Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Query: Possible DNS Redirect Trojan
- Thread starter Slux
- Start date
- Sort by reaction score
Go to Preferences, then Network, then click the Advanced button. In the window that pops up there should be a "DNS" tab. This tab should contain a list of IP addresses.
Let us know the list of addresses you see there. If it is only one then it is likely to be your router.
Let us know the list of addresses you see there. If it is only one then it is likely to be your router.
That is very suspicious, it should not be changing.
I'd definitely run some antivirus over your mac. In addition, look up the DNS Changer Remover and see if that finds anything.
As mentioned earlier in the thread, there may also be some useful info in this thread.
I'd definitely run some antivirus over your mac. In addition, look up the DNS Changer Remover and see if that finds anything.
As mentioned earlier in the thread, there may also be some useful info in this thread.
I ran the DNS Changer Tool and it did not reveal any problems. However, I just noticed that one of my topsite links is showing up in topsites as the google search page. So,I tried that site in Firefox rather than Safari 5 and sure enough I get the Google page loading.
So, I rebooted my router and the page shows properly in topsites now and loads correctly in Safari as well as Firefox.
Here is the weird part, the 71.243.0.12 DNS address has changed to 4.2.2.2
Called Verizon tech and was told that both of my browsers must be the problem or that my typing is bad. They are totally useless.
I think I'm way overdue to switch to Comcast.
So,I'm not sure if this is a security breach and what to do about it.
So, I rebooted my router and the page shows properly in topsites now and loads correctly in Safari as well as Firefox.
Here is the weird part, the 71.243.0.12 DNS address has changed to 4.2.2.2
Called Verizon tech and was told that both of my browsers must be the problem or that my typing is bad. They are totally useless.
I think I'm way overdue to switch to Comcast.
So,I'm not sure if this is a security breach and what to do about it.
It wasn't clear if you know what the 4.2.2.2 address is. It's a common one. Here's a page that mentions it and also mentions Google' public DNS, which you can also use. I've used them in the past to deal with an Opera issue.
Hi EDWW,
Going by what angelwatt said above, it is possible that the DNS servers you have listed are either from your ISP or legit open DNS servers. However that doesn't explain why they are changing by themselves.
I'm no networking guru though, can anyone explain why that might happen?
In the meantime, you might want to try opening a Terminal and typing "sudo crontab -l" (you may be prompted for your admin password for this command, that's fine, just enter it).
Some DNS changer trojans will install a cron job to change the DNS settings periodically. This command should list any cron jobs currently running.
Let us know the results.
Going by what angelwatt said above, it is possible that the DNS servers you have listed are either from your ISP or legit open DNS servers. However that doesn't explain why they are changing by themselves.
I'm no networking guru though, can anyone explain why that might happen?
In the meantime, you might want to try opening a Terminal and typing "sudo crontab -l" (you may be prompted for your admin password for this command, that's fine, just enter it).
Some DNS changer trojans will install a cron job to change the DNS settings periodically. This command should list any cron jobs currently running.
Let us know the results.
Quick follow-up:
My problem seems to be resolved. It has not recurred since changing my DNS settings from the router to the DNS servers directly. So I am pretty confident that this was not a trojan/virus.
What caused the problem in the first place is left as an exercise to the reader!
My problem seems to be resolved. It has not recurred since changing my DNS settings from the router to the DNS servers directly. So I am pretty confident that this was not a trojan/virus.
What caused the problem in the first place is left as an exercise to the reader!
Interesting.
So in summary, based on those two data points, the DNS servers (or something in between) are getting confused when they get a bunch of DNS requests over a short period of time, and end up feeding the wrong IP associated with the wrong domain. Safari 5's DNS prefetching is generating enough queries over a short enough period of time to make them unhappy.
Kind of guessing these problems are related to the router getting confused somehow, rather than the DNS server itself, since those should be able to handle a lot of traffic, but either way if it's solved by manually entering a DNS address that narrows it down to a pretty specific problem.
OP: You just hardcoded your ISP's server, right? Which would indicate the router, not the server itself, since it would theoretically be the same server either way.
EDWW: Good that that's a solution, but since from the sound of it that 4.2.2.2 server isn't necessarily one you want to be using, you might consider using 8.8.8.8 and 8.8.4.4, which are Google's freely-available ones:
http://code.google.com/speed/public-dns/
So in summary, based on those two data points, the DNS servers (or something in between) are getting confused when they get a bunch of DNS requests over a short period of time, and end up feeding the wrong IP associated with the wrong domain. Safari 5's DNS prefetching is generating enough queries over a short enough period of time to make them unhappy.
Kind of guessing these problems are related to the router getting confused somehow, rather than the DNS server itself, since those should be able to handle a lot of traffic, but either way if it's solved by manually entering a DNS address that narrows it down to a pretty specific problem.
OP: You just hardcoded your ISP's server, right? Which would indicate the router, not the server itself, since it would theoretically be the same server either way.
EDWW: Good that that's a solution, but since from the sound of it that 4.2.2.2 server isn't necessarily one you want to be using, you might consider using 8.8.8.8 and 8.8.4.4, which are Google's freely-available ones:
http://code.google.com/speed/public-dns/
I'm also getting odd redirects, such as trying to go to imdb, and instead getting google, or going to youtube and getting some other site.
My DNS settings are though my router, and of course changing to go to use Google's DNS seems fine.
I'm on the latest versions of Safari and Mac Os X.
My DNS settings are though my router, and of course changing to go to use Google's DNS seems fine.
I'm on the latest versions of Safari and Mac Os X.
It sounds like a safari 5 problem to me. I get very strange errors including complete redirects, and then an error saying safari has been redirected too many times. Each time, 'refreshing' the dns by entering in the google public dns fixes it.
I can't leav it on the google dns however, as I can no longer access iTunes store when I use the google one.
I thought the prefetching issues were fixed on 5.0.1? However, I still get redirects. Doing a ClamXAV to see if I have anything, and may reset router to factory settings to check that later.
I can't leav it on the google dns however, as I can no longer access iTunes store when I use the google one.
I thought the prefetching issues were fixed on 5.0.1? However, I still get redirects. Doing a ClamXAV to see if I have anything, and may reset router to factory settings to check that later.
Will, look at the article OSX.RSPlug.A Trojan Horse for Mac OS X to see if you are getting DNS forwards.
It appears this has happened to my fathers computer. He is very likely to have downloaded and installed something he shouldn't have. I'll post what happened when I find out more info.
Update: I used the SecureMac's DNSchanger removal tool to find and remove it. Hopefully all will be well now. My father says that he doesn't remember installing anything anywhere near the time that the problems started happening, but knowing his computer skills and memory it wouldn't surprise me if he had and forgot.
Also, my router died completely when he came to my house and accessed my wireless using his infected computer. I doubt the two events are related, but I don't really know enough about malware capabilities to have any idea what is and is not possible.
Anyway, I thought people should know that this trojan is still out there and infecting people.
Update: I used the SecureMac's DNSchanger removal tool to find and remove it. Hopefully all will be well now. My father says that he doesn't remember installing anything anywhere near the time that the problems started happening, but knowing his computer skills and memory it wouldn't surprise me if he had and forgot.
Also, my router died completely when he came to my house and accessed my wireless using his infected computer. I doubt the two events are related, but I don't really know enough about malware capabilities to have any idea what is and is not possible.
Anyway, I thought people should know that this trojan is still out there and infecting people.
Last edited:
Slux, I need your help. Can you elaborate more on your post last June 21, 2010?
"My problem seems to be resolved. It has not recurred since changing my DNS settings from the router to the DNS servers directly. So I am pretty confident that this was not a trojan/virus."
What do you mean "from the router to the DNS servers directly"?
"My problem seems to be resolved. It has not recurred since changing my DNS settings from the router to the DNS servers directly. So I am pretty confident that this was not a trojan/virus."
What do you mean "from the router to the DNS servers directly"?
Slux hasn't been on the site for a couple months, so you may or may not get a response from them.
Read the section "Why am I being redirected to other sites?" in the link above.
Thank you GGJstudios for the quick response. Some of my DNS addresses are greyed out, I'll try to remove them using the link you sent me.
