
Darth Cow

macrumors newbie
Original poster
Jul 27, 2008
I came back from lunch today to discover that the DNS server on my Mac (v10.6.7) spontaneously changed to 188.229.89.121, so that every website loads the text "This page does not support your version of browser" with a link to download "updbrowser20110819.exe".

Obviously this is a rather poorly constructed virus/hack, but any ideas how this happened? I reset my DNS and changed my login password but I wonder if there are any other preventative measures I could take to prevent this from happening again.
 
The end user shouldn't know about the DNSs being chosen.
How did you find out that information?
 
I found that address listed under Network > Airport > DNS > DNS Servers.
 
Obviously this is a rather poorly constructed virus/hack, but any ideas how this happened? I reset my DNS and changed my login password but I wonder if there are any other preventative measures I could take to prevent this from happening again.
No viruses exist in the wild that can run on Mac OS X, and there never have been any, since it was released 10 years ago. The handful of trojans that exist can be easily avoided with some basic education, common sense and care in what software you install:

Read the section "Why am I being redirected to other sites?" in the link above.

The end user shouldn't know about the DNSs being chosen.
That's not true at all. Any user can know what DNS they're using, and can change it.
 
That's not true at all. Any user can know what DNS they're using, and can change it.

I have never said the user can't know or can't change the DNSs he/she is using.
I said the user shouldn't know about it, because most of the time the default and automatically set DNSs work just fine.
 
same DNS issue today

Same thing happened to me today; same DNS change, same browser 'error' message with link to exe file. I changed the DNS setting back and all seems fine but I'd be interested in hearing any info about this issue.
 
I just signed up to say that this just happened to me today as well, except it was on my Ubuntu box... The only thing I downloaded today was the WoW client from the official site and was running it in Wine. I did run Wireshark from the Ubuntu repos with root privileges though. It seems this could be serious.

EDIT: I tried to edit /etc/resolv.conf and replace the DNS with my router, but every time I restart Ubuntu, it is changed back... Can anyone help?
 
All those that have had malicious DNS issues: post your router model, your ISP, affected operating system, and the browser you used the most. There may be a common thing between them.
 
All those that have had malicious DNS issues: post your router model, your ISP, affected operating system, and the browser you used the most. There may be a common thing between them.

My router is: Ambit Broadband, Hardware Version : 4.25, Software Version : 5.105.1003. There is very little information about it, it came with the Charter service.

My ISP is: Charter (http://charter.com/)
My affected operating system is Ubuntu 11.04 (Codename: natty)
The browser I used the most was Firefox 6.0
 
I had exactly the same problem. cat /etc/resolv.conf showed this line:
Code:
nameserver 188.229.89.121

We figured out that there was an infected machine on the network by doing this:

1. Turn on verbose logging for dhcp:
Code:
sudo ipconfig setverbose 1

2. Follow the log by opening it in Console.app or running this in the terminal:
Code:
tail -F /var/log/com.apple.IPConfiguration.bootp

3. Unplug and replug ethernet (and/or WLAN)

4. Keep your eyes up for a block that ends with:
Code:
domain_name_server (ip_mult): {188.229.89.121}

On our network, the real IP of that machine was in the server_identifier (ip) field of the log. After this, we used tcpdump to find the MAC address, logged in to the switch, found the port, followed the cable in that port to the patch panel, located the office and unplugged the Windows machine.

Our network is now clean, at least temporarily.

Happy hunting =)
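The manual log-watching step above can be automated: the script below is an added example (not code from anyone in this thread) that scans a DHCP log for lease blocks whose domain_name_server is not on a trusted list and reports the server_identifier that handed it out. The two field lines it parses are the ones named in the post; the "DHCP ACK from" block headers and the 192.168.1.x addresses in the sample are constructed assumptions, so adjust the regex if your log is laid out differently.

```python
import re
from typing import Dict, List

# Constructed sample in the spirit of the bootp log described above. The field
# names come from the post; the block headers and 192.168.1.x addresses are
# made up for this example.
SAMPLE_LOG = """\
DHCP ACK from 192.168.1.1
  server_identifier (ip): 192.168.1.1
  router (ip_mult): {192.168.1.1}
  domain_name_server (ip_mult): {192.168.1.1}
DHCP ACK from 192.168.1.50
  server_identifier (ip): 192.168.1.50
  router (ip_mult): {192.168.1.1}
  domain_name_server (ip_mult): {188.229.89.121}
"""

# Matches "name (ip): a.b.c.d" and "name (ip_mult): {a.b.c.d, e.f.g.h}".
FIELD_RE = re.compile(r"^\s*(\w+) \((?:ip|ip_mult)\): \{?([0-9., ]+?)\}?\s*$")


def parse_dhcp_blocks(text: str) -> List[Dict[str, List[str]]]:
    """Split the log into per-lease blocks, each a dict of field -> list of IPs.
    Any non-empty line that is not a field line starts a new block."""
    blocks: List[Dict[str, List[str]]] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m is None:
            if line.strip():
                blocks.append({})
            continue
        if not blocks:
            blocks.append({})
        name, value = m.group(1), m.group(2)
        blocks[-1][name] = [v.strip() for v in value.split(",")]
    return blocks


def find_rogue_dns(text: str, trusted_dns: set) -> List[Dict[str, str]]:
    """One finding per lease that hands out an untrusted DNS server, together
    with the DHCP server_identifier that sent it (the address to trace on the switch)."""
    findings = []
    for block in parse_dhcp_blocks(text):
        bad = [ip for ip in block.get("domain_name_server", []) if ip not in trusted_dns]
        if bad:
            findings.append({
                "dhcp_server": block.get("server_identifier", ["?"])[0],
                "rogue_dns": ", ".join(bad),
            })
    return findings


if __name__ == "__main__":
    for f in find_rogue_dns(SAMPLE_LOG, {"192.168.1.1"}):
        print(f"rogue DNS {f['rogue_dns']} handed out by DHCP server {f['dhcp_server']}")
```

To run it against the live log, feed it the output of the tail command from step 2 instead of SAMPLE_LOG and put your router's address in the trusted set.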
 