PC Pals Forum
Technical Help & Discussion => Broadband, Networking, PC Security, Internet & ISPs => Topic started by: Simon on March 09, 2009, 21:49
-
I've just had my very first alert from Windows Defender, saying I've had a possible Hosts file hijack:
Category:
Settings Modifier
Description:
This program has potentially unwanted behavior.
Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
Resources:
file:
C:\WINDOWS\system32\drivers\etc\hosts
I opted to 'Clean' the file, which WD reports it has done successfully; however, when I now open the Hosts file in Notepad, I get the following:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
Is this normal? I thought it was supposed to contain actual settings, not what appears to be a 'sample'. Can anyone clarify, please?
-
That's fine, Simon. The only reason for putting anything in the hosts file is if you want it to resolve without the aid of a nameserver. It's often used for things on your local network.
-
Thanks, Martin. I'm still curious as to how / why it's been changed, though, as I'm sure it had 127.0.0.1 localhost in there before.
-
Yes, on Windows you can either find it blank or with a 127.0.0.1 localhost setting (either is fine).
On Linux it'll be something like:
127.0.0.1 localhost
127.0.1.1 ##.#####.eu ##
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
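A check in the spirit of this thread, as an added example (not code from the forum, Windows Defender, or either poster): parse a hosts file in the format quoted above and flag the two patterns a "hosts file hijack" alert is usually about, a well-known update or search name pinned to any address (blocking or redirecting it) and an ordinary name sent to a public address. The sample files, the watchlist and the "bank.example" name are constructed for illustration.

```python
import ipaddress

# Constructed sample files for this example (not Simon's real hosts file).
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
"""
HIJACKED_HOSTS = """127.0.0.1 localhost
127.0.0.1 windowsupdate.microsoft.com update.microsoft.com   # blocks updates
198.51.100.7 www.bank.example                                 # redirects logins
"""

# Names a benign hosts file has no business overriding (illustrative list, an assumption).
WATCHLIST = {"windowsupdate.microsoft.com", "update.microsoft.com", "www.google.com"}

# Ranges that legitimately appear in hosts files: loopback, unspecified, RFC 1918,
# link-local, and the IPv6 prefixes behind the Debian-style boilerplate lines
# quoted in the thread (fe00::/9 for ip6-localnet, ff00::/8 for the multicast names).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "::/128", "fc00::/7", "fe80::/10", "fe00::/9", "ff00::/8",
)]


def parse_hosts(text):
    """Return (line_no, address, [names]) for each mapping; '#' starts a comment."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((line_no, fields[0], [n.lower() for n in fields[1:]]))
    return entries


def is_local_scope(ip):
    # Version mismatch (v4 address vs v6 network) is simply False, so mixing is safe.
    return any(ip in net for net in LOCAL_NETS)


def find_suspicious(text):
    """Return [(line_no, reason)] for entries that match common hijack patterns."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, f"unparseable address {addr!r}"))
            continue
        hits = sorted(n for n in names if n in WATCHLIST)
        if hits:  # pinning a watchlisted name to 127.0.0.1 or elsewhere are both hijacks
            findings.append((line_no, f"watchlisted name(s) {hits} pinned to {addr}"))
        elif not is_local_scope(ip):
            findings.append((line_no, f"{names} redirected to public address {addr}"))
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, find_suspicious(text) or "no findings")
```

To run it against a live machine, read C:\WINDOWS\system32\drivers\etc\hosts (or /etc/hosts) and pass the contents to find_suspicious; the 127.0.0.1 localhost entry Simon remembers produces no finding.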
-
Thanks again, Martin, that's reassuring. I'm starting to suspect a false alert from Windows Defender, as nothing else has found anything.
-
I told you he was good, Simon ;D
-
Yes, we must lock the doors to stop him escaping. ;)
-
What's wrong with leg shackles like the rest of us? ;D
-
What do you mean, 'the rest of us'? That's just you! ;D
-
Now you tell me. ;D
-
You can always check and see what's active if you are seeing activity on your local net ... for example, on Windows/Linux you can use "netstat" (in a command/shell prompt) to list out the active sockets on the system and check any "rogue" entries you find (IP addresses you don't recognise from browser activity, for example). There are various options you can use, so see what suits you.