SECURITY PROBLEM - Redirection URLs to www.internic.co.uk! How do I stop it

Is there a fix for this or Anti-Spyware, Anti-Virus Software for a Mac? This problem has persisted and I can only assume it is from a Hacker who has Hijacked my Browser somehow. I have had this problem for a couple of months and did report it as a bug to Apple already. I thought I had solved it when I found an entry in localhost file that should not have been there, it looked like this :: 1localhost. I also found a certificate pretending to be Verisign/RSA secure Server CA. I emptied my cache, deleted all cookies, set Firefox to check all certificates via Google, set my browser to alert me before accepting cookies, downloaded the latest Apple updates. It was running OK for a while, now it is back and took over my Internet Banking website today! I found an article on DNS Poisoning: http://www.omnicron.com/~ford/dnspoison.html
Apple Macs are not supposed to get Spyware, so I can only assume that some Hacker has found a way to attach a programme to a Browser that then goes into the Cache and is repeated.

I am usually in UK, at the moment I am in North Cyprus until April. I have a satellite dish on my roof and connect to 'Extend Broadband' ISP (in Kyrenia) by Ethernet Cable connection.

PLEASE help me understand how this has got into my Mac Firefox Browser and HOW do I get rid of it for good!!!
You can email me direct, please put 'Apple Answers' in the subject. Thanks.
Telea Juna
teleajuna@yahoo.com

MacBook, Mac OS X (10.4.8), Tiger OS

Posted on Feb 8, 2007 3:51 AM


Feb 8, 2007 4:39 AM in response to Telea

> I thought I had solved it when I found an entry in localhost file that should not have been there, it looked like this :: 1localhost.

You should put it back. This is IPv6 loopback resolution.

> I also found a certificate pretending to be Verisign/RSA secure Server CA.

Where? In Keychain Access > X509Anchors? This is normal, you won't be able to surf on many https web sites without warning if you remove it.

> I emptied my cache, deleted all cookies, set Firefox to check all certificates via Google, set my browser to alert me before accepting cookies, downloaded the latest Apple updates. It was running OK for a while, now it is back and took over my Internet Banking website today! I found an article on DNS Poisoning: http://www.omnicron.com/~ford/dnspoison.html

This has nothing to do with your problem, this is just a bug in very old versions of the BIND name server.

Now, can you be more specific about the exact problem? You can't connect to your bank web site? My English is far from perfect but I can't see in your message a description of your problem.

--
Why reward points ?

Feb 10, 2007 11:42 AM in response to Yann Bizeul

> > I thought I had solved it when I found an entry in localhost file that should not have been there, it looked like this :: 1localhost.
>
> You should put it back. This is IPv6 loopback resolution.
>
> > I also found a certificate pretending to be Verisign/RSA secure Server CA.
>
> Where? In Keychain Access > X509Anchors? This is normal, you won't be able to surf on many https web sites without warning if you remove it.
>
> > I emptied my cache, deleted all cookies, set Firefox to check all certificates via Google, set my browser to alert me before accepting cookies, downloaded the latest Apple updates. It was running OK for a while, now it is back and took over my Internet Banking website today! I found an article on DNS Poisoning: http://www.omnicron.com/~ford/dnspoison.html
>
> This has nothing to do with your problem, this is just a bug in very old versions of the BIND name server.
>
> Now, can you be more specific about the exact problem? You can't connect to your bank web site? My English is far from perfect but I can't see in your message a description of your problem.
>
> --
> Why reward points ?

Ok - the problem is that the website www.internic.co.uk and www.MyFamily.com have somehow taken over my Firefox browser. It starts by redirecting one web site, then gradually redirects all websites I type in the URL. I don't know how it is done and I don't know how to stop it. I received a Browser alert saying that www.MyFamily.com was pretending to be Verisign/RSA/secure server CA and it was not a true certificate. So I went into Firefox Preferences, Security, Advanced, looked at the Certificates there and found this Certificate and deleted it. This stopped the problem for a while. Then it came back and I checked the Certificates and the Certificate was back also.

Regarding the www.internic.co.uk I have been on various Forums and others know about this problem. It seems to occur when anyone incorrectly types in a web site address and it is redirected to www.internic.co.uk, it then goes into the Cache so that every time you type in that particular website it goes to internic instead of the website you want.

After I deleted all cookies and emptied my cache, etc. etc. my browser worked as usual for a while. Then, a few days ago I went to do my internet banking and typed in the address incorrectly, and internic was back!!!! Now I can't get rid of it and cannot do my banking online as it keeps going back to internic!!!

THIS IS A SERIOUS PROBLEM! I cannot believe the company Internic or MyFamily would deliberately design a programme that would take over people's Browsers, they would not get any business that way - so I can only presume it is a malicious Hacker trying to cause trouble.

It has disabled my Mac so I cannot do any research work, every web site now goes to internic.

I want to know HOW it is happening and HOW to STOP it finally for good?

DOES ANYONE OUT THERE HAVE A SOLUTION TO THIS SERIOUS SECURITY PROBLEM PLEASE?

Feb 10, 2007 12:03 PM in response to Telea

Several things I do not understand in your post:
1) When you type an incorrect web site URL, you get redirected to internic.co.uk. While this is unusual, I know some ISPs do provide default entries when the server is not found, which makes you go to internic.co.uk.
2) Then you type the right address for the web site, which, technically speaking, has nothing to do with the wrong one, so it can't be a cache effect. You said that after fixing the site URL, you still get internic.co.uk?
3) Does this happen with both Firefox and Safari?

Solutions:
1) Check in network preferences / Firefox preferences if there is any proxy set up.
2) Be sure you have no ad blocker installed or any tool related to tweaking the internet connection.
3) Complain to your ISP, since they are responsible for giving good answers when a domain is asked for.

--
Why reward points ?

Feb 10, 2007 12:23 PM in response to Telea

> I can only assume is from a Hacker who has Hijacked my Browser somehow

Your interpretation is incorrect. This has nothing to do with anything on your machine.

The 'problem' lies at your DNS server, or more likely at the co.uk root server.

You are entering hostnames that cannot be resolved for some reason. Whether this is because of a typo, a weak network connection or a misconfigured DNS server (or something else) is not clear.

When you try to look up the site, the DNS server is essentially saying "sorry, I don't know that site - go here instead". Since internic.co.uk is one of the UK domain registrars they're probably hoping to catch people looking to register unknown domains. A sleazy tactic, at best.

There was some uproar in the US a year or so ago when Verisign (one of the largest internet registrars) did a similar thing. They eventually backed off after much complaining, but it sounds like your servers are doing the same thing.

What can you do about it? Not a lot. Complain to your ISP. Complain to internic. Double-check your URLs for spelling.

Feb 10, 2007 1:16 PM in response to Camelot

So - Is it something my ISP (Extend Broadband) in North Cyprus here is doing deliberately, or is it something that has got into their system that is potentially polluting everyone's computers as they are logged on to this Server? The strange thing is, even if I clicked a link within a webpage, or used my Bookmarks, it still went to internic. It is not only typos, it is also when I type in a website that I want to find e.g. typing in 'BBC' or BBC.com instead of co.uk. etc. etc. If it is not typed in exactly it goes to internic. When I empty my Cache, delete Verisign Cert., clear browser history etc. it stops for a while - then comes back! I have read on other forums about this problem and other people have had the same experience, though no solutions offered. Shall I contact my ISP? I sent an email to internic though I didn't get a reply!

Feb 11, 2007 3:01 AM in response to Telea

> So - Is it something my ISP (Extend Broadband) in North Cyprus here is doing deliberately, or is it something that has got into their system that is potentially polluting everyone's computers as they are logged on to this Server?

I think this is a misconfiguration on their side, after making sure you are using their DNS servers.

> The strange thing is, even if I clicked a link within a webpage, or used my Bookmarks, it still went to internic.

Ok, this is abnormal and you should complain.

> It is not only typos, it is also when I type in a website that I want to find e.g. typing in 'BBC' or BBC.com instead of co.uk. etc. etc. If it is not typed in exactly it goes to internic.

Yes, that is expected behavior in this situation, because the DNS answer is fake. When you type "bbc", your browser typically tries to resolve what you typed, "bbc", and gets an NXDOMAIN, which means the domain does not exist; it then tries adding ".com" and goes there. But because your DNS server answers with an IP address (which brings you to internic.co.uk), the browser thinks the URL was OK.

> When I empty my Cache, delete Verisign Cert., clear browser history etc. it stops for a while - then comes back! I have read on other forums about this problem and other people have had the same experience, though no solutions offered. Shall I contact my ISP? I sent an email to internic though I didn't get a reply!

I don't see what's wrong about the Verisign certificate tho.

Hope that helps.

--
Why reward points ?
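
The behaviour described in the reply above, a resolver that returns an address where NXDOMAIN is expected, can be checked from the client by looking up names that should not exist. This is an added example, not part of the original thread; the function names are hypothetical, and the probe names are randomly constructed.

```python
import secrets
import socket


def system_resolve(name):
    """Addresses the system resolver returns for name; empty set on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def random_probe_names(per_suffix=3, suffixes=("com", "co.uk")):
    # Constructed names: 20 random hex characters, so they should not be registered.
    # The trailing dot makes each name fully qualified (no local search domain appended).
    return [f"{secrets.token_hex(10)}.{s}." for s in suffixes for _ in range(per_suffix)]


def check_nxdomain_rewriting(resolve=system_resolve, probes=None):
    """Resolve names that should not exist and report any that get an address anyway."""
    probes = probes or random_probe_names()
    answered = {}
    for name in probes:
        addrs = resolve(name)
        if addrs:
            answered[name] = addrs
    # An address returned for two or more unrelated random names is a catch-all landing host.
    seen = {}
    for addrs in answered.values():
        for addr in addrs:
            seen[addr] = seen.get(addr, 0) + 1
    return {
        "probes": len(probes),
        "answered": sorted(answered),
        "landing_addresses": sorted(a for a, n in seen.items() if n >= 2),
        "rewriting": bool(answered),
    }


if __name__ == "__main__":
    report = check_nxdomain_rewriting()
    print("probes sent:      ", report["probes"])
    print("answered anyway:  ", report["answered"])
    print("landing addresses:", report["landing_addresses"])
    print("resolver rewrites NXDOMAIN:", report["rewriting"])
```

If only the names under one suffix are answered, the rewriting is tied to that zone rather than to every failed lookup.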

Feb 11, 2007 6:08 AM in response to Yann Bizeul

Yann - After I set my Browsers (Firefox and Safari) to check all certificates and webpages through Google, I received a warning that the Certificate Verisign/RSA Secure Server CA was directed to www.MyFamily.com and was NOT Verisign, the host is MyFamily.com. So I set it to Block this Certificate and all Cookies from MyFamily and Internic. After I deleted all Verisign/RSA Certificates MyFamily could not redirect any more websites (so far...). So they hijacked this Certificate and pretended to be Verisign (or they are working with Verisign!). Internic is a different problem and I now think it comes from my ISP here in North Cyprus.

BDAqua - Before I go into TCP/IP/DNS and add the DNS nos. I want to be sure this will work on a MAC and will not disrupt anything else, more info. on that please? Will it prevent websites being redirected and load the correct ones? Thanks.

MacBook Mac OS X (10.4.8) Tiger OS
