Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
Hosts file

iceblue
Warrior Guru


Joined: 18 Jan 2004
Last Visit: 11 Apr 2006
Posts: 392
Location: Sydney

Posted: Thu Mar 04, 2004 4:52 am    Post subject: Hosts file

Hosts Tutorial
This is an introduction to using and fixing the HOSTS file to enable some familiarity, to clarify some general points,
and provide links to assist users wanting to know more, particularly at the entry level to the topic.

Most of us use the HOSTS file everyday without knowing it, and without needing to alter it in any way.
It’s when log problems arise that we need to fix, then a little knowledge comes in handy,
but the volume of detail in finding out about it can often deter us from being useful.
The following was jotted to be useful, rather than give the full and complete knowledge base.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

HOSTS file
..................................................................................................................................................
A simple explanation:

A host file entry works in reverse.
e.g. 222.0.0.0 New York City
It directs the name on the right to the IP address on the left.
Your browser will get sent to the IP address 222.0.0.0 on the left.

Quote:
So it's like a traffic sign.
To New York City, take route 222.

I must have read a couple of hundred explanations of hosts files...That is the best yet! [Thanks Suzi!]

This would look like this (in a pretend Hosts file)
222.0.0.0 New York City
and where our PC lives, we call it ‘home’ or ‘localhost’ which looks like this:
127.0.0.1 home
[As in “There’s no place like 127.0.0.1” on geek T-shirts]

Home base is 127.0.0.1 for your computer, and is a safe destination,
and this is usually the first entry in a real hosts file.
127.0.0.1 localhost

Safe Sites example:
Anything sent ‘home’ is safe…
e.g.
127.0.0.1 instant.death.net….is totally safe
127.0.0.1 popup.ads.com - - gets you no more ads from that site.
127.0.0.1 hack.heaven.co.uk - - you won’t have to worry about re-directs to that site.
127.0.0.1 driveby.downloads.net - - your browser will not even go to this site.
These sites are now blocked.

*Note: Some Hosts files have the 0.0.0.0 format instead of 127.0.0.1

Bad Sites example:
A browser hijacker IgetNet re-directs ieautosearch to 216.177.73.139
as shown in the HOSTS entry example
216.177.73.139 ieautosearch

216.177.73.139 is www.igetnet.com
Your browser is sent there! This shows as the log entry
O1 - Hosts: 216.177.73.139 ieautosearch
which we fix easily with HijackThis.
................................................................................................................................................

If the HOSTS file has been badly tampered with, it is usually best to rename or delete it,
and then replace it.
Renaming it allows you to copy good entries back into the new HOSTS file if they are needed.
(If you are trying to fix a hosts file, renaming or replacing is much better than
tediously going through and identifying and deleting offending entries by their IP address.)
Rename HOSTS to HOSTS.BAK
or rename HOSTS to HOSTS.OLD
or even HOSTS to OLDHOSTS
Then you can check for any needed entries by asking the user to look at it carefully. E.g.
127.0.0.1 pop3.norton.antivirus
These can be edited back in at a later stage.

Simply deleting the HOSTS file is no problem.
If it is not used by that person, or if it is corrupted,
or you have a perceived problem with Hosts files.
HOSTS files aren’t that critical to Windows operations
– many systems get by happily with the default
127.0.0.1 localhost
as their complete HOSTS file -
but as new exploits arise, an updated and comprehensive Hosts file
is essential for safe internet operations.

Replacing it can be done manually, but replacing it with something very useful, is too easy.
It can be as simple as adding the Spybot HOSTS list from within the advanced program,
(Tools>Hosts File>Add Spybot S&D Hosts List) *This HOSTS list is currently being updated.

OR downloading and installing a specialist HOSTS file from a recognised site,
such as the MVPs site:
http://www.mvps.org/winhelp2002/hosts.htm
or hpguru's site
http://webpages.charter.net/hpguru/hosts/hosts.html

Essentially, these will add one more layer of protection for your system.

................................................................................................................................................

Where to find and install the HOSTS file
=============================
Win9x/Me C:\Windows
WinNT/2K C:\Winnt\System32\Drivers\etc
WinXP Home/Pro C:\Windows\System32\Drivers\etc


* Note: Hosts has no file extension. It's the whole Folder.

................................................................................................................................................

HOSTS files have several uses. A Hosts file:
    * will block advertising/porn/ sites (or any other site you wish) if those entries are included
    * will block ads from bad sites (including tracking ads), on any site you happen to go to
    * will block IP calls on any port, whether it is HTTP(the web), FTP or whatever
    * will bypass any redirects to the listed bad sites,
    * will allow you to update changes to domains and IP addresses quickly
    * and you can edit in, any site you don’t want accessed, and your browser will never go there- useful for some families
Work your way through a couple of uses on these sites, as well as finding how to re-name and edit your HOSTS file manually, and troubleshooting tips as well.
http://www.mvps.org/winhelp2002/hosts.htm
Another classic site is Gorilla’s http://www.accs-net.com/hosts
................................................................................................................................................

With a Hosts file installed, any attempt to go to those blocked sites will give you
the >> ‘Cannot find server’ page: This is deliberate - ignore the warning blurb completely.
Quote:

The page cannot be displayed

The page you are looking for is currently unavailable.
The Web site might be experiencing technical difficulties,
or you may need to adjust your browser settings.
---------------------------------------------------------------

Please try the ……etc etc
If you have a serious need to go to a blocked site, you will need to disable the Hosts file temporarily,
or disable that blocked entry temporarily by putting a # at the front of the entry.
Any line with a # at the front is bypassed.
..................................................................................................................................................

Galadriel covers one example of a hosts file hijack here:
http://forums.tomcoyote.org/index.php?showtopic=273
and the directions apply generally;[-updated only for the availability of the patch],

And another log discussion is here: http://forums.tomcoyote.org/index.php?showtopic=3981
................................................................................................................................................

It can be very easy to help block some HOSTS file hijacks: >> Set the HOSTS file to read-only.
Open the containing folder, right-click on the file, select Properties,
check the "Read-only" box and click OK.

OR simply check the box on the Spybot Immunize page Lock Hosts function;
and then uncheck it again, to make any changes.

This should stop many simple hijack attempts to rewrite the hosts file.
Note: This may not stop several CWS hosts hijacks.

................................................................................................................................................

Sample hosts file...
Quote:
# Ad Hosts last update on 06/10/2004 09:50PM
# Ad Hosts last verified by hpguru on 05/15/2004
# Support
# http://www.hostboard.com/cgi-bin/ultimatebb.cgi/ubb/forum/f/7596
# http://groups.yahoo.com/group/hphosts_support/
# hphosts@yahoo.com
#
# Download
# http://groups.yahoo.com/group/hphosts_support/files/
# http://webpages.charter.net/hpguru/hosts/hosts.html
#
# ALL HTML formatted email sent to the above address will be flagged
# as a potential virus and deleted. Please use plain text only.
# Any and all urls found in spam sent to the above address will be added
# to this hosts file shortly thereafter. Thanks for the contributions! Wink
#
# Mark this text with CTRL+A, copy it with CRTL+C and save it as your hosts file.
# If you need 0.0.0.0 instead of 127.0.0.1 you can use your text editor with
# Search and Replace.
#
# Important! - Rename this file to "HOSTS" (no .txt extension).
#
# localhost address - Do Not Remove
127.0.0.1 localhost
#
# Trusted Hosts - Enter your trusted hosts here with their correct IP addresses
#
## Removed due to compatibility issues with other programs
#
# Known or Suspected DNS Hijackers
127.0.0.1 sitefinder.verisign.com
127.0.0.1 sitefinder-idn.verisign.com
127.0.0.1 is.netster.com
127.0.0.1 uu-3-130.buydomains.com
#
# 26,108 Ad Hosts
#
127.0.0.1 0-apr-credit-card.com
127.0.0.1 0-ol1oiz-xolxii1-oxli10ozl1l1-o-l-11-iizxp-l-0o-oll11iz0oil-ol.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 00hq.com
127.0.0.1 00inkjets.com
127.0.0.1 0190-dialer.com
127.0.0.1 02kmky1xgzbmsdfx.com
127.0.0.1 05p.com
127.0.0.1 070.us
127.0.0.1 077.us
127.0.0.1 08.185.87.0.liveadvert.com


Open, read and manage the hosts file with Hostess
from here: http://accs-net.com/hostess

................................................................................................................................................
Topical item: 'My Doom' Hosts file notes:
ABC News - My Doom

................................................................................................................................................
How does it work?
The short answer is that the Hosts file is like an address book or a list of traffic signs.
When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address for Yahoo, i.e. 64.58.76.229 .
If you do, then your computer will "call it" and the site will open.

If not, your computer will ask your ISP's DNS Server for the IP address before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. It goes through your ISP and it all happens automatically.

Why is Dynamic DNS necessary?
IP addresses such as 64.58.76.229 can be difficult for people to remember, so a scheme called DNS (Domain Name Service) was developed. DNS is a database which maps a human-friendly name, a domain name, to an underlying IP address. For instance, DNS allows you to type www.yahoo.com instead of 64.58.76.229 to get to Yahoo!.

Not only are IP addresses difficult to remember, but they may not even stay the same. Most Internet service providers assign dynamic and not static IP addresses to their subscribers. A dynamic IP address means that every time you connect to your ISP or at certain intervals, your computer's IP address may change.

Dynamic DNS service solves these issues by allowing you to use an easy to remember domain name instead of an IP address to help others locate your computer. It also constantly monitors any changes in your machine's IP address and updates the domain name-IP address mapping in DNS.

................................................................................................................................................
Common examples:
127.0.0.1 www.coolwebsearch.com
127.0.0.1 ad.doubleclick.net>>
127.0.0.1 www.abetterinternet.com
(examples needed here…)

Special cases:
For those who couldn’t get to Merijn’s site recently; these helped our browsers get there.
216.40.225.12 merijn.org
216.40.225.12 www.merijn.org

/Edit: Update These two IPs look to have been reassigned to privacymachine.com (another X-Block site) X-Block was hosting merijn.org during the attacks, and those IPs no longer point to merijn.org
These can now be taken out of your hosts file if it has these entries. [i.e. If you manually put them there.]

Merijn, Shredder and Chronicles can now be found at Http://www.spywareinfo.com/~merijn and no doubt some of the other mirrors listed in these forums under CWShredder.
The new hosts hack is
209.133.47.200 merijn.org

203.161.127.141 www.dcsresearch.com
TDS-3 ..a trojan scanner remover - TDS have authorised the redirection from an old site of theirs [www.dcsresearch.com],
to their new host, 203.161.127.141

Quote:
www.dcsresearch.com is no longer owned by TDS. TDS-3 (if it is installed on your system) adds an entry to your HOSTS file to redirect that address to the correct ip. You can add it yourself like this if you like, 203.161.127.141 www.dcsresearch.com
Or just bookmark http://www.diamondcs.com.au/forum/



>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>


General References
===============
http://www.accs-net.com/hosts
http://www.mvps.org/winhelp2002/hosts.htm
http://webpages.charter.net/hpguru/hosts/hosts.html
http://www.everythingisnt.com/hosts.html
http://pgl.yoyo.org/adservers
http://someonewhocares.org/hosts
http://www.dslreports.com/faq/3972
http://accs-net.com/hostess
http://accs-net.com/hosts/HostsToggle
http://asp.flaaten.dk/download/pafiledb.php?action=category&id=2

[Edit - This is a live document and is readily editable for feedback and new info as it comes along.]
hth
Ice
_________________
Smile Travel safely ! Smile


Last edited by iceblue on Sun Jul 04, 2004 2:57 am; edited 26 times in total
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Apr 2014
Posts: 10310
Location: sunny California

Posted: Thu Mar 04, 2004 9:07 am    Post subject:

Great information - thanks Iceblue!
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. Smile
Computer illiterate!
Newbie


Joined: 19 Feb 2004
Last Visit: 20 Mar 2004
Posts: 4

Posted: Thu Mar 04, 2004 9:40 am    Post subject:

hello
about this merging thing just how or what do you do to make it merge? "http://www.mvps.org/winhelp2002/hosts.htm and merging it with yours.
i.e. but not both as there may be conflict problems."

_________________
in default plain text
iceblue
Warrior Guru


Joined: 18 Jan 2004
Last Visit: 11 Apr 2006
Posts: 392
Location: Sydney

Posted: Thu Mar 04, 2004 10:29 pm    Post subject:

hello there CI,
You can simply replace your existing hosts with an update from mvps/accs/hpguru etc
or
backup and copy to notepad; then add the new entries; sort and save as the new hosts file;
how_to_use_hosts
or
look into using HOSTESS to manage a host file database if you want to keep your existing entries and avoid duplications and errors.
HOSTESS

hth
Ice
_________________
Smile Travel safely ! Smile
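
As an added example (not part of the thread and not code from any of the tools named in it), the Python sketch below parses hosts-file text, lists entries that point a name at a non-local address (the kind of line HijackThis shows as `O1 - Hosts:` in the first post), and merges an update into an existing file with one line per hostname, reporting conflicts instead of silently overwriting. The sample files and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample files, built from entries quoted in the thread above.
EXISTING = """\
# localhost address - Do Not Remove
127.0.0.1 localhost
127.0.0.1 popup.ads.com
216.177.73.139 ieautosearch
#127.0.0.1 www.coolwebsearch.com
203.161.127.141 www.dcsresearch.com
"""
UPDATE = """\
0.0.0.0 popup.ads.com
127.0.0.1 www.coolwebsearch.com
127.0.0.1 www.dcsresearch.com
not-an-ip bad.line
"""


def is_local(ip):
    """True for the 127.0.0.1 / 0.0.0.0 style addresses used to block a name."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text):
    """Return (entries, rejected): (ip, hostname) pairs and unparseable lines."""
    entries, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            rejected.append((lineno, raw))
            continue
        if len(fields) < 2:  # an address with no hostname after it
            rejected.append((lineno, raw))
            continue
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries, rejected


def redirects(entries):
    """Entries that point a name at a remote address: review each one."""
    return [(ip, name) for ip, name in entries if not is_local(ip)]


def merge(existing, update):
    """One mapping per hostname; the first one seen is kept, clashes reported."""
    merged, conflicts = {}, []
    for ip, name in existing + update:
        if name not in merged:
            merged[name] = ip
        elif merged[name] != ip and not (is_local(merged[name]) and is_local(ip)):
            conflicts.append((name, merged[name], ip))
    return merged, conflicts


def render(merged):
    """Hosts-file text: localhost first, then the rest sorted by hostname."""
    names = sorted(merged, key=lambda n: (n != "localhost", n))
    return "".join(f"{merged[n]} {n}\n" for n in names)


if __name__ == "__main__":
    old, _ = parse_hosts(EXISTING)
    new, bad = parse_hosts(UPDATE)
    merged, conflicts = merge(old, new)
    print("review:", redirects(old))
    print("conflicts:", conflicts, "rejected:", bad)
    print(render(merged), end="")
```

A redirect in the review list is not automatically hostile (the TDS-3 entry in the first post is a deliberate one), so the list is a prompt for a human decision before the merged file is written.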
CalamityKen
Warrior Addict


Joined: 06 Mar 2004
Last Visit: 26 Aug 2004
Posts: 611
Location: Ont. Canada

Posted: Sun Mar 07, 2004 9:24 am    Post subject:

Advanced HOSTS file usage.

HOSTESS is a great HOSTS file manager and has a database function that eliminates duplicates and has a fast search capability.
http://accs-net.com/hostess/

eDexter speeds up Web browsing when using the HOSTS file and replaces the red 'x' images with blanks.
http://www.accs-net.com/hosts/eDexter.html

A great HOSTS file with over 26,000 validated entries.
http://webpages.charter.net/hpguru/hosts/hosts.html

Setting the "Read Only" attribute gives a false sense of security as it is only valid for Win2K/XP non Administrator user accounts. Win95/98/ME are vulnerable. CWS are masters at altering "Read Only" HOSTS files.

If you are using a large HOSTS file in Win2K/XP then the DNS Client Service needs to be set to Manual to avoid system slowdowns. The DNS Client Service is an unnecessary Service that is needed very rarely.
http://www.blackviper.com/WinXP/servicecfg.htm

Discussing the "Best" HOSTS file is like discussing religion and politics. Everyone is entitled to their own but some people will insist theirs is the best. Showing information permits people to make up their own mind.

Validating the HOSTS file is a formidable challenge. Just the use of "ping" is not enough as sites block this. Tools like SamSpade for Windows permits viewing the raw HTML at sites so that one can assess what it does.
_________________
Install IE-SPYAD and SpywareBlaster updated regularly available in the following links .
How did I get infected? http://boards.cexx.org/viewtopic.php?t=957
Calendar Of Updates http://www.dozleng.com/updates/index.php?&act=calendar
member
iceblue
Warrior Guru


Joined: 18 Jan 2004
Last Visit: 11 Apr 2006
Posts: 392
Location: Sydney

Posted: Sun Mar 07, 2004 2:01 pm    Post subject:

Excellent post, CK.
This is so true:
Quote:
CWS are masters at altering "Read Only" HOSTS files.


One further backup precaution, is to encrypt your Hosts file using one of SpywareBlaster's tools.
Quote:
Hosts Safe: The Hosts Safe can store encrypted backup copies or snapshots of the Hosts file. These backup copies are stored in the SpywareBlaster folder. Should you ever need to restore a backup copy of your hosts file, simply select it from the displayed list and press the "Restore Saved Backup" button.
and this works for all operating systems. Should your Hosts file become corrupted, it is an easy fix to replace it from a backup. The whole operation takes two seconds from within SpywareBlaster > Tools > Hosts Safe.
_________________
Smile Travel safely ! Smile
CalamityKen
Warrior Addict


Joined: 06 Mar 2004
Last Visit: 26 Aug 2004
Posts: 611
Location: Ont. Canada

Posted: Sun Mar 07, 2004 2:39 pm    Post subject:

If you use HOSTESS then a quick Export will get the HOSTS file back to how you want it.
_________________
Install IE-SPYAD and SpywareBlaster updated regularly available in the following links .
How did I get infected? http://boards.cexx.org/viewtopic.php?t=957
Calendar Of Updates http://www.dozleng.com/updates/index.php?&act=calendar
member
Moore
Moderator


Joined: 31 May 2004
Last Visit: 22 Jul 2013
Posts: 758
Location: °°.MooreLand.°°

Posted: Fri Jun 04, 2004 7:35 pm    Post subject:

Hi, excellent guide ICEBLUE ..

Here's a great HOSTS manager by Gladiator Anti-virus Global Mod Toadbee , to check out : HOSTER 1.3

I think it is very handy alongside the HOSTESS.. you can back up your HOSTS file and edit hostnames easily, append new entries to your existing file.. and a lot more and it's free of course..

Toadbees HOSTS Manager:
http://members.aol.com/toadbee/hoster.zip
frederik
Newbie


Joined: 20 Jun 2004
Last Visit: 01 Jul 2004
Posts: 3

Posted: Wed Jun 30, 2004 11:49 pm    Post subject: HOSTS

Hi, very informative article about HOSTS and the use of it, I just have a question.
CalamityKen wrote about using a large HOSTS file in win xp, it could be good to change the DNS from automatic to manual to avoid slowdowns, no problem, I did that, but at what level is the HOSTS file recognized as large? mine is this size: 128kB, it's the HOSTS file from Bluetack with some personal addin's.
regards frederik
Moore
Moderator


Joined: 31 May 2004
Last Visit: 22 Jul 2013
Posts: 758
Location: °°.MooreLand.°°

Posted: Thu Jul 01, 2004 12:58 am    Post subject:

Hi Frederick, my HOSTS is only about 1mb and no slowdown so far with the DNS service on manual, I'm sure there are people with bigger .. you shouldn't have to worry about it for a while yet ...

and how rude of me not to say great stuff by Calamity Ken too.
_________________
| Stop Malvertising | Outpost | Blocklist Pro | Hosts |
frederik
Newbie


Joined: 20 Jun 2004
Last Visit: 01 Jul 2004
Posts: 3

Posted: Thu Jul 01, 2004 1:47 am    Post subject: Hosts sizing

Hi Moore, thanks for the answer, I was a little worried, 'cause I've seen some Hosts on the net, and was thinking about merging them, so that I will do soon, 'cause I can see a well managed Hosts file is a good security advance.
regards frederik
CalamityKen
Warrior Addict


Joined: 06 Mar 2004
Last Visit: 26 Aug 2004
Posts: 611
Location: Ont. Canada

Posted: Thu Jul 01, 2004 4:05 am    Post subject:

frederik, a good HOSTS file manager is HOSTESS and to replace the "empty space" caused by the HOSTS file I use eDexter.
http://accs-net.com/hostess/
http://www.accs-net.com/hosts/eDexter.html

It seems like the slowdown caused by a large HOSTS file only occurs for some people. I believe it has something to do with processor speed and the amount of RAM.

Thanks Moore
_________________
Install IE-SPYAD and SpywareBlaster updated regularly available in the following links .
How did I get infected? http://boards.cexx.org/viewtopic.php?t=957
Calendar Of Updates http://www.dozleng.com/updates/index.php?&act=calendar
member
All times are GMT - 8 Hours