Unwanted ads in Safari (nothing seems to work)

Step 1

Please back up all data.

Unlock the Network preference pane, if necessary, by clicking the lock icon in the lower left corner and entering your password.

Cllck Advanced and select the TCP/IP tab in the sheet that drops down. Near the top, you'll most likely see this:

Configure IPv4: Using DHCP

If that's not what you see, stop here and ask for instructions.

Otherwise, select the DNS tab and delete all the DNS Servers from the list on the left by selecting them and clicking the minus-sign button below. Click OK, then Apply. If the server addresses are grayed out and can't be deleted, go to Step 2.

Select the DNS tab again. The server list should have been automatically repopulated with at least one address, and you should have normal Internet access. If so, you can close the preference pane.

If the server list is empty, go back to the TCP/IP tab and click

Renew DHCP Lease

Check the DNS server list again. If it's still empty, click the plus-sign button and enter this:

8.8.8.8

That's Google DNS, which I don't recommend for more than temporary use. Click OK, then Apply, and ask for instructions.

Step 2

Your router has been hacked to direct DNS queries to a malicious server.

Follow the manufacturer's instructions to reset the router to the default state. Usually that involves inserting the end of a straightened paper clip or a similar tool into a pinhole somewhere in the back of the device, and pressing a switch inside for about 15 seconds. The pinhole may be marked "RESET."

Repeat the initial setup process. Make sure the router does not allow remote setup from the Internet (WAN port), if it has that feature—most do. The DNS servers should be set automatically by your ISP. If you still have trouble with those servers selected, contact your ISP.

Check the router manufacturer's website for a firmware update.

If you have a wireless network, it must be secured with WPA 2 encryption. The passwords for the network and the router must each be a string of at least 10 random upper- and lower-case letters and digits, and they should be different. Any password that you can remember is weak.

That's because your router has been hacked.

Maciek Lazowski wrote:

OK now the ads are showing up on Safari on my iPhone.

Yup, that's the final proof that your network hardware has been hacked. Your iPhone was probably using cached good DNS data, and thus was still working temporarily.

Note that the procedure for cleaning up your hardware will depend on which specific hardware was hacked (which may or may not be the wireless router, depending on your setup), as well as what that hardware is. Changing the password and restarting the device isn't sufficient. Upgrading the firmware usually is, but all network hardware varies, so there are no guarantees. If that does fix it, you may still need to reset the router's settings to remove the remaining traces of the hack.

As mentioned in that link that I sent you, the best way to deal with the problem is to first determine conclusively which device is at fault (if you have separate network devices, rather than one single comprehensive one), then contact the manufacturer of the device for further instructions.

Please remember that if you don't fix the vulnerability in the router, the same thing will probably happen again. No default or weak passwords, no insecure network, and no configuration from the Internet side.