Website Often Hijacked When Using Safari
Ain't sure if this has something to do with Safari but oftentimes when I surf a certain news site that I need to get into every day, this annoying Web site BuyDomains.com keeps hijacking them. To stop this unnecessary interference, I trash the Safari preferences and delete all cookies and restart the browser. But this interloper keeps coming back. Does anyone know why this is happening? Any solution?
G4, OS 10.8, Safari 1.0 (v. 85.5). |
In the Safari prefs, in the 'Security' panel, what setting do you have for 'Accept Cookies'?
Also, do you have 'Block Pop-up Windows' enabled in the Safari application menu? |
Would help to know 'which site' to know if that's a general complaint. If it's just a pop-up window, then you can simply choose to block pop-up windows (under your Safari menu, or press command-K)
|
Yup, the Block Pop-Up Windows box is checked. As for the Cookies, I checked "Only From Sites You Navigate."
No, it's not just a pop-up window. It totally takes over the site. For instance, while the URL of the site I wish to access remains in the Address bar, it's the BuyDomains.com homepage that appears. When I click one of the links of this pest of a website, it leads you nowhere. Among the afflicted sites are the AP (worldtext.ap.org) and LA Times - Washington Post (www.latwp.com) sites, of which we are a subscriber. I've not observed this happening to our colleagues who also use the sites I've mentioned but not as heavily as I do. We're using a network which has a firewall. But I've observed that it could hijack any other site, including some forums that I frequently access. |
I'm not completely convinced that I understand what you are describing. Please explain in a detailed step by step manner what you are doing and what happens when. E.g. "I type in the following URL (mywww.wherever.com) in my Safari address field, then I hit Return and then ..."
Have you installed any web-related enhancement software? (e.g. download enhancers, search bars, etc.) Any other system-level "enhancements"? (e.g. haxies) Does this problem occur if you create a fresh new user account and log in as that user? Is the problem specific to certain URLs? Can your colleagues access those same URLs? |
<Have you installed any web-related enhancement software? (e.g. download enhancers, search bars, etc.)>
None, whatsoever. I frequently use Google, but that's just it.

<Does this problem occur if you create a fresh new user account and log in as that user?>
I'll try this when it occurs again. I've just cleared everything before posting my query.

<Is the problem specific to certain URLs? Can your colleagues access those same URLs?>
It happens with URLs that I access the most. My colleagues also access the same URLs and not one has complained about encountering the hijacking so far.

To elaborate further, the hijacking usually happens when I'm in the midst of accessing links from within a site. For instance, I'm already logged in to the AP wire service site and when I click a link to view a news item, the BuyDomains.com comes out. When that happens, I close Safari and start it again. When I log in to the AP site, the BuyDomains.com comes out instead. I'm just using AP as one example. It's happening to several sites. I used to have no problems with all these sites. |
Sounds like a wonky DNS server to me. You might try
Code:
$ dig www.latwp.com |
Hayne,
It comes randomly, no specific site or URL. I'll wait for the monster to come again and do as Douglas G. Stetner, UNIX Live Free Or Die, had said. I'll then post a feedback here. Thanks, everyone. |
I understood previously that it comes "randomly". What I am suggesting is that you need to check if, at the time that it happens to you, does it happen with the exact same URL if one of your colleagues tries it. I.e. you need to check if the problem is something specific to your computer or if it might be common to all people at your company who happen to access that particular link at that time. |
Hayne,
Got it! Thanks. Will do that and report back the result. For the last 4 days, the monster hasn't come. |
This sort of thing can also occur if the domain (that's linked to), has lapsed and been re-registered by BuyDomains (or similar).
So my question would be are these links to internal AP pages or do they link to different domains? dD |
darndog,
The afflicted links are internal AP pages. There were times when the homepage of a certain site gets hit. Unfortunately, the problem hasn't shown up since I posted this query. I'm still waiting for the monster to come back. |
BuyDomains monster visited again
The BuyDomains.com monster came today and this time it was the Apple site (www.apple.com) that it rode on. When that happened, I opened the other sites that used to be afflicted and they did not exhibit the same behavior. I closed Safari and opened it again, logged on to www.apple.com and the monster was still there. I then opened cookies in Safari preferences and removed three named WEBTRENDS_ID and when I closed Safari and started it again, the monster was gone.
I forgot to do as Stetner had suggested but I managed to get a screenshot with the Apple URL shown but BuyDomains.com in action. If you are interested, please e-mail me at pinoy@arabnews.com and I'll send you the screenshot (300 kb). Or you may wanna try the URL that comes with the cookie: http://statse.webstrendslive.com. Probably you can better find out what the heck is going on. Thank you in advance for your help. |
For those who may have more questions, I would be able to answer tomorrow when I come back to our office. Thanks again.
|
your company might be spying on you?
Love a mystery! I did a little web browsing and it looks like WebTrends is a product by a company called netIQ.com which sells web logging software. They have a bunch of products for keeping track of web visitors. They also make products to spy on employee email and web activity.
Here is the link: http://www.netiq.com/products/log/default.asp The most likely possibility is that the system administrators where you work run this product in place of the DNS server. When you browse to a site, you go to their http proxy instead. They log what you browse (using their own cookies) and then do a server-push with the "real" content. It works just like when you plug into a for-pay ethernet jack in a hotel or airport (in the US anyway). Probably what is happening is that their windoze-based DNS server is overburdened and is dropping DNS cache. Possibly, there is an incompatibility with Safari with this scheme. Instead of returning an invalid DNS record, they insert a link to that commercial site. As much as I hate to recommend this, you might need to loosen restrictions on cookies. Otherwise, try Netscape or (ugh) IE for a while and see if they fare any better. You might be able to get around this if there are any open DNS servers you could statically configure to outside of your local company (just don't get fired :-), but they probably have all the ports locked down at the router if they are that paranoid. Anyway, that's my best armchair detective work... Could be completely wrong, but there are very few ways some external site could hijack Safari as described. |
Love a good conspiracy theory! Worth looking into though.
You're not paranoid, everyone IS out to get you! :D :D |
Slacker,
You got it! The administrator said they are, indeed, using a Webtrend product. And I've learned from some guys in other departments that they did get the same monster using IE. Now, I'm gonna try your recommendations. Thanks a lot. |
Elementary, my dear Watson. :-)
I can imagine that "only accept cookies from sites I browsed to" might not like what your sysadmins are doing to your web connection. However, I bet the machine they are using is just plain overloaded. You got to love it when a mechanism to "ensure productivity" actually hurts it (but don't get me started on the mentality of sysadminazis). I've never tried this, but you might be able to configure your DNS server network setting to one of the open-root servers. Here is a list and instructions are on the page. However, performance might be slow and you may be violating your office security policy (but how can you get in trouble for bypassing a monitoring mechanism they didn't disclose in the first place?). http://support.open-rsc.org/.servers/ Best of luck. |
Great suggestion! A million thanks.
|
Hi, I'm a recently new user of a Mac. Unfortunately my web browsers have been hijacked also. Although I'm not entirely familiar with the mac interface, I am A+ certified in PCs. I'm not a regular for these forums but I just couldn't leave unsaid that you guys are all ENTIRELY WRONG about what hijacking is.
Hijacking is when you visit a website (a bad one with malware) and you somehow end up installing or accidentally accepting some kind of bad program etc. From there, your BROWSER (not the web, the server or anything of that sort...) gets basically hacked. You can almost call it a virus that has only 1 purpose : Redirect any site you visit to a desired site. This process IS random and most of the time has NOTHING to do with the site you are visiting. FOR EXAMPLE: apple.com has never been infected by this bug/virus. It IS LOCAL ON YOUR MACHINE therefore it is impossible for this to be duplicated on a colleague's machine unless he also has been hijacked. How to fix it? Well I have fixed a few cases of this on PCs but never faced this problem on a mac. On pcs, you basically sort through the running processes in the background (the registry) and you remove the suspicious ones until the hijacking has stopped. On pcs, it is also OFTEN resorted to reformatting the hard drive and re-installing windows as a last case scenario but I don't even know if that's possible on a mac. I hope this gives you a better idea in order to set you onto the right track, because right now you guys are way off. |
Welcome to the forum 2ocenT. You are correct that windows computers can be hijacked in the way you describe, but you'll find that most malware targets windows machines because of lax security in IE. This doesn't happen as easily in Safari on a mac.
It's theoretically possible to install malware with Safari (there are some known exploits), but there are no known instances of this in the wild as far as I am aware of. I could put an application on a web site that changes all of your web settings, but not without you pretty explicitly running it and possibly typing in your login password to specifically allow it. Actually, the right answer *was* the WebTrend product run by his company doing things to the DNS server to monitor and control web browsing access. When that server timed out on the DNS request, it gave a bogus IP address to a "buy domains" site. This is contrary to the DNS specification, but lots of ISPs use this trick to drive traffic to their advertising. It is possible to do this on the server side without a local malware exploit because the domain name service on your computer talks to a specific server with a numeric IP address. This server translates host names to IP addresses. These host name / address translations are cached locally. Some companies use a DNS server that filters IP addresses from prohibited domains (even home routers can filter DNS). Every registered domain has a TTL (time to live) field associated with it, so some site addresses will cache for a day before asking the server again, others will cache only for an hour, so are more likely to appear hijacked. So, we were on the right track, but your point about what it means to be hijacked is usually valid for windows computers. |
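Added example, not part of any post in this thread: one way to check for the behaviour described in the reply above, where a resolver hands back one bogus address for unrelated domains and the TTL decides how long each workstation keeps serving it. The log records, hostnames and documentation-range addresses are constructed, and grouping names by their last two labels is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample: (seconds since start, hostname, A record, TTL) as a
# workstation might log answers from its configured resolver. Addresses are
# from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_ANSWERS = [
    (0,    "news.example.org", "192.0.2.10",   3600),
    (5,    "wire.example.net", "198.51.100.7", 86400),
    (4000, "news.example.org", "203.0.113.99", 3600),  # bogus answer on re-query
    (4100, "shop.example.com", "203.0.113.99", 3600),  # unrelated name, same address
    (7700, "news.example.org", "192.0.2.10",   3600),  # back to normal
]

def registrable(host):
    """Crude grouping key: last two labels (assumption; no public suffix list)."""
    return ".".join(host.split(".")[-2:])

def shared_addresses(answers, min_domains=2):
    """Addresses returned for several unrelated domains: the redirect signature."""
    by_ip = defaultdict(set)
    for _, host, ip, _ in answers:
        by_ip[ip].add(registrable(host))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

def suspect_windows(answers):
    """For each answer pointing at a shared address, the interval during which
    the local cache keeps serving it (answer time until answer time + TTL)."""
    bad = shared_addresses(answers)
    return [(host, ip, t, t + ttl) for t, host, ip, ttl in answers if ip in bad]

def changed_hosts(answers):
    """Hosts whose address differs between consecutive answers."""
    last, flips = {}, []
    for t, host, ip, _ in answers:
        if host in last and last[host] != ip:
            flips.append((t, host, last[host], ip))
        last[host] = ip
    return flips

if __name__ == "__main__":
    for host, ip, start, end in suspect_windows(SAMPLE_ANSWERS):
        print(f"{host} -> {ip} cached from t={start}s until t={end}s")
```

Shared hosting and CDNs can legitimately put unrelated domains on one address, so a hit here is a lead to confirm by querying a second resolver, not a verdict.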
Quote:
[says strangeblood, who is also A+ certified, for all the good it does] |
Wow, nice gravedig.
Seeing as it hasn't been mentioned, a lot of redirects these days are also caused by rogue flash ads or unparsed javascript injected into the comments or content. If you get unexpectedly redirected to somewhere unrelated, try turning off javascript or plugins* and reloading the original page. Note if it's a rogue flash ad it will be in rotation along with a load of legitimate advertising so redirects will be random and simply reloading the original page will often avoid the redirect. If it is a javascript or flash exploit fire a message to the site owner letting them know that they have a problem with the page or ad, don't forget the url and details. * will disable flash. |
Annoying Adware
Hi,
My mate recommended I join this forum to get rid of this adware that has attached itself to my Mac OSX4. Basically, on every website where there is a space for ads, it has this one ad popping up. This is most apt as it is about getting a bigger penis, johnson, wife's best friend. Not only is it annoying, but after 3 months of bombardment I am starting to feel inadequate... and I was known as The Monster in my better days. It is on Firefox, Safari, and Camino. I tried deleting dodgy looking cookies but ended up messing up Googlemail and God knows what else. Can anyone help free me from this nonsense, please. Would be much appreciated. Bimble |
Would a redirect issue persist after clearing all of the Conduit, etc. plug-ins from the target system, even years later in Mavericks?
|
I can't say.
Redirects (after all these years!) tend to be the result of adware. Try the good tool from this site to do a quick scan for adware. http://www.thesafemac.com/art/ Also, check in your Safari/Preferences/Extensions for bogus-looking items that you can remove. |