
possible browser hijack on macbook air


30 replies to this topic

#1 OFFLINE   larrynose

larrynose

    Contributor

  • Members
  • 25 posts

Posted 08 February 2014 - 09:45 AM

Hi,

I have a MacBook Air running OS X Lion ver 10.7.5 and had been having problems every time I try to open any site except the home page. It was either throwing a "not trusted connection" page thing (couldn't get past it no matter the exceptions) or getting redirected to Facebook and some other unintelligible website. Since then, I had been using another laptop. This had been going on for over 3 months now.

However, since a couple of days back I am able to access (on Firefox) the very same sites that were previously impossible to open, except on Safari now. Safari still seems to have some leftover hangups. Is it just browsers acting weird occasionally, or has everything somehow cleaned up on its own?

Any help would be appreciated.
Thanks in advance.
Alas, a brawling lad I am not, but a mere woman. Thus my weapons must be my wit and tongue.

#2 OFFLINE   Corrine

Corrine

    The Mystical Rose

  • Forum Admins
  • 4,006 posts

Posted 08 February 2014 - 11:56 AM

Welcome to SNF!  I'm glad you were finally able to make it here.  Our Mac experts will do their best to help you.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

#3 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 08 February 2014 - 03:57 PM

Welcome to SNF larrynose!

I have some questions first.

1.  Is your Mac OS X 10.7 up to date? You should be at: 10.7.5. If it is not, don't do it just yet.

2.  Flush your DNS cache

2.  Is Safari the one that was hit? Sounds like yes to me, but want to be sure. If Safari is the browser you were using when this happened have you done the following:

a. UNchecked the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.

b. Backup your Bookmarks Safari 5.1, Safari 6 (just in case)

c. Reset Safari Settings:
1) From your Safari menu bar top of your screen click Safari > Preferences then select the Privacy tab.
2) Click:  Remove All Website Data.
3) Quit then relaunch Safari.
4) Open the Finder. From the Finder menu bar click Go > Go to Folder
5) Type this exactly as you see it here: ~/Library/Cookies.
6) Click Go.
7) Move the Cookies.binarycookies file from the Cookies folder to the Trash.
8) Disable the Lion resume feature: Open Apple, System Preferences > General.
9) Deselect:  Restore windows when quitting and re-opening apps
10) Quit then relaunch Safari to test.

d. Do you have a cleaner application like:

Main Menu Pro 3 (pay to play - $19.99 for single user - note Standard version is only $5 less and gives you the Mac daily, weekly, etc.)

CCleaner (free) - has improved Safari Cleaning - and works well and is free.

3.  You may want to install VirusBarrier Express, a free app on the Mac App Store. It is an on demand antivirus software. Run that and take appropriate actions recommended if it finds something.

4.  If you have Java installed, make sure it is up to date. ALSO, important, go to Apple, System Preferences, Java and it will open a separate window for Java. Under the General Tab, check the Network Settings, and might want to change to Direct Connection instead of browser settings. Under Temporary Internet Files, Settings..., click delete files.

Will come back and see how you do with these items.

Edited by LilBambi, 08 February 2014 - 03:58 PM.

Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#4 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 20,816 posts

Posted 08 February 2014 - 05:33 PM

Hiya, Larry!

I'm not one of the Mac people around here, but thought I'd pop in to welcome you to Scot's. :)

Have fun!

~Eric

EDIT: Wow! How many online boards can you go to where the first three replies to a new member are welcomes from Admins? ;)

#5 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 08 February 2014 - 06:58 PM

Make it four- Hello and welcome!

Adam
I don't suffer from insanity, I enjoy it.

#6 OFFLINE   V.T. Eric Layton

V.T. Eric Layton

    Nocturnal Slacker

  • Forum Admins
  • 20,816 posts

Posted 08 February 2014 - 09:11 PM

Is this a record?

#7 OFFLINE   larrynose

larrynose

    Contributor

  • Members
  • 25 posts

Posted 09 February 2014 - 07:34 AM

Wow, what a welcome! Dead chuffed I am, thanks guys.

LilBambi, on 08 February 2014 - 03:57 PM, said:

Welcome to SNF larrynose!

I have some questions first.

1.  Is your Mac OS X 10.7 up to date? You should be at: 10.7.5. If it is not, don't do it just yet.

Yeah, it's at 10.7.5.

LilBambi, on 08 February 2014 - 03:57 PM, said:

2.  Is Safari the one that was hit? Sounds like yes to me, but want to be sure. If Safari is the browser you were using when this happened have you done the following:

a. UNchecked the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.

b. Backup your Bookmarks Safari 5.1, Safari 6 (just in case)

c. Reset Safari Settings:
1) From your Safari menu bar top of your screen click Safari > Preferences then select the Privacy tab.
2) Click:  Remove All Website Data.
3) Quit then relaunch Safari.
4) Open the Finder. From the Finder menu bar click Go > Go to Folder
5) Type this exactly as you see it here: ~/Library/Cookies.
6) Click Go.
7) Move the Cookies.binarycookies file from the Cookies folder to the Trash.
8) Disable the Lion resume feature: Open Apple, System Preferences > General.
9) Deselect:  Restore windows when quitting and re-opening apps
10) Quit then relaunch Safari to test.


Umm, actually, it was both Safari and Firefox, but the latter seems to be working fine now. No issues.

And no, hadn't unchecked the "Open safe file..." option.


Don't have CCleaner on the laptops, but have installed it now.

Also, no Java.

Can't download VirusBarrier Express as it tries to open the browser and an invalid certificate message appears.

I am able to access sites now without getting redirected to Facebook or some Chinese sites. But Google and a couple of sites throw up an invalid certificate page. It's the same on Firefox as well.
I hope that it doesn't mean the DNS is compromised... just a case of bad security certificates or something.

Thanks again.

#8 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 09 February 2014 - 11:26 AM

If you suspect DNS being compromised, are you behind a NAT or Stateful Packet Firewalled router?

Have you tried changing DNS to OpenDNS servers: 208.67.222.222 and 208.67.220.220 ?

Or Google's DNS servers?


Quote

Configure your network settings to use the IP addresses 8.8.8.8 and 8.8.4.4 as your DNS servers or. Read our configuration instructions (IPv6 addresses supported too). If you decide to try Google Public DNS, your client programs will perform all DNS lookups using Google Public DNS.
Public DNS — Google Developers

https://developers.g...eed/public-dns/


Have you gone in to the Keychain and restored all the Root Certificates back to default? Particularly those with a red x on them?

Have you tried running Keychain First Aid?


Quote

To check keychains for problems using Keychain First Aid:

Open Keychain Access, located in the Utilities folder in the Applications folder.

Choose Keychain Access > Keychain First Aid.

Enter your user name and password.

Select Verify and click Start. Any problems found will be displayed.

If there are problems, select Repair, and then click Start.

To change the Keychain First Aid settings, choose Keychain Access > Preferences, and then click First Aid.



Last ditch effort so you can actually use your system to install programs: you might want to temporarily disable OCSP and CRL.

Open Keychain Access, Preferences, Certificates Tab, set both OCSP and CRL to Off.

NOW, see if you can login to the AppStore and install the VirusBarrier Express.

IMPORTANT: UNcheck the box next to Open "safe" files after downloading "safe" files including movies, pictures, sounds, PDF and text documents, and archives on the General Tab in Safari Preferences.
This is an important security change that needs to be done. It can be circumvented by malware.


Does any of this help?

Edited by LilBambi, 09 February 2014 - 11:57 AM.
added line about Keychain First Aid and disabling OCSP and CRL

Bambi
AKA Fran

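A way to act on the DNS question in the post above (is the system resolver answering the same as OpenDNS and Google Public DNS?), as an added example that is not from this thread or any of its posters: it sends a raw DNS A query directly to the two public resolvers named in the post, asks the system resolver the same name, and reports whether the answers overlap. The function names, the 203.0.113.x sample address and the constructed reply are this example's own assumptions.

```python
import random
import socket
import struct

# Resolvers named in the thread (OpenDNS and Google Public DNS).
PUBLIC_RESOLVERS = {"OpenDNS": "208.67.222.222", "Google": "8.8.8.8"}

def build_query(name, qid):
    """Build a minimal RFC 1035 A query for name with transaction id qid."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def skip_name(data, off):
    """Skip a possibly compressed name; return the offset just after it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_a_records(data, qid):
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch: unsolicited or spoofed reply")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(data, off) + 4
    addrs = set()
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen  # CNAME and other records are skipped, not followed
    return addrs

def query_a(name, server, timeout=3.0):
    """Ask one specific resolver over UDP/53, bypassing the system resolver."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def compare_answers(system_addrs, public_answers):
    """'agrees' is True when the system answer overlaps at least one public answer."""
    union = set().union(*public_answers.values())
    return {"system": sorted(system_addrs), "agrees": bool(system_addrs & union)}

def constructed_response(name, qid, ip):
    """Constructed sample reply with one A record, for exercising the parser offline."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + build_query(name, qid)[12:] + answer

def check(name):
    """Live check: the system resolver against the public resolvers above."""
    system = set(socket.gethostbyname_ex(name)[2])
    public = {label: query_a(name, ip) for label, ip in PUBLIC_RESOLVERS.items()}
    return compare_answers(system, public)
```

Large sites hand out region-dependent addresses, so a disagreement is a reason to look closer (for instance at the router's DNS settings), not proof of tampering; agreement across resolvers for a name that still shows a certificate error points away from DNS and at the trust store.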

#9 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 09 February 2014 - 12:01 PM

If none of this helps, you may have to run the OS X Recovery to run Disk Utility outside OS X to repair permissions.

Do you have a Lion install USB drive from Apple?
Bambi
AKA Fran


#10 OFFLINE   larrynose

larrynose

    Contributor

  • Members
  • 25 posts

Posted 10 February 2014 - 10:27 AM

I am behind a NAT router.

I haven't attempted changing DNS servers yet. Wasn't sure if switching back and forth is easy to do cos all of the info that I had been reading was doing my head in.

I don't know how to restore the root certificates back to default.
I tried changing the Google certificate to blue manually, though; it still says the certificate is invalid (not going through the Keychain method, that is). So, every time I type in google I have to check the "always trust google.co.in ..." thing all over again. Not all sites work this way though.

Have tried Keychain First Aid. Found no problems.

Unable to connect to appstore even after setting OCSP and CRL off.

And lastly, don't have Lion install USB drive. Looks like I've lost the thing with all the moving out etc.

There's something else I need to ask. What are the token signing public keys? Two of those certificates are in red along with MacUpdate and some others. Could you tell me how to restore them back please?

Hoping to hear soon.

#11 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 10 February 2014 - 10:52 AM

Explanation of Token signing keys


You can't just do a one step 'set the root certificates back to default', I checked. ;) To me that would be the easiest but it's not available.


There is a huge conversation about this very topic here: Invalid Certificate on every secured website. Apparently it happened after the 10.7.4 update.

One thing that some were asking is that folks check the Date and Time on their Mac to ensure it's correct, since certificates have dates they are valid for. For some folks that was the case, but not a lot; still, certainly worth checking on.

Here's the way one person fixed it on their wife's computer from this posting on the same topic:

Quote

I solved this on my wife's computer by resetting the security certificate settings.  This might help others:
Close all windows.

Keychain Access -> click on System Roots on the left, and then click on Certificates on the bottom left.

Check to see if any of the certificates on the right have the blue "+" symbol - this means they have custom trust settings.

There is a bug in changing the policies, so you'll have to change them via the method below.  Changing them just by changing the access to "system defaults" doesn't seem to save.  The method below worked for me.

Double-click on each certificate with the custom setting (blue "+"), expand the section labelled "Trust". Change the "Secure Sockets Layer (SSL)" setting to "no value specified". Close the window - you should be prompted for the password. Double-click on the certificate again, expand Trust, change the "When using this certificate" setting to "Use System Defaults". Close the window, and re-enter the password.

If you didn't re-enter your password upon closing the window, the setting didn't take.  The blue "+" should disappear after a few seconds when it's set back to default.  Once all of the certificates are changed back to default, restart Safari.


This solved all of the problems for my wife's computer with these issues and OSX 10.7.4

I found the same 'bug' when I was trying to save changes to certificates on my Mac noted in bold above.

Edited by LilBambi, 10 February 2014 - 10:53 AM.

Bambi
AKA Fran


#12 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 10 February 2014 - 11:17 AM

BTW: I do not have ANY specific Google certificates. I do a search on certificates and there are none specifically for Google. Google's certs are signed by GeoTrust Global CA as noted at this link. If you have one, perhaps you installed it and it's since expired? Check the certs from the link if that's the case.
Bambi
AKA Fran


#13 OFFLINE   larrynose

larrynose

    Contributor

  • Members
  • 25 posts

Posted 11 February 2014 - 12:23 PM

Okay, I've tried all that. Doesn't seem to be working. In Safari, for the page to load, I simply have to hit the continue button every time I type in google or some other site that it says the certificate is invalid for, etc. Firefox is mucking up now for Google and related sites.

The GeoTrust certs seem to be OK. There's another Google one (Google Internet Authority G2) that is not yet valid. A couple of Apple certs are also the same.

Oh, and I need to check with you again. Mac OS X version is at 10.7.5 and Safari at 6.0 something. But when I tried to run updates it stopped about one-third of the way into downloading/installing with a message saying "None of the selected updates could be installed. The update could not be verified. It may have been corrupted during downloading."
What does it mean by that?
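A way to test the date-and-time explanation raised earlier in the thread against what this post reports (Google and Apple certificates both showing as "not yet valid"), as an added example that is not from the thread or any of its posters: it reads the validity period straight out of a certificate's DER encoding and, across several hosts, separates "every certificate is not yet valid, so the clock is behind" from "one site's chain is wrong". fetch_der, der_validity and diagnose are names chosen here; SAMPLE_DER is a constructed skeleton with only the fields the parser reads, not a real certificate.

```python
import calendar
import socket
import ssl
import time

def _tlv(buf, off):
    """Read one DER tag/length; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, off, off + length

def _parse_time(tag, raw):
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18) to epoch seconds."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return calendar.timegm(time.strptime(raw.decode("ascii"), fmt))

def der_validity(der):
    """Walk Certificate > tbsCertificate to the validity SEQUENCE; return (notBefore, notAfter)."""
    _, cert_start, _ = _tlv(der, 0)
    _, off, _ = _tlv(der, cert_start)           # tbsCertificate
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                             # optional explicit [0] version
        off = end
    for _ in range(3):                          # serialNumber, signature, issuer
        _, _, off = _tlv(der, off)
    _, off, _ = _tlv(der, off)                  # validity SEQUENCE
    nb_tag, nb_start, nb_end = _tlv(der, off)
    na_tag, na_start, na_end = _tlv(der, nb_end)
    return _parse_time(nb_tag, der[nb_start:nb_end]), _parse_time(na_tag, der[na_start:na_end])

def classify(not_before, not_after, now):
    """Validity of one certificate at the given clock reading (epoch seconds)."""
    return "not yet valid" if now < not_before else "expired" if now > not_after else "valid"

def diagnose(windows, now):
    """windows maps host -> (notBefore, notAfter); returns per-host status plus a hint."""
    status = {host: classify(nb, na, now) for host, (nb, na) in windows.items()}
    early = sorted(h for h, s in status.items() if s == "not yet valid")
    if early and len(early) == len(status):
        hint = "all certificates 'not yet valid': check the Mac's date and time first"
    elif early:
        hint = "only %s affected: inspect that certificate chain" % ", ".join(early)
    else:
        hint = "no validity-period problems"
    return status, hint

def fetch_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate without verifying it, so a rejected cert can still be read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# Constructed, truncated certificate skeleton (not a real cert): validity 2024-01-01 to 2025-01-01.
SAMPLE_DER = bytes.fromhex(
    "302e302ca00302010202010130003000301e"
    "170d3234303130313030303030305a170d3235303130313030303030305a")
```

For a live run, build the windows dict as {host: der_validity(fetch_der(host))} for a few unrelated hosts and pass time.time() as now; a clock that has drifted into the past makes every freshly issued certificate look not yet valid at once.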

#14 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 11 February 2014 - 07:19 PM

I am sorry we haven't been able to fix this. We have covered all the bases possible and it just doesn't work.

You can't even update your operating system. Your DNS appears to be hosed, your Certificates are mucked up and you don't even know if you are getting to the right places or if you are being sent to strange mimics of websites to make things worse.

I would not trust a system that is acting this way. If it were me, I would backup my data on an external hard drive and do a reinstall of the system as noted repeatedly for these types of problems.

First, since you cannot find your Lion USB drive, I would give Apple a call. Lion is the last OS that can be installed via USB installation drive. So I would see about getting that so you can reinstall the system.

Sorry...wish more could be done.
Bambi
AKA Fran


#15 OFFLINE   larrynose

larrynose

    Contributor

  • Members
  • 25 posts

Posted 12 February 2014 - 02:57 AM

Right. I'll call Apple and see how that goes. Thanks for your effort anyway.

#16 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 12 February 2014 - 10:23 AM

There is the recovery mode.... when booting, hit Cmd-R.

This will reinstall your OSX. Please make sure your data is backed up first.

Adam
I don't suffer from insanity, I enjoy it.

#17 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 12 February 2014 - 11:37 AM

Yes, there is that too. But I would contact Apple first. They may have something for this since it appears to be a problem injected on some Macs with the Lion 10.7.4 update.

And not all Macs have that recovery partition. It's an oddity but true.

Edited by LilBambi, 12 February 2014 - 11:40 AM.

Bambi
AKA Fran


#18 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 12 February 2014 - 11:39 AM

Only the most recent Macs have it. ;) I think it was Mountain Lion and Mavericks that have it.

Adam

Edited by ross549, 12 February 2014 - 11:40 AM.

I don't suffer from insanity, I enjoy it.

#19 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 12 February 2014 - 11:43 AM

Lion has it too. But there are some odd situations when it's not created.
Bambi
AKA Fran


#20 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 12 February 2014 - 11:46 AM

I see.....

Adam
I don't suffer from insanity, I enjoy it.

#21 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 12 February 2014 - 11:54 AM

But even if it has been created, going off and doing that without contacting Apple to see if they have a fix that's not been posted anywhere might not be a good idea.

Could save time and frustration if a simple call to Apple is done first.

Certainly couldn't hurt.
Bambi
AKA Fran


#22 OFFLINE   ross549

ross549

    I live here.

  • Forum MVP
  • 9,185 posts

Posted 12 February 2014 - 12:06 PM

Certainly true, if the warranty is still in force....

Adam
I don't suffer from insanity, I enjoy it.

#23 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 12 February 2014 - 12:10 PM

Yes, that may also come into play, but not always. Not just for questions.
Bambi
AKA Fran


#24 OFFLINE   LilBambi

LilBambi

    Australisches Googler

  • Forum Admins
  • 22,509 posts

Posted 20 February 2014 - 09:21 AM

How are things going with this, larrynose?
Bambi
AKA Fran


#25 OFFLINE   larrynose

larrynose

    Contributor

  • Members
  • 25 posts

Posted 25 February 2014 - 03:07 AM

Apple service is quite ****ty where I live. It's taken a thousand calls (yeah, I am pretty sure it must be a thousand) to get them to say anything meaningful. I was told that they would see about trying the USB option which you mentioned, but I would have to bring the laptop to the store etc. That's scheduled for next week and I'll let you know how it goes.
