Resolved Question

How do I change the DNS server settings through Terminal?

Jul 3, 2012 12:18AM PDT

Hi. I had the DNS Changer malware which I have now got rid of, but the rogue DNS servers are still on my machine's system. I rang my ISP to get the DNS servers that they use so I could put them back on my machine. But the bad ones are still there too. After a lot of advice and trawling of the internet I'm nearly free of them, but something's still not right. I'm so close to sorting this and it's so frustrating that I'm at this last hurdle and it won't work.

Can anyone tell me if the steps I've followed in this process are correct? This is how far I've got:

In Terminal type sudo nano /etc/resolv.conf
Enter password
Delete bad DNS servers
There are 4 lines. The last 2 are the rogue DNS servers added by the malware. The first 2 are my ISP's DNS servers. The cursor is at the beginning of the first line so I have to use the back arrow to scroll down 4 lines to the last number of the last line of rogue server then use the backspace arrow to delete the 2 lines of the bad DNS servers.
Press Control - x to exit
Doing this jumps me straight into a highlighted question: "Save modified buffer (ANSWERING "No" WILL DESTROY CHANGES) ?" I'm given the highlighted options of yes, no or cancel.
Then press y to save changes
Pressing y for yes jumps me straight into the highlighted line "File Name to Write: /etc/resolve.conf." I cannot come out of this highlighted line. I can only move the cursor along this line to the beginning of " /etc..." This is where the problem starts. I was advised to press y again, but that only adds the letter to the line. I pressed Control - O as someone else advised to write out the file, but nothing happens - presumably because it's not one of the options below. The only options I have at this point, which are also highlighted with this line, are:
Control - G Get Help
Control - T To Files
M-D DOS Format
M-O Mac Format
M-A Append
M-P Prepend
M-B Backup File
Control - C Cancel

So I only get as far as saving the file. It seems to accept the save up to a point but then it wants me to do something else. Add to the name of the file? If I do add to the file name, then press return, it jumps to "File exists, OVERWRITE ?" with the options yes, no or cancel. I don't dare choose any of them in case I spoil it or something. If I try to close nano and exit, I get the "closing this window will terminate the following processes inside it: login, bash, nano."

I can't do anything except to close and terminate because I can't complete the process of deleting the rogue DNS servers.

I hope this all makes sense and would very much appreciate any help.


Best Answer

And then I don't use the ISP's DNS.
Jul 3, 2012 4:45AM PDT

For a very long time I've been using the Google DNS. You have choices on this, and OpenDNS is another fine choice.
Bob

There are reasons to not use the ISP DNS
Jul 3, 2012 5:16AM PDT

Some don't have entries for, say, those Samsung Smart TV sites, so the Samsung HDTV can fail. There were also a few ISPs that redirect your browser in some cases. I'm pretty old school and want the DNS to be a DNS and nothing more.
Bob

That makes sense.
Jul 4, 2012 12:19AM PDT

I might do that myself, too.

Well it looks like no one can help me with my problem. Apparently what I have to do is:

In Terminal type sudo nano /etc/resolv.conf
Enter my password
Delete the rogue DNS servers
Press Control - O to save the changes.
Then press Control - X to quit Nano.
Then just press Return when it highlights "File Name to Write: /etc/resolve.conf."
Then restart my machine.

But the changes are not taking. When I go back into Terminal to check the servers, I see that the rogue servers are still there - despite my deleting them before!

Can anyone shed any further light on this? Can the servers be deleted this way in Terminal? They don't show up at all when I go into Network so I can't delete them from there. Or is this a router thing? Well, I don't actually have a router. It's a Motorola Surfboard Cable Modem that doesn't have a manual reset...

I think that is explained by
Jul 4, 2012 3:43AM PDT

The DNS config or file is read on boot. So if you remove them and reboot then you should be fine.

If they appear back in the file, then there is some rogue in your system.
Bob

Thanks Bob...
Jul 4, 2012 4:46PM PDT

I shall investigate.

I've also been reading some stuff about sudo crontab -l to check what I have, then sudo crontab -e to edit, and getting rid of the servers/malware that way. Would that work too?

Finally! Sorted!
Jul 5, 2012 2:29AM PDT

I'd like to thank everyone for their advice and help on this. It was much appreciated. In the end it was using crontab that did it for me and in case anyone new has a problem with this in the future, this was the process:

Go into Utilities in Applications and open the Terminal app

Type cat /etc/resolv.conf to check what servers you have
To delete the rogue servers from here type sudo nano /etc/resolv.conf
Enter your password.
Delete rogue servers. You have to scroll with your cursor to get to the end of the line and then delete from there.
Press Control - O to write out and save changes
Press Control - X to exit.
Restart machine.

This actually didn't work for me personally. So after more searching, help and advice, I got this process:

Go into Terminal
Type sudo crontab -l (That's the letter ell) This shows what entries are in the directory. In mine, I saw the malware script which showed up as /Library/Internet Plug-Ins/QuickTime.xpt. If you have more than just the malware entry in there, you will want to edit and delete. To do this for a single line:
Type sudo crontab -e. Use the arrow keys to navigate to the line. I scrolled to the end of the line.
Type dd to delete the line
Type wq and press Return to write out the file and quit.

I had only the one entry and that was the malware script so I was able to use sudo crontab -r which will delete everything in there, so you have to be careful with that command. After that I also flushed the cache. For Tiger you go into Terminal and type lookupd -flushcache. This is like a reset. Two extra servers showed up and I assume they are the original servers that were there - which means that when I called my ISP to ask for the servers they used, they gave me 2 different ones from the original. Whatever.
So even though I deleted the malware and the rogue DNS servers from my machine, because the script was still there, my machine continued to show up as 'infected.'

I restarted my machine and the google alert was gone. I checked out the site that tells you if you're still 'infected' and the background was green. I'm clear.

Thanks Bob, everyone!
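The two things this thread ends up checking, what /etc/resolv.conf actually lists versus the resolvers you expect, and whether root's crontab carries an entry launched from somewhere no cron job belongs, as an added shell script that is not from the thread or from CNET; the sample resolv.conf, the crontab listing and the documentation-range IPs it uses are constructed.

```shell
# Added example, not from the thread. Two defender checks after a DNSChanger-style
# infection: (1) resolvers in a resolv.conf that are not on your allowlist, and
# (2) root-crontab lines whose command lives in a plug-in or temp directory (the
# poster found one under /Library/Internet Plug-Ins). Sample inputs are constructed.

# Print, on one line, every nameserver in $1 that is not in the allowlist $2
# ($2 is a space-separated list of the resolver IPs your ISP gave you or that
# you chose yourself, e.g. "8.8.8.8 8.8.4.4").
unexpected_nameservers() {
    awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { out = out (out == "" ? "" : " ") $2 }
        END { print out }
    ' "$1"
}

# Print non-comment lines of a "sudo crontab -l" listing ($1, or - for stdin)
# whose command lives in a plug-in or temp directory; a normal cron job does not.
suspicious_cron_lines() {
    awk '!/^#/ && (/\/Library\/Internet Plug-Ins\// || /\/tmp\//)' "$1"
}

# Write constructed sample files into a temp dir and print its path. The IPs are
# RFC 5737 documentation addresses: 192.0.2.x stand in for the ISP resolvers,
# 198.51.100.x for the two rogue entries the malware appended.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/resolv.conf" <<'EOF'
domain example.com
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 198.51.100.7
nameserver 198.51.100.8
EOF
    cat > "$dir/crontab.txt" <<'EOF'
# root crontab as listed by: sudo crontab -l
0 3 * * * /usr/bin/periodic daily
*/10 * * * * "/Library/Internet Plug-Ins/QuickTime.xpt"
EOF
    echo "$dir"
}

# Demo against the constructed samples. On a real machine:
#   unexpected_nameservers /etc/resolv.conf "<your ISP or chosen resolvers>"
#   sudo crontab -l | suspicious_cron_lines -
samples=$(write_samples)
echo "Unexpected resolvers: $(unexpected_nameservers "$samples/resolv.conf" "192.0.2.1 192.0.2.2")"
echo "Suspicious cron entries:"
suspicious_cron_lines "$samples/crontab.txt"
rm -rf "$samples"
```

On Mac OS X, /etc/resolv.conf is regenerated by the system from the network configuration, which is why a hand edit in nano does not stick; treat the file as a symptom to inspect and fix whatever is setting the resolvers, as the poster did with the cron entry.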

Answer
You may be overthinking this,
Jul 3, 2012 4:38AM PDT

I think I will!
Jul 3, 2012 5:03AM PDT

I already removed the DNS Changer last week, but 2 of the rogue DNS servers are definitely still on my machine. They're not deleted with the malware.
That article is from 2011. More recent articles are saying that the FBI will be shutting off the servers on July 9th as it's costing too much money to maintain them and anyone who still has an infected machine will lose access to the internet. Thanks for the info though, P.

Bob, I may just do that. Out of curiosity, why do you prefer not to use the ISP's DNS servers? That is what I was using before my machine got the malware.

I forgot to put the specs for my machine. It's a PowerPC iMac G4, so it's about 7 or 8 years old. OS X 10.4.11.