Tags:




Did Comcast install spyware on my mac?
December 17, 2005 11:04 AM   RSS feed for this thread Subscribe

I think Comcast installed spyware on my Mac. Boing Boing now redirects to ebay, through a series of URLs. Please help me debug and fix it!

Comcast just came and installed cable modem service at my house. They ran some software on my OS X laptop that required me to type in my password, which seemed weird. Now when I type in http://boingboing.net, I see a series of URLs flash by in Safari's address bar and I eventually end up at ebay.com.

I tried to capture these URLs in order. They are:

http://boingboing.net

http://net.net/ebay.asp

http://www.jdoqocy.com/tj82cy63y5LNSNPVVQLOOMOSQN

http://www.apmebf.com/5f108dlutB/lsx/BB9BFDA/AFACIID/9/9/9?t=d%3c%3cq22y%3A%2F%2F555.smxzxl7.lxv%3AH9H9%2Flurlt-AFACIID-BB9BFDA%3c%3c%3cq22y%3A%2F%2Fwn2.wn2%2Fnkj7.j1y%3c

http://www.qksrv.net/7d108ox54P/x38/NNLNRPM/MRMOUUP/L/zGORxTJKQQSSPPMLSKMMOPTPPTLTTSUKQL/L?d=n%3cmty!opFn-uy5A18t%3cr33z%3A%2F%2F666.tny0ym8.myw%3AIAIA%2Fmvsmu-BGBDJJE-CCACGEB%3c%3c%3cr33z%3A%2F%2Fxo3.xo3%2Folk8.k2z%3c

http://adfarm.mediaplex.com/ad/ck/711-1751-2978-3?loc=http://pages.ebay.com?mpre=&UID=ew36c8z-557744107-1134844808879-50&AID=2202641&PID=1613994

http://cgi.ebay.com/aw-cgi/eBayISAPI.dll?RedirectEnter&partner=26442&loc=http://pages.ebay.com

http://www.ebay.com/

I might have missed some URLs.. they go by really fast, and i'm trying to stop Safari on each URL.

This doesn't happen on any other computer, just the one that Comcast touched. Did comcast really install spyware on my machine? This started happening within five minutes of the comcast installer leaving the house, and it has never happened before.. No other sites seem effected.
posted by rajbot to computers & internet (18 comments total)
Also, this happens in Safari but not Firefox, and there are no unusual processes running on the machine.. Thanks!
posted by rajbot at 11:18 AM on December 17, 2005


The didn't install spyware. They installed their own "portal" software. That's why you had to type in your password (an admin always has to type a password to install any software)

It was unnecessary for them to install anything, actually. When the comcast guys came to my house, they didn't so much as touch my Mac.

Is there anything new in your System Preferences window? A new control of some sort?
posted by Thorzdad at 11:20 AM on December 17, 2005


Also, check your logs. If anything was installed, it would show up there.
posted by Thorzdad at 11:26 AM on December 17, 2005


When I had Comcast originally install my high-speed internet service (PC) several years ago, they installed a whole bunch of software. It put new icons in my web browser, added bookmarks, installed some technical support chat software, in addition to some help files. It also caused my computer to start crashing. I uninstalled all of their software and simply use the connection. Anything you need to do account related can be handled through their website, www.comcast.net.

BTW, they might possibly have installed spyware. At the time of my first install, it was a major issue that customers were having. I'm not sure what they did about it.
posted by Roger Dodger at 11:28 AM on December 17, 2005


I disagree with the above poster, I don't think it's a portal at all, as portals generally don't hijack your browser and redirect to ebay with some person's ebay account so that they can get extra referral $.

It sounds like you might have a modified hosts file, especially considering the fact that all of the sites you list above (except for ebay.com and that net.net one) can be found in this hosts file. Basically a hosts file contains statements which locally redirect a domain name to a given IP address, in this case 127.0.0.1, which is the loopback IP address (that is, it always "loops back" to the IP address of your computer).

Assuming you're using OS X (since you said you have Safari), first check to see if the file /etc/hosts exists (one way to do that is start the terminal and type "ls /etc/hosts" [no quotes], then hitting enter" if it doesn't say something like "/etc/hosts," and just gives you another command prompt, then it isn't the hosts file - otherwise it is.

To look at the file, type "cat /etc/hosts" (again without the quotes) and look at the last few lines. If the IP address it redirects to is 127.0.0.1, that means that they've also probably installed a mini web-server on your computer that redirects to that net.net page. To verify this, go into safari and type in "http://127.0.0.1". If this brings up the ebay page, then they've installed some sort of server, and you should reply in this post indicating that this is the case so that we can help figure out how to get rid of that too.

If it is the hosts file, here's how you can remove it (though you probably need to know the Administrator password)
sudo mv /etc/hosts /etc/hosts.previous
sudo killall -HUP lookupd
good luck on getting rid of the problem!
posted by Frankieist at 11:30 AM on December 17, 2005


While it's true that comcast didn't need to install anything on your computer to do the job, I highly doubt this is the result of it. Some googling and browsing on dslreports.com has yet to yield any similar predicaments.

I would propose that this has more to do with the way you're entering the url, the fact that the first thing that safari goes to is net.net suggest that it may be interpretting the url you typed as incomplete and trying to guess what the actual url is. Firefox used to do similar stuff from time to time (if you put a domainless word in the bar, such as "boingboing" it would assume you meant boingboing.com) but it seems to have gone away with 1.5.

After the initial flub by safari, all it would take is regular rude crapsite forwarding to get the effect you describe.
posted by Matt Oneiros at 11:34 AM on December 17, 2005


Checking the logs, it seems they added/changed the following:

~/Library/Preferences/com.sprt.favorites.html
~/Library/Preferences/Explorer/Favorites.html
~/Library/preferences/Explorer/History.html

(Their install software pulled up many pages in Internet Explorer).
posted by rajbot at 11:36 AM on December 17, 2005


I've never heard of spyware on the mac, but the third URL is an affiliatte link from Comission Junction, so it appears someone is trying to make money off you loading that up.

It's not a HOSTS file though, if it were, it wouldn't matter what browser you were using.

How'd you capture all the URLs in the chain?
posted by mathowie at 11:36 AM on December 17, 2005


oh yeah, sorry, I didn't see your follow-up comment. Yeah, matt's right, it's not hosts file redirection. Errr, ignore what I said then.
posted by Frankieist at 11:41 AM on December 17, 2005


Crap, it's stopped happening, so I can't debug further. I probably sounds like I'm making all of this up now.

matthowie: By hitting command-period really fast after typing in boingboing.net and hitting enter, and doing that a bunch of times.

Matt Oneiros: I sort of think you are right. If I go to boingboing.net.net, i end up at ebay.

When I was trying to debug, I typed in boingboing.net and www.boingboing.net by hand. Usually I just type 'b' and then hit enter because safari autocompletes the url.

I thank you all for your help! I'll poke around a bit more and make sure nothing else on the disk was touched...
posted by rajbot at 11:43 AM on December 17, 2005


The exact same thing happens to me if I type "boingboing.net.net" into the Safari address bar. So, yes, you must have mistyped it.
posted by xil at 12:02 PM on December 17, 2005


I can confirm that boingboing.net.net redirects to ebay. I'm using a PC with firefox.
posted by delmoi at 12:54 PM on December 17, 2005


Some dickhead has registered the domain boingboing.net.net and set it to redirect you to eBay.
posted by Ken McE at 1:14 PM on December 17, 2005


It's not just boingboing, it's *.net.net. Try metafilter.net.net; it takes you to eBay as well, via all sorts of other scum sites.
posted by arco at 1:18 PM on December 17, 2005


It looks like this is solved, BUT: My advice is to never let anybody install anything on your machine.

Anyway, I think Comcast's installer for the mac just installs a "customized" version of IE 5.2 (which is pretty useless anyway) with comcast-related bookmarks and stuff, so Safari shouldn't be affected.
posted by sluggo at 2:08 PM on December 17, 2005


Technically the domain isn't boingboing.net.net, it's just net.net, with some kind of wildcard subdomain redirect.
posted by odinsdream at 6:06 PM on December 17, 2005


If you can run the tracert command on a Mac, and capture the result, it might be useful. It traces the route your packets take to get to a destination. This site has details.
posted by theora55 at 9:01 PM on December 17, 2005


Firefox used to do similar stuff from time to time (if you put a domainless word in the bar, such as "boingboing" it would assume you meant boingboing.com) but it seems to have gone away with 1.5.
Every version of Firefox I've ever used takes words like that and does an "I'm Feeling Lucky" search on Google. I haven't tried 1.5 though. It's weird that you'd get sent to boingboing.com rather than net.
posted by joegester at 9:47 PM on December 17, 2005


« Older How can I convince my parents ...   |   I am seeking some unbiased adv... Newer »
This thread is closed to new comments.