2 Macs infected, Russian redirect, Google images

Discussion in 'all things UNIX' started by Blueshoes, Jan 14, 2011.

Thread Status:
Not open for further replies.
  1. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    I think two of my Macs are infected. I keep getting Russian redirects through Google image search. I have five Macs, three other Mac don't seem to be infected.

    Outline of equipment.

    Gateway SOHO router has IPS/IDS paid deep packet inspection, and AV.
    Second UTM server in bridge mode is an Untangle- Lite with Kaspersky and Clam gateway AV with all modules in use. http://www.untangle.com/Product-Overview
    All 5 Macs running Snow Leopard fully updated and firewalls enabled.
    All 5 Macs have Firefox 3.6.13 with NoScript, AdBlocker, BetterPrivacy, and Ghostery.
    The 2 Macs that appear to be infected are my wife's and my daughters that use webkit/Safari mostly.
    The 3 I run use Firefox with above add-ons enabled almost exclusively.
    All run OpenDNS and OpenDNS is speced in router. ( I test for Macs running OpenDNS monthly)
    Apple updates get updated the same day they are released ( always)
    Intego Virus Barrier X6 updated daily with full scans twice a month and ClamXav scans monthly even though Clam has a couple of Mac sigs, I still do it for PC viruses. Ran latest definitions on both . Clean.
    Ran Sophos when this happened and did it with best practices disabling on-demand scanners when other AV is scanning, plus call out AV files as Trusted. Ran latest definitions. Clean.
    Ran Rootkit Hunter 0.2 with updated sigs. Clean.



    Here is how I found my issue. We have 2 iMacs side by side Mine and my daughters. My daughter Googled "difficult color by number printables" and she clicked on the "images" link to get all the images instead of the normal Google links page. She clicked on an image in a newly updated nightly build of Webkit and received the browser warning about going any farther will damage your computer or something like that. I said cool, let me see if I get that in Firefox. It didn't, so I tried Webkit and still nothing. I tried loading the same image in Firefox on my daughters Mac and it called out malicious site just like Webkit. The redirects affect both browsers.The redirect would want to go to a XXXXXX.ru address. I would try some other images on the Google image page and her computer would get block pages from the browser. My computer would not, I loaded a clean, non redirected page with no redirect on my computer. Same image 2 different outcomes. Ran newly imaged Fedora 14 on a machine that never was on the net and all is well with the Google image search.

    My wife's computer is running in Admin to my disappointment. My daughters is running in a Standard account, and the Admin account is clean and does not get redirected.

    Something is sending me to .ru . On the my daughters infected computer I am also getting redirected to a link page" Rivasearchpage dot com". Both my daughters and my wife's computer act the same so I m assuming they have the same infection. I just loaded Opera on my daughter computer to see if a new browser would be redirected, it was to a porn page that my OpenDNS filter blocked. It also is going to Rivasearch dot com on 30% of the images. On my clean computer next to it, I am getting all clean images on clean sites.

    Any ideaso_O?
     
  2. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Have you tried with firefox and noscript enabled from the other two pcs?

    Seems more like noscript blocked a malicious script that redirected the other browsers the .ru site.

    Panagiotis
     
  3. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    Yes, I tried every combined senario and every one pointed to 2 infected Macs that love to redirect to Russia. With Noscript you see the xxxxxx.ru wanting to load if you hit the option button that calls out what server wants to load on your computer.
     
  4. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Are you sure that on your pcs you don't see the xxx.ru blocked for the same images? I am getting the same redirect results here if the safesearch is on moderate (change it to strict). The sites that host the images (those that I checked are clean), googles search cache seems poisoned or gets poisoned results from the hosting providers e.g. http://blog.unmaskparasites.com/201...ervage-hosting-to-poison-google-image-search/

    Panagiotis
     
  5. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220

    Attached Files:

  6. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    Both links that are different above get the browser warning on my daughters Mac and both links get the all clear good site with my computer. What are you getting?
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    I tried those links and both get redirected.

    Seems that maybe Ghostery?, Addblock Plus? (or another plug-in), blocks the redirection on your firefox.

    Panagiotis
     
  8. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    I disabled all my add-ons and both links are still clean for me. I am going to run a full system cache clean and other maintenance stuff right now on both computers. Should be back in 15 mins plus. What OS/browser are you running?
     
