tastethepain May 9, 2005 01:08 PM cookie?
I could use your wise and divine assistance.

Yesterday, I used Camino to try to surf to '' and it pipes me over to a site hosted by ''

I try to go to my bank site and Camino does the same. I clear the cache, empty the website URL log history, remove all cookies, and retry. Same results.

I used Safari and got the same results. I then tried Firefox and got the same results.

What on Earth is happening? This feels like one of those horrible cookies that M$ Windows users get.


ghporter May 9, 2005 03:42 PM
That sounds like your browser has been hijacked. It doesn't happen only to Windows users, either; it's just far less common in the Mac world. This hijack looks like a DNS corruption - either weirdness from OS X, or done deliberately by some site. BTW, I tried, and I got the eBay hosted store, so it's not that particular address itself.

I think you MAY be able to fix this by flushing your DNS server address and cache. The only way I know how to do this is with Terminal, though there is bound to be an easier way...

Anyway, open Terminal and type "lookupd -flushcache" (no quotes) and hit return. This flushes the DNS cache. Now before you do anything else, restart the computer. Restarting - a full boot - will restore your DHCP-provided DNS server addresses in case they were corrupted.

tastethepain May 9, 2005 04:57 PM
You're correct. I did the solution you said and it worked fabulously.

Thank you very much. Curse that site. <bleh>

turtle777 May 9, 2005 05:47 PM
How is this attack performed on a Mac running OS X?
I sure hope that this cannot be done just by browsing a website...

ghporter, do you know anything about the technical stuff behind the hijack execution?

ghporter May 9, 2005 07:21 PM
turtle, in this case I think it was an accidental corruption of tastethepain's DNS cache.

However, there are ways to actively and maliciously hijack DNS entries. Here's a VERY recent story about Google having at least some DNS servers' entries for them being altered. And as it turns out, there is an exploit against Windows' DNS resolver module that could allow a malicious entity to hijack an entire session. An attacker can also impersonate a DNS server, particularly when you're using a link on a site that is not necessarily reputable, or is forged.

DNS hijacking isn't new - in fact Verisign was recently sued for its "hijacking" of addresses through its policy of providing "best guess" matches to Verisign customers rather than actual closest text matches. I found references from five years ago about this issue, which surprised me, especially since the February 2000 report I read was about the apparent defacement of RSA Security's web site. As it turns out, the bad guys really hijacked RSA's DNS entry, so RSA wasn't "powned" by them, they just detoured traffic to a different place.

And here's a great explanation of DNS spoofing. Spoofing is a particularly evil problem, because it can potentially affect EVERYONE, rather than being localized.

Bottom line here is that this is out there, and it is possible to run into it even with a Mac, but there are simple ways to fix it. The only thing you need to worry about with this is when you are directed to a site that isn't what it seems, and that's something we all need to watch anyway. Keep your eyes on where links are actually going, that you're really on a secure connection (I've seen counterfeit web sites that hid IE's status bar and put up a graphic with live "link address" text to spoof the user into thinking they actually were on a good SSL connection), and so on. Be vigilant and if something seems just "wrong" it probably is. When in doubt, type the link by yourself.

I know that's not as comforting as I'd like it to be, but that's the best I can do right now.

turtle777 May 10, 2005 10:07 AM
Thanks, ghporter.

So if I understand you correctly, nothing is hacked on a local machine (OS X), but rather, on the DNS server. The only thing that happens on your machine is that if you surf and send requests to a hacked DNS server, your computer will get altered DNS information from the server and your local machine will cache it until the next reboot. Is that correct?

ghporter May 10, 2005 12:53 PM
turtle, you have the basics. The problem is that while the original misdirection that got this thread started was obvious, intentional misdirection may not be. DNS is the heart of getting where you intend to go, so it's very important that it remain trustworthy. Fortunately, DNS server operators know this.
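
Added example, not part of the original thread: a small Python check for the symptom the first post describes, where unrelated sites (a store, a bank) all land on the same host. It flags any IP address that the local resolver returns for two or more unrelated domains. The function names and sample data are constructed for illustration, the last-two-labels domain split is only an approximation, and shared hosting or CDNs can legitimately trigger a match.

```python
import socket
import sys
from collections import defaultdict


def resolve_system(host):
    """Addresses the OS resolver (including its cache) returns for host."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def base_domain(host):
    # Approximation: keep the last two labels. Wrong for suffixes like co.uk.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def shared_addresses(answers):
    """Return {ip: [base domains]} for IPs that answer for unrelated domains.

    answers maps hostname -> set of IP strings. An IP is reported only when
    two or more different base domains resolved to it.
    """
    seen = defaultdict(set)
    for host, addrs in answers.items():
        for ip in addrs:
            seen[ip].add(base_domain(host))
    return {ip: sorted(doms) for ip, doms in seen.items() if len(doms) > 1}


# Constructed sample answers (documentation address ranges, example names).
SAMPLE_BAD = {
    "www.example.com": {"203.0.113.7"},
    "bank.example.net": {"203.0.113.7"},   # same IP as an unrelated site
    "mail.example.org": {"198.51.100.20"},
}
SAMPLE_OK = {
    "www.example.com": {"192.0.2.10"},
    "example.com": {"192.0.2.10"},         # same base domain, not flagged
    "bank.example.net": {"198.51.100.5"},
}

if __name__ == "__main__":
    hosts = sys.argv[1:]
    answers = {h: resolve_system(h) for h in hosts} if hosts else SAMPLE_BAD
    for ip, doms in shared_addresses(answers).items():
        print(f"{ip} answers for unrelated domains: {', '.join(doms)}")
```

Run it with a handful of hostnames you normally visit as arguments; with no arguments it runs on the constructed sample.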