You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

DNS = 85.255.113.114?

Grayed-out, this and a second DNS server address appear in System Prefs > Network > Ethernet > DNS servers on a MacBook Pro running OS 10.5.8. Servers appear to be in Amsterdam, might be connected to Netflix? In any case, I cannot change/delete these as they seem to be reset every few minutes when machine is online. They go away when offline.


Added OpenDNS servers hoping they'd replace these two, but they were only added below grayed-entries then disappeared.

Suggestions anybody?


<Edited by Host>

Posted on Feb 29, 2012 10:56 AM

Reply
Question marked as Top-ranking reply
7 replies
Question marked as Top-ranking reply

Feb 29, 2012 5:13 PM in response to BDAqua

You're right, it's a nasty, persistent lil' bugger.

Thank you for putting me on the right track, BD.


Appears to be two critters onboard: "plugins.setting" and "Mozillaplug.plugins" - no sign of 3rd "sendreq" file. Nothing else running/pending that I can find. We'll see what MacScan does.


(MacScan no longer appears to be posted on Apple's site for some reason.)

Apple store-listed utility apps (all):

http://store.apple.com/us/browse/home/shop_mac/software/utilities?s=alpha


Thinking OS upgrade with new/current security would help (10.6+ at least), along with anti-virus app (for those who might download a trojan). Been a walk down memory lane reading about Mac malware past and present, haven't missed all that jive, but here we are.....


DNS IP addresses were edited out of my post, but there are a dozen of 'em listed by Symantec in a nice writeup about the RSPlug-A/Puper trojan (2007): http://www.symantec.com/security_response/writeup.jsp?docid=2007-110101-2320-99& tabid=2


Thanks again! Workin' on it.....

;-)

Mar 1, 2012 4:22 PM in response to BDAqua

Quick followup here.....

MacScan ran all afternoon but found nothing. :-(


Gray DNS Server entries keep coming back - as soon as ethernet or Airport is connected.

Meanwhile, Console's System log shows a new entry every minute, over and over:

"...Could not setup Mach task special port 9: (os/kern) no access"

"...Could not setup Mach task special port 9: (os/kern) no access"

"...Could not setup Mach task special port 9: (os/kern) no access"

"...Could not setup Mach task special port 9: (os/kern) no access"


Tried the suggested chrontab commands, result was the same in all cases: "Command not found."


DNS server entries finally went away after deleting three known problem files:

/Library/Internet Plug-Ins/plugins.settings

/Library/Internet Plug-Ins/Mozillaplug.plugins

/Library/Internet Plug-Ins/QuickTime.xpt

(plus the "sendreq" file that apparently deletes itself)


However, those "...Could not setup Mach task special port 9: (os/kern) no access" error messages keep coming to System log each and every minute.

Next step will an upgrade from OS 10.5.8 to the top of 10.6 Snow Leopard which should eliminate those error messages and better secure DNS entries, yes?


More info on this annoying problem may be found here:

"Mach port 9 trouble" thread:

https://discussions.apple.com/thread/1593565?answerId=7543410022#7543410022&messageID=7543410#7543410?messageI D=7543410


"Could not setup Mach task special port 9" thread:

https://discussions.apple.com/thread/2094558?tstart=0


MacWorld article about the OSX.RSPlug.A trojan:

http://www.macworld.com/article/60823/2007/10/trojanhorse.html

Mar 1, 2012 6:21 PM in response to BDAqua

Four machines connected to router (+1 wireless), none of them have the "85.xxx.113.xxx" and "85.xxx.112.xxx" DNS server addresses except the one (infected, 10.5.8) notebook. All other machines have correct ATT server/network info. But, whathaheck, no harm in resetting router. (Have to do that periodically anyway, seems like.)


Those "85" servers only disappeared (on the one notebook) when I got rid of the 3rd and last Internet Plug-In file, QuickTime.xpt. No doubt about it, you were right, BD. That machine had the DNS trojan x3 going back to 2009 and possibly back to 2007 (along with a slew of other crud!).


BTW: I've had lil'Snitch onboard for years - amazing how much background traffic goes on these days. Probably enough to scare most folks, and not without reason. Might havta pull the ethernet plug when offline ;-)

As for security, yeah, hard to find suspects with so many places to hide now - especially with no help from Spotlight.


Thanks again for all your help over the years!

DNS = 85.255.113.114?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.