
Thread: Missing Hosts File

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    127

    Question Missing Hosts File

    I am managing a network with 7 PCs (XP) and a server (2003 SBS) on a domain. All are running eEye Blink AV. The issue is that on a single machine the hosts file disappeared a few months ago which was rebuilt. I went to block Lizamoon.com this weekend and noticed that another machine was missing its hosts file. My boss wants me to find out why this is happening. Both machines are scanned for malware regularly and none of the user accounts have rights to modify the file. I searched on Google and only found info on rebuilding the file, not reasons for it. Anyone out there come across this and the reason for it besides malware?
    sandwich.

  2. #2
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Just off the top of my head. As everyone knows, AV software is reactive. That is to say you have to get infected with malicious software or a virus before your Antivirus Software will do its job. For those of you who don't know, AV software does not prevent you from downloading a virus. Just prevents the thing from running.... Arggg long week.

    Anyway, I don't know eEye but I'm sure you can set it to delete any file it cannot clean. Check your AV logs to see if it deleted the HOST file. And put super glue in the USB ports. (Nevermind)
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  3. #3
    Junior Member
    Join Date
    Apr 2004
    Location
    United States
    Posts
    24
    Some malware can also modify your hosts so that common sites go to their ad-riddled and infected sites. Maybe eEye Blink AV doesn't trust that the changes you've put into your hosts file should be there?

    I've never used that AV software before, so can't comment on what it does and doesn't do, but certainly is something to look into.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi,

    You mean the actual file was missing or just empty?

    I know that some security products use the hosts file to redirect malicious sites to 127.0.0.1. Could it be a failed update of some sort......like the file is deleted before getting written back, and the write back fails?

    I really have no idea how Windows itself handles the hosts file either.

    I do find it strange that malware would want to delete the hosts file anyway......modify it perhaps, but not delete.......that seems a bit too obvious to me???

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    127
    Yeah, the hosts file was actually not there. All the systems there have the same setup. This has happened on 2 of the 7. It is odd, and there isn't much information on the subject I can find. It's even more curious because the machines are on a Domain, and the users with the issue don't have access to the file.
    sandwich.

  6. #6
    Member
    Join Date
    Jul 2009
    Posts
    45
    Quote Originally Posted by nihil View Post
    I really have no idea how Windows itself handles the hosts file either.
    wow. on the net long enough ... you're bound to see it all.... I poke, of course, but really you're that on most of the time..

    So.. Hosts file ... operates like hosts on Linux, the default for Windows is to check the hosts file first then resolve via DNS ... any entry in the hosts file in Windows that is set up with #PRE at the end of the line causes Windows to preload that entry

    ie. 127.0.0.1 some.adserver.com #PRE

    And agreed that it's odd the cracker/spammer/malware would delete the file, more likely to either wipe out the file and add its own redirections ...

  7. #7
    Member neozoon's Avatar
    Join Date
    Dec 2002
    Posts
    33
    I go with nihil's idea: check AV and system logs. If you find a write error, then restoring the backup copy of the file could have failed.

    Last option I'd suggest: try looking for them on your boss's computer, it's maybe an April fish xD LOL (just kidding xD)
    Toka Koka: To receive a reward, an equivalent sacrifice has to be made!

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    So.. Hosts file ... operates like hosts on linux, the default for windows is to check the hosts file first then resolve via DNS ... any entry in the hosts file in windows that is setup with #PRE at the end of the line, causes windows to preload that entry
    That's pretty much what I suspected. I know Windows doesn't need a hosts file, and from what you are saying I would conclude that all it does is read the file if there is one present. So I guess we can rule out any sort of Windows corruption.

    Hosts is just a simple text file without the .txt extension so the question is how are you editing it or updating it. With Notepad I would just expect the file to be overwritten on save. Whilst that might be a problem, I would expect you to be left with a corrupt file, as opposed to no file at all?

    If you are using some other software, it may well delete the existing file and then write the new one. That could explain why it has gone missing? You might run a file recovery program to check for a deleted hosts file?

    If the file name/header have been corrupted then it may well be there, but you can't find it. You might try searching for a few known strings in the file?

    One thing I would do is run the manufacturer's diagnostics on the hard drives in the two machines in question. A dying hard drive is often the cause of files getting corrupted or disappearing.

    I would suggest that whenever you edit the hosts file on a machine you check that the file is there afterwards. That could tell you if there is a problem with the editing/updating process?

    Do you have a clean stable electrical supply...........no neon lights on the same circuit?............power blips can have strange effects when you are updating stuff.

  9. #9
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Check that it isn't hidden ... seen it before.

    attrib -s -h on that dir.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  10. #10
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Most likely hidden and contains some malicious redirects.....had this happen on a bunch of our systems......
    "It is a shame that stupidity is not painful" - Anton LaVey
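
The checks suggested in the replies above (is the file really gone or only hidden, and does it contain redirects), as an added PowerShell example that is not part of any post in the thread. It assumes the default hosts location under %SystemRoot% and PowerShell 3.0 or later; the function name Get-HostsFileStatus is hypothetical.

```powershell
# Added example: report whether the hosts file exists, is hidden, and what it redirects.
# Assumption: default location under %SystemRoot%; run from an administrative prompt.
$DefaultHosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsFileStatus {
    param([string]$Path = $DefaultHosts)

    # -Force returns hidden and system files, which a plain listing would skip.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $hidden = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
    $system = [bool]($item.Attributes -band [IO.FileAttributes]::System)

    # Collect entries that point a name at anything other than a loopback or null address.
    $redirects = @()
    foreach ($line in Get-Content -LiteralPath $Path -Force) {
        $entry = ($line -replace '#.*$', '').Trim()   # drop comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }          # not an "address name" pair
        if ($fields[0] -notmatch '^(127\.|0\.0\.0\.0$|::1$)') {
            $redirects += $entry
        }
    }

    [pscustomobject]@{
        Path          = $Path
        Exists        = $true
        Hidden        = $hidden
        System        = $system
        LastWriteTime = $item.LastWriteTime   # compare against AV and system log times
        Redirects     = $redirects            # review each of these by hand
    }
}

Get-HostsFileStatus | Format-List
```

Running it after every edit of the hosts file gives the "is it still there afterwards" check from post #8, and the LastWriteTime value gives a timestamp to look for in the AV logs.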
