searchdiscovered.com redirect removal?

One of my Macs has had both Safari and Firefox affected by something that redirects many urls to a page on searchdiscovered.com that says it is the page you are looking for. It happens for google.com and also facebook.com - not all the time though. Other sites don't seem to be affected. Does Sophos know about this and does MacHomeAV deal with it?

  • There are a number of ways this could be accomplished, some of which we detect via MacHomeAV and some we don't.

    The first things to check are:

    1. Do you have a proxy set in your Safari preferences?
    2. Open your /etc/hosts file in a text editor... it should not have anything mentioning google or searchdiscovered in it
    3. Check your DNS settings in System Preferences->Network->(your network: Ethernet or Wi-Fi)->DNS Server.  OSX/RSPlug and OSX/DNSCha both change the DNS server from one supplied by your ISP to a malicious server that shapes and directs your traffic how THEY want.

    It is also possible (especially if your DNS settings point to 10.x.x.x or 192.168.x.x) that an attacker has gone after your network firewall/router, and not your computer.  In this case, you should log on to the device as administrator, check that the device's DNS settings point to the right place (your ISP's DNS servers, Google's DNS servers, or OpenDNS's servers, for example), and if they don't, then change them back, change the admin password on the device, and ensure that the device cannot be administered from the internet.

    There are many other ways this can be done as well, including replacing your default search page, your default home page, patching the browsers themselves, etc.

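    The three checks above as an added shell script (example code, not from the original reply or from Sophos). The keyword list, the "known public" resolver addresses (Google and OpenDNS) and the Wi-Fi/Ethernet service names are assumptions; the live part needs macOS's scutil and networksetup, while the two helper functions work on any system.

```shell
#!/bin/sh
# Added example: scriptable versions of the proxy, hosts-file and DNS checks.
# Keyword list and resolver list below are assumptions for illustration.

# Check 2: print non-comment hosts-file lines mentioning any watched name.
# $1 is the hosts file path; remaining arguments are keywords. Prints
# nothing when the file is clean.
hosts_suspicious_lines() {
    file=$1; shift
    pattern=$(printf '%s|' "$@"); pattern=${pattern%|}
    sed 's/#.*//' "$file" | grep -Ei "$pattern" || true
}

# Check 3: classify a configured resolver address. A private-range address
# means the router answers DNS itself, so its settings need inspecting too.
dns_server_verdict() {
    case $1 in
        8.8.8.8|8.8.4.4|208.67.222.222|208.67.220.220) echo "known-public" ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo "private-check-router" ;;
        *) echo "unknown-verify-with-isp" ;;
    esac
}

# Live run on macOS: check 1 (proxy), 2 (hosts file), 3 (resolvers).
run_live_checks() {
    echo "== Check 1: proxy settings (every *Enable value should be 0)"
    scutil --proxy | grep -E 'Enable' || true
    echo "== Check 2: suspicious /etc/hosts lines (none expected)"
    hosts_suspicious_lines /etc/hosts google searchdiscovered
    echo "== Check 3: configured resolvers per network service"
    for svc in Wi-Fi Ethernet; do   # service names are an assumption
        networksetup -getdnsservers "$svc" 2>/dev/null | while read -r ip; do
            case $ip in
                [0-9]*) printf '%s %s: %s\n' "$svc" "$ip" "$(dns_server_verdict "$ip")" ;;
            esac
        done
    done
}

# Run the live checks only when asked: sh check_redirect.sh --live
if [ "${1:-}" = "--live" ]; then run_live_checks; fi
```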