-
April 5th, 2011, 01:48 AM
#1
Missing Hosts File
I am managing a network with 7 PCs (XP) and a server (2003 SBS) on a domain. All are running eEye Blink AV. The issue is that on a single machine the hosts file disappeared a few months ago which was rebuilt. I went to block Lizamoon.com this weekend and noticed that another machine was missing its hosts file. My boss wants me to find out why this is happening. Both machines are scanned for malware regularly and none of the user accounts have rights to modify the file. I searched on Google and only found info on rebuilding the file, not reasons for it. Anyone out there come across this and the reason for it besides malware?
-
April 5th, 2011, 08:02 PM
#2
Just off the top of my head. As everyone knows, AV software is reactive. That is to say you have to get infected with malicious software or a virus before your antivirus software will do its job. For those of you who don't know, AV software does not prevent you from downloading a virus. It just prevents the thing from running.... Arggg long week.
Anyway, I don't know eEye but I'm sure you can set it to delete any file it cannot clean. Check your AV logs to see if it deleted the hosts file. And put super glue in the USB ports. (Nevermind)
09:F9:11:02:9D:74:E3:5B 8:41:56:C5:63:56:88:C0
-
April 5th, 2011, 10:55 PM
#3
Some malware can also modify your hosts file so that common sites go to their ad-riddled and infected sites. Maybe eEye Blink AV doesn't trust that the changes you've put into your hosts file should be there?
I've never used that AV software before, so can't comment on what it does and doesn't do, but certainly is something to look into.
-
April 8th, 2011, 09:44 PM
#4
Hi,
You mean the actual file was missing or just empty?
I know that some security products use the hosts file to redirect malicious sites to 127.0.0.1. Could it be a failed update of some sort... like the file is deleted before getting written back, and the write back fails?
I really have no idea how Windows itself handles the hosts file either.
I do find it strange that malware would want to delete the hosts file anyway... modify it perhaps, but not delete... that seems a bit too obvious to me???
-
April 8th, 2011, 10:43 PM
#5
Yeah, the hosts file was actually not there. All the systems there have the same setup. This has happened on 2 of the 7. It is odd, and there isn't much information on the subject I can find. It's even more curious because the machines are on a Domain, and the users with the issue don't have access to the file.
-
April 8th, 2011, 11:28 PM
#6
Originally Posted by nihil
I really have no idea how Windows itself handles the hosts file either.
Wow. On the net long enough... you're bound to see it all.... I poke, of course, but really you're that on most of the time..
So.. Hosts file... operates like hosts on Linux. The default for Windows is to check the hosts file first, then resolve via DNS... any entry in the hosts file in Windows that is set up with #PRE at the end of the line causes Windows to preload that entry
i.e. 127.0.0.1 some.adserver.com #PRE
And agreed, it's odd that the cracker/spammer/malware would delete the file; more likely to either wipe out the file and add its own redirections...
-
April 9th, 2011, 09:54 AM
#7
I go with nihil's idea: check AV and system logs. If you find a write error, then restoring a backup copy of the files could have failed.
Last option I'd suggest: try looking for them on your boss's computer, it's maybe an april fish xD LOL (just kidding xD)
Toka Koka: To receive a reward, an equivalent sacrifice has to be made!
-
April 9th, 2011, 10:49 AM
#8
Hmmm,
So.. Hosts file... operates like hosts on Linux. The default for Windows is to check the hosts file first, then resolve via DNS... any entry in the hosts file in Windows that is set up with #PRE at the end of the line causes Windows to preload that entry
That's pretty much what I suspected. I know Windows doesn't need a hosts file, and from what you are saying I would conclude that all it does is read the file if there is one present. So I guess we can rule out any sort of Windows corruption.
Hosts is just a simple text file without the .txt extension so the question is how are you editing it or updating it. With Notepad I would just expect the file to be overwritten on save. Whilst that might be a problem, I would expect you to be left with a corrupt file, as opposed to no file at all?
If you are using some other software, it may well delete the existing file and then write the new one. That could explain why it has gone missing? You might run a file recovery program to check for a deleted hosts file?
If the file name/header have been corrupted then it may well be there, but you can't find it. You might try searching for a few known strings in the file?
One thing I would do is run the manufacturer's diagnostics on the hard drives in the two machines in question. A dying hard drive is often the cause of files getting corrupted or disappearing.
I would suggest that whenever you edit the hosts file on a machine you check that the file is there afterwards. That could tell you if there is a problem with the editing/updating process?
Do you have a clean, stable electrical supply... no neon lights on the same circuit? Power blips can have strange effects when you are updating stuff.
-
April 14th, 2011, 01:11 PM
#9
Check that it isn't hidden... seen it before.
attrib -s -h on that dir.
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
April 18th, 2011, 06:04 AM
#10
Most likely hidden and contains some malicious redirects.....had this happen on a bunch of our systems......
"It is a shame that stupidity is not painful" - Anton LaVey
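Following up on the hidden-attribute and redirect points in the last two replies, here is an added check script (not from anyone in this thread) for auditing the hosts file on a Windows machine. It assumes the standard path under %SystemRoot%\System32\drivers\etc and treats only loopback/unspecified addresses as expected sinkhole targets; anything else is reported for review.

```powershell
# Added example: audit the hosts file for the "missing" and "hidden" cases
# discussed above, and list active entries that point somewhere other than
# a loopback/sinkhole address. Assumes the default hosts path.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$sinkholeAddresses = @('127.0.0.1', '::1', '0.0.0.0')

function Test-HostsFile {
    param([string]$Path = $hostsPath)

    # -Force is required: without it, Get-Item skips Hidden/System files, which
    # is exactly why a hidden hosts file looks "missing" in Explorer and dir.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        Write-Output "MISSING: $Path does not exist (not even as a hidden file)"
        return
    }

    $attrs = $item.Attributes
    $isHidden = ($attrs -band [IO.FileAttributes]::Hidden) -ne 0
    $isSystem = ($attrs -band [IO.FileAttributes]::System) -ne 0
    if ($isHidden -or $isSystem) {
        Write-Output "HIDDEN: $Path has attributes [$attrs]; clear with: attrib -s -h `"$Path`""
    } else {
        Write-Output "OK: $Path present with attributes [$attrs]"
    }

    # Walk the active (non-comment) entries. Anything after '#' is a comment,
    # so a trailing '#PRE' is stripped here as well.
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path -Force) {
        $lineNo++
        $entry = ($line -split '#')[0].Trim()
        if ($entry -eq '') { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) {
            Write-Output ("MALFORMED line {0}: {1}" -f $lineNo, $entry)
            continue
        }
        $ip = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        if ($sinkholeAddresses -notcontains $ip) {
            # A name mapped to a real address is a candidate redirect.
            Write-Output ("REDIRECT line {0}: {1} -> {2}" -f $lineNo, ($names -join ','), $ip)
        }
    }
}

Test-HostsFile
```

Run it from an elevated prompt on each of the affected machines; the attribute line is the quick answer to "hidden or really gone", and any REDIRECT lines are what to compare against the entries you added yourself.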