Check Your Hosts File VERY Carefully

The bad guys have been using entries in YOUR Hosts file, to block you from accessing the websites that can protect YOU, for quite a while now. So instructing you to examine your Hosts file, for entries like:

127.0.0.1 http://www.symantec.com

is nothing new. This entry, if present in your Hosts file, will block you from getting access to the Symantec servers, including online help, and LiveUpdate. It’s one of the earliest hijacks used by the bad guys.

Anyway, I just copied the above example line from this example Hijacked Hosts file. Go there, and see if you can find the example.

“No”, you mighht answer. “The only non-comment line is:

127.0.0.1 localhost”.

But, you would be wrong. Look again, but look more carefully.

  • The first line there (other than a lot of comments), and the only non-comment line in an otherwise empty file, will APPEAR to be “127.0.0.1 localhost”.
  • Scroll to the end of the file, by hitting Ctrl-End.
  • Scroll back up to the top, page by page, looking for any unrecognised entries, possibly placed there by malware.
  • Look out for blank lines at the beginning and end of the file, after “localhost”, placed there by an exploit.
  • Do not assume that a file is empty simply because you see “localhost” followed by 50 blank lines!
  • Do not assume that a file is empty simply because you see 50 blank lines anywhere!

Now aware of this devious, and o so simple, mechanism that the bad guys can use, check YOUR Hosts file. To clean your Hosts file, if anything of interest is found, and assuming NO valid entries other than “127.0.0.1 localhost”, simply:

  1. Place the cursor at the end of the “127.0.0.1 localhost” line.
  2. Hold down “Ctrl” and “Shift”, and hit “End”.
  3. With everything after “127.0.0.1 localhost” highlighted, hit “Delete”.
  4. Save Hosts, as name “Hosts.” (note the “.”!), as type “All Files”.

If you find that you have valid entries other than “127.0.0.1 localhost”, which you need to retain, be aware of this hijack, and edit the file very carefully.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: