OSX Mac Browser Hijack? Safari & Firefox!!!

NewLittleSnitchUser

OSX Mac Browser Hijack? Safari & Firefox!!!

Post by NewLittleSnitchUser » Sun Jan 07, 2007 4:15 am

HELP! Both our browsers keep being hijacked (safari & firefox) to a weird site while inside a members only log-in backdoor! It only happens when I press a 'search' button from within one section (URL would be like: www.domain.com/members/search.php).

So far it only happens within this one site and it happens whether we are in secure or unsecure http: or httpS: url location in this particular member site. The webmaster says it never happens on any others, he checked using various browsers and platforms and therefore that it has to be in my system.

Has anyone heard of this? I cannot figure it out, I don't find anything about this anywhere -- can littlesnitch stop it?

ANY help appreciated!

OH: after hitting 'search' in both safari and firefox the redirect/hijack goes to this URL

http://www.usuc.us/enter/goto.php

(we have tried it several times on different days and it always happens! I even got rid of all the cookies in firefox as a test -- still happened.) :?:

johannes
Objective Development
Posts: 815
Joined: Fri Nov 10, 2006 4:39 pm

Post by johannes » Mon Jan 08, 2007 7:54 pm

You could of course add a Little Snitch rule to deny access to www.usuc.us, but this will not keep Safari or Firefox from trying to access that URL.

So it would for now make sure your browser does not connect to this site, but you'd still need to find out why it tries to...

Guest

apparently it's javascript related

Post by Guest » Sat Jan 13, 2007 1:52 pm

thanks-- good idea.

Discovered that when I turn off javascript in both browsers the behavior (hijacking) stops. I don't know if this means the 'infection' is on my end or the host site or server or what.

If on my end, I don't know how to de-infect whatever it is, wherever it is.

Rick

Post by Rick » Fri Jan 26, 2007 4:17 pm

It would be good if you could give us the URL so we could look at the code. I don't understand why you didn't curl the URL and post the source here. I think as turning off JS turns off the exploit that it's clear where it's coming from but I'm not sure everyone will rest easy for that.

Please provide the URL that hijacked you so we can see what's going on. Better yet, provide the source to that web page if you still have it (and hopefully you have it).

Note a similar issue here brought to our attention.
http://www.macworld.com/forums/ubbthrea ... ber=473150

Cheers - and stay safe!
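Added example, not part of the thread or any poster's code: once the page source has been saved (for instance with curl, as suggested above), a static pass like this lists script-driven navigations and remote script includes that point off-site. The sample HTML is constructed because the real search.php source was never posted, and `offsite_targets`, `same_site` and `cdn.example.net` are illustrative names.

```python
import re
from urllib.parse import urlparse

# Constructed sample page. The real search.php source was never posted in the
# thread, so this only illustrates the kind of markup to look for.
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<form action="/members/search.php" method="post"
      onsubmit="window.location='http://www.usuc.us/enter/goto.php'; return false;">
<input type="submit" value="search"></form>
<a href="http://www.domain.com/members/">home</a>
</body></html>"""

# Constructs that navigate the browser or pull in script without a link click.
PATTERNS = [
    ("location assignment", re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I)),
    ("location.replace/assign", re.compile(r"""location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)),
    ("meta refresh", re.compile(r"""<meta[^>]+http-equiv=["']?refresh[^>]*?url=["']?([^"'>\s]+)""", re.I)),
    ("remote script", re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I)),
]

def same_site(host, page_host):
    """True when host is the page's host or a subdomain of it (leading www. ignored)."""
    base = page_host[4:] if page_host.startswith("www.") else page_host
    return host == base or host.endswith("." + base)

def offsite_targets(html, page_host):
    """Return (kind, host, url) for every flagged construct that points off-site."""
    findings = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(html):
            url = match.group(1)
            host = urlparse(url).hostname  # None for relative URLs (same site)
            if host and not same_site(host.lower(), page_host.lower()):
                findings.append((kind, host, url))
    return findings

if __name__ == "__main__":
    for kind, host, url in offsite_targets(SAMPLE_HTML, "www.domain.com"):
        print(f"{kind:24} {host:20} {url}")
```

A static scan only sees literal URLs; a redirect assembled at run time or injected by a browser plug-in will not appear in the saved source, which itself helps separate a server-side cause from a client-side one.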

Fluffy
Rank 1
Posts: 23
Joined: Fri Nov 17, 2006 1:35 am

Post by Fluffy » Sun Jan 28, 2007 10:18 am

It is starting to look like OS X is experiencing the types of malware that have until now only affected Windows systems.
Everybody on Windows knows that viruses/malware are a fact of life.

However, everyone seems to think that OS X is immune from these problems...

In fact, there is a growing list of OS X exploits that are operating just 'blow the radar', but there are almost no security tools available to mitigate them.

I predict that things are going to get very bad for MacOS X users...

Guest

Post by Guest » Tue Jan 30, 2007 3:30 pm

Fluffy wrote: It is starting to look like OS X is experiencing the types of malware that have until now only affected Windows systems.
Everybody on Windows knows that viruses/malware are a fact of life.

However, everyone seems to think that OS X is immune from these problems...

In fact, there is a growing list of OS X exploits that are operating just 'blow the radar', but there are almost no security tools available to mitigate them.

I predict that things are going to get very bad for MacOS X users...


Your a fucking retard

Fluffy
Rank 1
Posts: 23
Joined: Fri Nov 17, 2006 1:35 am

Post by Fluffy » Tue Jan 30, 2007 10:29 pm

Your a fucking retard


I think what you meant to say is, "You're a fucking retard."

Your is the second person possessive of the pronoun 'you', as in:
Your mother should have had an abortion.

You're is a contraction for 'you are', as in: You're not worth the time it took to type this post.

FredB
Rank 2
Posts: 69
Joined: Sun Dec 31, 2006 8:19 am
Location: Liège, Belgium

Post by FredB » Wed Jan 31, 2007 2:26 am

Fluffy wrote: I think what you meant to say is, "You're a fucking retard."

Your is the second person possessive of the pronoun 'you', as in:
Your mother should have had an abortion.

You're is a contraction for 'you are', as in: You're not worth the time it took to type this post.

Are you aware that there is more than one language on earth?
Maybe English is his language anyway, but I hate people making the assumption that everybody should speak English perfectly.

BTW, your previous post is total FUD.

Not everyone thinks OS X is immune, but denying that OS X is more secure than windows by design is simply dishonest.
There are a lot of security tools. (Native OS X utilities or UNIX/Linux ports.)
there is a growing list of OS X exploits that are operating just 'blow the radar'

I think what you meant to say is 'below the radar'. (Easy, huh?)
Having 3 proofs of concepts instead of 2 is in fact a growing list. Bravo.

Please, keep your doom predictions for you, thanks.

Guest

Post by Guest » Wed Jan 31, 2007 5:08 pm

This is not a prediction of doom. Browser hijacks via Javascript are a fact of the Windows world, and there is no reason why they shouldn't start turning up on Macs now that the platform's popularity is growing.

Things may in time turn out not to be as bad as they have become on Windows since the Mac browsers may be less insecure than IE* but this is definitely a rumbling of thunder, if not the apocalypse.

Also note that both the above-quoted hijacks, if true as reported, cause a modification of OS X System Preferences. This (once again, if verified true) is serious; the hijack is reaching beyond the browser's internal prefs to those of the system-wide Network Preferences panel.

OS X is a great desktop OS, but that doesn't mean it's immune to attack. Check out the Month of Apple Bugs if you need proof.


diem
(currently evaluating LittleSnitch as a result of this thread!)



* don't depend on it - Macintosh has always been about ease of user experience, and unfortunately this often does not play well with strong security. The advice may well be to use

Diegus83

Post by Diegus83 » Wed Feb 07, 2007 4:43 pm

My guess is this has more to do with the user giving his admin password to third party "un-trusted" applications, maybe a search-bar, a browser plug-in, etc.

Guest

Re: OSX Mac Browser Hijack? Safari & Firefox!!!

Post by Guest » Thu Feb 08, 2007 1:26 am

Did you know google cached this "Post a Reply" page?

Nigeltech

Browser compromised?

Post by Nigeltech » Thu Feb 08, 2007 9:30 pm

Hi there, I'm in a similar situation
If I attempt to connect to any Google site, or sites with a google connection (eg mozilla.com) I get a timeout message (after the timeout of course)
This happens with Firefox (2.0.0.1) and Safari (2.0,4)
Running OSX 10.4.8
Connect to internet on broadband DSL.
The odd thing is the problem occurs with my mac mini and my G4 iBook.
I am using my daughter's iBook and it connects OK
When she took my iBook to her place it will not connect to google, but is OK with everything else.

I cannot connect to my bank site either.
I can connect to www.nzcity.co.nz, but when I click thru to "tv listings" the connection times out. Note starts to load OK, then it stalls at the point the status line reads "waiting for pagead2.googlesyndication.com".
I have cleared cache (I think)
Cleared all history
Turned off Java
Changed DNS to a configured one my ISP says is the one to use.
No change.
Any ideas? Have I been blocked?

nigeltech

Re: Browser compromised?

Post by nigeltech » Sat Feb 10, 2007 10:45 pm

Nigeltech wrote: Hi there, I'm in a similar situation...

Well, it appears my problem has resolved itself, no idea what happened, but my best guess is the problem was with my ISP.

maxplanar

No, but then the sky hasn't fallen yet either...

Post by maxplanar » Wed Feb 14, 2007 1:37 am

Anonymous wrote: This is not a prediction of doom


Sounds like it to me. You know what? No-one in their right mind believes that ANY OS is totally secure, yet the OS security picture as of mid-Feb 2007 continues to be:

A) There are no known viruses, worms or trojans for OSX in the wild. Tentative 'how-it-might-happen's have been shown, but nothing has happened.

B) On the other hand, Windows is known to have at least a few hundred thousand viruses, worms and trojans.

And OSX is five years old. You may choose the OS that is riddled with problems, or you may choose the OS that has none yet. Your choice.

People have been parading placards screaming "The End of The World is Nigh" for decades, but there's not a single normal person who looks at them with anything other than a gentle, patronising smile, and a curiosity at how they sleep at night.

bosrino

OSX Mac Browser Hijack? Safari & Firefox!!!

Post by bosrino » Sun Mar 25, 2007 4:31 am

LOL someone states their browser is being hacked on a mac computer and then you start talking about DOOMS day? Wow you're not right in the head at all.
