#1
Phishing & out of date certificates

I posted here when I first got my mac because I had been hacked using windows, and was still paranoid. You calmed my fears and I've felt safe until recently. Hopefully, you can either calm my fears again, or help me resolve my problems. Both of my kids use Windows and have gotten horrible viruses and trojans from using myspace. We use the same router to connect to the internet, but don't share files or connections. Now suddenly, I think I'm being redirected to spoofed sites. I've had certificates pop up that I can't shut down without force quitting my browser, and I've tried it with all 3 browsers, Safari, Firefox, and Opera. I'm also having java problems. The first time it happened, a certificate warning popped up, and I was stupid enough to click on whether or not to verify it. It was of course out of date. And these are the same problems that I'd been having when I got hacked using windows. Or at least this is how it began, and then it escalated into several other users being logged on when I was supposed to be the only one. One other thing that was common is the redirection to sites that are Eastern European or Asian. So is it still paranoia? I really appreciate the good work you guys do! Doctors for the paranoid patients!
#2
OK. I am not sure short of reformatting the Windows machines. First, you want to stop anything from pointing your web address into another direction. So go to OpenDNS.com and follow the directions for changing the DNS (Domain Name Server) in YOUR ROUTER. OpenDNS.com will walk you through in setting up changing where you get your DNS names. The best part of this service is it is FREE. I urge you to sign up for an account so you can block phishing sites as well as sites YOU designate that you don't want your kids looking at. Doing OpenDNS.com doesn't change anything in your computers and your kids will know nothing happened at all. For your Trojan problems on the Windows machines, wipe them and reformat the machines. This is the only safe way of making sure you get rid of all the problems. Plus make sure you keep the latest VIRUS protection on the Windows machines. You can even get pretty good free ones like AVG. Good Luck.
#3
Thank you. Hopefully this will resolve my problems!
#4
There was recently a trojan horse released for OS X that could change your Mac's DNS server. DNS servers are what resolve domain names (e.g., www.apple.com) to actual internet addresses, so having it changed to something malicious could send you to fake sites when you enter trusted URLs like www.apple.com or something like that. For info on how to detect if you have this trojan and how to remove it if you do, see http://www.macworld.com/2007/10/firs...orse/index.php This is, as far as I know, the first (and only) case of malware for OS X in the wild.
#5
Mikuro, thanks for the information re the trojan. As soon as I finish posting here, I'll check out the info, as that may very well be what I have going on. I'm unable to update my router using OpenDNS.com. I've tried to modify some settings, but then I'm unable to log in, and I've had to do an archive and install. I should probably do a clean install, but I have too many things that I need to save, and haven't had the time to back it all up. My router settings show my DHCP Server as 10.228.192.1. Which means it's not coming through rr, right? Lookup says BLACKHOLE-1.IANA.ORG, which sounds really scary... And can anyone tell me what this is?

    /private/tftpboot/private/tftpboot

The last tftpboot is a symlink to my entire hard drive.

    xxxxx-computer:~ xxxx$ sysctl -A vfs | sort
    vfs.cd9660 has 0 mounted instances
    vfs.devfs has 1 mounted instance
    vfs.fdesc has 1 mounted instance
    vfs.generic.nfs.client.initialdowndelay: 12
    vfs.generic.nfs.client.nextdowndelay: 30
    vfs.generic.vfsidlist: Format:S,fsid Length:40 Dump:0x0200000e11000000745f880213000000...
    vfs.hfs has 2 mounted instances
    vfs.nfs has 1 mounted instance
    vfs.ufs has 0 mounted instances
    vfs.union has 0 mounted instances
    vfs.volfs has 1 mounted instance

I don't really understand all of this, so sorry if this is normal. I had a rootkit on my Windows machine that allowed other users to own it. And today I find this in my console log:

    Assert failed: /Users/dave/dev/flash/player/FlashPlayer/platform/mac/plugins/../../generic/genericjpeg.cpp:85

...Who's dave?
#6
I'm not certain that I found the problem, but I think I'm getting down to it. I must have a variant of the trojan mentioned by Mikuro. I followed the link that he posted and followed the directions. But I'm unable to shutdown anything. It restarts almost immediately. I've managed to cripple cron for now, by hacking the files, but I see it waiting for me to reboot. If I delete something it returns as a .gz file hidden in a man folder, then restores itself at boot. I also found a file named Conf.plist in /Library/Receipts/Essentials.pkg/Contents/Resources/.

    <key>ConfFilesToMigrate</key>
    <dict>
        <key>/private/etc/httpd/httpd.conf</key>
        <dict>
            <key>UpdatableChecksums</key>
            <array>
                <string>1163449114</string>
                <string>1659306689</string>
                <string>2345894286</string>
                <string>2038725909</string>
            </array>
            <key>UpdateBehavior</key>
            <string>LeaveInstalledCopyActive</string>
        </dict>
        <key>/private/etc/cups/cupsd.conf</key>
        <dict>
            <key>UpdatableChecksums</key>
            <array>
                <string>273726302</string>
                <string>1438806504</string>
                <string>2397287665</string>
                <string>1484694433</string>
                <string>1508800307</string>
            </array>
            <key>UpdateBehavior</key>
            <string>LeaveUserCopyActive</string>
        </dict>
        <key>/private/etc/cups/printers.conf</key>
        <dict>
            <key>UpdatableChecksums</key>
            <array>
                <string>2550502157</string>
                <string>4206362881</string>
            </array>
            <key>UpdateBehavior</key>
            <string>LeaveUserCopyActive</string>
        </dict>
        <key>/private/etc/cups/classes.conf</key>
        <dict>
            <key>UpdatableChecksums</key>
            <array>
                <string>919518434</string>
                <string>3003026938</string>
                <string>1009940033</string>
            </array>
            <key>UpdateBehavior</key>
            <string>LeaveUserCopyActive</string>
        </dict>
        <key>/private/etc/cups/client.conf</key>
        <dict>
            <key>UpdatableChecksums</key>
            <array>
                <string>839651443</string>
                <string>1721921387</string>
                <string>344085176</string>
            </array>
            <key>UpdateBehavior</key>
            <string>LeaveUserCopyActive</string>
        </dict>
        <key>/private/etc/sudoers</key>
        <dict>
            <key>UpdatableChecksums</key>
            <array>
                <string>1950132601</string>
            </array>
            <key>UpdateBehavior</key>
            <string>LeaveUserCopyActive</string>
        </dict>

Activity Monitor shows:

    kernel_task launchd - dynamic_pager, kextd, KernelEventAgent, mDNSResponder, netinfod, syslogd configd - blued coreaudiod diskarbitrationd memberd securityd notifyd distnoted DirectoryService update loginwindow - pbs coreservicesd WindowServer- Dock, SystemUIServer, UniversalAccessApp, AppleSpell, Safari, Finder Activity Monitor- pmTool WindowServer- Dock, SystemUIServer, UniversalAccessApp Terminal - login sh ATSServer crashreporterd mds cupsd lookupd ntpd nfsiod rpc.lockd automount automount

And some of my files are wine files, I think; plist shows MerlotPackageData. That really makes me nervous because on windows I had some sort of FreeBSD rootkit, and many of the files were wine. Can anyone tell me what to do? Or maybe just tell me it's all normal...
#7
All of that (from both of the last two posts) looks normal enough. At least, it's pretty much in line with the results I get, and nothing's wrong with my system. I don't know who Dave is, but he's not part of OS X. Is there any folder called "dave" in the /Users folder? Maybe from a previous owner of the machine? What about in the Accounts section of System Preferences? The /Library/Receipts/Essentials.pkg/Contents/Resources/Conf.plist file you posted is identical to mine. It shouldn't be a problem. What happened when you ran the commands detailed in that article ("sudo crontab -l" and the scutil command to show DNS servers)? I've never heard of MerlotPackageData, but then I've never used Wine, so I guess I wouldn't have. What plist referred to this?
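The two checks the reply above points to (the resolvers "scutil --dns" reports and root's crontab), as an added example that is not part of the thread or the Macworld article: a small POSIX shell script that runs both checks over saved command output and flags any resolver you did not configure in the router, or any active root cron job that could re-apply a change. The sample output, the addresses and the cron job path are all constructed placeholders.

```shell
# Added example, not from the thread: the resolver and root-crontab checks run
# over captured text so they can be read and tested offline. On the Mac itself
# you would feed in real output from:  scutil --dns   and   sudo crontab -l
# Every address and path below is a constructed placeholder.

# Constructed "scutil --dns" output from a Mac whose resolvers were changed.
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 192.0.2.10
  nameserver[1] : 192.0.2.11
  order   : 200000'
# Constructed "sudo crontab -l" output: a job that re-applies the resolver
# change every minute (hypothetical script path).
SAMPLE_CRON='* * * * * /tmp/example_dnsfix.sh >/dev/null 2>&1'

# Print, one per line, the nameserver addresses in scutil --dns text (stdin).
extract_nameservers() {
    sed -n 's/^[[:space:]]*nameserver\[[0-9]*\][[:space:]]*:[[:space:]]*//p' | sort -u
}

# Succeed only if every resolver in $1 (scutil text) appears in $2, a
# space-separated list of the addresses you configured in the router.
check_resolvers() {
    dns_text=$1; allowed=" $2 "; bad=0
    for ns in $(printf '%s\n' "$dns_text" | extract_nameservers); do
        case "$allowed" in
            *" $ns "*) ;;
            *) echo "unexpected resolver: $ns"; bad=1 ;;
        esac
    done
    return $bad
}

# Succeed if root's crontab text ($1) has no active entries; comment lines and
# the "no crontab for root" message both count as clean.
check_root_cron() {
    entries=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
              | grep -v '^no crontab for' | grep '[^[:space:]]' || true)
    if [ -n "$entries" ]; then
        echo "root crontab has active entries, inspect them:"; echo "$entries"
        return 1
    fi
    return 0
}

# Demo with the constructed samples: both checks flag the compromised state.
EXPECTED_RESOLVERS="198.51.100.1 198.51.100.2"   # placeholders for your router's settings
check_resolvers "$SAMPLE_DNS" "$EXPECTED_RESOLVERS" || echo "resolver check FAILED"
check_root_cron "$SAMPLE_CRON" || echo "crontab check FAILED"
```

A clean system yields no output from either check; anything printed is a resolver or cron entry to compare against what you set yourself.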
#8
I finally was able to update using OpenDNS.com, and now I get the message "no crontab for root", and scutil shows the OpenDNS addresses. Before, I got the message that I had to log in as root, or something to that effect, even though I ran it with sudo. But I'm still not sure everything is resolved. What is NFS.StartupItem found in /private/var/run? I opened it, and it only has a 0. Sorry for dumb questions. Thanks for all your help!