X
Tap here to go to the mobile version of the site.

Support Forum

Browser hijack from unknown source starting Chrome instance within Firefox.

Posted

Yesterday my Firefox browser was apparently hijacked.

System information: Macbook Pro macOS Sierra 10.12.2 fully updated Extensions: uBlock Origin, Lastpass, Self-destructing cookies, Random Agent Spoofer 0.9.5.6, uMatrix

Symptoms: -The size of the browser tool bar and tabs were far too small, like they were zoomed out. The tabs and the buttons in the upper left (red, yellow, green on Mac) no longer overlayed properly. -Home page was redirected to 124bytes.com (the 124 bytes part is correct, not sure if this is the whole address -Surfed to google.com who notified me that I was using an old version of Chrome

   -Shut down all add-ons, restarted browser, returned to Google.com, same notification (wanted to ensure that it wasn't an add-on malfunction)

-Changing home page would stick until the browser was restarted -Ran virus/malware scans: Malwarebytes, ClamXav

   -No issues were returned with either

Resolution efforts (in order): -ClamXav virus scan -Malwarebytes scan -Delete and reinstall Firefox -Use terminal to look for hidden directories (none found) -Removed (rm -r) all Mozilla and Firefox directories from /Library

The last effort seems to have resolved the problem. Unfortunately I no longer have the user information because it was rm -r

I'm happy to help troubleshoot this further.

Yesterday my Firefox browser was apparently hijacked. System information: Macbook Pro macOS Sierra 10.12.2 fully updated Extensions: uBlock Origin, Lastpass, Self-destructing cookies, Random Agent Spoofer 0.9.5.6, uMatrix Symptoms: -The size of the browser tool bar and tabs were far too small, like they were zoomed out. The tabs and the buttons in the upper left (red, yellow, green on Mac) no longer overlayed properly. -Home page was redirected to 124bytes.com (the 124 bytes part is correct, not sure if this is the whole address -Surfed to google.com who notified me that I was using an old version of Chrome -Shut down all add-ons, restarted browser, returned to Google.com, same notification (wanted to ensure that it wasn't an add-on malfunction) -Changing home page would stick until the browser was restarted -Ran virus/malware scans: Malwarebytes, ClamXav -No issues were returned with either Resolution efforts (in order): -ClamXav virus scan -Malwarebytes scan -Delete and reinstall Firefox -Use terminal to look for hidden directories (none found) -Removed (rm -r) all Mozilla and Firefox directories from /Library The last effort seems to have resolved the problem. Unfortunately I no longer have the user information because it was rm -r I'm happy to help troubleshoot this further.

Additional System Details

Installed Plug-ins

uBlock Origin, Lastpass, Self-destructing cookies, Random Agent Spoofer 0.9.5.6, uMatrix

Application

  • Firefox 50.1.0
  • User Agent: Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
  • Support URL: https://support.mozilla.org/1/firefox/50.1.0/Darwin/en-US/

Extensions

  • Application Update Service Helper 1.0 (aushelper@mozilla.org)
  • LastPass 3.3.2 (support@lastpass.com)
  • Multi-process staged rollout 1.5 (e10srollout@mozilla.org)
  • Pocket 1.0.5 (firefox@getpocket.com)
  • Random Agent Spoofer 0.9.5.6 (jid1-AVgCeF1zoVzMjA@jetpack)
  • Self-Destructing Cookies 0.4.11 (jid0-9XfBwUWnvPx4wWsfBWMCm4Jj69E@jetpack)
  • uBlock Origin 1.10.4 (uBlock0@raymondhill.net)
  • Web Compat 1.0 (webcompat@mozilla.org)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription:
  • adapterDeviceID: 0x162b
  • adapterDrivers:
  • adapterRAM:
  • adapterVendorID: 0x8086
  • crashGuards: []
  • currentAudioBackend: audiounit
  • driverDate:
  • driverVersion:
  • featureLog: {u'fallbacks': [], u'features': [{u'status': u'available', u'description': u'Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'HW_COMPOSITING'}, {u'status': u'available', u'description': u'OpenGL Compositing', u'log': [{u'status': u'available', u'type': u'default'}], u'name': u'OPENGL_COMPOSITING'}]}
  • info: {u'TileHeight': 1024, u'TileWidth': 1024, u'AzureFallbackCanvasBackend': u'none', u'AzureCanvasAccelerated': 1, u'AzureCanvasBackend': u'skia', u'AzureContentBackend': u'skia'}
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • supportsHardwareH264: Yes
  • webgl2Renderer: (no info)
  • webglRenderer: Intel Inc. -- Intel(R) Iris(TM) Graphics 6100
  • windowLayerManagerRemote: True
  • windowLayerManagerType: OpenGL

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
FredMcD
  • Top 10 Contributor
4306 solutions 60423 answers
See if this helps; Mac Malware Scanners https://discussions.apple.com/message/29938930#29938930 You can also try https://www.malwarebytes.org/antimalware/mac/index.html
James
  • Top 25 Contributor
  • Moderator
1603 solutions 11348 answers

The User Agent you used to make this thread as you can see in your More System Details on right of your post is Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

If you are using Firefox to post then perhaps your user agent was changed. https://support.mozilla.org/en-US/kb/how-reset-default-user-agent-firefox

The User Agent you used to make this thread as you can see in your More System Details on right of your post is Mozilla/5.0 (X11; FreeBSD amd64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 If you are using Firefox to post then perhaps your user agent was changed. https://support.mozilla.org/en-US/kb/how-reset-default-user-agent-firefox
James
  • Top 25 Contributor
  • Moderator
1603 solutions 11348 answers

hubrisbear said

Extensions: Random Agent Spoofer 0.9.5.6

Actually this may be due to the Random Agent Spoofer extension you have installed. https://addons.mozilla.org/firefox/addon/random-agent-spoofer/

''hubrisbear [[#question-1154618|said]]'' <blockquote> Extensions: Random Agent Spoofer 0.9.5.6</blockquote> Actually this may be due to the Random Agent Spoofer extension you have installed. https://addons.mozilla.org/firefox/addon/random-agent-spoofer/