  9. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    Ran every conceivable cleaning script in Snow Leopard Cache Cleaner on the so called clean and infected Mac and everything is still the same. My daughters Mac is still getting redirected and mine is not.
     
  10. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    OP,

    I am running Ubuntu here with the latest Chromium (and it's sandboxed with AppArmor). At any rate, I reproduced your problem as outlined:

    1) google search for "difficult color by number printables"

    2) Click on images

    3) Click on the image of the dude with the hat

    I am getting the same warning. No matter what image I click on, I am getting the same warning about the xxxx.ru website. However, if I do another random google search and click on images, I am not getting the redirect.

    Are you saying that no matter what google search you do that you are getting redirects? (I am not clear on that). But to be clear, I am getting redirects on that one google image page no matter what image I click, and I am positive my machine is not infected (my browser is sandboxed both by Chromium and by AppArmor. I also run from a user account). There must be some other issue here.
     
  11. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    OK, I fired up my Fedora 14 machine that was I used testing the same images yesterday and that was a new image, so it was clean. I also get the warnings. So could the so called clean running Mac have the issue?
     
  12. katio

    katio Guest

  13. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220

    Katio, I think you are on to something!! My Intego Virusbarrier on a couple of my Macs would call out Firefox-bin to suspicious behavior and that went away past what my logs have saved, so I can't see the time frame of the warnings. I don't have time right now, but it will be the first place I look.

    Here is another thing to put into this mess. While 2 of the Macs get the Russian redirect even after deleting cookies, my other so called clean Macs that don't get redirected or get the browser warning always go to the clean sites. More less, the so called clean macs don't get browser warning because they don't get "fed" malware infected sites. Where clearly in the back ground you can see you have been sent to the redirected or bad site by the grayed out background screen on the so called infected Macs. I will have to read more on your links and do a Clean Profile switch on all the Macs to take that out of the equation. Thanks again!


    ADDED NOTE after posting this,

    Then what about Safari/Webkit? Clean surfing on the clean Macs and browser warnings on the so called infected Macs. I think their could be more to thiso_O? CRAP
     
  14. katio

    katio Guest

  15. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
  16. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    I will try that even though I think all these Mac AVers are not up to speed like PC AV. I think it is something obscure that is not life threatening and they could care less.
     
    Last edited: Jan 15, 2011
  17. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I highly doubt this is a security issue.
     
  18. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    i tried both links and they do redirect its server problem

    they are redirected to ayjfblduzs.ru

    where

    Website for this image

    american-home-cleaning.com ( even thats site name looks funny to me)

    not your pc but whats is looks to me server might me compromised :D

    if you have even wot toolbox addon even it block site at background so no need to worry
     
  19. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Its a server issue.
    If I block reffers lets me in OK to the site without redirect to the russian site.
    Not had chance to look further, train to catch.
     
  20. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Server serves up a 302 redirect to the russian site.
     
  21. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
  22. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    BTW since you are a VirusBarrier user you might want to take a look at
    this: -http://mac.softpedia.com/get/Antivirus/VirusBarrier-Express.shtml

    It's a new (FREE) On-demand AV scanner from Intego Named VirusBarrier Express.

    IMO, why Intego choose to release a FREE AV scanner right now, is ALL due to the Free Antivirus for Mac that Sophos released a while ago:cautious:
     
  23. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    This is a server issue.
    Noones machine is infected.

    If the server detects a refferer (not sure if its specific to google) in the header you send to request the page in your browser it redirects to the russian site.

    If there is no refferer, the server lets you in to the site.

    Refferers are being blocked on one machine (privacy setting/tool/addon at a guess).

    The server looks like it has been compromised.
    If you visit http://american-home-cleaning.com/index.php and view source you will see someone has written in a load of spam links.

    I shall contact the host and inform them.

    Cheers, Nick
     
  24. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Hosted by godaddy. Reported to them.
     
  25. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    there is 100% sure (american-home-cleaning.com) site problem thats all. If you scan that site on norton safe search

    https://safeweb.norton.com


    you see the results
     
    Last edited: Jan 19, 2011
Loading...
Thread Status:
Not open for further replies.