Strongly recommended.
Here is the first return showing the redirect:
Code:
[localhost:~] root# /usr/bin/curl -I -L www.apple.com
HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Set-Cookie: JSESSIONID=F06BB8B56DA2D1740859633D690BBA53; Path=/
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Location: http://welcome.sh.vnet.cn/portal/nt/...nline&oldurl=/
That's all for tonight.
The stuff after the ? in the URL:
Code:
cpkey=53800
cpinst=0
olddst=www.apple.com
cpssg=218.1.60.246
cpuname=ad54125859@online
oldurl=/
Uh, I see it has an IP address in the URL, along with apple.com. Definitely something going on. What could 'cpuname' be? Also, even though a site looks legit, it might not be. Already submitted 2 viruses to ClamAV that came from a 'legit' webhosting company. Open Activity Monitor in /Applications/Utilities. Post any 'unusual' processes here.
Obviously www.apple.com does not usually redirect to welcome.sh.vnet.cn, so something in the intervening mess of firewalls & proxies is causing this. /usr/bin/curl does not (by default) use any proxy settings from your machine, i.e. it attempts to make a direct connection to the site specified. So the problem must be either coming from something (DNS server, router, proxy, etc.) outside your Mac or else it is due to subversion (via malware) of '/usr/bin/curl' or the software libraries that it uses.
You should next try doing the same thing but using Apple's IP address instead of the hostname:
Code:
/usr/bin/curl -I -L 17.254.0.91
By the way, I obtained the above IP address via the following command:
Code:
host www.apple.com
The '/usr/bin/host' command might not exist on 10.2; if not, try doing:
Code:
ping www.apple.com
Tell us what IP address you get from this. You could also try using 'tcpdump' as suggested above to see the flow of low-level packets.
If you have received fresh updates claiming to be from Apple relating to security since that time then they are fake - and a potential cause of your problem.
I'm no network expert, but could 'traceroute' help with this?
Also, if your computer is indeed compromised, you can't trust anything that computer tells you, including software updates. I.e.:
1. You check for updates.
2. Computer tries to connect to http://update.apple.com, but router/firewall/whatever redirects to http://leet.hack.er (just an example).
3. Website says you have a critical 'update'.
4. You click install, type password, click "OK". (!)
5. Disable Firewall
6. Install rootkit
7. Install VNC server
8. Enable root
9. Enable SSH
10. Install keylogger
11. Hack Sys. Prefs. so it looks like Firewall on, sharing off.
12. Report IP address and other information to hacker.
13. You are screwed.
Right now, you know you are experiencing step 2, the sneaky redirections. Try this in Terminal: Code:
traceroute apple.com
Definitely something wrong with your machine.
If you can remember/find out what caused the malware to get installed, please tell us. Do you run any services that are accessible from the outside? (filesharing/web/ssh...) Someone may have installed a transparent proxy on your machine. Please show us the output of the following Terminal commands to better understand what is causing your problem:
Code:
ps auxwww
netstat -an | grep LISTEN
kextstat | grep -v com.apple
No Activity Monitor in 10.2.8 but here is the tcpdump result:
Code:
[localhost:/usr/bin] root# sudo /usr/sbin/tcpdump -i en0 -c > ~/tcpflowOutput.txt
tcpdump version 3.8.3
libpcap version 0.8.3
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
                [ -E algo:secret ] [ -F file ] [ -i interface ] [ -r file ]
                [ -s snaplen ] [ -T type ] [ -w file ] [ -y datalinktype ]
                [ expression ]
Try it without the "-c". And please stop using the 'root' account! Using 'sudo' from an admin account will do everything you need.
(I was the one who wrote the first 'Activity Monitor' article on Wikipedia, although after all the changes, now it looks more like a list.)
Drop the -c from your tcpdump command. We need to find out whether the redirect comes from a locally installed transparent proxy on your machine or a manipulated DNS reply.
Perhaps the problem arose from an earlier connection to a Windows machine even if your Mac is not currently connected to a Windows machine.
About Windows box: two months ago, living in a different city, the university provided a computer. My Mac OS X volume has been erased and reinstalled since. Here in Shanghai, I do not have a Windows box.
About root: login was convenient to permit backup of users to external drive, although now I have more info that seems to make it a moot point.
This morning I was mulling over some details about backups while drifting out of sleep. Suddenly I remembered I have OS 9 installed on a different volume. Booted to 9, same issue. And in OS 9 another quirk: a download dialog opened and asked me what to do with "usertrack.aspx" file. Of course, I replied cancel. I don't know much about .aspx files but my guess is they are cookie-ish so they can translate page loads to a remote location through the DSL network. Now I know it is not limited to OS X.
Also, I remembered last week an agent from ChinaNet came to our building with a free update CD. Through my neighbor's translation, I explained that I have a Mac so I can't use the CD. Today I asked my neighbor for a look again at his CD. Yep, it is labeled "sh.vnet.cn" so it is some change in the DSL service. Probably not a welcome change.
I searched for usertracker and found:
Code:
usr/libexec/httpd/mod_usertrack.so
Library/Documentation/Services/apache/mod/mod_usertrack.html
Is this all safe and innocent or should I be concerned about usertrack? I will ask a friend to translate the "welcome.sh.vnet..." web page to see if it mentions why I need usertrack.aspx, but I also want some network/database gurus from MacOSXHints to offer advice.
The link describes the uses of the module. It's obvious you are being tracked, but this doesn't explain how it alters your webpage under any OS and browser. Does your building have a proxy server between you and the DSL connection?
http://72.14.209.104/search?q=cache:...ient=firefox-a
Wikipedia has a nice description of ASPX: http://en.wikipedia.org/wiki/ASP.NET#ASPX_file_format
Sorry, threedee. I can't see your article about Activity Monitor. The wikipedia domain is filtered here. From ProcessViewer I took a screen shot (copy was greyed):
http://www.thirdrockphoto.com/Images/processes.jpg
I used the "insert image" button for the reply but this forum doesn't seem to want to display the image. It is at http://www.thirdrockphoto.com/Images/processes.jpg
With the additional info you have supplied (e.g. the fact that OS 9 is affected, that there was apparently some change in your DSL service necessitating upgraded software for Windows machines, etc), I am more and more certain that what you are experiencing is due to something outside of your Mac. I.e. that the network (hardware & software) to which you are connecting is interfering with your web page requests and returning other pages (as we saw with the experiment with 'curl').
Thus further investigations (if warranted at all - it may be hopeless!) should look at the low-level packets via 'tcpdump' etc. But be sure also to try doing the 'curl' experiment with the Apple IP address instead of the hostname.
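An added example (mine, not code from anyone in this thread) that puts the reasoning of the replies above into a checkable form: it parses the header block that `curl -I` prints, flags a redirect that leaves the requested site's domain, and uses the by-name versus by-IP comparison together with the DNS answer to separate in-path HTTP interception from a manipulated DNS reply. The 302 sample and its portal URL are constructed from the values quoted in the thread, and `known_ips` assumes you already hold a legitimate address for the site (the thread's `host` lookup gave 17.254.0.91).

```python
from urllib.parse import parse_qs, urlsplit
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_response(raw):
    """Turn the header block printed by `curl -I` into (status_code, {name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 302 Moved Temporarily" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def base_domain(host):
    """Registrable domain approximated as the last two labels (apple.com, vnet.cn)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def offsite_redirect(raw, site_host):
    """(redirect_host, query_params) when the response bounces off the site's domain, else None."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_CODES or "location" not in headers:
        return None
    target = urlsplit(headers["location"])
    loc_host = (target.hostname or "").lower()
    if loc_host == site_host or loc_host.endswith("." + base_domain(site_host)):
        return None                            # ordinary same-site redirect
    return loc_host, parse_qs(target.query)

def classify(by_name, by_ip, site_host, resolved_ip, known_ips):
    """Combine the two curl runs and the DNS answer the way the thread reasons about them."""
    name_hit = offsite_redirect(by_name, site_host)
    ip_hit = offsite_redirect(by_ip, site_host)
    if ip_hit:                                 # diverted even with DNS bypassed
        return "in-path HTTP interception"
    if name_hit and resolved_ip not in known_ips:
        return "DNS manipulation"              # name resolves to a foreign address
    if name_hit:
        return "inconclusive: diverted only by name"
    return "no interception observed"

# Constructed samples modelled on the thread: the 302 seen for www.apple.com
# (portal URL rebuilt from the quoted query parameters) and a clean 200 for comparison.
DIVERTED = """HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=F06BB8B56DA2D1740859633D690BBA53; Path=/
Location: http://welcome.sh.vnet.cn/portal/nt/?cpkey=53800&olddst=www.apple.com&cpssg=218.1.60.246&cpuname=ad54125859@online&oldurl=/
"""
CLEAN = "HTTP/1.1 200 OK\nServer: Apache\nContent-Type: text/html\n"
APPLE_IPS = {"17.254.0.91"}                    # assumed-known good address, from `host` in the thread
```

Feed it the raw output of the two `curl -I -L` runs (hostname and IP) plus the address `host` returned; a diversion that survives the IP-direct request is the transparent-proxy case the posters are trying to rule in or out.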