Question

I am facing an annoying problem: only HTTPS websites work on my Mac (in all browsers). I can only visit Google, YouTube, Facebook, Yahoo, etc.

So far, I have tried the following:

  • Websites show the error: ERR_CONNECTION_REFUSED
  • I have uninstalled the anti-virus
  • Turned off the firewall
  • Changed DNS to 8.8.8.8, 8.8.4.4 (Google), 208.67.222.222, 208.67.220.220 (OpenDNS), 0.0.0.0
  • My network supports IPv4 (but not IPv6), so most websites should work.
  • I tried pinging websites that are not opening in the browser, e.g. dailymotion.com, and packets were transmitted and received without loss. I reinstalled Yosemite but the problem still persists.
  • Everything works when I use a VPN (e.g. Hotspot Shield), so my guess is that DNS is messed up.
  • I tried flushing the DNS cache using sudo killall -HUP mDNSResponder

P.S. Everything works in Safe Mode and when using a mobile hotspot.

Here is the traceroute and curl verbose output. So the issue is only with HTTP websites.

When I use sudo pfctl -s nat, I get the following response: “No ALTQ support in kernel ALTQ related functions disabled rdr pass inet proto tcp from 192.168.1.100 (my IP) to any port = 80 -> 127.0.0.1 port 9882”. After removing the port forwarding using sudo pfctl -F all, the websites work for a few seconds only.

Any suggestions please?


Solution

You are probably the victim of an adware: OSX/Pirrit. Please read the linked analysis.

To remove the adware save the following shell script as remove-adware.sh (e.g. on your Desktop) and execute it as root:

#!/bin/bash
echo "*** Osx.Pirrit Removal script, Amit Serper, @0xamit ***"
echo "*** BEFORE YOU RUN THIS SCRIPT, STOP! I CAN'T TAKE ANY RESPONSIBILITY ON ANY DAMAGES HAPPENING TO YOUR MACHINE. YOU ARE THE MASTER OF YOUR OWN FATE"
echo "*** Before running this script check that you are indeed infected with osx.pirrit. TERMINATE THIS SCRIPT BY HITTING CTRL+C AND RUNNING THE FOLLOWING COMMAND:"
echo "$ dscl . -list /Users UniqueID | grep 401"
echo "If this command has an output then continue running this script. Else DONT"
echo "Press any key to continue running this script, remember - I am not responsible for any unfortunate outcomes"
read

echo "[*] Getting net_pref name"
netPrefFileName=$(sudo defaults read /Library/Preferences/com.common.plist net_pref)

echo "[*] Net pref name is:"
echo "$netPrefFileName"

echo "[*] Getting appname from com.common.plist"
appName=$(sudo defaults read /Library/Preferences/com.common.plist name)
echo "$appName"

# Guard: an empty name would turn the "rm -r" below into "rm -r /Library/"
if [ -z "$netPrefFileName" ] || [ -z "$appName" ]; then
    echo "[!] Could not read net_pref or name from com.common.plist, aborting"
    exit 1
fi

echo "[*] Stopping and removing LaunchDaemon"
sudo launchctl unload -w "/Library/LaunchDaemons/$netPrefFileName"
sudo killall "$appName"

sudo rm "/Library/LaunchDaemons/$netPrefFileName"

echo "[*] Removing injector"
sudo rm -r "/Library/$appName"
echo "[*] Removing malicious pf configs made by Pirrit"
sudo rm /etc/change_net_settings.sh

# Reload the stock pf ruleset so the port-80 redirect to 127.0.0.1 is gone
sudo pfctl -evf /etc/pf.conf

servicePrefFileName=$(sudo defaults read /Library/Preferences/com.common.plist service_pref)
echo "[*] Service pref file name:"
echo "$servicePrefFileName"

appName=$(sudo defaults read /Library/Preferences/com.common.plist name)
echo "[*] App name is:"
echo "$appName"

if [ -z "$servicePrefFileName" ] || [ -z "$appName" ]; then
    echo "[!] Could not read service_pref or name from com.common.plist, aborting"
    exit 1
fi

echo "[*] Removing LaunchDaemon"
sudo launchctl unload -w "/Library/LaunchDaemons/$servicePrefFileName"
echo "[*] Killing app and osascript"
sudo killall "$appName"
sudo killall osascript

echo "[*] Cleaning up..."
sudo rm "/Library/LaunchDaemons/$servicePrefFileName"

sudo rm -r "/Library/$appName"

echo "[*] Removing pirrit launching script"
sudo rm /etc/run_app.sh

echo "Script finished"

Make it executable:

chmod +x ~/Desktop/remove-adware.sh

change your working directory:

cd ~/Desktop

and execute it. Read the intro of the script thoroughly (especially the advice to run dscl . -list /Users UniqueID | grep 401 before continuing):

sudo ./remove-adware.sh
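Before running a removal script that deletes files as root, it is worth confirming the indicators first. The following read-only checks are an added example (not from the original answer or the script's author): they flag a pf rdr rule that sends port 80 to a loopback proxy, as in the question's pfctl output, and an account whose UID is exactly 401, as in the script's dscl check. The pfctl and dscl output embedded below is constructed so the functions run offline; the artifact paths are the ones the removal script deletes.

```shell
#!/bin/sh
# Constructed sample of `sudo pfctl -s nat` output, modelled on the question.
SAMPLE_PF_NAT='No ALTQ support in kernel
ALTQ related functions disabled
rdr pass inet proto tcp from 192.168.1.100 to any port = 80 -> 127.0.0.1 port 9882
nat on en0 inet from 192.168.1.0/24 to any -> (en0)'

# Constructed sample of `dscl . -list /Users UniqueID` output (name, UID).
SAMPLE_DSCL_USERS='_www 70
daemon 1
hiddenhelper 401
alice 501
bob 1401'

# Print rdr rules that send outbound HTTP (port 80) to a loopback address.
# Input: pf NAT rules on stdin. Exit status 0 if at least one rule matched.
find_http_rdr_to_loopback() {
    grep -E '^rdr .*port = 80 -> 127\.[0-9]+\.[0-9]+\.[0-9]+ port [0-9]+'
}

# Print accounts whose UID is exactly 401. The script's `grep 401` would also
# match UIDs such as 1401 or 4010; an exact field comparison avoids that.
find_uid_401_users() {
    awk '$2 == 401 { print $1 }'
}

# Report which file-system artifacts named in the removal script exist.
# Prints nothing on a clean system.
list_pirrit_artifacts() {
    for path in /Library/Preferences/com.common.plist \
                /etc/change_net_settings.sh /etc/run_app.sh; do
        [ -e "$path" ] && printf '%s\n' "$path"
    done
    return 0
}

# Stand-alone run against the constructed samples; on a real Mac, pipe the
# live `pfctl -s nat` and `dscl` output into the two functions instead.
printf '%s\n' "$SAMPLE_PF_NAT" | find_http_rdr_to_loopback
printf '%s\n' "$SAMPLE_DSCL_USERS" | find_uid_401_users
list_pirrit_artifacts
```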
Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange