Jump to content

possible browser hijack on macbook air


larrynose

Recommended Posts

Hi,

 

I have a macbook air running OS X Lion ver 10.7.5 and had been having problems every time I try to open a ny site except the home page. It was either throwing a "not trusted connection" page thing(couldn't get past it no matter the exceptions) or getting redirected to facebook and some other unintelligible website. Since then, I had been using another laptop. This had been going on for over 3 months now.

 

However, since a couple of days back I am able to access the very same sites(on firefox) that were previously impossible to open except on the safari now. safari still seems to have some leftover hangups. Is it just browsers acting weird occassionally or somehow everythings cleaned up on its own?

 

Any help would be appreciated.

Thanks in advance.

Link to comment
Share on other sites

Guest LilBambi

Welcome to SNF larrynose!

 

I have some questions first.

 

1. Is your Mac OS X 10.7 up to date? You should be at: 10.7.5. If it is not, don't do it just yet.

 

2. Flush your DNS cache

 

2. Is Safari the one that was hit? Sounds like yes to me, but want to be sure. If Safari is the browser you were using when this happened have you done the following:

 

a. UNchecked the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.

 

b. Backup your Bookmarks Safari 5.1, Safari 6 (just in case)

 

c. Reset Safari Settings:

1) From your Safari menu bar top of your screen click Safari > Preferences then select the Privacy tab.

2) Click: Remove All Website Data.

3) Quit then relaunch Safari.

4) Open the Finder. From the Finder menu bar click Go > Go to Folder

5) Type this exactly as you see it here: ~/Library/Cookies.

6) Click Go.

7) Move the Cookies.binarycookies file from the Cookies folder to the Trash.

8) Disable the Lion resume feature: Open Apple, System Preferences > General.

9) Deselect: Restore windows when quitting and re-opening apps

10) Quit then relaunch Safari to test.

 

D. Do you have a cleaner application like:

 

Main Menu Pro 3 (pay to play - $19.99 for single user - note Standard version is only $5 less and gives you the Mac daily, weekly, etc.)

 

CCleaner (free) - has improved Safari Cleaning - and works well and is free.

 

3. You may want to install VirusBarrier Express, a free app on the Mac App Store. It is an on demand antivirus software. Run that and take appropriate actions recommended if it finds something.

 

4. If you have Java installed, make sure it is up to date. ALSO, important, go to Apple, System Preferences, Java and it will open a separate window for Java. Under the General Tab, check the Network Settings, and might want to change to Direct Connection instead of browser settings. Under Temporary Internet Files, Settings..., click delete files.

 

Will come back and see how you do with these items.

Edited by LilBambi
Link to comment
Share on other sites

V.T. Eric Layton

Hiya, Larry!

 

I'm not one of the Mac people around here, but thought I'd pop in to welcome you to Scot's. :)

 

Have fun!

 

~Eric

 

EDIT: Wow! How many online boards can you go to where the first three replies to a new member are welcomes from Admins? ;)

  • Like 1
Link to comment
Share on other sites

Wow, what a welcome! Dead chuffed I am, thanks guys.

 

Welcome to SNF larrynose!

 

I have some questions first.

 

1. Is your Mac OS X 10.7 up to date? You should be at: 10.7.5. If it is not, don't do it just yet.

 

 

 

 

Yeah its at 10.7.5.

 

2. Is Safari the one that was hit? Sounds like yes to me, but want to be sure. If Safari is the browser you were using when this happened have you done the following:

 

a. UNchecked the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.

 

b. Backup your Bookmarks Safari 5.1, Safari 6 (just in case)

 

c. Reset Safari Settings:

1) From your Safari menu bar top of your screen click Safari > Preferences then select the Privacy tab.

2) Click: Remove All Website Data.

3) Quit then relaunch Safari.

4) Open the Finder. From the Finder menu bar click Go > Go to Folder

5) Type this exactly as you see it here: ~/Library/Cookies.

6) Click Go.

7) Move the Cookies.binarycookies file from the Cookies folder to the Trash.

8) Disable the Lion resume feature: Open Apple, System Preferences > General.

9) Deselect: Restore windows when quitting and re-opening apps

10) Quit then relaunch Safari to test.

 

 

Umm, actually, it was both safari and firefox but the latter seems to be working fine now. no issues.

 

And no, hadn't unchecked the "Open safe file..." option.

 

 

Don't have CCleaner on the laptops, but have installed it now.

 

Also, no Java.

 

Can't download VirusBarrier Express as it tries to open the browser and an invalid certificate message appears.

 

I am able to access sites now without getting redirected to facebook or some chinese sites. But, google and a couple of sites throw up an invalid certificate page. Its the same on Firefox as well.

I hope that it doesn't mean the DNS is compromised;..just a case of bad security certificates or something.

 

Thanks again.

Link to comment
Share on other sites

Guest LilBambi

If you suspect DNS being compromised, are you behind a NAT or Stateful Packet Firewalled router?

 

Have you tried changing DNS to OpenDNS servers: 208.67.222.222 and 208.67.220.220 ?

 

Or Google's DNS servers?

 

 

Configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers or. Read our configuration instructions (IPv6 addresses supported too). If you decide to try Google Public DNS, your client programs will perform all DNS lookups using Google Public DNS.

Public DNS — Google Developers

 

https://developers.g...eed/public-dns/

 

 

Have you gone in to the Keychain and restored all the Root Certificates back to default? Particularly those with a red x on them?

 

Have you tried running Keychain First Aid?

 

 

To check keychains for problems using Keychain First Aid:

 

Open Keychain Access, located in the Utilites folder in the Applications folder.

 

Choose Keychain Access > Keychain First Aid.

 

Enter your user name and password.

 

Select Verify and click Start. Any problems found will be displayed.

 

If there are problems, select Repair, and then click Start.

 

To change the Keychain First Aid settings, choose Keychain Access > Preferences, and then click First Aid.

 

 

 

Last ditch effort so you can actually use your system to install programs, you might want to temporarily disable OSCP and CRL.

 

Open Keychain Access, Preferences, Certificates Tab, set both OCSP and CRL to Off.

 

NOW, see if you can login to the AppStore and install the VirusBarrier Express.

 

IMPORTANT: UNcheck the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.

This is an important security change that needs to be done. It can be circumvented by malware.

 

 

Does any of this help?

Edited by LilBambi
added line about Keychain First Aid and disabling OSCP and CRL
Link to comment
Share on other sites

I am behind a NAT router.

 

I haven't attempted changing DNS servers yet. Wasn't sure if switching back and forth is easy to do cos all of the info that I had been reading was doing my head in.

 

I don't know how to restore the root certificates back to default.

I tried changing the google certificate to blue manually though, it still says certificate invalid.(not going through the keychain method that is). So, everytime I type in google I have to check the " always trust google.co.in ...." thing all over again. Not all sites work this way though.

 

Have tried Keychain First Aid. Found no problems.

 

Unable to connect to appstore even after setting OCSP and CRL off.

 

And lastly, don't have Lion install USB drive. Looks like I've lost the thing with all the moving out etc.

 

There's something else I need to ask. What are the token signing public keys??Two of those certificates are in red along with macupdate and some others. Could you tell me how to restore them back please?

 

Hoping to hear soon.

Link to comment
Share on other sites

Guest LilBambi

Explanation of Token signing keys

 

 

You can't just do a one step 'set the root certificates back to default', I checked. ;) To me that would be the easiest but it's not available.

 

 

There is a huge conversation about this very topic here: Invalid Certificate on every secured website. Apparently it happened after the 10.7.4 update.

 

One thing that some were asking is that folks check the Date and Time on their Mac to ensure it's correct since certificates have dates they are valid. Some folks that was the case, but not a lot, but certainly worth checking on.

 

Here's the way one person fixed it on their wife's computer from this posting on the same topic:

 

I solved this on my wife's computer by resetting the security certificate settings. This might help others:

Close all windows.

 

Keychain Access -> click on System Roots on the left, and then click on Certifcates on the bottom left.

 

Check to see if any of the certificates on the right have the blue "+" symbol - this means they have custom trust settings.

 

There is a bug in changing the policies, so you'll have to change them via the method below. Changing them just by changing the access to "system defaults" doesn't seem to save. The method below worked for me.

 

Double-click on each certificate with the custom setting (blue "+"), expand the section labled "trust". Change the "Secure Sockets Layer (SSL)" setting to "no value specified". Close window - you should be prompted for the password. Double-click on the certificate again, expand trust, change the "When using this certificate" setting to "Use System Defaults". Close window, and re-enter password.

 

If you didn't re-enter your password upon closing the window, the setting didn't take. The blue "+" should disappear after a few seconds when it's set back to default. Once all of the certificates are changed back to default, restart Safari.

