Novice - Code.Yengo.Com vanishing act 1
Credentials: https://www.linkedin.com/in/nick-kinn... Summary: It is a deep read, but based on my exposure to the Microsoft .NET codebase, I feel my suspicions are somewhat accurate.
To begin with, I noticed when I downloaded an old code base that my AntiForgeryToken, in the context of web development, was compromised, as I received an Invalid Token Argument Exception error. I was on a new box and it made little sense. Once I popped open some tools I noticed a certificate mismatch with code.yengo.com. The supposed fix was to add 127.0.0.1 code.yengo.com to my drivers/etc/hosts file, due to the fact that my AntiForgeryToken exception disappeared after doing so.
The dark turn.
Once I noticed this activity I put my computer on an isolated guest wifi network to block any further damage. I assigned myself a single IP range and left no room for any other machines to enter, or so I thought. Then NBNS requests started flooding my computer. I tried my best and eventually conceded defeat and was forced to reinstall. This occurred about a dozen times, due to the fact that I must download an update when reinstalling Windows 11.
The short version of this is that my audio driver was being updated to a malicious RealTech driver. The reason I know the Windows-updated driver was a malicious 'ReachTek' driver is that isolation storage turned off on my machine because of a .inf file being corrupted. I had to use further PowerShell knowledge to delete the driver from my box, which proved to be too late as a ghost was already in the machine causing problems. Not DISM, I mean another method I have forgotten.
I defeated this piece of the puzzle after 5 reinstalls, to eventually fire up 2 user accounts and isolate Windows Update to also ignore Windows Update drivers using PowerShell.
More dark turns. At this point I had code.yengo.com blocked, or so I thought. I ended up maintaining all of the drivers/etc, firewalls, NBNS disabled for IPv4, as IPv6 is completely disabled. It looked to be working, until I downloaded Baldur's Gate III from Steam "slash" ran some Windows Azure create-container resources. I cannot tell when the URL started reappearing, as I did both within the same hour.
Wireshark says this, which I do not understand. https://mail.google.com/mail/u/0?ui=2... It continues to go completely bonkers, like a trapped bee in a jar. https://mail.google.com/mail/u/0?ui=2...
Apologies for the formatting.
- 32457 1532.477589 code.yengo.com code.yengo.com TCP 44 64210 → ddi-tcp-1(8888) [ACK] Seq=8260 Ack=15585 Win=311808 Len=0
- 32458 1532.482585 code.yengo.com code.yengo.com TLSv1.3 79 Application Data
- 32459 1532.482626 code.yengo.com code.yengo.com TCP 44 ddi-tcp-1(8888) → 64210 [ACK] Seq=15585 Ack=8295 Win=2152960 Len ...
TLDR:
1. Set up localhost to redirect code.yengo
2. Start Wireshark to capture loopback
3. Open Steam and watch Wireshark go bonkers
4. $Profit
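As an added example (not code from the original post), a small Python triage script for the procedure above: it confirms the hosts-file pin the poster describes and summarises Wireshark packet-list lines like the ones quoted, so you can see which loopback port the redirected host is actually talking to. The hosts file and the three capture lines below are constructed from the post; the "lower port is the listener" rule is a heuristic.

```python
import re
from collections import Counter

# Constructed sample input (not from a real machine): a hosts file with the
# redirect the post describes, and the three packet-list lines it quotes.
HOSTS_TEXT = "# constructed\n127.0.0.1 localhost\n127.0.0.1 code.yengo.com\n"
CAPTURE_LINES = [
    "32457 1532.477589 code.yengo.com code.yengo.com TCP 44 64210 → ddi-tcp-1(8888) [ACK] Seq=8260 Ack=15585 Win=311808 Len=0",
    "32458 1532.482585 code.yengo.com code.yengo.com TLSv1.3 79 Application Data",
    "32459 1532.482626 code.yengo.com code.yengo.com TCP 44 ddi-tcp-1(8888) → 64210 [ACK] Seq=15585 Ack=8295 Win=2152960 Len=0",
]

# Wireshark packet list columns: No. Time Source Destination Protocol Length Info
PKT_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
# Info opens with "sport → dport"; Wireshark shows a resolved port as "ddi-tcp-1(8888)"
PORT_RE = re.compile(r"^(\S+?)(?:\((\d+)\))?\s+(?:→|->)\s+(\S+?)(?:\((\d+)\))?(?=\s|$)")

def parse_hosts(text):
    """Map every hostname in a hosts file to the address it is pinned to."""
    pinned = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, keep "ip name [name...]"
        for name in fields[1:]:
            pinned[name.lower()] = fields[0]
    return pinned

def parse_packet(line):
    m = PKT_RE.match(line)
    if not m:
        return None                                # not a packet-list line
    no, _t, src, dst, proto, length, info = m.groups()
    pkt = {"no": int(no), "src": src, "dst": dst, "proto": proto, "len": int(length)}
    pm = PORT_RE.match(info)
    if pm:                                         # prefer the number in "(8888)", else the bare port
        pkt["sport"] = int(pm.group(2) or pm.group(1))
        pkt["dport"] = int(pm.group(4) or pm.group(3))
    return pkt

def triage(hosts_text, lines, host):
    """What does the capture show for `host` once the hosts file pins it to loopback?"""
    pinned = parse_hosts(hosts_text)
    pkts = [p for p in map(parse_packet, lines) if p and host in (p["src"], p["dst"])]
    ports = Counter(p["dport"] for p in pkts if "dport" in p)
    return {
        "redirected_to": pinned.get(host.lower()),  # "127.0.0.1" means this traffic never leaves the box
        "packets": len(pkts),
        "tls_app_data": sum(p["proto"].startswith("TLS") for p in pkts),
        # heuristic: the low-numbered port is the local listener, the high one is ephemeral
        "listener_port": min(ports) if ports else None,
    }
```

The listener port it reports is the thing to resolve to a process next (for example `netstat -ano` or `Get-NetTCPConnection -LocalPort 8888 -State Listen`), because with the hosts entry in place only something running locally can be answering on it.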