the PID of the program :) Once you got the PID you can get the program name with something like
its going be very funny if i dont find shit |
3 hr of scanning and found nothing :( |
@mitchellkrogza any other ideas how to catch this something
@funilrys netstat only shows local ip not external
ok this works going do rest of computer now |
file removed gatekeeper still in the logs |
My only solution and honest advice would be a clean slate. Wipe the box and reinstall Ubuntu. I would not honestly go any further not knowing my main Ubuntu box has a problem. Sorry not good news but that is what I would do personally.
i dont think its ubuntu or windows its one of the iot calling home
But they were all turned off NO?
I can't be any clearer
Leave each device up and running for at least 10-20 minutes while monitoring but then shut it down again before testing next one. This takes time and patience and is the ONLY way you will find the infected device.
@mitchellkrogza i cant turn off fire alarms and thermostats they dont have off option everything that could have been turned off was turned off
@funilrys any ideas here? This is showing the real downside of IOT devices and how problematic they can be and potential dangers of insecure ones
@funilrys asleep by now by this long post
Hello guys, Let me resume a bit ...
So if we are at that level, we have 2 options, monitor all the home or monitor each machine to find which one is "infected" So in ubuntu, it's simple if it's an outgoing connection:
give us a real-time outgoing connection (from that machine) For other machines it depends if you know the system and have access to them. Otherwise for the second point, to monitor all the house we need to understand how your router is set up which information we don't have if I read right ... P.S Is Pi-Hole connected directly to the router or is it the router? 🤔 P.S2 Our goal is to find an IP, a MAC, a program or everything related to that domain
Pihole is plugged in one of the ports on the back of the router. Pihole ip is entered in the dhcp field in the router
@funilrys can we save this to txt file?
@xxcriticxx you can also see all connected devices on your network by running
Well you can keep it running and output with
I will try both shortly |
nmap only gives me list of my current clients not where they connect
i think am going have to use pihole dhcp in order to assign ip to my clients so i can see what connects where
@xxcriticxx probably a good idea. Does piHole (sorry never used it) not show you all local IP's and where they are connecting to?
Not right now. Router does dhcp right now. I have to switch it around and let pihole do it.
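Once Pi-hole sees every client's DNS queries, the "which device talks to gatekeeper.tss.net, and how regularly" question asked in this thread can be answered from its query log. The script below is an added example and not code from the thread or from Pi-hole itself; it assumes the dnsmasq-style `pihole.log` line format (`query[TYPE] <domain> from <client>`), uses constructed sample lines, and assumes a year because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the assumed pihole.log (dnsmasq) format.
# Gravity lines carry no client, so only "query[...]" lines identify a device.
SAMPLE_LOG = """\
Jan 12 10:15:01 dnsmasq[1234]: query[A] gatekeeper.tss.net from 192.168.1.42
Jan 12 10:15:01 dnsmasq[1234]: /etc/pihole/gravity.list gatekeeper.tss.net is 0.0.0.0
Jan 12 10:15:02 dnsmasq[1234]: query[A] www.example.org from 192.168.1.10
Jan 12 10:20:03 dnsmasq[1234]: query[A] gatekeeper.tss.net from 192.168.1.42
Jan 12 10:20:03 dnsmasq[1234]: query[AAAA] gatekeeper.tss.net from 192.168.1.42
Jan 12 10:25:07 dnsmasq[1234]: query[A] gatekeeper.tss.net from 192.168.1.42
Jan 12 10:25:08 dnsmasq[1234]: query[A] gatekeeper.tss.net from 192.168.1.77
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)$"
)

def queries_for(log_text, domain):
    """Return (client, timestamp) pairs for every query of `domain` or a subdomain of it."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # blocked/forwarded/reply lines: no client, skip
        d = m["domain"].lower()
        if d == domain or d.endswith("." + domain):
            hits.append((m["client"], m["ts"]))
    return hits

def clients_by_count(log_text, domain):
    """Which LAN clients asked for the domain, most frequent first."""
    return Counter(c for c, _ in queries_for(log_text, domain)).most_common()

def beacon_intervals(log_text, domain, client, year=2024):
    """Seconds between successive queries from one client (A/AAAA pairs at the
    same second collapse to one); a steady period is the 'every 5 minutes'
    beaconing pattern described in the thread. Year is assumed: syslog has none."""
    stamps = sorted({datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
                     for c, ts in queries_for(log_text, domain) if c == client})
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]

if __name__ == "__main__":
    for client, n in clients_by_count(SAMPLE_LOG, "gatekeeper.tss.net"):
        gaps = beacon_intervals(SAMPLE_LOG, "gatekeeper.tss.net", client)
        print(f"{client}: {n} queries, seconds between queries {gaps}")
```

On a real box, feed it `/var/log/pihole.log` (or `pihole -t` output) instead of `SAMPLE_LOG`; the client with many queries at a near-constant interval is the device to unplug first.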
Great, keep us updated and really hope you find the culprit. |
plus i need to format few system as they are supper slooooooooooooooooow @mitchellkrogza you can install pihole on most linux system i recommend for weekend project
@mitchellkrogza please provide me link to this article
https://youtu.be/Op0tHjExST8 subscribe to their channel they talk a lot about IOT device hacking. This one might also interest you https://motherboard.vice.com/en_us/article/aekj9j/internet-of-things-ransomware-smart-thermostat
clamav calls home over 500 in last hour probably update out
@eladkarako Is there any recommendation out there? Cause I read elsewhere:
@mitchellkrogza or @funilrys what is this domain used for? my pihole went crazy on it. when was this added?