 

This solved all of the problems for my wife's computer with these issues and OSX 10.7.4

 

I found the same 'bug' when I was trying to save changes to certificates on my Mac noted in bold above.

Edited by LilBambi
Link to comment
Share on other sites

Guest LilBambi

BTW: I do not have ANY specific Google Certificates. I do a search on certificates and there are none specifically for Google. Google's Crt's are signed by GeoTrust Global CA as noted at this link. If you have one, perhaps you installed it and it's since expired? Check the certs from the link if that's the case.

Link to comment
Share on other sites

Okay, I've tried all that. Doesn't seem to be working. In Safari,for the page to load, I simply have to hit on the continue button everytime I type in google or some other site that it says certificate is invalid for etc.. Firefox is mucking up now for google and related sites.

 

The Geo Trust certs seems to be ok. Theres another google (Google Internet Authority G2)that is not yet valid. A couple of apple certs are also the same.

 

Oh and I need to check with you again. Mac OSX version is at 10.7.5 and Safari at 6.0 something. But, when I tried to run updates it stopped about one -thirds into downloading/installing with a message saying "none of the selected updates could be installed.The update could not be verified. It may have been corrupted during downloading."

What does it mean by that?

Link to comment
Share on other sites

Guest LilBambi

I am sorry we haven't been able to fix this. We have covered all the bases possible and it just doesn't work.

 

You can't even update your operating system. Your DNS appears to be hosed, your Certificates are mucked up and you don't even know if you are getting to the right places or if you are being sent to strange mimics of websites to make things worse.

 

I would not trust a system that is acting this way. If it were me, I would backup my data on an external hard drive and do a reinstall of the system as noted repeatedly for these types of problems.

 

First, since you can not find your Lion USB drive, I would give Apple a call. Lion is the last OS that can be installed via USB installation drive. So I would see about getting that so you can reinstall the system.

 

Sorry...wish more could be done.

Link to comment
Share on other sites

Guest LilBambi

Yes, there is that too. But I would contact Apple first. They may have something for this since it appears to be a problem injected on some Macs with the Lion 10.7.4 update.

 

And not all Macs have that recovery partition. It's an oddity but true.

Edited by LilBambi
Link to comment
Share on other sites

Guest LilBambi

But even if it has been created, rather than go off and do that without contacting Apple to see if they have a fix that's not been posted anywhere, might not be a good idea.

 

Could save time and frustration if a simple call to Apple is done first.

 

Certainly couldn't hurt.

Link to comment
Share on other sites

Apple service is quite ****ty where I live. Its taken a thousand calls(yeah, I am pretty sure it must be a thousand) to get them to say anything meaningful. I was told that they would see about trying the usb option which you mentioned but I would have to bring the laptop to the store etc.. That's scheduled for next week and Ill let you know how it goes.

Link to comment
Share on other sites

Hello,

 

Out of curiosity, have you tried running an anti-malware program on the Mac to see if it reported anything? Some of them check for other things besides OS X worms and trojans (which are very scarce), such as malicious browser plugins, DNS redirecting scripts and so forth.

 

AVG, ClamXav and Sophos all offer free versions, and many other vendors like BitDefender, Dr. Web, ESET, F-Secure, Intego, Kaspersky, McAfee, Symantec and Trend Micro offer commercial programs for which free evaluation copies are available.

 

Perhaps one of those programs will turn up something.

 

Regards,

 

Aryeh Goretsky

  • Like 1
Link to comment
Share on other sites

Hello,

 

Out of curiosity, have you tried running an anti-malware program on the Mac to see if it reported anything? Some of them check for other things besides OS X worms and trojans (which are very scarce), such as malicious browser plugins, DNS redirecting scripts and so forth.

 

AVG, ClamXav and Sophos all offer free versions, and many other vendors like BitDefender, Dr. Web, ESET, F-Secure, Intego, Kaspersky, McAfee, Symantec and Trend Micro offer commercial programs for which free evaluation copies are available.

 

Perhaps one of those programs will turn up something.

 

Regards,

 

Aryeh Goretsky

 

Nah. Didn't think of it. I was under the "perception" that macs dont really need any av's or am's as there are no mass exploits that you hear about. I'll run them up before I take it to the store though.

 

Speaking of Antivirus software for the Mac. ESET Cybersecurity is awesome and one I actually use.

 

But there is also a free one in the App Store called Virus Barrier Express. It is an on demand antivirus.

 

I think I'll go for ESET once the mac is all clean. Thanks again for the tips guys.

  • Like 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...