The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Networking (http://hintsforums.macworld.com/forumdisplay.php?f=14)
-   -   Malware loads URL at random (http://hintsforums.macworld.com/showthread.php?t=60083)

thirdrockphoto 08-30-2006 05:57 AM

Malware loads URL at random
 
In any user, any browser (Firefox or IE) a web site with URL beginning http://welcome.sh.vnet.cn.... loads randomly. On average it is about half of the time when a page changes but there is no exact pattern. I created a new admin user and that user has the same issue. Even though it occurs in both browsers, I removed all files from the profile of Firefox but the issue remains. Using Terminal, I have found no unusual hidden files at root of the drive volume, library or system. From root Library, I removed Preferences folder, Internet Plug-Ins, Caches and StartupItems. Tried starting in SafeBoot but issue persisted. The obvious question is, short of erasing the drive volume, how can I find and delete the file(s) that is causing this hijack?

voldenuit 08-30-2006 06:51 AM

What about Safari?
What OS version do you run?
Stop using IE, it is stale and broken.

Do you remember installing any software/running any programs from questionable sources around the time the problem started?

Do you have an unaffected bootable backup? That would help a lot to locate the problematic file.

vickishome 08-30-2006 10:06 AM

Are you in any way networked with a Windows based server or computer? I did a few searches, and this seems to be a Windows problem. And your use of IE and Firefox sounds eerily like a Windows user.

If your Mac is in any way connected to Windows, I would strongly suspect that's the root of the problem.

thirdrockphoto 08-30-2006 10:36 AM

This is not an IE issue. As you can read, I have the issue in Firefox also. Now I have tried Safari and it also has the issue. I think three browsers with the same issue is enough so let's get off the browser road.

The OS is 10.2.8 and I think you are barking up the wrong tree if you think this issue can be resolved by buying 10.4.

I am on DSL and no Windows computer in the house.

I have not installed any software recently. This issue is caused by uninvited software that installs itself from a web site in China. These web sites hope to profit from the 1 percent of the population that does not realize they have been hijacked and buy something from the web site. The operators of the web site are not concerned with the 99 percent who know they have been invaded.

By "unaffected bootable backup", perhaps you mean a burn of my hard drive on a CD. That would involve 7-8,000 files for the OS basic alone and would require an impractical number of days to compare file by file to my current installation.

What I am hoping for is someone who has had a similar issue caused by malware installed by a web site to see this post. That type of experience could lead me to finding the file that worms its way through all my users and browsers to achieve these results. Otherwise, I will erase and reinstall.

solipsism 08-30-2006 10:39 AM

What country are you located in? Have you installed any program from China? Did you install any programs just prior to this first occurring?

Oddly, the site appears to be legitimate.

solipsism 08-30-2006 10:45 AM

In the system profiler, could you copy and paste your list of applications here?

thirdrockphoto 08-30-2006 10:48 AM

Quote:

Originally Posted by solipsism (Post 318328)
What country are you located in? Have you installed any program from China? Did you install any programs just prior to this first occurring?

Oddly, the site appears to be legitimate.

I am located in China. I have not installed any Chinese software because all of it is for Windows and all of it is in Chinese language which I read very poorly. The issue could have occurred if I were in any country. It just so happens I am in China. The software behind this issue is nothing that one would try to run. It is malware that is intended solely to captivate an audience with a retail web site. It loads the web site URL every minute or so to keep you looking at what they have to offer. Even Chinese TV will often run the same commercial three times in a row to get their point across. They are not concerned with those who are irritated. They are concerned with those who buy.

trevor 08-30-2006 11:09 AM

thirdrockphoto,

Your report is very interesting, mostly because malware that can actually run on the Mac in any way is extremely rare. Remember that Trojan Horses and viruses that work on Windows will usually not work on Macs (one exception is Microsoft Office macro viruses, but with the current Mac version of Office, you've got to turn off some checks and click through some warnings even to run those.)

As you mention, software written in China is usually written for Windows, so your report of malware written in China that works on the Mac is quite unusual.

We would really like to help you out, and really like to know as much as possible about the malware that you are seeing. So, please don't take the questions as an affront--they are purely to get information and find out more about this malware.

Can you launch Activity Monitor from your /Applications/Utilities folder, set the popup menu at the top of the Activity Monitor window to "All Processes", then go to the Edit menu, choose "Select All", then "Copy", and copy the data about your processes to the forum for us to see?

Trevor

AHunter3 08-30-2006 11:13 AM

Could your DNS server have been hacked?

hayne 08-30-2006 11:15 AM

Quote:

Originally Posted by thirdrockphoto (Post 318288)
From root Library, I removed Preferences folder, Internet Plug-Ins, Caches and Startupitems.

What do you mean by "root Library"?
I hope you haven't been using the 'root' user.

trevor 08-30-2006 11:16 AM

Quote:

Could your DNS server have been hacked?
Or, could your proxy server have been hacked?

Other computers, possibly running Windows, are more likely candidates for the location of this malware. This is one reason I'd like to see your list of processes.

Trevor

bramley 08-30-2006 11:18 AM

You are using 10.2

This OS is no longer supported by Apple, and has received no security upgrades for two years. Hackers and assorted bad guys have probably found all possible security flaws by now.

The number of users using 10.2 is very small, and on these forums even smaller. Users of OSs still current with Apple may not be vulnerable to the exploit in use. In short, it is unlikely that the exact nature of your problem will be identified, and you are wasting your time trying to do so.

Re-install your system, and never surf as an admin user - this may not prevent problems, but it's better than surfing as an admin user.

Best option is to upgrade your OS. Again do not surf as an admin user.

hayne 08-30-2006 11:22 AM

Quote:

Originally Posted by thirdrockphoto (Post 318325)
This is not an IE issue

From what you have told us, the problem seems to be browser (and user account) independent.
However, since IE is very old and unsupported and has several known security problems, it is quite possible that your use of IE was the original cause of this problem - i.e. that the malware (if indeed it turns out to be malware) came in via a hole in IE.

Quote:

By "unaffected bootable backup", perhaps you mean a burn of my hard drive on a CD. That would involve 7-8,000 files for the OS basic alone and would require an impractical number of days to compare file by file to my current installation.
What voldenuit meant was that if you had another hard drive (e.g. an external Firewire drive) that you were using to make a full backup of your system, then you should try booting from that other hard drive to see if the problem exists there.

hayne 08-30-2006 11:24 AM

Quote:

Originally Posted by bramley (Post 318349)
You are using 10.2

This OS is no longer supported by Apple, and has received no security upgrades for two years. Hackers and assorted bad guys have probably found all possible security flaws by now.

Note that you can usually get a copy of older versions of OS X (e.g. Panther) on eBay quite cheaply. Make sure that you get a retail version of the CD, not just an upgrade or "restore" disk (that came with some particular model of Mac).

hayne 08-30-2006 11:36 AM

Try running the following command in a Terminal window.
Code:

/usr/bin/curl -I -L www.apple.com
This should show you the HTTP headers involved for that web site. (You could use other web sites instead of www.apple.com)
If a web site redirects you to some other page, it should show up in the headers output from that command.

If nothing interesting shows up from using the above command, then try using '/usr/bin/curl' to download the full text of some sample web pages and see if you get the problem page showing up in the text output.
E.g.:
/usr/bin/curl www.apple.com > ~/curlOutput.txt
(Look at the file "curlOutput.txt" using any text editor, e.g. TextEdit)

Ultimately, you should be able to find out what is happening by looking at the low-level packets via a command like:

sudo /usr/sbin/tcpdump -i en0 -c > ~/tcpflowOutput.txt
(The 'en0' is if you are connected via Ethernet. Use 'en1' if you are connected via Airport)

(See this Unix FAQ if you are unfamiliar with using Terminal)

voldenuit 08-30-2006 11:57 AM

You may be aware of the fact that the Chinese government runs a giant firewall around the country and messes with the packets you send out and get back in lots of interesting ways.
They have bought top-notch routers and specialized appliances from various western vendors with questionable business ethics, including Cisco, and do pretty much everything in the book from fake DNS to resetting TCP connections.

If you're not familiar with the sorry state of human rights in your country, inform yourself before you do any high-profile active net-probing as it might get you unwanted attention from the wrong kind of people.

If I were you, I would use network diagnostics tools such as dig, tcpdump, wget etc. to figure out what happens to my http requests and at what point things go wrong before suspecting the Mac to be part of the problem unless you really have reason to believe malware was installed.

If there is malware on your machine, a bootable backup can be compared quite easily using dedicated tools that will compute hashes for all significant files and list the differences. That will probably still be a lot of material to go through, but it's quite doable.

It would definitely be a good idea to run a version of OS X that still gets SecUpdates; that would be either Panther or Tiger.

solipsism 08-30-2006 12:00 PM

When you find a solution please post it back here.

thirdrockphoto 08-30-2006 12:05 PM

Thanks, hayne. I will try these options tomorrow. It is midnight here. Yes, I am quite familiar with Terminal and, yes, I use root user often for troubleshooting. It seems likely that a platform independent script could load a URL to any of several browsers. The idea that malware is for Windows stems from the proliferation of OS destructive or bios destructive items. Cookies come to us all and other script-type software can easily direct a browser to load a URL.

I am aware of Explorer's limitations so I only use it for A-B troubleshooting to rule out Firefox issues and for printing web pages since Epson printing software does not communicate with Firefox about choosing not to print headers and footers and does not communicate any options whatsoever with Safari.

voldenuit 08-30-2006 12:21 PM

Quote:

Originally Posted by thirdrockphoto (Post 318368)
Cookies come to us all and other script-type software can easily direct a browser to load a URL.

Running outdated system software that no longer has security updates available and browsers abandoned years ago is not the best way to avoid such problems.
What website allegedly infected you? The URL you gave does not return any data.

First check whether it's a "Big Firewall" problem and if not, an archive and install for Panther or Tiger should be able to solve the issue.

Of course it would be most interesting to do forensics on your machine if the malware hypothesis were to be confirmed; if you have some disk space to spare, do a complete archive of the misbehaving system just in case.

thirdrockphoto 08-30-2006 12:25 PM

Quote:

Originally Posted by voldenuit (Post 318364)
You may be aware of the fact that the chinese government runs a giant firewall...

It would definitely be a good idea to run a version of OS X that still gets SecUpdates; that would be either Panther or Tiger.

All residents of China know that the Internet does not flow as freely here as in most western countries. This issue has all the trappings of a commercial hijack by a web site designer. About security updates, I have actually gotten several updates in the last year. Not all updates are exclusive to 10.3 and later. As I have stated, it is not convenient or practical for me to buy 10.4 at this time although now that I have moved to the east coast of China, things are looking up. For three years I lived where there was not one Mac software item and no hardware other than iPods available for 500 miles.

hayne 08-30-2006 12:32 PM

Quote:

Originally Posted by thirdrockphoto (Post 318368)
I use root user often for troubleshooting.

It should not be necessary to use the 'root' user - or even to enable it. And it is a very bad idea to run GUI apps as 'root'. Anything that requires 'root' privileges should be done via 'sudo'.

Quote:

I am aware of Explorers limitations
Maybe you are using "limitations" as a euphemism, but the problems go far beyond mere limitations - as I have said above, using IE is a security risk.

hayne 08-30-2006 12:35 PM

Quote:

Originally Posted by thirdrockphoto (Post 318375)
As I have stated, it is not convenient or practical for me to buy 10.4 at this time

As I mentioned above, it is not necessary to buy Tiger (10.4) - you can get a copy of Panther (10.3) quite cheaply via eBay. Panther is far better than Jaguar (10.2) in all respects - and is still fully supported by Apple.
Strongly recommended.

thirdrockphoto 08-30-2006 12:36 PM

Here is the first return showing the redirect:
[localhost:~] root# /usr/bin/curl -I -L www.apple.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Set-Cookie: JSESSIONID=F06BB8B56DA2D1740859633D690BBA53; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Location: http://welcome.sh.vnet.cn/portal/nt/...nline&oldurl=/

That's all for tonight.

ThreeDee 08-30-2006 12:43 PM

The stuff after the ? in the URL:

cpkey=53800
cpinst=0
olddst=www.apple.com
cpssg=218.1.60.246
cpuname=ad54125859@online
oldurl=/

Uh, I see it has an IP address in the URL, along with apple.com. Definitely something going on. What could 'cpuname' be?

Also, even though a site looks legit, it might not be. Already submitted 2 viruses to ClamAV that came from a 'legit' webhosting company.

Open Activity Monitor in /Applications/Utilities. Post any 'unusual' processes here.

hayne 08-30-2006 12:49 PM

Quote:

Originally Posted by thirdrockphoto (Post 318381)
Here is the first return showing the redirect:
[localhost:~] root# /usr/bin/curl -I -L www.apple.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Set-Cookie: JSESSIONID=F06BB8B56DA2D1740859633D690BBA53; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Location: http://welcome.sh.vnet.cn/portal/nt/...nline&oldurl=/

Ok, good - you can reproduce the problem in an easily debuggable way.
Obviously www.apple.com does not usually redirect to welcome.sh.vnet.cn, so something in the intervening mess of firewalls & proxies is causing this.

/usr/bin/curl does not (by default) use any proxy settings from your machine - i.e. it attempts to make a direct connection to the site specified.
So the problem must be either coming from something (dns server, router, proxy, etc) outside your Mac or else it is due to subversion (via malware) of '/usr/bin/curl' or the software libraries that it uses.

You should next try doing the same thing but using Apple's IP address instead of the hostname:
/usr/bin/curl -I -L 17.254.0.91

By the way, I obtained the above IP address via the following command:
host www.apple.com
The '/usr/bin/host' command might not exist on 10.2, if not, try doing:
ping www.apple.com
Tell us what IP address you get from this.

You could also try using 'tcpdump' as suggested above to see the flow of low-level packets.
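One way to turn hayne's `curl -I -L` check and ThreeDee's query-string reading into a repeatable test: parse the header chain, flag any 3xx whose Location leaves the host that was asked for, decode the redirect's parameters, and apply hayne's hostname-vs-IP comparison to say whether the resolver answer or something in the path is the more likely culprit. This is an added example, not code from the thread; the sample response text is constructed from the 302 shown above, with the elided part of the portal path replaced by a placeholder.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what `curl -I -L www.apple.com` printed in the thread:
# one header block per hop, separated by a blank line. The path segment
# that the forum elided is a placeholder; the query values are the ones
# ThreeDee listed.
SAMPLE_HEADERS = """HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F06BB8B56DA2D1740859633D690BBA53; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Location: http://welcome.sh.vnet.cn/portal/nt/PLACEHOLDER?cpkey=53800&cpinst=0&olddst=www.apple.com&cpssg=218.1.60.246&cpuname=ad54125859@online&oldurl=/

HTTP/1.1 200 OK
Content-Type: text/html
"""


def parse_header_chain(text):
    """Split `curl -I -L` output into one dict per hop.

    Each hop begins with a status line and its headers run until a blank
    line. Header names are lower-cased so lookups are case-insensitive."""
    hops = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        status = int(lines[0].split()[1])
        headers = {}
        for ln in lines[1:]:
            name, _, value = ln.partition(":")
            headers[name.strip().lower()] = value.strip()
        hops.append({"status": status, "headers": headers})
    return hops


def offsite_redirects(hops, requested_host):
    """Return Location targets that point away from the host we asked for.

    A 3xx that stays on the same host (http -> https, / -> /index.html)
    is ordinary; a jump to a different domain is what the thread is hunting."""
    found = []
    for hop in hops:
        loc = hop["headers"].get("location")
        if 300 <= hop["status"] < 400 and loc:
            host = (urlsplit(loc).hostname or "").lower()
            if host and host != requested_host.lower():
                found.append(loc)
    return found


def decode_portal_query(url):
    """Break the redirect URL's query string into a dict (olddst, cpssg, ...)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def classify(redirects_by_name, redirects_by_ip):
    """hayne's reasoning: compare the fetch by hostname with the fetch by IP.

    Redirect only when using the name  -> the name resolution is suspect.
    Redirect in both cases             -> something in the path (transparent
                                          proxy) or the local curl/libraries.
    No redirect either way             -> curl is clean; look at the client."""
    if not redirects_by_name and not redirects_by_ip:
        return "no interception seen with curl; look at the browser/client side"
    if redirects_by_name and not redirects_by_ip:
        return "resolver answer suspect: redirect by name only, not by IP"
    return "in-path interception (transparent proxy) or local subversion of curl"


def analyze(header_text, requested_host):
    """Convenience wrapper: parse, find off-site redirects, decode their query."""
    hops = parse_header_chain(header_text)
    redirs = offsite_redirects(hops, requested_host)
    return {"hops": len(hops), "redirects": redirs,
            "queries": [decode_portal_query(r) for r in redirs]}


if __name__ == "__main__":
    result = analyze(SAMPLE_HEADERS, "www.apple.com")
    for url, query in zip(result["redirects"], result["queries"]):
        print("off-site redirect to", urlsplit(url).hostname)
        for key, value in query.items():
            print("   ", key, "=", value)
    # Assumed second observation for the IP fetch (hayne's follow-up step).
    print(classify(result["redirects"], redirects_by_ip=[]))
```

Feed the real output of the two curl runs (by name and by IP) into `analyze` to replace the assumed second observation.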

bramley 08-30-2006 12:50 PM

Quote:

Originally Posted by thirdrockphoto (Post 318375)
About security updates, I have actually gotten several updates in the last year.

... but not issued by Apple. The last update according to their website was 04 October '04.

If you have received fresh updates claiming to be from Apple relating to security since that time then they are fake - and a potential cause of your problem.

ThreeDee 08-30-2006 12:58 PM

I'm no network expert, but could 'traceroute' help with this?

Also, if your computer is indeed compromised, you can't trust anything that computer tells you, including software updates.

ie.
1. You check for updates.
2. Computer tries to connect to http://update.apple.com, but router/firewall/whatever redirects to http://leet.hack.er (just an example)
3. Website says you have a critical 'update'.
4. You click install, type password, click "OK". (!)
5. Disable Firewall
6. Install rootkit
7. Install VNC server
8. Enable root
9. Enable SSH
10. Install keylogger
11. Hack Sys. Prefs. so it looks like Firewall on, sharing off.
12. Report IP address and other information to hacker.
13. You are screwed.

Right now, you know you are experiencing step 2, the sneaky redirections.
Try this in terminal:
Code:

traceroute apple.com

voldenuit 08-30-2006 01:05 PM

Definitely something wrong with your machine.
If you can remember/find out what caused the malware to get installed, please tell us.

Do you run any services that are accessible from the outside? (filesharing/web/ssh...)

Someone may have installed a transparent proxy on your machine. Please show us the output of the following Terminal commands to better understand what is causing your problem:

ps auxwww

netstat -an | grep LISTEN

kextstat | grep -v com.apple

thirdrockphoto 08-30-2006 01:06 PM

No Activity Monitor in 10.2.8 but here is the tcpdump result:

[localhost:/usr/bin] root# sudo /usr/sbin/tcpdump -i en0 -c > ~/tcpflowOutput.txt
tcpdump version 3.8.3
libpcap version 0.8.3
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -y datalinktype ]
[ expression ]

hayne 08-30-2006 01:17 PM

Quote:

Originally Posted by thirdrockphoto (Post 318395)
[localhost:/usr/bin] root# sudo /usr/sbin/tcpdump -i en0 -c > ~/tcpflowOutput.txt
tcpdump version 3.8.3
libpcap version 0.8.3
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
[ -E algo:secret ] [ -F file ] [ -i interface ] [ -r file ]
[ -s snaplen ] [ -T type ] [ -w file ] [ -y datalinktype ]
[ expression ]

Sorry - I took the options from a 'tcpflow' alias I had, I was assuming that 'tcpdump' took the same options.
Try it without the "-c"

And please stop using the 'root' account!
Using 'sudo' from an admin account will do everything you need.

ThreeDee 08-30-2006 01:18 PM

Quote:

Originally Posted by thirdrockphoto (Post 318395)
No Activity Monitor in 10.2.8

Ah... How could I forget. 'Activity Monitor' was called 'Process Viewer' in 10.2.

(I was the one who wrote the first 'Activity Monitor' article on Wikipedia, although after all the changes, now it looks more like a list)

voldenuit 08-30-2006 01:24 PM

Drop the '-c' from your tcpdump command.

We need to find out whether the redirect comes from a locally installed transparent proxy on your machine or a manipulated DNS reply.

hayne 08-30-2006 02:01 PM

Quote:

Originally Posted by thirdrockphoto (Post 318325)
I am on DSL and no Windows computer in the house.

In an earlier thread (http://forums.macosxhints.com/showpo...42&postcount=1) you had said:
Quote:

Originally Posted by thirdrockphoto on above earlier thread
The Win XP box connects fine through the same router to the Internet. I can even connect directly to the Mac and share the Internet connection fine to the Win XP. But through the router, I cannot see the Win XP box.

Was this a different Mac? Different location?
Perhaps the problem arose from an earlier connection to a Windows machine even if your Mac is not currently connected to a Windows machine.

thirdrockphoto 08-30-2006 09:45 PM

About Windows box: two months ago, living in a different city, the university provided a computer. My Mac OS X volume has been erased and reinstalled since. Here in Shanghai, I do not have a Windows box.

About root: login was convenient to permit backup of users to external drive although now I have more info that seems to make it a moot point. This morning I was mulling over some details about backups while drifting out of sleep. Suddenly I remembered I have OS 9 installed on a different volume. Booted to 9, same issue. And in OS 9 another quirk: a download dialog opened and asked me what to do with "usertrack.aspx" file. Of course, I replied cancel. I don't know much about .aspx files but my guess is they are cookie-ish so they can translate page loads to a remote location through the DSL network.

Now I know it is not limited to OS X. Also, I remembered last week an agent from ChinaNet came to our building with free update CD. Through my neighbor's translation, I explained that I have a Mac so I can't use the CD. Today I asked my neighbor for a look again at his CD. Yep, it is labeled "sh.vnet.cn" so it is some change in the DSL service. Probably not a welcome change.

I searched for usertracker and found:
usr/libexec/httpd/mod_usertrack.so
and Library/Documentation/Services/apache/mod/mod_usertrack.html

Is this all safe and innocent or should I be concerned about usertrack? I will ask a friend to translate the "welcome.sh.vnet..." web page to see if it mentions why I need usertrack.aspx but I also want some network/database gurus from MacOSXHints to offer advice.

ThreeDee 08-30-2006 09:52 PM

Quote:

Originally Posted by thirdrockphoto (Post 318551)
About Windows box: two months ago, living in a different city, the university provided a computer. My Mac OS X volume has been erased and reinstalled since. Here in Shanghai, I do not have a Windows box.

About root: login was convenient to permit backup of users to external drive although now I have more info that seems to make it a moot point. This morning I was mulling over some details about backups while drifting out of sleep. Suddenly I remembered I have OS 9 installed on a different volume. Booted to 9, same issue. And in OS 9 another quirk: a download dialog opened and asked me what to do with "usertrack.aspx" file. Of course, I replied cancel. I don't know much about .aspx files but my guess is they are cookie-ish so they can translate page loads to a remote location through the DSL network.

Now I know it is not limited to OS X. Also, I remembered last week an agent from ChinaNet came to our building with free update CD. Through my neighbor's translation, I explained that I have a Mac so I can't use the CD. I asked my neighbor for a look again at his CD. Yep, it is labeled "sh.vnet.cn" so it is some change in the DSL service. Probably not a welcome change.

I searched for usertracker and found:
usr/libexec/httpd/mod_usertrack.so
and Library/Documentation/Services/apache/mod/mod_usertrack.html

Is this all safe and innocent or should I be concerned about usertrack? I will ask a friend to translate the "welcome.sh.vnet..." web page to see if it mentions why I need usertrack.aspx but I also want some network/database gurus from MacOSXHints to offer advice.

China has the most advanced firewall to filter out many things. I think aspx is a type of Windows media file.

solipsism 08-30-2006 10:09 PM

The link describes the uses of the module. It's obvious you are being tracked, but this doesn't explain how it alters your webpage under any OS and browser. Does your building have a proxy server between you and the DSL connection?
http://72.14.209.104/search?q=cache:...ient=firefox-a

Wikipedia has a nice description of ASPX.
http://en.wikipedia.org/wiki/ASP.NET#ASPX_file_format

hayne 08-30-2006 10:13 PM

Quote:

Originally Posted by thirdrockphoto (Post 318551)
I searched for usertracker and found:
usr/libexec/httpd/mod_usertrack.so
and Library/Documentation/Services/apache/mod/mod_usertrack.html

Is this all safe and innocent or should I be concerned about usertrack?

Those two files are related to use of the built-in copy of the Apache web server in OS X. They are also present on my Mac. These files would only be relevant if you were using the Apache web server to provide a web site. They are not relevant to web browsing and so are completely unrelated to anything that you are experiencing or that versiontrack.aspx file that you mentioned.

thirdrockphoto 08-30-2006 10:17 PM

Sorry, ThreeDee. I can't see your article about Activity Monitor. The Wikipedia domain is filtered here. From Process Viewer I took a screen shot (copy was greyed):
http://www.thirdrockphoto.com/Images/processes.jpg

thirdrockphoto 08-30-2006 10:23 PM

I used the "insert image" button for the reply but this forum doesn't seem to want to display the image. It is at http://www.thirdrockphoto.com/Images/processes.jpg

hayne 08-30-2006 10:26 PM

With the additional info you have supplied (e.g. the fact that OS 9 is affected, that there was apparently some change in your DSL service necessitating upgraded software for Windows machines, etc), I am more and more certain that what you are experiencing is due to something outside of your Mac. I.e. that the network (hardware & software) to which you are connecting is interfering with your web page requests and returning other pages (as we saw with the experiment with 'curl').

Thus further investigations (if warranted at all - it may be hopeless!) should look at the low-level packets via 'tcpdump' etc.
But be sure also to try doing the 'curl' experiment with the Apple IP address instead of the hostname.

hayne 08-30-2006 10:31 PM

Quote:

Originally Posted by thirdrockphoto (Post 318563)
I used the "insert image" button for the reply but this forum doesn't seem to want to display the image. It is at http://www.thirdrockphoto.com/Images/processes.jpg

The image from your previous post displays fine for me (in Safari, on 10.4.7).

And it shows me loud and clear that you persist in logging in as 'root' in spite of repeated admonitions against this very insecure and unnecessary practice.
I'm not sure how much longer I will continue in trying to help someone who ignores good advice.

solipsism 08-30-2006 10:31 PM

Quote:

Originally Posted by thirdrockphoto (Post 318563)
I used the "insert image" button for the reply but this forum doesn't seem to want to display the image. It is at http://www.thirdrockphoto.com/Images/processes.jpg

I'm seeing the image just fine on this site.

Have you tried installing a 3rd party firewall application?

thirdrockphoto 08-30-2006 10:34 PM

Regarding proxy: my connection is a typical DSL via PPPoE with user name and password configured on my router so the router can supply IP addresses. I do not have a second computer but I may add one later and the router might add one more rather weak wall of security. In my previous location, I was on a university proxy server but not here. I use the OS X firewall but I don't blindly accept it as safe.

solipsism 08-30-2006 11:08 PM

We don't have all the information needed to completely solve this problem but it looks like we can rule out this being a problem with an Apple OS.

Quote:

Originally Posted by thirdrockphoto
I remembered last week an agent from ChinaNet came to our building with free update CD. Through my neighbor's translation, I explained that I have a Mac so I can't use the CD. Today I asked my neighbor for a look again at his CD. Yep, it is labeled "sh.vnet.cn" so it is some change in the DSL service. Probably not a welcome change.

I'd like to see a traceroute. Since you have a personal router using DHCP I suspect the problem is coming from outside your network. Is it possible that because you don't have the ChinaNet software installed you are being redirected to ChinaNet's "Welcome" page by a proxy server owned by the DSL company? Just a theory, but as unlikely as this sounds nothing else makes any sense to me.


edit: You aren't alone.

edit2: Apache's ProxyPassReverse creates redirects that are transparent to the end user.

ElectricSheep 08-31-2006 12:16 AM

Have you looked for any suspicious Input Managers? These little bits of code are stored in /Library/InputManagers and ~/Library/InputManagers. They are loaded into every application you run transparently, and have been demonstrated in the past as a vector for malware on MacOS X.

ElectricSheep 08-31-2006 12:26 AM

Quote:

Originally Posted by solipsism (Post 318569)
I'd like to see a traceroute. Since you have a personal router using DHCP I suspect the problem is coming from outside your network. Is it possible that because you don't have the ChinaNet software installed you are being redirected to ChinaNet's "Welcome" page by a proxy server owned by the DSL company? Just a theory, but as unlikely as this sounds nothing else makes any sense to me.

Here in the States, Comcast does the same thing. You need to have your modem registered with Comcast if you are a new user, or if you have switched modems. Before then, any DNS lookups will redirect to a Comcast page.

You could try accessing pages by IP address to bypass DNS lookups.

voldenuit 08-31-2006 01:54 AM

If you're still interested in getting this sorted, show us the results of the rectified tcpdump command while connecting to one site (post #30), yet getting the vnet.cn redirect and what was requested in post #28.

While it would be interesting to get this sorted, your resistance to take advice makes progress rather difficult and once you've exhausted the patience of those willing to help you, you may very well be stuck with your problem.

Did the time when people tried to install extra software on your machine roughly coincide with the beginning of the problem? There may very well be a transparent proxy installed by the ISP. Setting up a VPN into the next free country might be a solution for this and the censorship problem, but may be too difficult for you to set up.

If you can get there, you may want to read up on different methods to bypass such annoyances: http://www.rsf.org/article.php3?id_article=15013

thirdrockphoto 08-31-2006 02:21 AM

As I mentioned before, I logged in as root (with ethernet cable disconnected) for the convenience of backing up three user accounts to an external drive. I just happened to use Process Viewer during the root login also, not much to do while waiting for the files to copy. All the backups are done now so I have no reason to use root. Now I am logged in as a non-admin user.

I know about VPN and setting a proxy from outside boundary but no further comments are available.

The idea of ChinaNet needing the router registered is interesting. Here are some details about that. I used this DSL connection with the router for more than one month with no anomalies. It now appears that the oddity of the sh.vnet.cn page began a couple of days after the agent from ChinaNet came door-to-door handing out software CDs. I may be able to get this sorted out when I get more translation of the leaflet that came with the CD.

The sh.vnet.cn page does set three cookie domains when it first loads. I blocked those in Firefox prefs and refreshed. The site set another cookie listed by IP address. I blocked that also. I have refreshed that page a couple of times and it does not register any new cookies. Among the leaflet notes is the word "cookies" so a translation should help.

If this sh.vnet.cn web page is a new service, is it possible it is just strong-arming its way in front of me to be noticed and the intrusions may stop after another couple of days on the assumption that it has bugged everyone enough to get them to register for the various services (music, auctions, etc.)? I will post again after my friend comes over to translate the leaflet.

While typing these comments, the browser status bar flashed "sh.vnet.cn". It appears to be much more than a cookie sender.

thirdrockphoto 08-31-2006 02:35 AM

I must have the wrong syntax for the Terminal command. Here's what I get:

[localhost:~] browse% /usr/sbin/tcpdump -i en0 > ~/tcpflowOutput.txt
tcpdump: (no devices found) /dev/bpf0: Permission denied

thirdrockphoto 08-31-2006 03:06 AM

I have an application called Zorfex (I am sure some Terminal commands would show the same info, but it is convenient). It shows four connected IPs:
64.215.169.215 / 72.14.219.147 / 64.154.80.250 / 64.215.169.206
When I click refresh in Zorfex, it shows:
218.30.64.20 / 204.2.128.185 / 64.154.80.250 / 218.30.64.121

hayne 08-31-2006 03:43 AM

Quote:

Originally Posted by thirdrockphoto (Post 318583)
I must have the wrong syntax for the Terminal command. Here's what I get:

[localhost:~] browse% /usr/sbin/tcpdump -i en0 > ~/tcpflowOutput.txt
tcpdump: (no devices found) /dev/bpf0: Permission denied

You need to use 'sudo' in front of that command.

