DNS settings hacked?

Discussion in 'Mac Basics and Help' started by Darth Cow, Aug 18, 2011.

  1. Darth Cow macrumors newbie

    Joined:
    Jul 27, 2008
    #1
    I came back from lunch today to discover that the DNS server on my Mac (v10.6.7) spontaneously changed to 188.229.89.121, so that every website loads the text "This page does not support your version of browser" with a link to download "updbrowser20110819.exe".

    Obviously this is a rather poorly constructed virus/hack, but any ideas how this happened? I reset my DNS and changed my login password but I wonder if there are any other preventative measures I could take to prevent this from happening again.
     
  2. LostSoul80 macrumors 68020

    LostSoul80

    Joined:
    Jan 25, 2009
    #2
    The end user shouldn't know about the DNSs being chosen.
    How did you find out that information?
     
  3. Darth Cow thread starter macrumors newbie

    Joined:
    Jul 27, 2008
    #3
    I found that address listed under Network > Airport > DNS > DNS Servers.
     
  4. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #4
    No viruses exist in the wild that can run on Mac OS X, and there never have been any, since it was released 10 years ago. The handful of trojans that exist can be easily avoided with some basic education, common sense and care in what software you install:

    Read the section "Why am I being redirected to other sites?" in the link above.

    That's not true at all. Any user can know what DNS they're using, and can change it.
     
  5. Knoodles macrumors 6502

    Knoodles

    Joined:
    Feb 2, 2003
    Location:
    Gone to the Beach
    #5
    Work+Leave for lunch=coworker prank? :D
    Password protect your Mac for sleep and screensaver mode.
     
  6. Darth Cow thread starter macrumors newbie

    Joined:
    Jul 27, 2008
    #6
    I was working from home today, so my computer was alone.

    According to VirusTotal.com, the file on the server I was redirected to is a Windows Trojan of some sort:
    http://www.virustotal.com/file-scan...c43c2493d2f5546cc07231acbc2730ab0a-1313731161

    I'm still mystified as to how it got into my DNS settings, but I suppose it must have been something I downloaded.
     
  7. LostSoul80 macrumors 68020

    LostSoul80

    Joined:
    Jan 25, 2009
    #7
    I have never said the user can't know or can't change the DNSs he/she is using.
    I said the user shouldn't know about it, because most of the time the default and automatically set DNSs work just fine.
     
  8. Tumbleweed666 macrumors 68000

    Joined:
    Mar 20, 2009
    Location:
    Near London, UK.
    #8
    CG, that link explains how to change the DNS settings but it doesn't explain how they were altered in the first place. Any ideas?
     
  9. riled macrumors newbie

    Joined:
    May 10, 2011
    #9
    same DNS issue today

    Same thing happened to me today; same DNS change, same browser 'error' message with link to exe file. I changed the DNS setting back and all seems fine but I'd be interested in hearing any info about this issue.
     
  10. boxerfangg, Aug 20, 2011
    Last edited: Aug 20, 2011

    boxerfangg macrumors newbie

    Joined:
    Aug 20, 2011
    #10
    I just signed up to say that this just happened to me today as well, except it was on my Ubuntu box... The only thing I downloaded today was the WoW client from the official site and was running it in Wine. I did run Wireshark from the Ubuntu repos with root privileges though. It seems this could be serious.

    EDIT: I tried to edit /etc/resolv.conf and replace the DNS with my router, but every time I restart Ubuntu, it is changed back... Can anyone help?
     
  11. Intell macrumors P6

    Intell

    Joined:
    Jan 24, 2010
    Location:
    Inside
    #11
    All those that have had malicious DNS issues: post your router model, your ISP, affected operating system, and the browser you used the most. There may be a common thing between them.
     
  12. boxerfangg macrumors newbie

    Joined:
    Aug 20, 2011
    #12
    My router is: Ambit Broadband, Hardware Version : 4.25, Software Version : 5.105.1003. There is very little information about it, it came with the Charter service.

    My ISP is: Charter (http://charter.com/)
    My affected operating system is Ubuntu 11.04 (Codename: natty)
    The browser I used the most was Firefox 6.0
     
  13. vogonistic macrumors newbie

    Joined:
    Aug 22, 2011
    #13
    I had exactly the same problem. cat /etc/resolv.conf showed this line:
    Code:
    nameserver 188.229.89.121
    We figured out that there was an infected machine on the network by doing this:

    1. Turn on verbose logging for dhcp:
    Code:
    sudo ipconfig setverbose 1
    2. Follow the log by opening it in Console.app or running this in the terminal:
    Code:
    tail -F /var/log/com.apple.IPConfiguration.bootp
    3. Unplug and replug ethernet (and/or WLAN)

    4. Keep your eyes up for a block that ends with:
    Code:
    domain_name_server (ip_mult): {188.229.89.121}
    On our network, the real IP of that machine was in the server_identifier (ip) field of the log. After this, we used tcpdump to find the MAC address, logged in to the switch, found the port, followed the cable in that port to the patch panel, located the office and unplugged the windows machine.

    Our network is now clean, at least temporarily.

    Happy hunting =)
     
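The hunt above reads DHCP replies by eye from the verbose IPConfiguration log. The same check can be automated over raw DHCP payloads: decode each OFFER/ACK, list the resolvers in option 6 (domain_name_server) and report option 54 (server_identifier) for any reply that hands out a resolver not on an allowlist. The script below is an added example, not code from the thread or from any poster. It assumes you have the UDP payloads (for instance extracted from a pcap); the sample packets, the 192.168.1.0/24 addresses and the allowlist are constructed for offline testing, with the rogue OFFER carrying the resolver reported in this thread. The rogue host's MAC address is not inside the DHCP payload (chaddr is the client's address), so locating the port still takes the tcpdump step from the post.

```python
"""Audit DHCP OFFER/ACK payloads for unexpected DNS servers (added example).

A rogue DHCP server on the LAN can hand every client a resolver it controls.
This decodes server replies, lists the pushed resolvers (option 6) and reports
the server_identifier (option 54) so the offending host can be located.
All sample packets here are constructed; nothing is captured from a network.
"""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"              # DHCP magic cookie preceding the option list
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header and the TLV option list of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    ciaddr, yiaddr, siaddr, giaddr = (IPv4Address(payload[i:i + 4]) for i in (12, 16, 20, 24))
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(payload):
            break                          # truncated option header
        length = payload[i + 1]
        if i + 2 + length > len(payload):
            break                          # truncated option body
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "ciaddr": ciaddr, "yiaddr": yiaddr, "siaddr": siaddr,
            "giaddr": giaddr, "chaddr": payload[28:28 + hlen].hex(":"), "options": options}


def dns_servers(options: dict) -> list:
    """Option 6 is a list of 4-byte addresses; a trailing partial address is ignored."""
    raw = options.get(OPT_DNS, b"")
    return [IPv4Address(raw[i:i + 4]) for i in range(0, len(raw) - len(raw) % 4, 4)]


def audit(payload: bytes, expected_dns: set):
    """Return a finding dict for an OFFER/ACK, or None for other message types."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    if mtype not in (2, 5):                # only OFFER and ACK carry lease data
        return None
    servers = dns_servers(msg["options"])
    sid = msg["options"].get(OPT_SERVER_ID)
    return {
        "type": MSG_NAMES.get(mtype, str(mtype)),
        "server_identifier": IPv4Address(sid) if sid and len(sid) == 4 else None,
        "offered_ip": msg["yiaddr"],
        "client_mac": msg["chaddr"],
        "dns": servers,
        "unexpected_dns": [s for s in servers if s not in expected_dns],
    }


def build_reply(msg_type, server_id, dns, xid=0x3903F326, client_mac="00:11:22:33:44:55"):
    """Construct a minimal DHCP server reply for offline testing (constructed data)."""
    chaddr = bytes.fromhex(client_mac.replace(":", ""))
    header = struct.pack("!BBBBIHH", 2, 1, len(chaddr), 0, xid, 0, 0)
    header += (IPv4Address("0.0.0.0").packed + IPv4Address("192.168.1.50").packed
               + IPv4Address(server_id).packed + IPv4Address("0.0.0.0").packed)
    header += chaddr.ljust(16, b"\0") + bytes(64) + bytes(128)   # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns)
    return header + MAGIC + opts + b"\xff"


# Constructed samples: the legitimate router's ACK and a rogue host's OFFER
# pushing the resolver reported in this thread.  The allowlist is assumed.
EXPECTED_DNS = {IPv4Address("192.168.1.1")}
GOOD_ACK = build_reply(5, "192.168.1.1", ["192.168.1.1"])
ROGUE_OFFER = build_reply(2, "192.168.1.77", ["188.229.89.121"])


def rogue_findings(payloads, expected_dns=EXPECTED_DNS):
    """Filter a batch of DHCP payloads down to replies pushing unexpected resolvers."""
    out = []
    for p in payloads:
        finding = audit(p, expected_dns)
        if finding and finding["unexpected_dns"]:
            out.append(finding)
    return out


if __name__ == "__main__":
    for f in rogue_findings([GOOD_ACK, ROGUE_OFFER]):
        print(f"{f['type']} from server_identifier {f['server_identifier']} pushed DNS "
              f"{[str(s) for s in f['unexpected_dns']]} to client {f['client_mac']}")
```

Run against every DHCP reply seen on the segment, the server_identifier of each finding is the address to chase down; a legitimate server that appears with an unexpected resolver points at a compromised or misconfigured router rather than a rogue host.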
