OSX Mac Browser Hijack? Safari & Firefox!!!

General discussions about Little Snitch
Posts: 4
Joined: Thu Jan 18, 2007 4:28 pm

Re: Browser compromised? - I highly doubt it

Post by zo219 » Mon May 07, 2007 3:30 am

Have you tried trashing your browser's preferences files and restarting? Preferences files become easily corrupted - as do browsers themselves; at times it's smartest to download a fresh copy.

Trashing all networking preferences is also a way to clean things up - you can write down any settings you're worried about losing.

In addition, do you have a regular maintenance routine? Empty caches, repair permissions, run Disk Warrior and/or Disk Utility from startup disk...

Posts: 1
Joined: Wed Jun 13, 2007 12:24 pm

Post by salman » Wed Jun 13, 2007 12:25 pm

Hi, This post is very informative, however I would like some specific information. If someone can help me then please send me a private message. Best Regards,

Dave Bourke
Rank 1
Posts: 38
Joined: Fri Nov 17, 2006 7:32 pm
Location: Ireland

Post by Dave Bourke » Wed Jun 13, 2007 1:41 pm

Hey salman, you left out the letters "ES" after the "L" in your name.

Kind regards.


Post by Guest » Fri Aug 03, 2007 6:16 pm

Or your ISP could be hijacking your connection to serve you ads. Many ISPs do this. Some do it different ways (by poisoning DNS servers or by inserting JavaScript into every webpage).

If your ISP is doing it, the change is happening long, long before anything even touches your computer.


Post by Guest » Sat Sep 01, 2007 9:04 am


I've been a welded-on LS user for 3 years now, and have always been able to manage net access originating from scripts/apps on my hard drive to my complete satisfaction with LS.

But this problem is one that LS can't touch because it uses one of the more powerful - but also capable of misuse - tools in the web developer's kit: Javascript (not Java).

Javascript is useful to honest web developers because it makes web pages capable of very useful menu content and site manipulation for the user, as well as the owner. However, this power can also be very easily hijacked for manipulating users - with effects ranging from collection of ip detail to malicious hijacking of hard drive data and activity. The most recent example of this was the blogger.com comments hijack by an organised crime network. The effects ranged from the mildest to the worst - namely turning some affected computers into robots for the criminals' networks.
The security implications to MS operating systems were most critical, and were patched, but increasingly we see that it is social manipulation - not simply code manipulation, as in worm and package infections for example - that is a fertile field for criminals. A lot of people are now commenting on blogs and so the criminals are moving in to exploit networking tendencies in the same way as they have been doing with email for years.
And Javascript possibilities in web pages make their job a lot easier.

The instance here is a hijacking of a milder, but still unethical, kind and there should always be an awareness of javascript possibilities when the user is inviting installations to enhance browser function - and when the user visits untrusted web pages.

Having used the NoScript extension for Firefox since its beta version, I can highly recommend it for learning what kinds of Javascript are useful and what to avoid.
It enables the user of the browser to control the most dangerous type of Javascript - Cross-site Scripting (by design, NoScript will block any suspicious cross-scripting and the developer is working hard to keep up with the newest examples) - as well as blocking all scripting on sites until the user puts the site on a whitelist.
I recommend it to anybody who wants to begin to come to grips with the understanding of Javascript as it is used by web sites - and for anybody who would like to better control their own web experience, while still keeping the functionality of Javascript when needed for trusted sites.
Of course, given the greater vulnerability of XP and Vista machines, I recommend that Firefox with NoScript is the safest way to **efficiently** negotiate the WWW on them. IE7 gives a lot of JavaScript control for sure, but not as intuitively as NoScript and not with the Cross-site scripting controls that NoScript is working so hard to keep up-to-date.

My apologies for this long post, but I think that security-conscious groups should know about NoScript. There are also bonus controls for other privacy/security problems - Flash and Java.

I don't know why NoScript never shows up on the Firefox top recommended extensions, but I suspect that Google's revenue may have a little to do with Firefox's reluctance to advertise NoScript, the same as the removal of GUI fine control of third-party cookies in Firefox 2.0 was quietly done without much justification.


Post by Guest » Fri Sep 07, 2007 2:44 pm

Fluffy made me laugh. You're just utter boredom. As in 'TWIT'. Go Fluffy!


update on apparent javascript injection/bot

Post by Guest » Sat Sep 15, 2007 6:05 am

I still don't know what caused the original redirects. I now have NetBarrier and have placed usuc.us in the permanent stop list.

I just found these posts below which discuss it -- I found others similar but this seemed best (most quasi-understandable) explanation to me.

It has to do with people injecting JavaScript into a form or something and it resides on the ISP's server from what I was told by someone else. So they are saying it's on the ISP server/cache somewhere, not the host of the site it first showed up on during a 'search' of an SQL database. Although it also appeared when not using that site or searching that database too. I still don't know if this is true, it's just what I was told.

Note: the only 2 toolbars we have ever downloaded were for Firefox -- Netcraft's anti-phish security toolbar and Google's search toolbar. Could they be the source? I have no idea, not according to what I read below and a couple other places on webmaster sites.

http://forums.sixapart.com/lofiversion/ ... 61662.html
"that was the domain that a particularly nasty javascript comment
spammer was pumping. They were actually stuffing it into mt-search
and creating entries in the activity logs which would execute if
you read the log entry. This was fixed in SA security patch last

"you'll have to clear your MT Log (System Overview... Activity

" Here's what I put in my .htaccess

RewriteCond %{QUERY_STRING} search=http
RewriteRule mt-search[.]cgi /sand-trap.php [last]

This redirected any search that starts with "http:" to a sand-trap
file I have. I recommend setting up a similar error page and
redirecting to that."

http://teldata.wordpress.com/2006/12/04 ... cript-bot/


Don't know if these make any sense but probably will to people (not me) who understand JavaScript/programming/SQL/PHP/Perl etc.
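Added example, not part of the post above and not code from Movable Type or the quoted author: a Python scan of web server access logs for the mt-search requests the quoted text describes, which also reports whether the quoted `search=http` rewrite condition would have redirected each one. The log lines, addresses and the spam.example domain are constructed for illustration; the check assumes that `%{QUERY_STRING}` is matched raw (not URL-decoded) and case-sensitively, as mod_rewrite does without `[NC]`.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache "combined" log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [15/Sep/2007:06:01:10 +0000] "GET /cgi-bin/mt-search.cgi?search=http://spam.example/x.js HTTP/1.1" 200 512 "-" "bot"
203.0.113.5 - - [15/Sep/2007:06:01:12 +0000] "GET /cgi-bin/mt-search.cgi?search=HTTP%3A%2F%2Fspam.example%2Fx.js HTTP/1.1" 200 512 "-" "bot"
198.51.100.7 - - [15/Sep/2007:06:02:00 +0000] "GET /cgi-bin/mt-search.cgi?search=%3Cscript%20src%3D//spam.example/x.js%3E HTTP/1.1" 200 498 "-" "bot"
192.0.2.44 - - [15/Sep/2007:06:03:30 +0000] "GET /cgi-bin/mt-search.cgi?search=little+snitch+rules HTTP/1.1" 200 2301 "-" "Safari"
192.0.2.44 - - [15/Sep/2007:06:04:00 +0000] "GET /index.html?search=http://example.org HTTP/1.1" 200 900 "-" "Safari"
"""

# Client address and request target from a combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A search term that starts with a URL scheme or carries a script tag.
SUSPICIOUS = re.compile(r"^\s*https?:|<\s*script", re.IGNORECASE)


def htaccess_rule_matches(target):
    """Mimic the quoted rule: raw, case-sensitive match on the query string."""
    parts = urlsplit(target)
    return "mt-search.cgi" in parts.path and "search=http" in parts.query


def suspicious_search(target):
    """Decode the query first, then inspect only the 'search' parameter."""
    parts = urlsplit(target)
    if not parts.path.endswith("mt-search.cgi"):
        return False
    return any(
        key == "search" and SUSPICIOUS.search(value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    )


def scan(log_text):
    """Return (client, request target, caught_by_quoted_rule) per suspicious hit."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if m and suspicious_search(m.group(2)):
            hits.append((m.group(1), m.group(2), htaccess_rule_matches(m.group(2))))
    return hits


if __name__ == "__main__":
    for client, target, caught in scan(SAMPLE_LOG):
        print(f"{client}  redirected_by_rule={caught}  {target}")
```

Entries flagged with `redirected_by_rule=False` are the ones to review in the Movable Type activity log, since the rewrite rule alone would not have diverted them.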


Post by Guest » Sat Nov 24, 2007 12:00 pm

Amusing thread.

OSX malware will be bad... very bad... there are uber-geek unix tools hidden deeply within the Mac OS that could be used, but the majority of Mac users I know are technophobes to begin with... if it hasn't got a slick GUI that thinks for them, they don't want it--that's why they bought a Mac rather than a PC to begin with. As far as I can tell, anyone who thinks that the average Mac user can/will use these cryptic (and dare I say ancient) commandline tools to secure their system is seriously confused.

And while I'm throwing sand in the faces of the true believers, the Mac OS is just as horribly insecure as Windoze just in different ways. I have to type my password in on the Mac all of the time to get anything done. Grabbing the keys to the kingdom is a walk in the park on the Mac--it is no better than on Windoze.

FYI, the only OS ever deemed "unhackable" at DEFCON was VMS (at DEFCON 9... look it up for yourselves).


Post by Guest » Sun Dec 09, 2007 11:48 pm

Guest wrote: or your ISP could be hijacking your connection to serve you ads. Many ISPs do this. Some do it different ways (by poisoning DNS servers or by inserting javascript into every webpage).

If your ISP is doing it, the change is happening long, long before anything even touches your computer.

I think this is exactly the problem: the ISP is inept and full of incompetents.


Re: OSX Mac Browser Hijack? Safari & Firefox!!!

Post by Guest » Thu Jan 17, 2008 7:19 pm

Anonymous wrote: Did you know google cached this "Post a Reply" page?

:cry:

Posts: 2
Joined: Sun Jul 08, 2007 10:30 pm

Re: update on apparent javascript injection/bot

Post by vovtz » Sat Jan 19, 2008 6:19 am

Anonymous wrote:[...]

Don't know if these make any sense but probably will to people (not me) who understand JavaScript/programming/SQL/PHP/Perl etc.

Here's the URL for Wikipedia's explanation, less specific and thus perhaps more comprehensible?



Possible DNSChanger Trojan?

Post by Guest » Sat Jan 19, 2008 7:11 am

Run this free application: DNSChanger Removal Tool by SecureMac. I was having anomalies, and I ran MacScan, that I bought on one of the promos, and I could not believe it when two of these files appeared! They were both hidden in a NewsFire cache from two different sites I used to download RSS feeds from. I was foolish and didn't take the time to trace the sites as I simply deleted the folder with the files in it, so I had to run the apps and simply eliminate feeds I thought might be the ones.

Long story short, all matters are back in order. BTW MacScan makes the free app to check, and no I have no affiliations with MacScan. Also, I know that David Watanabe has been getting shit for things, but I do not believe he had anything to do with the trojans being involved in NewsFire.