Anyway, I also noticed that when using Speedtest.net, it stops when getting the upload speed. It keeps saying "connecting". There's no problem with the download speed. Also, I can't access Facebook, Twitter, Schwab, and some other sites. I can't also compose or reply emails in Yahoo Mail, but I can read emails. Gmail works fine.
Do you think my problem has something to do with the DNS?
Anyway, I also noticed that when using Speedtest.net, it stops when getting the upload speed. It keeps saying "connecting". There's no problem with the download speed. Also, I can't access Facebook, Twitter, Schwab, and some other sites. I can't also compose or reply emails in Yahoo Mail, but I can read emails. Gmail works fine.
Do you think my problem has something to do with the DNS?
If you can access the speedtest.net site, but it stops while loading certain pages, the problem isn't likely DNS. If it were a DNS issue, you wouldn't be able to access the site at all. Check to see what ad-blockers you may have installed. Also reset your browser, clearing cache and cookies.
Thanks for the clarification. So it's not the DNS that's the problem. Resetting the browser didn't work too. I can go to the Facebook main page, but I can't do anything after logging in. And I don't have any adblockers or AV software installed.
Anyway, I just reinstalled OS X but the problem still persists. I don't think my MBP is the problem, I think it's my ISP. When I bring my laptop to work or any other place, it works perfectly. It's only here at home that I experience this. By the way, my wife's MacBook also has the exact same problem. But my iPhone and my friend's Windows laptop work perfectly fine here at home.
I'm confused.
Anyway, I just reinstalled OS X but the problem still persists. I don't think my MBP is the problem, I think it's my ISP. When I bring my laptop to work or any other place, it works perfectly. It's only here at home that I experience this. By the way, my wife's MacBook also has the exact same problem. But my iPhone and my friend's Windows laptop work perfectly fine here at home.
I'm confused.
Probable Solution
Hello all. I was looking through these different theories about DNS and viruses/malware, etc etc etc.
Fortunate for me, my friend and I have the exact same router with the exact same ISP. Only difference is that his router is on the default access settings while I created a different password for the control panel. Oddly enough, I only really noticed the google redirect or redirecting issue at his house...
Then I figured, ok, www.google.com is supposed to take me to the Google Website's server(s) at 74.125.127.99. So I typed 74.125.127.99 into my browser and got to google. I then searched something and all the results were correct and the URLs were correct.
Remembering the default login info for our routers, I logged into his router and upgraded the firmware. Once I did so, I restored default settings (can be accomplised via the control panel software or via holding the reset button with a paper clip for about 20 seconds).
After reconnection, the problem was gone and (I bet) will stay gone.
This problem was occurring on my 3 year old macbook, my friend's BRAND NEW macbook pro, and his brother's new macbook, all using Firefox. No sense why it didn't happen in Safari, but oh well.
To solve the problem:
-upgrade your router firmware
-reset/restore your router to default settings
-change the password for your router's control panel (not the WEP/WPA/"Wifi" password)
Hello all. I was looking through these different theories about DNS and viruses/malware, etc etc etc.
Fortunate for me, my friend and I have the exact same router with the exact same ISP. Only difference is that his router is on the default access settings while I created a different password for the control panel. Oddly enough, I only really noticed the google redirect or redirecting issue at his house...
Then I figured, ok, www.google.com is supposed to take me to the Google Website's server(s) at 74.125.127.99. So I typed 74.125.127.99 into my browser and got to google. I then searched something and all the results were correct and the URLs were correct.
Remembering the default login info for our routers, I logged into his router and upgraded the firmware. Once I did so, I restored default settings (can be accomplised via the control panel software or via holding the reset button with a paper clip for about 20 seconds).
After reconnection, the problem was gone and (I bet) will stay gone.
This problem was occurring on my 3 year old macbook, my friend's BRAND NEW macbook pro, and his brother's new macbook, all using Firefox. No sense why it didn't happen in Safari, but oh well.
To solve the problem:
-upgrade your router firmware
-reset/restore your router to default settings
-change the password for your router's control panel (not the WEP/WPA/"Wifi" password)