How a hidden OS X process made my old employer think my Mac had been hacked

A slow Monday that I’d hoped would ease my way back into a semi-normal workweek was interrupted by a note from an old Post colleague–specifically, somebody in the IT department–with the never-good subject line of “virus?”

The security guys are reporting that someone is attempting to logon to VPN with your old credentials.

I replied saying that it was probably something spurious unless it was coming from the IP address my home currently had assigned from Verizon. He wrote back to say “turns out that IP is what is pinging the VPN server.”

Well, crap.

Little Snitch network monitorI updated my Mac’s ClamXav malware-scanner for the first time in months and got it started on a tedious inspection of my Mac, then downloaded the trial version of a network monitor called Little Snitch.

The virus scan found nothing, and Little Snitch didn’t report any oddball apps trying to send out data either. I also checked the settings of apps that I’d once configured to log into the newsroom remotely, but found nothing there.

Then I thought to try searching for the Post VPN address in Little Snitch’s network monitor. That revealed that Safari–to be exact, its WebProcess component–had pinged it only a few hours ago. A search for that address in Safari’s bookmarks and history located an old bookmark for the site that I’d misplaced in an unrelated, rarely-opened folder. Since deleting that, Little Snitch hasn’t recorded any more access attempts, and I haven’t gotten any other reports of those from the Post’s IT people.

WebProcess itself seems remarkably undocumented on Apple’s customer and developer sites, aside from references to it by users in the company’s tech-support forums. A further inquiry confirmed my initial hunch that this process updates Safari’s “Top Sites” view of pages you’ve visited recently–how else will the browser know to provide current previews of them?

What I still don’t get is why WebProcess would have kept on checking a site I hadn’t visited in close to two years–and which I don’t remember seeing in Top Sites anytime since. But I’ve witnessed enough weird behavior lately from individual Apple apps that I can’t put this past Safari… which is to say, I hope that’s all this is and that I haven’t missed something else.

About these ads

A fix for strange search results

Something looked broken with Web search on my computer yesterday, and it took me only about 18 hours of detours to figure out the problem. To spare you all the trouble of repeating my troubleshooting, here’s how things worked out.

search redirect network activityEverything started when I was doing a routine search for a post I’d written last winter on CEA’s blog. I clicked on Google’s link, saw a random address appear and then another, and found myself looking at a sketchy page with ads for some casino instead of my analysis of exemptions to the Digital Millennium Copyright Act’s anti-circumvention provisions.

My first thought–both frightened and angry–was that I’d finally gotten hit with a virus like DNSChanger on my own computer. But the same hijacked search happened in another Mac and on the Chromebook I’d just reviewed.

Maybe my wireless router had gotten compromised somehow? I had covered one reader’s experience with that two years ago, and my fellow tech journalist Glenn Fleishman (I’d say he’s forgotten more about WiFi than I’ll ever know, but he forgets nothing) thought that was likely too.

But the router had nothing amiss with its domain-name-server settings. Meanwhile, doing the same search in the browser on an AT&T Android phone (another recent review) didn’t yield any spurious results. Two replies on Twitter also suggested this issue might be specific to Internet providers.

My last move before getting distracted by our daughter was to try the same search on other sites. At Bing, the result also got hijacked; at DuckDuckGo, it did not.

This morning, as I was using Safari’s Web Inspector to see if I could get any more insight on the mechanics of the hijack (and take the screengrab you see above), another Twitter reply suggested that it could be an issue with CEA’s installation of WordPress. There is a history of exploits for that popular blogging platform that target incoming referrers from popular sites to send those clicks elsewhere; see, for instance, this Q&A thread.

(WordPress.com, this blog’s host, is a commercial service that runs WordPress; one of its selling points is having professionals stay on top of patches and security so I don’t have to.)

Sucuri LLC’s malware-checking site didn’t find any malware at CEA’s blog. But when I e-mailed somebody at the Arlington, Va., trade association, they did find a malicious script on the site that’s since been removed. And now, my original search takes me to the right page.

So I guess reporting this counts as this week’s good deed for the Internet… and maybe a start on next weekend’s USA Today column. But before I do that: Have you run into anything like this? Were you able to get it resolved? What else would you like to know about search hijacking?