Ultimate-Hosts-Blacklist / Ultimate.Hosts.Blacklist

The Ultimate Unified Hosts file for protecting your network, computer, smartphones and Wi-Fi devices against millions of bad web sites. Protect your children and family from gaining access to bad web sites and protect your devices and pc from being infected with Malware or Ransomware.

gatekeeper.tss.net #81

Closed xxcriticxx closed 6 years ago

xxcriticxx commented 6 years ago

@mitchellkrogza or @funilrys, what is this domain used for? My pihole went crazy on it. When was this added?

mitchellkrogza commented 6 years ago

@xxcriticxx, what do you mean it went crazy? I will have to see which input source this came from.

mitchellkrogza commented 6 years ago

@xxcriticxx it comes in from this source:

https://raw.githubusercontent.com/eladkarako/hosts.eladkarako.com/master/build/hosts_adblock.txt

mitchellkrogza commented 6 years ago

./_HOSTS_AdBlock/domains.txt:cdn.gatekeeper.tss.net
./_HOSTS_AdBlock/domains.txt:gatekeeper.tss.net
./_HOSTS_AdBlock/domains.txt:www.gatekeeper.tss.net

xxcriticxx commented 6 years ago

What is this domain used for? My pihole blocked about 2000 connections from this domain.

xxcriticxx commented 6 years ago

Google vaguely suggests that this may be spyware, so I need to know if I should worry or not.

mitchellkrogza commented 6 years ago

Can you install rkhunter on your Pi and make sure everything is OK and it has never been compromised?

mitchellkrogza commented 6 years ago

Possibly also scan with clam too.

mitchellkrogza commented 6 years ago

@xxcriticxx not sure if this is related or not > https://forums.malwarebytes.com/topic/191746-removal-instructions-for-tss-vince/

mitchellkrogza commented 6 years ago

@xxcriticxx it is malware: Trojan Kuluoz. See: http://www.malwareurl.com/ns_listing.php?as=AS7385

mitchellkrogza commented 6 years ago

I suggest inspecting all your PCs, phones and tablets on your network very carefully to see if one of them is infected. The Trojan seems aimed at Windoze systems, so I would start there if you have any.

xxcriticxx commented 6 years ago

I've got pihole running on a regular PC, not a Pi 3.

xxcriticxx commented 6 years ago

Any recommendation on a program?

mitchellkrogza commented 6 years ago

Suggestion: download one or more of these bootable live antivirus / malware CDs and check the PC is not infected > https://www.lifewire.com/free-bootable-antivirus-tools-2625785. With a live CD you can boot from it and scan the entire drive without the OS loading. It's the only proper way to check, as any malware will evade any malware scanners you try to load into the OS.

xxcriticxx commented 6 years ago

Let me first try and see what Malwarebytes finds. Then I'll go for a live CD for deeper cleaning.

smed79 commented 6 years ago

Let me first try and see what Malwarebytes finds.

Also check using AdwCleaner: https://www.malwarebytes.com/adwcleaner/

xxcriticxx commented 6 years ago

@SMed79 that's part of Malwarebytes now, right?

mitchellkrogza commented 6 years ago

@xxcriticxx If you never had your pihole and this list, you would never have discovered this. When you say it went crazy, it sounds like any malware which, when you block its outgoing connections, goes absolutely mental. Can you provide me with a full log of all the things it blocked when it went crazy, so I can analyze that?

xxcriticxx commented 6 years ago

We still don't know what it is; let's hope I find it.

This is the connection for right now:

[screenshot: capture]

xxcriticxx commented 6 years ago

4 connections every 5 minutes or so:

Oct 17 11:18:18 dnsmasq[4737]: /etc/pihole/gravity.list gatekeeper.tss.net is 192.168.1.131
Oct 17 11:18:18 dnsmasq[4737]: /etc/pihole/gravity.list gatekeeper.tss.net is 192.168.1.131
Oct 17 11:18:18 dnsmasq[4737]: /etc/pihole/gravity.list gatekeeper.tss.net is 192.168.1.131
Oct 17 11:18:18 dnsmasq[4737]: /etc/pihole/gravity.list gatekeeper.tss.net is 192.168.1.131
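
The log lines quoted above are only the gravity.list block replies; the "query[A] <domain> from <client>" line that dnsmasq writes just before each reply names the LAN device that asked, which is what this thread is trying to find. The following script is an added example (not code from the issue thread or the Ultimate.Hosts.Blacklist project) that parses a constructed sample of /var/log/pihole.log lines, lists the querying clients for a domain and its subdomains, and reports the gaps between their queries so periodic beaconing stands out:

```python
"""Find which LAN client keeps asking Pi-hole for a blocked domain.
Added example, not from the thread. The "query[A] <domain> from <client>"
line dnsmasq logs before each gravity.list reply names the asking device;
the gaps between those queries expose a beacon period."""
import re
from collections import defaultdict
from datetime import datetime

QUERY_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")


def parse_queries(lines, domain):
    """Return {client_ip: [timestamps]} for queries of `domain` or its subdomains."""
    hits = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # reply/forward lines carry no client address, skip them
        ts, qname, client = m.groups()
        if qname == domain or qname.endswith("." + domain):
            hits[client].append(datetime.strptime(ts, "%b %d %H:%M:%S"))
    return dict(hits)


def beacon_intervals(timestamps):
    """Seconds between consecutive queries from one client (regular gaps = beaconing)."""
    ts = sorted(timestamps)
    return [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]


# Constructed sample in the format of /var/log/pihole.log. 192.168.1.131 is the
# Pi-hole itself (as in the thread); .50 is a hypothetical infected client, .20 a clean one.
SAMPLE_LOG = """\
Oct 17 11:13:18 dnsmasq[4737]: query[A] gatekeeper.tss.net from 192.168.1.50
Oct 17 11:13:18 dnsmasq[4737]: /etc/pihole/gravity.list gatekeeper.tss.net is 192.168.1.131
Oct 17 11:13:19 dnsmasq[4737]: query[A] www.example.com from 192.168.1.20
Oct 17 11:13:19 dnsmasq[4737]: forwarded www.example.com to 8.8.8.8
Oct 17 11:18:18 dnsmasq[4737]: query[A] gatekeeper.tss.net from 192.168.1.50
Oct 17 11:18:18 dnsmasq[4737]: /etc/pihole/gravity.list gatekeeper.tss.net is 192.168.1.131
Oct 17 11:23:18 dnsmasq[4737]: query[A] cdn.gatekeeper.tss.net from 192.168.1.50
Oct 17 11:23:18 dnsmasq[4737]: /etc/pihole/gravity.list cdn.gatekeeper.tss.net is 192.168.1.131
""".splitlines()


def report(lines=SAMPLE_LOG, domain="gatekeeper.tss.net"):
    """Map each querying client to (query count, gaps in seconds between its queries)."""
    return {c: (len(t), beacon_intervals(t)) for c, t in parse_queries(lines, domain).items()}


if __name__ == "__main__":
    for client, (count, gaps) in report().items():
        print(f"{client}: {count} queries, gaps {gaps} s")
```

On a real Pi-hole, feed it `open("/var/log/pihole.log")` instead of the sample; a client showing the same gap over and over is the device to pull off the network first.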

funilrys commented 6 years ago

Hello there,

All suggestions are great, but are we talking about Windows? 🤔

If we're talking about Windows, then you should execute netstat -b to get the PID of the program initiating the outgoing connections...

xxcriticxx commented 6 years ago

@funilrys this sends every 5 min; I don't think the connection would stay open that long.

funilrys commented 6 years ago

@xxcriticxx Well, with netstat -b 5 >> C:\connections.txt you can set the timeout (in this example 5 seconds).

xxcriticxx commented 6 years ago

@funilrys I still don't know what I am looking for. The gatekeeper IP?

funilrys commented 6 years ago

Yes, the repeating IP (from gatekeeper); then you get the PID of the program :)

Once you've got the PID, you can get the program name with something like tasklist /fi "pid eq PIDOFTHEPROGRAM" (I used that only once in my life, and it wasn't on the most recent build of Windows 😹).
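
The netstat-then-tasklist procedure above, worked through as an added Python example (not code from the thread): it parses the text `netstat -ano` prints on Windows (the -o column is the owning PID, which `tasklist /fi "pid eq N"` then names), tallies connections per PID to the suspect address, and builds that tasklist command. The netstat output below is constructed; 192.168.1.131 stands in for the Pi-hole sinkhole address a blocked domain resolves to.

```python
"""Pick out which local PID keeps connecting to a suspicious host.
Added example, not from the thread: parses constructed `netstat -ano` text,
counts connections per owning PID to the suspect address, and emits the
`tasklist /fi "pid eq N"` command from the thread to name the program."""
from collections import Counter
import subprocess
import sys

# Constructed netstat -ano output: PID 4120 beaconing to the sinkholed address,
# one ordinary HTTPS session (PID 2288) and a UDP listener with no State column.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.50:49712     192.168.1.131:80       SYN_SENT        4120
  TCP    192.168.1.50:49713     93.184.216.34:443      ESTABLISHED     2288
  TCP    192.168.1.50:49720     192.168.1.131:80       SYN_SENT        4120
  UDP    0.0.0.0:5353           *:*                                    1180
"""


def split_host(addr):
    """'192.168.1.131:80' -> '192.168.1.131'; '[::1]:80' -> '::1'; '*:*' -> '*'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def pids_talking_to(netstat_text, suspect_hosts):
    """Count connections per PID whose foreign address is one of suspect_hosts."""
    hits = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header or blank line
        if split_host(fields[2]) in suspect_hosts:
            hits[int(fields[-1])] += 1  # PID is always the last column
    return dict(hits)


def tasklist_command(pid):
    """The tasklist filter from the thread, as an argument list for subprocess."""
    return ["tasklist", "/fi", f"pid eq {pid}"]


if __name__ == "__main__":
    # Live use on Windows: take real netstat output instead of the constructed sample.
    text = (subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
            if sys.platform == "win32" else SAMPLE_NETSTAT)
    for pid, n in pids_talking_to(text, {"192.168.1.131"}).items():
        print(pid, n, " ".join(tasklist_command(pid)))
```

Run it in a loop at the beacon interval the Pi-hole log showed (every 5 minutes here), since the connection is short-lived and a single snapshot can miss it.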

xxcriticxx commented 6 years ago

It's going to be very funny if I don't find shit.

xxcriticxx commented 6 years ago

3 hrs of scanning and found nothing :(

xxcriticxx commented 6 years ago

@mitchellkrogza any other ideas on how to catch this something?

xxcriticxx commented 6 years ago

@funilrys netstat only shows the local IP, not the external one.

mitchellkrogza commented 6 years ago

No idea, truly sounds like something is hiding on your pc and hiding itself real good. How many of those different bootable virus scan discs have you tried?

funilrys commented 6 years ago

@xxcriticxx No ... I think you need a deep cleaning ... 'Cause the command I gave shows the remote address, not the local address ...

xxcriticxx commented 6 years ago

Zero, am going to try them today. I scanned my Win PC and found only tracking cookies.

mitchellkrogza commented 6 years ago

VITAL VITAL VITAL that you scan with a bootable virus and malware scanner CD. You cannot scan from inside the system at all; these things are FAR too clever and will hide themselves from every single scanner. Most of those things are so clever they rename themselves constantly and keep moving their malware to different locations on your HDD, so detection becomes impossible.

xxcriticxx commented 6 years ago

Ok, will do that today.

If only I knew what IP it used on the inside of the network, then I would have fewer computers to scan.

mitchellkrogza commented 6 years ago

It would never reveal that, because the malware is simply trying to contact tss.gatekeeper.net using your local IP, that's all.

mitchellkrogza commented 6 years ago

How many PCs do you have on your network?? Turn everything off. Then turn one on and watch, then turn it off. Then turn the next one on and watch. Keep doing this until you find which PC or device is infected.

xxcriticxx commented 6 years ago

A few computers, 6 maybe, but I have lots of IoT devices (thermostats, fire alarm, cams).

mitchellkrogza commented 6 years ago

Going to be a long day for you when you get home. Turn everything off, and I mean everything, and follow what I said to find which device is infected. Any IoT device could easily be infected; people's "intelligent" fridges and washing machines get hacked daily.

mitchellkrogza commented 6 years ago

Most IoT devices are horribly insecure, i.e. NO SECURITY at all.

mitchellkrogza commented 6 years ago

Have you also upgraded your wifi router firmware against the KRACK / WPA2 flaw???

xxcriticxx commented 6 years ago

No, I am on DD-WRT firmware.

mitchellkrogza commented 6 years ago

Have you confirmed you have the latest version and that it's not vulnerable to the NONCE WPA2 flaw?

xxcriticxx commented 6 years ago

No, I see the IPs connected to my router, everything from inside the house.

mitchellkrogza commented 6 years ago

That's great, but understand that the KRACK flaw is a MITM technique used to steal data from your wifi network without you knowing, and without the person even connecting to your network, simply sitting in the middle scanning anything that's not encrypted.

xxcriticxx commented 6 years ago

Yes, this is a home network, nothing major here.

Should I try Wireshark?

mitchellkrogza commented 6 years ago

For now stay focused; don't go wasting time with Wireshark. Check one device at a time as I described above, that's the only way you are going to find which device is doing that.

xxcriticxx commented 6 years ago

OK, everything is off; looking in my pihole log for gatekeeper.

xxcriticxx commented 6 years ago

@mitchellkrogza well it's not Windows related; the only machine on is the pihole and I just got it in the logs.

mitchellkrogza commented 6 years ago

So what are you running your pihole on? Windows?

xxcriticxx commented 6 years ago

Ubuntu 16.04

mitchellkrogza commented 6 years ago

Ok .... do you have rkhunter installed? And do you have clamav installed?