
My Mac is getting weird redirects with Safari and Chrome, however not with Mozilla Firefox. Since I cannot find software to do malware removal on Apple products or any good information, I am at a loss as to how to proceed after uninstalling and re-installing the affected browsers and deleting all the plugins/extensions, which did not work.

If anybody can point me to next steps, I would be greatly appreciative. Otherwise I guess I'll have to wipe the hard drive and re-install everything, which would be a huge hassle.

Other information:

If I ping an affected domain in the Terminal, I get the IP of the unwanted redirect (i.e. if I paste that IP into Firefox and go, it brings me to the wrong website for the domain I entered).

I am running Mavericks.

So... yes. How would one proceed? And... if you know... why would the issue affect two browsers and the ping command, but not Firefox?

sas08

2 Answers

If ping is returning an unwanted IP address for a domain, it almost certainly means something is hijacking your DNS settings.

The first step to check would be the hosts file

/etc/hosts

Then look here to determine what server or process is resolving your DNS

/etc/resolv.conf

Alternatively, you can use this command

scutil --dns

Firefox may be working because it's configured to use a SOCKS proxy, but it's impossible to know for certain without more details.

  • thanks for the advice! unfortunately /etc/hosts looks fine, and /etc/resolv.conf and `scutil --dns` show me pointing to OpenDNS like I'm supposed to :( – sas08 Oct 11 '14 at 02:49
  • Are there any unfamiliar browser extensions installed? How about a system proxy (`scutil --proxy`)? Do other tools like `nslookup`, `dig` and `host` return evidence of DNS hijacking? –  Oct 11 '14 at 03:10
  • I was kinda out of my depth when I first started looking into this, so sorry for the late response. I have, in fact, scrutinized scutil, nslookup, dig, host, and lsof. I have deleted all extensions for my browsers, reinstalled each of them... and used several antimalware programs including MacScan, AdwareMedic and Bitdefender's adware removal tool. The problem persists. I can't seem to figure it out. I noticed that I had weird certificates from DigiNotar et al. in Firefox, so I deleted those manually. They came right back. ATM I'm focusing on that. – sas08 Feb 05 '15 at 05:34
  • Additionally I have tried changing my network location, booting in safe mode, hard-resetting my router, flushing my DNS cache, and working in a new user profile. Further information: my Raspberry Pi has come down with symptoms... although my roommate's OS X Mavericks laptop (identical to mine hardware-wise) is not affected at all. I would guess the vector of infection for the Pi is just physical media. Weird it runs across 2 different operating systems. I note (also) that Firefox now has the same issue as other browsers, since I foolishly upgraded it to 35. – sas08 Feb 05 '15 at 05:42
  • sas08: can you describe the symptoms of the problem a bit more? For example, what IP address are you seeing in the unwanted redirect? –  Feb 06 '15 at 15:57
  • uwotm8 Although my roommate's system was not affected, and Firefox was not originally boned up... this turned out to be a definite modem/router issue. Replacing the hardware resolved my issue with redirects. To answer your question 204.246.150.204 for Seamless turned out to be the actual Seamless site address. I figured, not knowing a lot about this, that typing in the exact IP would exclude DNS hijacking... I assumed I was getting the wrong IP. For the record the url of the redirect phishing site was to www.seamless-uk.co.uk/bussiness/ – sas08 Feb 11 '15 at 14:17
  • Looks like the site has been up since 2012 from its metadata... using a very old jQuery... Googling the email they listed on the site yields a bunch of documents in various languages... yeah... guess this guy has other sites too... – sas08 Feb 11 '15 at 14:21
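The answer above lists three places to inspect (the hosts file, the resolver configuration, and `scutil --dns`). The script below is an added example, not part of the original answer: two small POSIX shell helpers that parse that data as text and print only the entries worth a second look. The hosts-file and `scutil --dns` samples are constructed here so the script runs offline; on a real Mac you would feed it the output of `cat /etc/hosts` and `scutil --dns` instead, and the "expected resolvers" list is whatever your network is supposed to use (the OpenDNS addresses are used as a stand-in).

```shell
#!/bin/sh
# Added example (not from the original answer): DNS-hijack triage helpers that work
# on text, so the constructed samples below run without touching the network.

# Print hosts-file mappings that point a name at anything other than the loopback
# and broadcast entries a stock macOS hosts file carries. Output: "<ip> <name>".
suspicious_hosts_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == "127.0.0.1" || $1 == "::1" || $1 == "fe80::1%lo0" || $1 == "255.255.255.255" { next }
        { print $1 " " $2 }
    '
}

# Print resolver addresses from `scutil --dns` output that are not in the
# space-separated allow-list given as $2. Each address is reported once.
unexpected_nameservers() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /nameserver\[[0-9]+\][[:space:]]*:/ {
            ip = $NF
            if (!(ip in ok) && !(ip in seen)) { seen[ip] = 1; print ip }
        }
    '
}

# Constructed sample: a stock hosts file plus one planted redirect (203.0.113.10 is
# documentation address space, used here as a placeholder).
SAMPLE_HOSTS='##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.10    www.example.com   # constructed: redirect planted in the hosts file
'

# Constructed sample in the shape of `scutil --dns`: two expected resolvers plus a
# third, unexpected one (192.0.2.53, again a documentation address).
SAMPLE_DNS='DNS configuration

resolver #1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 208.67.220.220
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000

resolver #3
  nameserver[0] : 192.0.2.53
  if_index : 4 (en0)
'

# Assumed allow-list: the resolvers this machine is supposed to be using.
EXPECTED_RESOLVERS='208.67.222.222 208.67.220.220'

echo "hosts entries to review:"
suspicious_hosts_entries "$SAMPLE_HOSTS"
echo "resolvers not in the expected list:"
unexpected_nameservers "$SAMPLE_DNS" "$EXPECTED_RESOLVERS"
```

Both helpers print nothing on a clean machine, which makes them easy to drop into a quick check. Note what this does not cover, and what the comment thread eventually revealed: if the hosts file and resolver list are all as expected but the resolver itself (here, the home router) is handing out bad answers, these checks pass and the next step is to compare answers from the configured resolver with answers from a resolver you trust.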
You may also want to look in ~/Library/LaunchAgents as well as ~/Library/LaunchDaemons for a file consisting of a series of numbers and letters. The sequence of these characters will be the same in both directories. Send them both to the trash (you will be asked to login), then empty trash on restart.

Another method to unhijack the browser is to Force-Quit Safari, turn off wi-fi from the menu bar (or disconnect ethernet), open Safari while holding down shift, which will then bring up the "Can't connect to server" message. Go to Safari History in the menu and select Remove all History and Web Data, which will allow you to remove as much or little as you need. Quit Safari, reconnect wi-fi, reopen Safari while holding Shift, and that should get your browser back.

user72694