Mac Desktop DNS hacked? (OS X Server and Client Discussion forum, DNS section)

Viewing 4 posts - 1 through 4 (of 4 total)
#372811
    MacDave
    Participant

    Hi all:

    This question pertains to Mac 10.5 desktop (not server), but is very DNS related. I’m hoping it won’t get removed, and that someone here may be able to offer some guidance. Here goes:

    I have a MacBook Pro running Leopard 10.5.2 client, which is configured to use DHCP via both ethernet and airport, whichever is active. Our LAN router hands out DHCP info: 10.x.x.x private addresses & gateway, and three local 10.x.x.x resolvers. For some reason, only when set to DHCP, two mystery DNS servers (85.255.114.82 and 85.255.112.116) keep showing up in ‘System Prefs > Network > Advanced > DNS’ in addition to our local 10.x.x.x DNS resolvers. The nameservers are showing up there greyed out, like they always do when supplied by a DHCP server, but the nameservers are not ours, nor our ISP’s. In fact, googling them brings up several pages that mention DNS malware infections (‘Search@Hand’, etc), but they’re only Windows malware, not Mac. The nameservers are also showing up in /etc/resolv.conf.

    I double-checked our DHCP server config, and it’s definitely not providing the weird ns addresses. Also, we have about 25 other practically identical machines on the same lan, same OS, same config, that do not have this problem. So it seems NOT to be the DHCP server handing this out.

    If I set both network configs to manual, the problem goes away. But then if I switch back to DHCP, after 10-15 seconds, the mystery DNS servers re-appear. This is the only machine on our LAN that’s having this problem. I tried ‘ipconfig getpacket’ on both ethernet and airport, and the DHCP server IP looks correct (10.x.x.x router).

    So it seems there is some process running on this desktop machine that, regardless of the user, watches both the ethernet and airport interface configs, and when DHCP is active, inserts the bogus nameservers. I’m thinking configd has been compromised. Obviously a wipe and install would fix this, but I want to know what happened and is happening, so I can prevent it on other machines on the LAN.

    This happens with any user account on the machine, and survives a reboot, even after flushing dns cache with dscacheutil -flushcache. I suspect some kind of malware infection, perhaps of the configd process, but lack the skills to really track it down.

    If there were some way to monitor processes that modify the /etc/resolv.conf file, that would be a good start. Can anyone help point me to some tools that might reveal what processes/apps could be modifying my DNS server config?

    Thanks in advance!

    #372824
    khiltd
    Participant

    I can’t say that this is what’s to blame in your case, but I found and documented a fairly serious security hole in Leopard that allows pretty much anybody in the world to muck around with your network settings without so much as an authentication dialog:

    [url]https://www.afp548.com/forum/viewtopic.php?showtopic=18982[/url]

    The response I got from Apple was something along the lines of “so what.”

    I’d grep for those IPs, strip them out of whatever files you find them in and make sure you keep your network settings locked. If they turn up again then it’s obviously another issue.

    [url=http://www.khiltd.com/Downloads/Consultant’sCanary.zip]This script[/url] will catalog much of the third-party software installed on the machine and may turn up something suspicious, but if it really is a trojan of some sort odds are good the developer spoofed the Info.plist file to make it look like it came from Apple. If that’s the case it won’t find anything useful, but might be worth a shot anyway.

    It’s pre-compiled Python so you’ll need to invoke it as follows:

    [code]python cc.pyo [/code]
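
As an added example (not from this thread, and not part of khiltd’s script), here is a POSIX shell script that does two of the things discussed above: it flags any nameserver in a resolv.conf-style file that falls outside the LAN’s 10.x.x.x resolver range, and it greps a list of files for the two rogue addresses from the first post. The "10." prefix and the Mac OS X locations it scans when invoked with a file argument (preferences.plist, the launchd folders, the cron tabs) are assumptions for illustration, not findings from the thread.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Checks a resolv.conf-style file for resolvers outside the expected LAN
# range and greps candidate config files for the two rogue addresses.

# The two addresses reported in the first post.
ROGUE_IPS="85.255.114.82 85.255.112.116"

# check_resolvers FILE PREFIX
# Prints every "nameserver" entry in FILE whose address does not start
# with PREFIX (e.g. "10.") and returns 1 if any were found, else 0.
check_resolvers() {
    file="$1"; prefix="$2"; bad=0
    while read -r key addr rest; do
        [ "$key" = "nameserver" ] || continue
        case "$addr" in
            "$prefix"*) ;;                              # expected LAN resolver
            *) echo "unexpected resolver: $addr"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# grep_rogue_ips FILE...
# Reports each existing FILE that mentions one of the rogue addresses.
# -F makes the match a fixed string so the dots are not regex wildcards.
# Returns 1 if anything was found, else 0.
grep_rogue_ips() {
    hit=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        for ip in $ROGUE_IPS; do
            if grep -qF "$ip" "$f" 2>/dev/null; then
                echo "$f: contains $ip"; hit=1
            fi
        done
    done
    return $hit
}

# Usage: sh dnscheck.sh /etc/resolv.conf
# (on 10.5 /etc/resolv.conf is a symlink to /var/run/resolv.conf).
# The locations below are an assumed starting list of places where a
# persistence mechanism or a stored DNS setting could live.
if [ "$#" -gt 0 ]; then
    check_resolvers "$1" "10."
    grep_rogue_ips "$1" \
        /Library/Preferences/SystemConfiguration/preferences.plist \
        /Library/LaunchDaemons/* /Library/LaunchAgents/* /var/at/tabs/*
fi
```

Since configd regenerates /etc/resolv.conf from the System Configuration store, compare the file with the output of scutil --dns as well. To answer the original question of which process is doing the writing, run sudo fs_usage -w -f filesys | grep resolv.conf while switching the interface back to DHCP, or use a DTrace probe on open(2) such as sudo dtrace -n 'syscall::open*:entry /strstr(copyinstr(arg0), "resolv.conf") != NULL/ { printf("%s %s", execname, copyinstr(arg0)); }'; both tools ship with 10.5.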

    #372827
    MacDave
    Participant

    Thanks so much – that post was really helpful, and the DNS trojan you mentioned seems to be exactly what happened. I found this article on it:

    http://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer/

    which goes into some detail about exactly what it does.

    #372830
    khiltd
    Participant

    [QUOTE][u]Quote by: MacDave[/u][p]Thanks so much – that post was really helpful, and the DNS trojan you mentioned seems to be exactly what happened. I found this article on it:

    http://ithreats.wordpress.com/2008/01/11/analysis-of-osx-trojan-dns-changer/

    which goes into some detail about exactly what it does.[/p][/QUOTE]

    That would be the original version which requires quite a bit of user assistance in order to elevate an installer script’s permissions. The hole I found requires no elevation whatsoever so long as it is run under an admin account.
