Undetectable Spyware or Pi-Hole bug?


#12

Do your block lists contain any Cryptomining address’s.
Try this one it has just been updated from https://twitter.com/smokingwheels/status/958184008025649153

https://smokingwheels.github.io/Pi-hole/allhosts

There is a bigger list if you go thru this post I concatenated every BlockList I could find

Try to start capture with (DNS host or name resolution?) it makes it easier.


#13

@tuba Your issue sounds exactly like this bug. What is the output of pihole -v and cat /etc/dnsmasq.d/01-pihole.conf


#14

Here’s what’s happening:

PC using Pi-Hole for DNS (nothing on Blacklist):
Pi-Hole shows my PC accessing the primewire and 123netflix domains every 2 minutes even when my web browsers are closed. This made me think malware was responsible.

WireShark is a packet analyzer. It lets you see all traffic to and from your network interface.

Wireshark running on my PC also shows access to primewire and 123netflix but lists the IP Address as the Pi-Hole. It seems that Wireshark is recording more frequent access to these domains than listed on the Pi-Hole but I need to double check this.

When I use my browser to intentionally access primewire and 123netflix domains then WireShark info is different - It shows the IP Address as the actual IP Addresses of these domains, NOT the IP Address of my Pi-Hole.

PC bypassing Pi-Hole for DNS on my PC and using WireShark shows no connections to the primewire and 123netflix domains after 4 minutes of monitoring.

This leads me to believe the repeated access to these domains every 2 minutes is my PC accessing the Pi-Hole but labelling it (both internally and on the Pi-Hole) with the wrong domain names of primewire and 123netflix.

This leads me to believe the DNS info is corrupted.

I’m going to nuke my Pi-Hole by doing a complete re-install with a different MicroSD Card, flushing my PC DNS cache and then checking the Dashboard for domain access before adding anything to the Blacklist.

@smokingwheels - Why do you think a Cryptomining address might be relevant?


#15

Mcat12 - Thank you for responding!

I assume ‘-v’ will show the version of my install and cat will show the contents of the 01-pihole.conf file.

I’ll run those commands tonight before nuking my install and post back.


#16

Its a bit of a problem some sites use your hardware and resources for bitcoin mining to put in there own pockets.


#17

Ah, I see. Yes, I’m aware of that.

But I really think it’s a glitch in the pi-hole and not actual malware (or implanted mining software).


What Really Happens On Your Network? Part Seven
#18

Here you go:

pi@raspberrypi:~ $ pihole -v
  Pi-hole version is v3.2.1 (Latest: v3.2.1)
  AdminLTE version is v3.2.1 (Latest: v3.2.1)
  FTL version is v2.13.2 (Latest: v2.13.2)


pi@raspberrypi:~ $ cat /etc/dnsmasq.d/01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2015, 2016 by Jacob Salmela
# Network-wide ad blocking via your Raspberry Pi
# http://pi-hole.net
# dnsmasq config for Pi-hole
#
# Pi-hole is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPERATE CONFIG FILE           #
#                        OR IN /etc/dnsmasq.conf                              #
###############################################################################

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async
server=8.8.8.8
server=8.8.4.4
interface=eth0
pi@raspberrypi:~ $

#19

@Mcat12
Does my post, above, shed any light on this issue?


#20

Sorry, I was away from Discourse for a few days. It looks like you’re clear of the previous hostname issue. Can you find the log lines in /var/log/pihole.log where dnsmasq resolves those domains?


#21

No worries. I’m not one to complain about free tech support on free software!

Do I just ‘cat’ that file and look for the domains at issue and copy/post the results here?


#22

You can run pihole -t or tail -F /var/log/pihole.log to follow the log as it’s written to. More info here:


#23

I pulled the old 4GB microSD card and installed Raspbian and pihole on a brand new 32GB microSD card. Still seeing primewire and 123netflix every 2 mins.

Pulled 32GB card, reformatted, flushed DNS, cleared cookies and everything else from all browsers. Installed Raspbian and pihole. Still seeing primewire and 123netflix every 2 mins.

