URGENT - DNS Virus??

Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
I have 2 PPCs running 10.5.8 and just recently encountered a strange problem a couple of days ago.

Every time that I try and visit a popular website (i.e. Google, Bing, Yahoo, etc.), it takes an extremely long time to load (approx. 5 minutes). Eventually the site does load after a very long time, which I have concluded to be a DNS problem (where the primary DNS times out and finally the secondary loads).

All other sites load fine (as long as they are not using any scripts from the blocked sites).

I have come to the conclusion that I have contracted some sort of DNS virus that is intentionally blocking these sites as the problem only occurs on my Mac.

These sites load fine on my network when I am using my iPhone or my PC so the problem is specifically with my PPC macs and not my router or network settings.

I have tried changing the DNS servers to a handful of different DNS settings and it does not make any difference; the sites are still not loading.

I am completely stumped on how to fix this problem and have not been able to find any solutions.

Does anyone have any idea on how to fix this problem? It is causing major problems for my workflow as I cannot access these essential sites.

Any help would be greatly appreciated.
 

chscag

Well-known member
Staff member
Admin
Joined
Jan 23, 2008
Messages
65,248
Reaction score
1,833
Points
113
Location
Keller, Texas
Your Mac's Specs
2017 27" iMac, 10.5" iPad Pro, iPhone 8, iPhone 11, iPhone 12 Mini, Numerous iPods, Monterey
There are no DNS viruses so that's not the problem. And even if there were a DNS virus, it would have infected your PC not the Mac.

Try changing your DNS servers to either OpenDNS or Google Public DNS:

In Leopard... open System Preferences, Network. Click on WiFi or Ethernet whichever you're using, then click on the Advanced button. Click on the DNS tab.

You should see an address that's grayed out. Ignore it. Enter these two addresses by clicking on the small + sign below.

8.8.8.8
8.8.4.4

Those are the addresses for Google Public DNS, primary and secondary. Exit System Preferences, reboot your router and the machine.
 
OP
M
Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
Thanks, but I clearly stated that I have already tried a handful of different DNS settings. I've tried Google and about a half dozen other DNS addresses including a list from my own ISP.

That is not the problem. If it was, then my whole network would be experiencing the issue. As I mentioned, it's only my PPC Macs.

I am about 99.9% certain that this is being caused by a virus. A virus would not affect my PC as it would only affect the computer on which it was contracted.

It's no coincidence that it's ONLY the popular sites that are being affected.
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
> I am about 99.9% certain that this is being caused by a virus. A virus would not affect my PC as it would only affect the computer on which it was contracted.

Viruses are self-replicating - by design, they are meant to infect multiple machines on accessible networks.

How did you determine that this was a DNS issue? You mention that you're confident that this is the case. I ask because DNS lookups are relatively quick and if one fails, your Mac won't hang around waiting for the first one to fail multiple times. Second, if the problem persists with different addresses, it's probably not the DNS settings. If the problem had gotten worse (or the situation had gotten better) with a different set of DNS servers, I'd be inclined to agree with you. However, since the problem didn't change, I'm led to believe that the problem isn't DNS related.
 
OP
M
Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
I am confident that it's a virus and it is my assumption that it is a DNS issue.

I have had DNS problems in the past which mimicked the exact same behavior where sites would take a long time to load which was the result of a primary DNS timeout.

However, in that situation it was ALL sites that were affected and it was on all machines on my network. A simple DNS switch solved the problems in that particular situation.

However, in this case, it's just the popular sites that are affected (Google, Facebook, Yahoo) and it's just my PPC Macs. Changing the DNS servers has not made any difference.

Also, the day before this problem started I had visited a site that was giving off malware alerts.

Though, I've scanned my machines and nothing was found.
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
It may not be a virus - but it may be a Trojan. The distinction is that a Trojan is like the Trojan horse: you have to let it in for it to be a problem. Viruses spread without any interaction. Anyway, there are any number of ways to hijack DNS. First look at /etc/hosts and see if anything looks fishy there.
Then look through this Google search and see if anything sounds familiar.
https://www.google.com/search?sugex...,cf.osb&fp=2c57c9942e9fa8e0&biw=1101&bih=1004

So it could be malware - but it probably isn't a virus.
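
An added illustration of the /etc/hosts check suggested in the post above (not part of any poster's message): every mapping beyond the stock loopback and broadcast entries overrides DNS for that name regardless of the configured DNS servers, so those are the lines to read closely. The function names, the list of stock entries (assumed to match a default OS X hosts file) and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. audit_hosts and sample_hosts are
# illustrative names; the "stock" entries are assumed to match a default
# OS X hosts file.

# Print "line<TAB>address<TAB>hostname" for every mapping in a hosts file
# that is not a stock loopback/broadcast entry. Any such line overrides DNS
# for that name, whatever DNS servers are configured.
audit_hosts() {
    awk '
    {
        sub(/\r$/, "")      # tolerate CRLF line endings
        sub(/#.*/, "")      # strip comments
        if (NF < 2) next    # blank line, or an address with no hostname
        addr = tolower($1)
        for (i = 2; i <= NF; i++) {
            name = tolower($i)
            if (name == "localhost" &&
                (addr == "127.0.0.1" || addr == "::1" || addr == "fe80::1%lo0"))
                continue
            if (name == "broadcasthost" && addr == "255.255.255.255")
                continue
            printf "%d\t%s\t%s\n", NR, addr, name
        }
    }' "${1:-/etc/hosts}"
}

# Constructed sample: three stock lines followed by two overrides.
sample_hosts() {
    cat <<'EOF'
# constructed sample hosts file
127.0.0.1        localhost
255.255.255.255  broadcasthost
::1              localhost
203.0.113.7      www.google.com google.com
127.0.0.1        www.bing.com
EOF
}

# Demo on the sample; run `audit_hosts` with no argument to check /etc/hosts.
sample_hosts | audit_hosts -
```

No output means nothing in the file overrides DNS for any hostname.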
 
Joined
Oct 31, 2011
Messages
283
Reaction score
4
Points
18
> I am confident that it's a virus and it is my assumption that it is a DNS issue.
>
> I have had DNS problems in the past which mimicked the exact same behavior where sites would take a long time to load which was the result of a primary DNS timeout.
>
> However, in that situation it was ALL sites that were affected and it was on all machines on my network. A simple DNS switch solved the problems in that particular situation.
>
> However, in this case, it's just the popular sites that are affected (Google, Facebook, Yahoo) and it's just my PPC Macs. Changing the DNS servers has not made any difference.
>
> Also, the day before this problem started I had visited a site that was giving off malware alerts.
>
> Though, I've scanned my machines and nothing was found.

Then you have the first PowerPC virus, and it was created 7 years after the last PowerPC Mac shipped.
 
C

chas_m

Guest
> I am confident that it's a virus and it is my assumption that it is a DNS issue.

I found the problem. It's you.

You're flat-out wrong on the first count (there are ZERO Mac viruses) and probably wrong on the second count as well (since changing DNS addresses didn't fix the issue).

You will probably make more headway by questioning your assumptions -- or better yet, assuming nothing -- and re-approach the problem with an open mind.

For example, have you looked at your hosts file lately? There is some DNS re-direct MALWARE (not viruses) that might cause such a problem. Maybe that is what's really going on. Ivan's a smart guy, he may very well have the answer there for you.

Another possibility: a corrupt cache in your browser. I didn't see anything in your original post that indicated you had tried other browsers (or mentioned which browser you're using for that matter). So there's a possibility of that.

I don't know what the problem is, I'm just offering a couple of new approaches to help you find out what the real problem is. Sticking to a discredited theory isn't going to help.
 
OP
M
Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
I've checked the hosts file and there is nothing suspicious or unusual in there.

I'm really stumped here as to what could be causing this! I've scanned with 4 different programs and nothing was found.

This is really driving me crazy!
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
> I found the problem. It's you.

This response was entirely unwarranted - there is no reason to pick on the OP because you disagree. Ease up on the abrasiveness.
 
C

chas_m

Guest
I'm not picking on the OP. I'm challenging him to look at the problem afresh.

I'm genuinely sorry that I don't know what is causing his problem and I wish I could offer some solid help, but all I can do is suggest that he abandon the notions that have (clearly) not worked to resolve the issue.

Next time I'll remember to put sufficient numbers of smiley faces where I intend to be light-hearted.

Also, I take issue with your characterization of my post as "entirely" unwarranted. I offered three perfectly valid, helpful suggestions for new routes of investigation.
 
OP
M
Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
So, I found an old version of Netscape and as it turns out, I can access Google and all other sites using Netscape.

Safari and Firefox will not load the sites.

I was able to ping the sites that are blocked in Firefox and Safari so it seems that the problem is that something is affecting those browsers in particular.

I tried creating a new user account on my Mac and was still unable to access those sites using Safari on the new account.

Any ideas on what might cause this problem in Safari / Firefox but not Netscape?

I've been scratching my head for almost a week now and have found very little help here or elsewhere despite endless searching.

I could really use some help here! I've done the following with no luck whatsoever:

- scanned for trojans / virus
- changed dns servers
- checked host files
- clear browser / system cache (manually / onyx)
- created new system user
- reinstalled browsers
- ping / traceroute check
 

RavingMac

Well-known member
Staff member
Moderator
Joined
Jan 7, 2008
Messages
8,303
Reaction score
242
Points
63
Location
In Denial
Your Mac's Specs
16Gb Mac Mini 2018, 15" MacBook Pro 2012 1 TB SSD
I honestly have no real clue what is going on, but, assuming you have good backups, have you tried doing a reformat and reinstall of the OS on one of the affected Macs to see if that gets rid of the problem?
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
So, we can rule out DNS since those settings would affect every browser.

Did you set up OS X to use a proxy server? Safari would use those and although Firefox has its own system, it defaults to using the system ones.
 
OP
M
Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
> So, we can rule out DNS since those settings would affect every browser.
>
> Did you set up OS X to use a proxy server? Safari would use those and although Firefox has its own system, it defaults to using the system ones.

I have never set up OS X to use a proxy.

I only tested with an online PHP proxy to see if the sites were accessible in those browsers, which they were.

It just seems unusual that this is happening on both PPC Macs while it clearly doesn't seem to have anything to do with my network configuration.
 
Joined
Jun 21, 2012
Messages
11
Reaction score
0
Points
1
Location
Sweden
same DNS issue on Intel Mac

I have an Intel MacBook Pro with the exact same behavior. There is def. some kind of DNS issue going on but what is it?

I have also checked my hosts file and also checked for the most common trojans but everything looks fine.

The issue appears in all my web browsers (incl. Safari, Firefox, Camino, Netscape 3.1). There is no way to surf to Google but using Google's IP works fine, e.g. Google. The same goes with many popular sites and not only com addresses.

The network utility uses another DNS solution than the system so in that utility it is perfectly ok to lookup, traceroute etc even with google.com.

I have the same result no matter what network I am in (and my iPad works fine in the same wifi network).

Could this be a new trojan not yet recognized?

Please refrain from answering the thread if you do not understand the issue or have any constructive input.

Hope this issue can be solved. It is very annoying to say the least.
 
OP
M
Joined
Jun 18, 2012
Messages
13
Reaction score
0
Points
1
After 2 weeks of endless trial and error I had given up on hope of finding a solution to the problem and began digging a grave for my macs when all of a sudden the problem magically corrected itself.

This leaves me even more stumped as to what the cause (or solution) of the problem was.

I made no recent changes to my network or system settings that would have been responsible for fixing the problem. Just magically out of the blue both of my PPC machines began allowing access to the sites that would previously time out.
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
Joined
Jun 21, 2012
Messages
11
Reaction score
0
Points
1
Location
Sweden
Thank you for the suggestion IvanLasston.

I have however already tried to flush my cache and changed my hosts file, even tried with public DNS which still doesn't work, so I am prone to suspect that there really is something fishy going on before the call gets to the DNS servers; somehow it feels that something is interrupting the DNS lookup call.

I may have posted two rather similar posts on here, my apologies since they were my first posts and it took a long time for them to actually get posted.

This is my output from dscacheutil -statistics if someone can see something fishy about it.

Overall Statistics:
Average Call Time - 0.001638
Cache Hits - 7087
Cache Misses - 14587
Total External Calls - 8126

Statistics by procedure:


Code:
           Procedure   Cache Hits   Cache Misses   External Calls
    ------------------   ----------   ------------   --------------
              getpwnam          120             24              144
              getpwuid          494             21              515
              getgrnam           46             28               74
              getgrgid           20              9               29
         getservbyname         6406             25                9
        getprotobyname            0              2                2
              getfsent            0              0                6
         gethostbyname            1           7103                5
         gethostbyaddr            0            242              242
    gethostbyname_service         0              0             7099
           _flushcache            0              0                1
 
