Windows 11 / 6100 PfSense continues to be hacked and can't stop it

I can’t eliminate the script or whatever continues to run and escalate privileges after reformatting and starting a clean version of Windows. I found a RDP log prior to formatting and noticed several interfaces inside my PfSense firewall that didn’t show up in the PfSense GUI arp table or interface listings. Static IP addresses are being used under the following subnets: 172.24.224.0/24, 172.22.32.1/24, 172.28.80.1/24, 10.5.0.2. My networks were 192.168.220.0/24, 192.168.150.0/24. The common static IP addresses appearing under each interface are 239.255.250.250 & 239.255.255.250.

Why can’t I see these interfaces inside Pfsense and why are these IP addresses able to hide from the firewall’s diagnostic tools? Any help would be greatly appreciated.

Don’t open up RDP to the public internet, addresses starting with a number between 224 and 239 are used for IP multicast and the 172.X and 10.X addresses are RFC1918 private addresses. If these addresses are not defined in pfsense they don’t route through pfsense but they may show up in the ARP list if some device on the network is using them.

it is possible that the DNSBL (DNS Blackhole list) is configuring an internal IP address in the 10.x.y.z range. The default address is [ 10.10.10.1 ]. Check the settings under /pfblockerng/pfblockerng_dnsbl.php
Are you sure that your installation media is not compromised (check digest)?
Are you restoring a backup configuration or building new from scratch?

Thanks for your quick response and my apologies for my delayed response.

How to make certain RDP is closed to the public internet and eliminate the IP multicast?

RDP is closed by default unless you open it.

I noticed I have rule set that states “let out anything IPv4 from firewall host itself” and “let out anything from firewall host itself”. Both are showing quite a bit of activity. It’s listed as rule 56 & 57…How do I find those particular rules and modify them?

Appreciate your help!!

Send a screenshot on what you’re talking about? By default, the lan interface will allow everything but the incoming traffic coming into WAN will be blocked.