LeadingChannelSearch Profile?

fracai

macrumors member
Original poster
Jul 2, 2004
51
0
I just worked through troubleshooting a network issue for my mother-in-law. Her symptoms were that after rebooting her Mac she could get to one website through Safari, then no other requests complete. I was able to start a screen sharing connection and I could then ping and use curl to access other sites from her machine, but all browser traffic would fail. I found a SOCKS proxy enabled that was redirecting all web traffic to localhost:8080. There was an exclusion for 169.254/16, but that looks like it's a default. I disabled the proxy and web traffic resumed. There was also a Profile installed on March 15th that was titled "LeadingChannelSearch". I'm kicking myself because I didn't copy down the info that was listed, which did include an update web address.

She then informed me that this all started around the 15th when she was at a restaurant. She was using the WiFi and a bunch of windows started popping up so she shut everything down.

So, I'm assuming that she connected to a malicious hotspot that prompted her to install the profile and changed her proxy settings. I'm guessing that there may be a proxy server still running on her machine.

Does anyone have any tips on where to search next or where I can look for more info on this? "LeadingChannelSearch" has zero hits, so I'm guessing that is a random title.

Any suggestions or ideas where else to look?
 

Brian33

macrumors 6502a
Apr 30, 2008
757
43
USA (Virginia)
According to my notes, you can check for running processes that are listening on a specific port with the following command:

sudo lsof -i :8080

If anything turns up, it will give you the PID which you can trace to the executable with the 'ps' command.

Kudos on figuring out the problem!
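
Added example, not part of the original posts: a shell sketch that ties together the two checks discussed in this thread, finding any proxy setting that points at the local machine and then naming the process listening on that port. It assumes the `Enabled:` / `Server:` / `Port:` layout printed by macOS `networksetup`; the function names and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: find proxy settings that point at this Mac and the process behind them.

# Constructed sample of `networksetup -getsocksfirewallproxy Wi-Fi` output.
sample_output() {
    printf '%s\n' 'Enabled: Yes' 'Server: localhost' 'Port: 8080' \
        'Authenticated Proxy Enabled: 0'
}

# Reads `networksetup -get*proxy` output on stdin; prints "host:port" only when
# the proxy is enabled and its server is a loopback address.
loopback_proxy() {
    awk '
        /^Enabled: / { on = ($2 == "Yes") }
        /^Server: /  { host = $2 }
        /^Port: /    { port = $2 }
        END {
            if (on && (host ~ /^127\./ || host == "localhost" || host == "::1"))
                print host ":" port
        }'
}

# Walks every network service and proxy type, then maps each hit to a listener.
# Run as root so lsof can see processes owned by other users.
triage() {
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        for kind in socksfirewallproxy webproxy securewebproxy; do
            hit=$(networksetup "-get$kind" "$svc" 2>/dev/null </dev/null | loopback_proxy)
            [ -n "$hit" ] || continue
            echo "$svc: $kind -> $hit"
            for pid in $(lsof -nP -t -iTCP:"${hit##*:}" -sTCP:LISTEN 2>/dev/null); do
                echo "  listening: pid $pid, $(ps -p "$pid" -o comm=)"
            done
        done
    done
}

# Only run the live check where the macOS tool exists.
if command -v networksetup >/dev/null 2>&1; then
    triage
else
    sample_output | loopback_proxy   # prints localhost:8080
fi
```

A loopback proxy with no listener behind it matches the symptom in the first post: browser traffic is sent to a port nothing answers on, while ping and curl still work.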
 

fracai

Original poster
Ah, yes, excellent tip. I hadn't thought of that. I'll check it out. Thanks.
 

fracai

Original poster
Thanks, I also had a recommendation for Malwarebytes. I'll give those a try.