After Zoom install: macOS forwards various requests to localhost

dnsmalwareNetworkvpnzoom.app

right on the day since I installed (and uninstalled) Zoom, various URLs began to be forwarded to localhost. Like:

$ traceroute -I googleadservices.com

traceroute to googleadservices.com (127.0.0.1), 64 hops max, 72 byte packets
 1  localhost (127.0.0.1)  0.525 ms  0.061 ms  0.054 ms

Other sites and services are affected, too, so I had to grab the IPs behind the domains and hardcode things in the /etc/hosts to be able to work, it looks like this now:

127.0.0.1   localhost
255.255.255.255 broadcasthost
::1             localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section

#manual quickfixes:
140.82.113.3    github.com
140.82.118.4    gist.github.com
151.101.52.133  gist.githubusercontent.com
104.28.28.240   coronazaehler.de
172.217.2.106  firebasestorage.googleapis.com
104.26.1.95  myairbridge.com

157.240.18.19 cdn.fbsbx.com
# BEGIN section for OpenVPN Client SSL sites
127.94.0.1  client.openvpn.net
127.94.0.2  openvpn-client.vpn.leondrino.com
# END section for OpenVPN Client SSL sites

Using NordVPN doesn't change anything, but with TOR I can access everything.
What could be wrong ?

Best Answer

Unbelievable, after months of digging around cluelessly, I seem to have found it out. Apparently, the IPs

103.86.99.99
103.86.96.96

are part of some malicious part, they appear here:

$ scutil --dns
resolver #1
  search domain[0] : 
  nameserver[0] : 192.168.178.1
  nameserver[1] : fd00::7eff:4dff:fe7e:56fa
  if_index : 5 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  nameserver[0] : 103.86.99.99
  nameserver[1] : 103.86.96.96
  if_index : 14 (ipsec0)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)

and this resolver #2 isn't shown in any DNS settings in the system config.

running $sudo scutil, I found these IPs in this entry:

>get State:/Network/Service/39118383-7AC1-4270-AA42-7F97B4505F57/DNS

>d.show


<dictionary> {

  ConfirmedServiceID : 39118383-7AC1-4270-AA42-7F97B4505F57

  ServerAddresses : <array> {
    0 : 103.86.99.99
    1 : 103.86.96.96
  }

The top answer here showed me how to replace this entry with a proper one. After that, I ran:

sudo rm /etc/resolv.conf

sudo ln -s /var/run/resolv.conf /etc/resolv.conf

What kind of crap could that have been ?

Related Solutions

MacOS – Aborted localhost http requests — how to troubleshoot

This application was frequently (20+ times a day) un binding and binding the ip+port. Once I refactored this to stop doing that, it no longer has had problems.

MacOS – Cannot access localhost after upgrade to Mavericks but can access 127.0.0.1

Everything seems to be working now. I can access localhost again, and my app is running Sinatra on Thin as it was before. Thanks to bmike, I did a bit of searching on why my loopback was unreachable and came across this article. I moved my old hosts file (/etc/hosts) to hosts.old and made a new one in its place that simply contained:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1           localhost
255.255.255.255     broadcasthost
::1                 localhost
fe80::1%lo0         localhost

Then, I ran dscacheutil -flushcache and rebooted my computer*. After that, things appear to be working normally again. I can only guess that something weird happened with my old hosts file. I also took JakeGould's advice and blew away ruby 2.0.0 (I still had ruby 1.8.7--you cannot uninstall ruby entirely on a mac, since it uses ruby for other things) and rvm and reinstalled those; but I'm not sure that had anything to do with my success, as I still had the same issues until I followed the steps outlined above.

Note: the above hosts file contains virtually the same thing that I say my hosts file contained before (see original question); however, there were other things in my original hosts file that I did not share in my question (I just shared what I thought was the relevant part), so perhaps something there got borked when I upgraded--I wish I knew for sure.

*Rebooting is probably not necessary. I actually had this problem after setting up a new user from a backup drive on my machine at work (which is running Mountain Lion) and (just today) followed the same steps above (minus blowing away ruby and rebooting the machine), and it worked. This leads me to believe that the heart of the issue was a borked /etc/hosts file.

Best Answer

Related Solutions

MacOS – Aborted localhost http requests — how to troubleshoot

MacOS – Cannot access localhost after upgrade to Mavericks but can access 127.0.0.1

Related Question