
Mac OSX 10.6.8 web browsing hijacked

I seem to have contracted some sort of trojan or malware, or have some sort of DNS changer that I inadvertently installed... or somehow got on my system.


When browsing in any browser (I have used Safari, Chrome, and Firefox), I am often redirected to a Chinese advertisement site (shouldn't be too surprising, as I live in China). At first, I thought it was the ISP that was redirecting, but after having experienced this issue over the past week at numerous locations, I'm pretty sure my machine has a problem that needs to be figured out.


I have tried MacScan and the DNSChanger removal tool. I have tried dumping the cache in the Terminal. I have deleted my Flash cookies and all browsing history/cache files. I've tried a few other things that I thought might work as I found them on older posts for similar issues. None of these have resolved the issue.


The only thing I can think of that may have caused it is that I was recently staying at a hotel and having issues with their internet. They sent an "IT" guy to fix it and he made some changes to the network settings (I wasn't paying close enough attention to what he was doing)... In the end, the internet never worked at that hotel and from that point forward, I've had this problem. I can't say there is cause and effect with that, but correlation for sure.


The site I'm being directed to is: nfdnserror5.wo.com.cn:8080/issueunziped/baidunf120718/index1.jsp?sf=&UserUrl=www.facebook.com


I'm running a MacBook Pro 13"

Mac OSX 10.6.8

All my browsers are up to date.


Any ideas? Am I forgetting any important details?

Mac Pro, Mac OS X (10.6.8)

Posted on Jul 30, 2012 4:21 AM

23 replies

Nov 7, 2012 5:43 PM in response to daav2001

Hi all,


I am living in China and getting the same thing. It's very recent but it seems China Unicom are trying to take over Google, BBC, NYT and other URLs and point you to their own web services (of course fully supported by the Chinese Government). Behaviour is very sporadic, sometimes Chrome, but mostly Firefox. I have checked hosts files, DNS, everything, and the only way to stop it is to delete all cookies and history from the browser after infection and restart. It's a total pain as I have the Google double sign-in system turned on and I have to re-authenticate twice to get into my Gmail.


I also have the greyed out DNS entries but they are legit servers - Google 8.8.8.8 and our company one. Maybe they are taking over the Google 8.8.8.8 in the Great Firewall of China? However, once infected and I am in my office (which has a tunnel through the Chinese firewall) I still get the redirect, and from reading this thread users returning to the USA are still infected, so it cannot be the GFC!


The thing that makes me think it's not DNS is, on the same system I can have it happen in Firefox but not Chrome at the same time, unless the cookies can somehow override DNS.


I can also see that a site actually begins to load and then sometime through the page load (before it completes) the redirect happens.


I would love to know how they are doing this but I don't want to share my cookies with the world! I am 90% convinced this is where it's happening.


Any ideas from any of the big brains out there?

Jul 30, 2012 5:00 AM in response to herger

Herger, thanks for your quick response!


I am not sure what you mean by rebuilding my Internet connection. I have tried creating a new "location" thinking that may reset the ip/DNS settings, it didn't work.


I have tried it via LAN cable, Wi-Fi, and using my iPad's 3G and tethering via USB. All of which have the same problems, though the USB tethering seems to have the least issue (occurrences of being redirected are more seldom).

Jul 30, 2012 5:55 AM in response to daav2001

Open the System Preferences and click on Network. With your Ethernet connection in the left column selected, click Advanced at the lower right. Click on the DNS tab. If there are any DNS Server addresses there other than your router's address, delete them. Your router will always be a local domain, the same as, or similar to 192.168.0.1. Leave that one and remove any others.

Jul 30, 2012 12:39 PM in response to daav2001

Just add the new ones above; the greyed out ones will be ignored or even replaced. I would suggest the DNS servers from OpenDNS, which are patched against DNS poisoning/redirects.


You don't need to go to the OpenDNS site to use OpenDNS. Simply open Network > Advanced > DNS in System Preferences and enter the following numbers for the interface you use, e.g. AirPort or Ethernet:


208.67.222.222


208.67.220.220


Hit OK and then Apply. Make sure those numbers are entered above any others you may have there.


To check to see if it's working:


http://www.opendns.com/welcome/


EDIT: The greyed out ones are from China Telecom. That would appear to explain the redirects.


See


http://macs.about.com/od/networking/qt/configure-your-macs-dns.htm


Message was edited by: WZZZ

Jul 30, 2012 5:10 PM in response to WZZZ

Thanks WZZZ,


After trying out a bunch of things, I was still having the issue of searches being redirected, but I discovered that the issue now seems to be only when using MS's Bing search engine. Google and Yahoo don't seem to be redirected any more. I guess China just hates Microsoft?


Also, using my VPN (Astrill) prevents the redirect from occurring. Very strange problem that I think I can manage now (just don't use Bing).


If any of you have more thoughts on this, please share! But for now... I'm going to give up trying to figure it out as it was starting to feel like I was beating my head against the wall.


Thanks all!

Jul 30, 2012 6:31 PM in response to daav2001

There are no OpenDNS servers in China; the closest is Singapore.



Run all of the free 10.6 OnyX maintenance and cache cleaning routines and reboot at the end.


http://joel.barriere.pagesperso-orange.fr/dl/106/OnyX.dmg



Disconnect from the network, create a new Admin account, log into it and create a new location and then connect directly to the router and reset it so it gets a new IP address.


Run through the list of fixes here, especially #8 Reinstall Just OS X, then Software Update fully.


Step by Step to fix your Mac

Jul 31, 2012 1:41 AM in response to daav2001

daav2001 wrote:


I'm seeing the infamous 'greyed out' DNS addresses showing up. I can't delete them, or at least I don't know how. They are 202.96.199.133 and 202.96.209.5.

They appear to be legit DNS servers belonging to CHINANET Shanghai province network, almost certainly provided by your ISP.


There could be entries in your hosts file for Bing which will override DNS.


In the Finder select Go -> Go to Folder... In the "Go to the folder:" box type "/etc/" without quotes and click the "Go" button.

Select "hosts" and double-click to open it in TextEdit. If it says more than:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

you are infected. Copy and paste the rest of what you see here.
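The hosts-file check described in the reply above can be done by eye, but the same comparison is easy to script. The following is an added example (not code from the thread or from Apple): it parses hosts-file text, drops everything that matches the stock Mac OS X 10.6 entries quoted above, and labels each leftover line by whether it maps a name to a local address or to a remote one (the latter being what a search-engine or site redirect would look like). The sample input is constructed, and 203.0.113.10 is a documentation address, not a real server.

```python
import ipaddress

# Stock /etc/hosts shipped with Mac OS X 10.6, as quoted in the reply above.
DEFAULT_HOSTS_TEXT = """##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
"""

DEFAULT_ENTRIES = {
    ("127.0.0.1", "localhost"),
    ("255.255.255.255", "broadcasthost"),
    ("::1", "localhost"),
    ("fe80::1%lo0", "localhost"),
}


def parse_hosts(text):
    """Return (address, hostname) pairs, one per name, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # malformed line with no hostname
        address = fields[0]
        for name in fields[1:]:
            entries.append((address, name))
    return entries


def is_local_address(address):
    """True for loopback / link-local targets; anything else sends the name off-box."""
    try:
        ip = ipaddress.ip_address(address.split("%", 1)[0])  # strip IPv6 zone id
    except ValueError:
        return False
    return ip.is_loopback or ip.is_link_local


def unexpected_entries(text, defaults=DEFAULT_ENTRIES):
    """Entries absent from the stock 10.6 file, each with a short verdict."""
    findings = []
    for address, name in parse_hosts(text):
        if (address, name) in defaults:
            continue
        verdict = "local mapping" if is_local_address(address) else "redirects to remote host"
        findings.append((address, name, verdict))
    return findings


# Constructed sample: the stock file plus one injected line pointing bing.com
# at a documentation address (RFC 5737), so nothing here is a real server.
SAMPLE_HIJACKED = DEFAULT_HOSTS_TEXT + "203.0.113.10 www.bing.com bing.com\n"


if __name__ == "__main__":
    # On the affected Mac, pass the real file instead: open("/etc/hosts").read()
    for address, name, verdict in unexpected_entries(SAMPLE_HIJACKED):
        print(f"{name:20} -> {address:16} ({verdict})")
```

Anything reported as "redirects to remote host" is worth pasting into the thread as the reply asks; a "local mapping" is usually an ad-blocking entry the user added on purpose.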

Oct 16, 2012 4:54 PM in response to MadMacs0

Just had a corporate user come back from China with the same issue on his Lion MacBook Air. Same wo.com.cn URL up to the end part, where it referenced our corporate reporting site rather than Facebook. Using Chrome, any time he tried to access the reports it took him to the same Chinese website with popups and popunder windows. The corporate report URL could be used just fine in Safari, and I checked the Network pref pane Advanced settings to confirm that no proxy settings were changed system-wide. So the problem was just the single redirected link in Chrome.


Fix was to delete all browsing data (which includes cookies) in Chrome and restart Chrome. I tried just deleting all the cookies from the wo.com.cn site and restarting Chrome, but that didn't work. So the scope was different from what was reported above by the OP, but the problem was the same basic URL from using hotel networks in China.

Nov 7, 2012 6:16 PM in response to daav2001

I have now opened the cookies.sqlite-wal and found a load of code in there with the same URL as my redirect - http://lndnserror2.wo.com.cn:8080/issueunziped/baiduln121107/index2.jsp?UserUrl=mail.google.com close to references to BBC, Google, YouTube etc.


As I said, I don't want to publicly share my cookies' contents as I am paranoid about security, but I am now 99.9% sure the cookies are being altered in the browsers to redirect all traffic to Google / BBC and others. Lovely, lovely China.


Why can't the guys at Anonymous do something useful and bring down the Chinese internet system!


Cheers.


Oh - just in case anyone is reading this - delete your cookies and restart the browser, only way to fix the problem.
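The poster above found the redirect URL inside Firefox's cookie store by opening the file by hand. The following is an added example, not code from the thread: it queries a cookies.sqlite-style database for cookies set by a given domain, or whose value embeds a URL pointing at that domain (the wo.com.cn pattern reported in this thread), so the suspect rows can be listed without sharing the whole cookie jar. The in-memory database is a constructed stand-in with a subset of the real moz_cookies columns; the rows are sample data except the redirect URL, which is the one quoted above.

```python
import os
import re
import shutil
import sqlite3
import tempfile

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def under_domain(host, domain):
    """True if host equals domain or is a subdomain; Firefox stores domain cookies with a leading '.'."""
    host = host.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def suspicious_cookies(conn, suspect_domain):
    """Rows set by suspect_domain, or whose value carries a URL to it."""
    findings = []
    query = "SELECT host, name, value FROM moz_cookies ORDER BY id"
    for host, name, value in conn.execute(query):
        if under_domain(host, suspect_domain):
            findings.append((host, name, "set by suspect domain"))
            continue
        for embedded in URL_HOST_RE.findall(value or ""):
            if under_domain(embedded, suspect_domain):
                findings.append((host, name, "value embeds URL to suspect domain"))
                break
    return findings


def build_sample_db():
    """Constructed in-memory stand-in for cookies.sqlite (subset of the real moz_cookies columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, "
        "host TEXT, path TEXT, expiry INTEGER)"
    )
    rows = [
        # (name, value, host, path, expiry) - sample values, not from a real profile
        ("SID", "opaque-session-token", ".google.com", "/", 1400000000),
        ("uid", "42", "www.bbc.co.uk", "/", 1400000000),
        # redirect URL as quoted in the post above, stored under a legitimate host
        ("rd", "http://lndnserror2.wo.com.cn:8080/issueunziped/baiduln121107/"
               "index2.jsp?UserUrl=mail.google.com", "mail.google.com", "/", 1400000000),
        ("tr", "1", "nfdnserror5.wo.com.cn", "/", 1400000000),
    ]
    conn.executemany(
        "INSERT INTO moz_cookies (name, value, host, path, expiry) VALUES (?, ?, ?, ?, ?)", rows
    )
    conn.commit()
    return conn


def open_profile_copy(cookie_db_path):
    """Copy cookies.sqlite and its -wal sidecar to a temp dir and open the copy.

    Firefox keeps the live file locked, and the poster found the data in the WAL
    file, so the sidecar must travel with the database for sqlite to see those rows.
    """
    workdir = tempfile.mkdtemp()
    for suffix in ("", "-wal", "-shm"):
        src = cookie_db_path + suffix
        if os.path.exists(src):
            shutil.copy2(src, os.path.join(workdir, "cookies.sqlite" + suffix))
    return sqlite3.connect(os.path.join(workdir, "cookies.sqlite"))


if __name__ == "__main__":
    # For a real profile on the Mac:
    #   conn = open_profile_copy(os.path.expanduser(
    #       "~/Library/Application Support/Firefox/Profiles/<profile>/cookies.sqlite"))
    conn = build_sample_db()
    for host, name, reason in suspicious_cookies(conn, "wo.com.cn"):
        print(f"{host:28} {name:6} {reason}")
```

Only the host and cookie name are printed, never the value, which answers the poster's concern about exposing cookie contents while still showing which entries to delete.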

Nov 7, 2012 6:24 PM in response to daav2001

HOLD THE PRESS!


Just spotted something else in Firefox.


Go to the Help menu, Troubleshooting Information.


In the displayed list look at your important modified preferences. I had a modified preference for Keyword search which looked very strange; anyway, I pressed the "Reset Firefox" button and voila, all fixed without deleting cookies.


Cool, let's hope I have found an easy fix for Firefox.


Cheers
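The "Keyword search" entry the poster saw under Troubleshooting Information corresponds to a preference in the profile's prefs.js (keyword.URL, which Firefox versions of that era used for address-bar searches). As an added example, not from the thread, the script below parses prefs.js user_pref lines, looks at the handful of preferences that steer search and startup navigation, and flags any that point at a host outside an allowlist. The allowlist, the sample prefs.js and the redirect host are assumptions for the example; the profile path in the comment is the normal Firefox location on a Mac.

```python
import glob
import os
import re
from urllib.parse import urlparse

# Preferences that steer where searches and startup navigation go. keyword.URL
# is the one behind "Keyword search" in the post (present in 2012-era Firefox).
WATCHED_PREFS = (
    "keyword.URL",
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
)

# Hosts these prefs may legitimately point at; an assumption for this example,
# to be adjusted for the user's own search engine and homepage.
TRUSTED_HOSTS = ("google.com", "bing.com", "yahoo.com", "mozilla.org", "mozilla.com")

USER_PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.*?)\);\s*$')
URL_RE = re.compile(r"https?://[^\s\"'|]+")


def parse_prefs(text):
    """Map pref name -> raw value; string values lose their surrounding quotes."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def is_trusted(host):
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_prefs(text, watched=WATCHED_PREFS):
    """(pref, host) for every URL in a watched pref whose host is not allowlisted."""
    findings = []
    prefs = parse_prefs(text)
    for name in watched:
        value = prefs.get(name)
        if value is None:
            continue
        for url in URL_RE.findall(value):
            host = urlparse(url).hostname
            if host and not is_trusted(host):
                findings.append((name, host))
    return findings


# Constructed sample prefs.js; redirect.example.invalid is a placeholder host.
SAMPLE_PREFS = '''# Mozilla User Preferences (constructed sample, not a real profile)
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("keyword.URL", "http://redirect.example.invalid:8080/index.jsp?UserUrl=");
user_pref("browser.search.selectedEngine", "Google");
user_pref("network.cookie.cookieBehavior", 0);
'''


def scan_profiles():
    """Scan every Firefox profile on this Mac; returns {prefs.js path: findings}."""
    pattern = os.path.expanduser("~/Library/Application Support/Firefox/Profiles/*/prefs.js")
    results = {}
    for path in glob.glob(pattern):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = suspicious_prefs(fh.read())
    return results


if __name__ == "__main__":
    print("sample:", suspicious_prefs(SAMPLE_PREFS))
    for path, findings in scan_profiles().items():
        print(path, findings or "clean")
```

A hit on keyword.URL matches what "Reset Firefox" cleared for the poster; the same check on browser.startup.homepage catches the homepage variant of the hijack.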