Here is the log info:
Feb 4 00:12:00 dnsmasq[9095]: query[A] primewire.ag from 192.168.1.15
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is 104.31.17.3
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is 104.31.16.3
Feb 4 00:12:00 dnsmasq[9095]: query[A] 123netflix.com from 192.168.1.15
Feb 4 00:12:00 dnsmasq[9095]: cached 123netflix.com is 104.25.84.57
Feb 4 00:12:00 dnsmasq[9095]: cached 123netflix.com is 104.25.83.57

I’m really at a loss right now. :tired_face:

If it helps, I have an Asus RT-N66U Router with stock firmware. LAN DNS set to my pihole’s IP address.
WAN DNS Server1 set to pihole’s IP address and DNS Server2 set to 8.8.8.8.

Win7 PC that continues to access primewire and 123netflix every 2 mins has a static IP address, hardwired ethernet cable to my router and adapter IPv4 Preferred DNS Server set to the pihole’s IP address.

EDIT: I noticed the log time is 5 hours ahead. My PCs are set to the correct date, time and timezone. Checked it with browsers on 2 different computers. Odd.

EDIT 2: Fixed the time issue by going into ‘sudo raspi-config’ and setting the proper timezone.


#24

I’m not sure what might be causing the PC to access those domains so often, but I think there are tools to find which programs are making DNS requests on Windows.


#25

Might/looks be some infection on your pc.
Just add the domains to the blacklist and clean your pc.


#26

That’s where I started 2 weeks ago. But I tried it again and made some headway.

I kept track of when the Pi-Hole showed access to the two domains from my PC every 2 minutes.

Ran Process Monitor (to show Network Activity) and Wireshark both as Admin. Opened Windows Powershell as Admin and typed:

tasklist /svc /fi “imagename eq svchost.exe”

Then I waited and clicked enter on the command exactly when my PC was accessing those 2 domains.

Checked Wireshark for the same time and found the packets being sent to the pi-hole to check the DNS of those two domains.

Double clicked the packets and scrolled down to find the Source Port numbers:
57098 and 65208

Switched to Process Monitor and located the processes captured during the same time that was using those same Source Port numbers.

Double clicked and now I had:

  • the PID (1576),
  • the Path (C:\Windows\system32),
  • the Command Line parameters (-k NetworkService) and
  • the process name (svchost.exe)

Unfortunately, it’s the ubiquitous svchost.exe

Switch to Windows Powershell and checked out the results from when I ran the tasklist command.
PS C:\Users\MyPC> tasklist /svc /fi “imagename eq svchost.exe”

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc

Now I have the Services behind svchost.exe.

Then I went into the Registry and found the Registry Entries for each of the 4 Services and that gave me the DLL files and the file paths. They’re all under %SystemRoot%\System32:

CryptSvc = cryptsvc.dll
Dnscache = dnsapi.dll
LanmanWorkstation = wkssvc.dll
NlaSvc = nlasvc.dll

Ran system filechecker with command

sfc /scannow
Windows Resource Protection did not find any integrity violations.

Scanned each file with MalwareBytes and Avira.
Nothing found.

Decided to check each service’s Display Name and Description:
CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer’s name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Now I’m stumped. Do I stop each service and see if it stops access? Or bypass Pi-Hole and see if my PC is still accessing these domains every minute?


#27

Hi,

Unless your wimdows install is complicated …jank in the dvd or usb key and re-install your pc.
Thats much faster.
Unless you like troubleshooting.


#28

At this point, I need to find the issue and resolve it. It’s a matter of pride. Never been beaten by a computer issue in the past, though this is one of the toughest I’ve encountered.

Going to try a clean boot on the PC and see if that helps.


#29

OK,

have fun, but as far as this forum concerend this ticket should be closed.


#30

Sounds a bit harsh.
Sounds like those commercial companies that treat you like a number :smiley:
My opinion, if it can contribute to others finding an answer, it can stay open indefinitely.


#31

Matter of opinion.
He/she has received the answer: machine is compromised. Has nothing to do with pihole anymore.
Personaly I would not even risk booting this machine on the network without a re-image.
I see the challenge, but its’a waste of time.