
Understanding Domain Name Resolution - Tutorial


9 replies to this topic

#1 zomba


Posted 22 October 2004 - 08:59 AM

Hi,
Many thanks for the excellent tutorials.

I'm having problems with my HOSTS file.
My question is:

Is it possible for malware to plant a second HOSTS file and have this rogue HOSTS file referenced by the OS instead of the HOSTS file in the default location?

If so, how is the location of the "in-use" HOSTS file specified?
(I've tried to find an appropriate registry key without success)
Many thanks,

-Z-


#2 Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:05 AM

Posted 22 October 2004 - 04:48 PM

I am pretty sure if you change this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath

to another directory, it will read the database files from that directory

#3 zomba


Posted 24 October 2004 - 04:33 PM

Hi Grinler,
Many thanks for your prompt reply.
If I'm "allowed" a follow-on question...

Is there another way (or two) that the HOSTS file protection can be circumvented by malware?

The reason I ask is that coolwebsearch.com is in the HOSTS file but my browser is still able to get to coolwebsearch. I've run updated Ad-aware SE and Spybot S&D so I "think" I've removed coolwebsearch.
Many thanks.
-Z-
Any pointer for learning more about the registry will be most appreciated

#4 Grinler

    Lawrence Abrams

Posted 24 October 2004 - 06:16 PM

I am not sure if there is a way to disable it, but there is a way to make it last in the search order, so that would effectively make it useless if DNS was able to resolve the entry.

Information on that can be found in the tutorial. In a reply to this post, include the entry you have in the hosts file and I will tell you if it's set up right.

#5 zomba


Posted 24 October 2004 - 08:36 PM

Hi Grinler,
Thank you again for the VERY swift response and for pointing me to the search order, I'll check that out.

I'm sure the entry in the hosts file is OK because the hosts file is imported from Spybot, and the entry has the same format as all the others...but thanks for offering. I'll keep plugging away at this ;-)
Regards,
-Z-

#6 EdBee


Posted 24 October 2004 - 08:44 PM

There is/was some question in this post and another recent post re having duplicate/identical files/filenames in your computer. As Grinler pointed out to me recently, yes there can be more than one of the same named file--for instance SVCHOSTS and some others as well. So this, in itself, is NOT an indicator that one of them is a bad file (malware). So we should not be running programs that look for dup files and just deleting them just because there is more than one!
I think I have that correct. But, I have been wrong before. :thumbsup:
EDBEE from NMUSA- RENOWNED MALWARE FIGHTER AND SWORN ENEMY OF ALL INTERNET HIJACKERS

#7 zomba


Posted 25 October 2004 - 04:38 PM

Hi Grinler and Edbee,
Maybe I should take this question to another section of the board?

Anyway, the problem persists. (The HOSTS file entry (per Spybot S&D) does not block my browsers from getting to, for example, coolwebsearch.com.)

I've checked the following:
- the default prefix is set to http://
- the search order is still the default values
- the default location of the HOSTS file is still the default location.

Any ideas as to why the HOSTS file is not blocking access to coolwebsearch.com.
Is there anything else I can check?
Thanks,
-Z-
(PS: I have of course run Ad-aware SE and Spybot in safe mode, and CWShredder.)

#8 Grinler

    Lawrence Abrams

Posted 25 October 2004 - 09:06 PM

Can you post the portion of the hosts file that references coolwebsearch? Also is the hosts file named hosts? or another name?

Have you posted a hijackthis log in the hijackthis forum?

#9 zomba


Posted 01 December 2004 - 03:06 PM

Hi Grinler,
Thank you again for your prompt response. Here's the section of the HOSTS file that references coolwebsearch:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv

I've been picking the brains of another knowledgeable person and it appears that the problem is probably a lack of understanding (on my part) of what happens between typing an address into the browser and the request going out to the web site, so perhaps the "test" that I think is failing is not a valid test?

Some more clues:
- when I "test" to see if the HOSTS file is blocking, if I type in coolwebsearch OR coolwebsearch.com OR http://coolwebsearch.com the browser gives the expected error message, however,
- when I type in http://www.coolwebsearch.com the browser DOES take me to what appears to me to be a coolwebsearch site.

So, I wonder what is it that I'm not properly understanding.

Thanks again for your assistance with this.
(No, I have not posted a HJT log yet but I can, if necessary... however I believe the problem here lies between my chair and my keyboard ;-( not inside the machine.)

-Z-
(PS Sorry for the LONG delay)

#10 Grinler

    Lawrence Abrams

Posted 01 December 2004 - 08:02 PM

That is correct. Remember that a hostname is bleepingcomputer.com. Another hostname, but not the same hostname as the previous example, is www.bleepingcomputer.com

When you use the hosts file you are mapping IP addresses to hostnames. Therefore if you have the entry:

127.0.0.1 coolwebsearch.com

in your hosts file you are only blocking the hostname for coolwebsearch.com and not also www.coolwebsearch.com.

To block that hostname as well you need to add:

127.0.0.1 www.coolwebsearch.com

as well.

Does this clear it up better? Don't hesitate to ask me to clarify it more.
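The exact-match behaviour Grinler describes, shown in code as an added example (not from the thread or any resolver's source): a small hosts-file parser whose lookup, like the real one, matches whole hostnames only, so an entry for coolwebsearch.com leaves www.coolwebsearch.com to fall through to DNS. The sample hosts text is constructed from the entries quoted above; the helper names are the example's own.

```python
import ipaddress

# Constructed sample modelled on the entries quoted in the thread,
# not the poster's actual file.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 coolwwwsearch.com
127.0.0.1 coolwebsearch.com   # trailing comments are allowed
127.0.0.1 hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
"""


def parse_hosts(text):
    """Return {hostname: ip} from hosts-file text.

    Each non-comment line is an IP address followed by one or more
    hostnames. Hostnames are case-insensitive, so they are stored
    lower-cased. Lines without a valid IP are skipped.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)  # first entry wins
    return table


def hosts_lookup(table, hostname):
    """Exact-match lookup, as the hosts file does: an entry for
    'example.com' does not cover 'www.example.com'.
    Returns None when the name falls through to DNS."""
    return table.get(hostname.lower().rstrip("."))


def unblocked_www_variants(table):
    """List blocking entries whose www. form is absent: the gap the
    thread ran into, generalised over the whole file."""
    return sorted(
        f"www.{name}" for name, ip in table.items()
        if ip == "127.0.0.1" and name != "localhost"
        and not name.startswith("www.") and f"www.{name}" not in table
    )
```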
