*cross-posting from BleepingComputer forums. I didn't get any replies there for 5 days, I hope someone here may be willing to help.*

I'd be grateful for some advice on my situation. 
 
I'm using Mac OS X 10.8.5 (I know I need to upgrade as soon as I possibly can; currently travelling).
 
I started seeing a "connection not secure" browser error dialogue when trying to open Facebook, Instagram and Skype. But I opened my bank's portal no problem.

Same behaviour in FF, Chrome and Safari. Sometimes it would redirect and display an OpenDNS error page instead. I couldn't pick a pattern for why. Google search started prompting me to verify that I'm human.

The problem disappeared when I found and removed OpenDNS addresses from my DNS settings. But prior to that I had taken a bunch of steps (listed below). Subsequently I've removed Spigot adware from my system. 

Now I'm not sure if I'm vulnerable to a MITM attack? Or is the problem resolved?

In particular, I'm not sure how the OpenDNS addresses got added to my DNS settings. Could it be the Spigot adware? Or should I be looking for something else?

Steps I've taken:

  • Checked that pages that produced the "not secure" error load with my phone and a different computer on the same Wi-Fi network - they do. So not a router issue
  • Timezone, date and time are synced with Apple servers
  • Updated Java
  • Disabled all browser plugins
  • Firefox, the browser I use every day - cleared cache and offline files
  • Scan with ClamXav (2016 version, updated definitions, no infection found)
  • Scan with KnockKnock (current version, no infection found)
  • At this point I found the OpenDNS addresses and removed them.
  • Scan with Avast 12.5, found and removed
    • searchme@mybrowserbar.com.xpi
    • Spigot-O "YahooEngine.xml"
    • Several Spigot files already sitting in the Malwarebytes "removals" folder
  • Checked for an Avast CA untrusted certificate in Keychain - not present (but Avast is using MITM, switching in its own trusted certificate)
  • Downgraded Malwarebytes Anti-Malware to 1.2.4 (1.2.5 requires OS X 10.9 or later, apparently), found and removed "adware.Spigot"

I'd appreciate some help on this! 

Many thanks

It sounds like this is a known problem when OpenDNS blocks sites that use HSTS, which is why the problem went away when you removed OpenDNS from your network settings.

As for why OpenDNS might have been blocking those sites, since you say you're traveling, most likely someone else set OpenDNS to block those sites for the IP address you're currently using.


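As an added example (not the poster's or the forum's code): a small Python audit of a Mac's network services that flags statically configured OpenDNS resolvers, or any other resolver outside the local network, which is the setting the poster found and removed. It assumes Apple's `networksetup` command is available for the live run; the sample outputs in the block are constructed.

```python
import ipaddress
import subprocess

# Public OpenDNS resolver addresses (documented by OpenDNS).
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.220.220",
                     "208.67.222.220", "208.67.220.222"}

def parse_dns_servers(output):
    """Extract resolver IPs from `networksetup -getdnsservers <service>` output.
    The "There aren't any DNS Servers set on ..." message yields an empty list,
    meaning the service uses DHCP-supplied resolvers (normally the router)."""
    servers = []
    for line in output.splitlines():
        try:
            servers.append(str(ipaddress.ip_address(line.strip())))
        except ValueError:
            pass  # blank line or the 'no servers' message, not an IP literal
    return servers

def audit_dns(outputs):
    """Return (service, resolver, reason) for each statically set resolver that
    is OpenDNS or otherwise lies outside the local network."""
    findings = []
    for service, output in outputs.items():
        for ip in parse_dns_servers(output):
            if ip in OPENDNS_RESOLVERS:
                findings.append((service, ip, "OpenDNS: block page hard-fails HSTS sites"))
            elif not ipaddress.ip_address(ip).is_private:
                findings.append((service, ip, "public resolver set statically"))
    return findings

def collect_live():
    """Gather real outputs from every enabled network service on this Mac."""
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             capture_output=True, text=True, check=True).stdout
    # The first line is a legend; services prefixed with '*' are disabled.
    names = [n for n in listing.splitlines()[1:] if n and not n.startswith("*")]
    return {n: subprocess.run(["networksetup", "-getdnsservers", n],
                              capture_output=True, text=True).stdout for n in names}

# Constructed sample output, not captured from the poster's machine.
SAMPLE_OUTPUTS = {
    "Wi-Fi": "208.67.222.222\n208.67.220.220\n",
    "Ethernet": "There aren't any DNS Servers set on Ethernet.\n",
    "Bluetooth PAN": "192.168.1.1\n",
}

if __name__ == "__main__":
    for service, ip, reason in audit_dns(collect_live()):
        print(f"{service}: {ip} -> {reason}")
```

A service that reports no static servers is the normal state; a finding on the Wi-Fi service is what a user who never chose OpenDNS should look into.
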
On many networks, the IP address can change periodically. That could easily explain the issue. If the problem went away when you removed the OpenDNS addresses from your network settings, and hasn't been back since, I wouldn't worry about it. In that case, it's not a man-in-the-middle attack.

