how to protect hosts files?

  • Thread starter Thread starter none
  • Start date Start date
N

none

When i look at hosts file i saw entries i didn't put
there. Example :

66.159.18.75 astalavista.com
66.159.18.75 www.astalavista.com

how can i prevent so unauthorized entries do not get in my
hosts file?
Thanks
 
sure, but the problem here is HOW these entries got into
my hosts file? I mean next time it could alternate some
important file the same way HOSTS was alternated ...
 
The hosts file sits in the C:\Winnt\system32 directory which by default can
only be written by the
Administrators
Server Operators (in w2ksrv)
System

It looks like the hosts file was accessed by the installation of some
program or manually by the user. Either way, having the users log in as
regular users (not Power Users or Administrators) will avoid such problems.
It's a headache to have two separate accounts (one for daily use and another
for Administration purposes), but I believe it secures you in the long run.
 
Actually it sits in %SystemRoot%\WinNT\drivers\etc
(where SystemRoot is frequently C:\Winnt or C:\Windows

Spyware such has been changing these.

The poster that recommended NTFS permissions has a
good idea but if you are the User who is (accidentlly)
running the spyware then the NTFS access control will
allow 'you' to edit it anyway.

If you use NTFS you may have to deny EVEN YOURSELF
the "write" (modify) permission but leave it readable to you
and the system.

You need to actively DENY write -- not just remove
everyone or whatever, since you are likely an admin and
you have Full Control to start. Be careful to own the
file or keep "permission change" permission in case you
mess it up.

Sometimes the old, and simple READ-ONLY (dos) file
attribute is sufficient and it protects you from making a
trivial mistake (copy, save a file over hosts.)

attrib +r %SystemRoot%\WinNT\drivers\etc\hosts

Spyware Blaster can "protect" you hosts file but that is
just storing a hidden copy. http://www.WildersSecurity.Com
 
In
posted their thoughts said:
Actually it sits in %SystemRoot%\WinNT\drivers\etc
(where SystemRoot is frequently C:\Winnt or C:\Windows

Spyware such has been changing these.

The poster that recommended NTFS permissions has a
good idea but if you are the User who is (accidentlly)
running the spyware then the NTFS access control will
allow 'you' to edit it anyway.

If you use NTFS you may have to deny EVEN YOURSELF
the "write" (modify) permission but leave it readable to you
and the system.

You need to actively DENY write -- not just remove
everyone or whatever, since you are likely an admin and
you have Full Control to start. Be careful to own the
file or keep "permission change" permission in case you
mess it up.

Sometimes the old, and simple READ-ONLY (dos) file
attribute is sufficient and it protects you from making a
trivial mistake (copy, save a file over hosts.)

attrib +r %SystemRoot%\WinNT\drivers\etc\hosts

Spyware Blaster can "protect" you hosts file but that is
just storing a hidden copy. http://www.WildersSecurity.Com
Click to expand...

When I discovered the same problem the other day, I changed SYstem to Read
and it stopped. I then ran Adaware. eliminated all the spyware, then put it
back to FC and it didn't come back. So somewhere during the original
poster's travels, he inadvertently clicked on something and got the ball
rolling.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
If they weren't put in by a user, they were likely entered by malicious
software (spy/adware). If you restrict system permissions to the file, that
may do the trick. Perhaps try changing it so that only the admin account
has read/write, and everyone else has strict read.
 
Another option may be to enable auditing on the file to see who is altering it. Again, if it's some process running under your context, then it will show you as the
culprit. That may not be all that use full.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 
In
posted their said:
Another option may be to enable auditing on the file to see who is
altering it. Again, if it's some process running under your context,
then it will show you as the culprit. That may not be all that use
full.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to
this message are best directed to the newsgroup/thread from which
they originated.
Click to expand...

I had actually tried that but "System" just came coming up with no specific
user account or application. So hence, once I made System Read Only, it
stopped. After running Adaware I then also blocked the IP that showed up in
my HOSTS files to insure that it doesn't come back, since it was a DNS
server and Web server of some spamming/adult site ISP. I determined that it
was a spamming/adult site by the hundreds of adult sites and known spamming
domain names that showed up in the HOSTS file.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
I had actually tried that but "System" just came coming up with no
specific
user account or application. So hence, once I made System Read Only, it
stopped. After running Adaware I then also blocked the IP that showed up in
my HOSTS files to insure that it doesn't come back, since it was a DNS
server and Web server of some spamming/adult site ISP. I determined that it
was a spamming/adult site by the hundreds of adult sites and known spamming
domain names that showed up in the HOSTS file.
Click to expand...


That's cool -- since it was system, it was easy to remove
the change permissions.

Bigger question, what is running as SYSTEM?

Does it OWN your machine?
 
In
posted their thoughts said:
That's cool -- since it was system, it was easy to remove
the change permissions.

Bigger question, what is running as SYSTEM?

Does it OWN your machine?
Click to expand...

I don't know what app it was. After running Adaware, it removed about 20
things. It could have been any one of them. I just figured out it wasn't
using the user context but rather the System context to alter it, so yes, I
would say it was running as System so apparently it would be able to change
it if a Domain User/User account were only logged on.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top