http/email doesn't connect, ftp connects

[fivegrand]

I've got a weird one now with my G5. http services are totally blocked (somehow), email access is totally blocked (somehow), yet ftp connects immediately. This is true both wired to the router, wireless through the router, and direct to the modem. I've tested http access with Camino, Opera, Firefox, Flock and even IE5.2 to no avail.

Additionally, when I go to the Network pane in sysprefs, I get the "your network settings have been changed by another application" popup in an infinite loop. All the settings, however, appear to be correct.

I just finished running MacScan, it didn't find anything (a while back it found and isolated a trojan called DNSChanger).

My iBook functions just fine regardless of connection method.

Any thoughts?

 

[tyr2]

Try logging in as another user (create on if necessary) and see if the System Preferences problem persists.

If you can get into Sys Prefs check that Proxies settings (Advanced / Proxies) are blank.

 

[fivegrand]

I logged in as root, and the infinite loop message persists, as do the services denials. I'll check those settings now.

 

[fivegrand]

Ok, it just got weirder. I had it shut down for a few minutes. Restarted and went to sysprefs to check proxy settings (they are blank)...The infinite loop popup aside, it wouldn't let me do *anything* within the proxies tab. Clicking on anything (if I could do it fast enough between the popups) returned me to the TCP/IP tab.

Then: For the heck of it, I started Camino. Google loaded up just fine, this site loaded up just fine.

Ok...So I fired up Mail. Connected and downloaded new mail. Then - connection denial.

So I go back to Camino - yup, can't get anything to load up.

:wtf:

Restarted, and same thing, no access to mail or http services.

So NOW my though process is that sometime during the night I got something through Mail. BUT - why would whatever it is affect only the G5 and not the iBook? They are the same everything in terms of system (10.4.11) and software versions.

 

[fivegrand]

Another update lol:

in tinkering around, I found that if I can manage to click the Renew DHCP Lease button in the sysprefs network pane, I get services for about a minute.

So what would cause the DHCP lease to not renew? Obviously it's not a router problem, because I'm posting this through the same router from a different computer.

 

[4np]

Do you perhaps connect to an IP address when you use FTP and try to access a URL when browsing / mailing? If you had the DNS changer worm, maybe your DNS resolving is messed up....

First idea, execute the following commands and see what they return:

cat /etc/hosts
cat /etc/resolv.conf

 

[tyr2]

Also do 'dig http://www.google.com' in Terminal. If you don't get something similar (the IP's may be different) to the below then something is wrong with your DNS resolution.

eg

$ dig www.google.com

; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58112
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		214434	IN	CNAME	www.l.google.com.
www.l.google.com.	300	IN	A	216.239.59.104
www.l.google.com.	300	IN	A	216.239.59.99
www.l.google.com.	300	IN	A	216.239.59.103

;; AUTHORITY SECTION:
l.google.com.		74684	IN	NS	b.l.google.com.
l.google.com.		74684	IN	NS	e.l.google.com.
l.google.com.		74684	IN	NS	g.l.google.com.
l.google.com.		74684	IN	NS	f.l.google.com.
l.google.com.		74684	IN	NS	a.l.google.com.
l.google.com.		74684	IN	NS	c.l.google.com.
l.google.com.		74684	IN	NS	d.l.google.com.

 

[fivegrand]

Also do 'dig http://www.google.com' in Terminal. If you don't get something similar (the IP's may be different) to the below then something is wrong with your DNS resolution.

eg

$ dig www.google.com

; <<>> DiG 9.4.2-P2 <<>> www.google.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58112
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 7, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.			IN	A

;; ANSWER SECTION:
www.google.com.		214434	IN	CNAME	www.l.google.com.
www.l.google.com.	300	IN	A	216.239.59.104
www.l.google.com.	300	IN	A	216.239.59.99
www.l.google.com.	300	IN	A	216.239.59.103

;; AUTHORITY SECTION:
l.google.com.		74684	IN	NS	b.l.google.com.
l.google.com.		74684	IN	NS	e.l.google.com.
l.google.com.		74684	IN	NS	g.l.google.com.
l.google.com.		74684	IN	NS	f.l.google.com.
l.google.com.		74684	IN	NS	a.l.google.com.
l.google.com.		74684	IN	NS	c.l.google.com.
l.google.com.		74684	IN	NS	d.l.google.com.

I got:

;; connection timed out; no servers could be reached

After manually renewing the DHCP lease, I got something closer to what you posted.

I just did it on my iBook as well, and got something different yet again. So I did it once more on the iBook, and got something different from the first time (on the iBook). So I guess a few minor differences between dig commands are to be expected?

The first three quads of the ip addresses in the answer section are showing the same on both machines.

 

[4np]

Sounds like you DNS resolving is messed up... try those commands I gave you as well..

 

[fivegrand]

Do you perhaps connect to an IP address when you use FTP and try to access a URL when browsing / mailing? If you had the DNS changer worm, maybe your DNS resolving is messed up....

I hadn't thought of that. Yes, I do connect to my server via the IP address. I'm lazy and never reset my ftp app to use the ftp url.

I don't know how the mail connects, other than that it's a standard POP mail account using Mail, not webmail.

First idea, execute the following commands and see what they return:

cat /etc/hosts
cat /etc/resolv.conf

cat /etc/hosts

127.0.0.1  localhost
255.255.255.255   broadcasthost
::1  localhost

cat /etc/resolv.conf

nameserver 85.255.113.198
nameserver 85.255.112.321

 

[fivegrand]

Aha!

How can an individual discover the DNSChanger Trojan on his system?

First, an up-to-date Anti-Virus engine needs to be in place. Our Secure Anti-Malware engine, for example, blocks this threat proactively as "Trojan.Dropper.Dldr.DNSChanger.Gen" already at the network perimeter. Next, users must not deploy routers, broadband modems or other networking equipment that comes with an administrative web interface, without changing the default password first.

A typical sign of infection with DNSChanger is that the DNS and DHCP servers are pointing to the IP address range 85.255.*.* .

This is true on the G5, not true on the iBook.

Aha, aha!

A cron job (scheduled task) will run every minute to restore the malicious DNS info, in case you change it.

Ok...So, problem solved (so far) thanks to http://www.securemac.com's free DNSChanger Removal Tool.

I still have the infinite loop message in the Network prefs pane, though.

 

[fivegrand]

Goody gumdrops. Its doing it again, this time with a couple of twists: first, neither computer can connect to urls. The resolv.conf command and hosts command in terminal both correct info on both machines. Next twist, email shows no errors, but can only receive and not send. Dnschanger removal tool came up clean on both machines. Like last time, ftp connects (via ip address) almost immediately, so I know my connection is up.

Any thoughts?

I've been poking lookiibng for new baddies that may be afoot, but frankly its a bit tedious surfing on my phone over edge (thankfully I have it though or I couldn't bug y'alls again)

 

[fivegrand]

Turns out my ISP had several servers go down, resulting in a mixed outage.

:facepalm: