Velocity Reviews - Computer Hardware Reviews

New Entries in my Host File

 
 
RM
09-25-2003
I have a Windows XP System running behind a PIX 501 firewall. I went to go
to google to look up some information and came to a page advertising some
type of security software. It said to go to my host file and remove the
entries. I went to my host file and found the entries below had been added.
Has anyone else seen this? Where does it originate from?

RM

the information below had been added to my hosts file:

127.127.127.127 elite
64.191.95.139 www.google.com
64.191.95.139 google.com
64.191.95.139 www.altavista.com
64.191.95.139 altavista.com
64.191.95.139 search.yahoo.com
64.191.95.139 uk.search.yahoo.com
64.191.95.139 ca.search.yahoo.com
64.191.95.139 jp.search.yahoo.com
64.191.95.139 au.search.yahoo.com
64.191.95.139 de.search.yahoo.com
64.191.95.139 search.yahoo.co.jp
64.191.95.139 www.lycos.de
64.191.95.139 www.lycos.ca
64.191.95.139 www.lycos.jp
64.191.95.139 www.lycos.co.jp
64.191.95.139 alltheweb.com
64.191.95.139 web.ask.com
64.191.95.139 ask.com
64.191.95.139 www.ask.com
64.191.95.139 www.teoma.com
64.191.95.139 search.aol.com
64.191.95.139 www.looksmart.com
64.191.95.139 search.msn.com
64.191.95.139 ca.search.msn.com
64.191.95.139 fr.ca.search.msn.com
64.191.95.139 search.fr.msn.be
64.191.95.139 search.fr.msn.ch
64.191.95.139 search.latam.yupimsn.com
64.191.95.139 search.msn.at
64.191.95.139 search.msn.be
64.191.95.139 search.msn.ch
64.191.95.139 search.msn.co.in
64.191.95.139 search.msn.co.jp
64.191.95.139 search.msn.co.kr
64.191.95.139 search.msn.com.br
64.191.95.139 search.msn.com.hk
64.191.95.139 search.msn.com.my
64.191.95.139 search.msn.com.sg
64.191.95.139 search.msn.com.tw
64.191.95.139 search.msn.co.za
64.191.95.139 search.msn.de
64.191.95.139 search.msn.dk
64.191.95.139 search.msn.es
64.191.95.139 search.msn.fi
64.191.95.139 search.msn.fr
64.191.95.139 search.msn.it
64.191.95.139 search.msn.nl
64.191.95.139 search.msn.no
64.191.95.139 search.msn.se
64.191.95.139 search.ninemsn.com.au
64.191.95.139 search.t1msn.com.mx
64.191.95.139 search.xtramsn.co.nz
64.191.95.139 search.yupimsn.com
64.191.95.139 uk.search.msn.com
64.191.95.139 search.lycos.com
64.191.95.139 www.lycos.com
64.191.95.139 www.google.ca
64.191.95.139 google.ca
64.191.95.139 www.google.uk
64.191.95.139 www.google.co.uk
64.191.95.139 www.google.com.au
64.191.95.139 www.google.co.jp
64.191.95.139 www.google.jp
64.191.95.139 www.google.at
64.191.95.139 www.google.be
64.191.95.139 www.google.ch
64.191.95.139 www.google.de
64.191.95.139 www.google.dk
64.191.95.139 www.google.fi
64.191.95.139 www.google.fr
64.191.95.139 www.google.com.gr
64.191.95.139 www.google.com.hk
64.191.95.139 www.google.ie
64.191.95.139 www.google.co.il
64.191.95.139 www.google.it
64.191.95.139 www.google.co.kr
64.191.95.139 www.google.com.mx
64.191.95.139 www.google.nl
64.191.95.139 www.google.co.nz
64.191.95.139 www.google.pl
64.191.95.139 www.google.pt
64.191.95.139 www.google.com.ru
64.191.95.139 www.google.com.sg
64.191.95.139 www.google.co.th
64.191.95.139 www.google.com.tr
64.191.95.139 www.google.com.tw
64.191.95.139 google.at
64.191.95.139 google.be
64.191.95.139 google.de
64.191.95.139 google.dk
64.191.95.139 google.fi
64.191.95.139 google.fr
64.191.95.139 google.com.hk
64.191.95.139 google.ie
64.191.95.139 google.co.il
64.191.95.139 google.it
64.191.95.139 google.co.kr
64.191.95.139 google.com.mx
64.191.95.139 google.nl
64.191.95.139 google.co.nz
64.191.95.139 google.pl
64.191.95.139 google.com.ru
64.191.95.139 google.com.sg
64.191.95.139 www.hotbot.com
64.191.95.139 hotbot.com


 
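An added example (my code, not anything posted in this thread) that audits a hosts file for the pattern above: it parses the hosts format that Windows and Unix share, ignores the expected localhost lines, and reports any public address that collects several hostnames, which is exactly what one address carrying a hundred search-engine names looks like. The sample input is constructed from a few of the lines in the post plus benign entries; the fan-in threshold of 3 and the default file paths are assumptions.

```python
"""Hosts-file hijack audit (added example; not code from the thread)."""
import ipaddress
import os
import sys
from collections import defaultdict

# Constructed sample input: stock XP header, localhost, a few of the lines
# from the post, a plausible LAN entry and one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1\tlocalhost
127.127.127.127 elite
64.191.95.139 www.google.com
64.191.95.139 google.com
64.191.95.139 search.yahoo.com
64.191.95.139 www.altavista.com   # inline comment is legal
192.168.1.10 intranet printer
not-an-address www.example.test
"""

EXPECTED_LOCAL = {"127.0.0.1", "::1", "0.0.0.0", "::"}
FAN_IN_THRESHOLD = 3  # assumption: tune for your environment


def parse_hosts(text):
    """Return [(address, hostname), ...]. Blank lines, comments and lines
    whose first field is not an IP address are skipped; names lower-cased."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid hosts entry
        for name in fields[1:]:
            pairs.append((str(addr), name.lower()))
    return pairs


def audit_hosts(text, fan_in_threshold=FAN_IN_THRESHOLD):
    """Map address -> (verdict, sorted hostnames) for every address other
    than the expected local ones.  Verdicts:
      odd-loopback : loopback other than 127.0.0.1/::1 (the 'elite' marker)
      private      : RFC 1918 / link-local, usually legitimate LAN entries
      fan-in       : public address carrying >= threshold hostnames
      public       : public address carrying fewer hostnames
    """
    by_addr = defaultdict(set)
    for addr, name in parse_hosts(text):
        by_addr[addr].add(name)

    findings = {}
    for addr, names in by_addr.items():
        if addr in EXPECTED_LOCAL:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            verdict = "odd-loopback"
        elif ip.is_private or ip.is_link_local:
            verdict = "private"
        elif len(names) >= fan_in_threshold:
            verdict = "fan-in"
        else:
            verdict = "public"
        findings[addr] = (verdict, sorted(names))
    return findings


def default_hosts_path():
    """Assumed locations: %SystemRoot%\\System32\\drivers\\etc\\hosts or /etc/hosts."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS  # fall back to the constructed sample
    for addr, (verdict, names) in sorted(audit_hosts(text).items()):
        print(f"{verdict:13} {addr:17} {len(names):4} name(s): {', '.join(names[:5])}")
```

Run it with no argument to audit the machine's own hosts file, or pass a path to a copy pulled from another box. Addresses it reports as fan-in or public are the ones worth feeding to a whois lookup.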
Bit Twister
09-25-2003
On Thu, 25 Sep 2003 04:19:25 GMT, RM wrote:
> I have a Windows XP System running behind a PIX 501 firewall. I went to go
> to google to look up some information and came to a page advertising some
> type of security software. It said to go to my host file and remove the
> entries. I went to my host file and found the entries below had been added.
> Has anyone else seen this? Where does it originate from?


You can use http://samspade.org/ to Do Stuff to look up ip address ISP/owner

Example looking up my ip addy will show AT&T WorldNet Services as
owning the ip assigned to me from my Comcast.net ISP.

Just guessing, the site you are sent to to get the fix, stuck the
64.191.95.139 ip address in your hosts file somehow.

Maybe you can wipe the hosts file, go to every site in your history file,
check hosts file after each site and see if it comes back.
 
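The "check the hosts file after each site" procedure above, done with a script instead of by eye. This is an added example, not code from the thread: it takes a SHA-256 baseline of the hosts file and on each re-check reports exactly which lines were added or removed. The two sample files are constructed, and the polling interval is an assumption.

```python
"""Hosts-file change detection (added example; not code from the thread)."""
import hashlib
import os
import tempfile
import time


def snapshot(path):
    """Read the file once and keep what a later comparison needs. The hash
    is the authoritative signal; mtime is only a hint, a writer can reset it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "lines": set(data.decode("utf-8", errors="replace").splitlines()),
        "mtime": os.stat(path).st_mtime,
    }


def diff_snapshots(before, after):
    """None if the content hash is unchanged, else the added/removed lines."""
    if before["sha256"] == after["sha256"]:
        return None
    return {
        "added": sorted(after["lines"] - before["lines"]),
        "removed": sorted(before["lines"] - after["lines"]),
    }


def watch(path, interval=2.0, max_polls=None):
    """Generator: poll the file every `interval` seconds and yield
    (timestamp, diff) each time the content changes. Leave it running
    while you revisit the sites in your history."""
    base = snapshot(path)
    polls = 0
    while max_polls is None or polls < max_polls:
        time.sleep(interval)
        polls += 1
        cur = snapshot(path)
        d = diff_snapshots(base, cur)
        if d:
            yield time.strftime("%Y-%m-%d %H:%M:%S"), d
            base = cur


# Constructed sample: a clean file, then the kind of append the poster found.
CLEAN = "# stock hosts file\n127.0.0.1 localhost\n"
HIJACK = ("127.127.127.127 elite\n"
          "64.191.95.139 www.google.com\n"
          "64.191.95.139 google.com\n")


def demo():
    """Write the clean file, baseline it, append the hijack, re-check."""
    fd, path = tempfile.mkstemp(prefix="hosts-")
    os.close(fd)
    try:
        with open(path, "w") as fh:
            fh.write(CLEAN)
        before = snapshot(path)
        quiet = list(watch(path, interval=0, max_polls=1))  # nothing changed yet
        with open(path, "a") as fh:
            fh.write(HIJACK)
        after = snapshot(path)
        return {"quiet_watch": quiet, "changed": diff_snapshots(before, after)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print("watch while unchanged:", result["quiet_watch"])
    print("added:  ", result["changed"]["added"])
    print("removed:", result["changed"]["removed"])
```

On XP the file lives at %SystemRoot%\System32\drivers\etc\hosts. The read-only attribute that some cleanup tools set on it is a weak control, since anything running as the logged-in user (normally an Administrator on XP) can clear it, so a baseline plus diff is worth keeping alongside it.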
Frode
09-25-2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RM wrote:
> I have a Windows XP System running behind a PIX 501 firewall. I went to
> go to google to look up some information and came to a page advertising
> some type of security software. It said to go to my host file and remove
> the entries. I went to my host file and found the entries below had been
> added. Has anyone else seen this? Where does it originate from?


AFAIK it's done via an IE hole. Apparently a very limited hole in this case
since all it seems to enable is the editing of the hostfile to hijack a ton
of search engines and redirect you to a crappy search site instead. Spybot
S&D's solution is to just make the hosts file read-only I believe.


- --
Frode

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP3K7BuXlGBWTt1afEQIFxQCfR+tVQeX8zRiCU6UmaPRevgBHD00An0G6
d1+1Ie7R90ppJR9Br2lH8mNs
=EEsu
-----END PGP SIGNATURE-----


 
David Postill
09-25-2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <h1ucb.100083$(E-Mail Removed)>, on Thu, 25 Sep 2003
04:19:25 GMT, "RM"
<(E-Mail Removed)> wrote:

| I have a Windows XP System running behind a PIX 501 firewall. I went to go
| to google to look up some information and came to a page advertising some
| type of security software. It said to go to my host file and remove the
| entries. I went to my host file and found the entries below had been added.
| Has anyone else seen this? Where does it originate from?
|
| RM
|
| the information below had been added to my hosts file:
|
| 127.127.127.127 elite
|
| 64.191.95.139 www.google.com

<snip>

See
<http://www.google.com.ni/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=%2264.191.95.139%22>

For two threads discussing this very problem.

<davidp />

- --
David Postill

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2 - not licensed for commercial use: www.pgp.com
Comment: Get key from pgpkeys.mit.edu:11370

iQA/AwUBP3KtZXxp7q1nhFwUEQKyFQCgwuyWOcUlZTm1QjXfAk6fgg24vFwAoM4a
7NYyQV0Ho54+OSx059Mf+4Tu
=ELS9
-----END PGP SIGNATURE-----

 
Dave Korn
09-29-2003
"Frode" <(E-Mail Removed)> wrote in message
news:3f72bbc3$(E-Mail Removed)...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> RM wrote:
> > I have a Windows XP System running behind a PIX 501 firewall. I went to
> > go to google to look up some information and came to a page advertising
> > some type of security software. It said to go to my host file and remove
> > the entries. I went to my host file and found the entries below had been
> > added. Has anyone else seen this? Where does it originate from?
>
> AFAIK it's done via an IE hole. Apparently a very limited hole in this case

<KOFF!>

> since all it seems to enable is the editing of the hostfile


<GAKK!>

Are you aware what you just said? Basically, the ability to rewrite a
hosts file can give you more or less total control over a remote machine.
How 'limited' would you call this hole if the hosts file had been rewritten
to say

> 64.191.95.139 www.hotmail.com
> 64.191.95.139 www.passport.net
> 64.191.95.139 www.msn.com


or never mind that, I just thought up one a million times worse.

> 64.191.95.139 a.gtld-servers.net
> 64.191.95.139 b.gtld-servers.net
> 64.191.95.139 c.gtld-servers.net
> 64.191.95.139 d.gtld-servers.net
> 64.191.95.139 e.gtld-servers.net
> 64.191.95.139 f.gtld-servers.net
> 64.191.95.139 g.gtld-servers.net
> 64.191.95.139 h.gtld-servers.net


Just 8 entries written to the hosts file, and all of a sudden you're MITM
*EVERY*SINGLE*THING*THEY*SEND*.

Now would you call it serious?

DaveK
--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD


 
Frode
09-30-2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Korn wrote:
> Are you aware what you just said? Basically, the ability to rewrite a
> hosts files can give you more or less total control over a remote
> machine.


No, it will give you control over the machine's target for specific
hostnames.

> How 'limited' would you call this hole if the hosts file had been
> rewritten to say
>> 64.191.95.139 www.msn.com


That one would be an improvement imo

> or never mind that, I just thought up one a million times worse.

[snip]
>> 64.191.95.139 h.gtld-servers.net

> Just 8 entries written to the hosts file, and all of a sudden you're
> MITM *EVERY*SINGLE*THING*THEY*SEND*.


Name a few programs that go straight to root nameservers as opposed to
the DNS servers defined on the machine. I can't think of a single one. Nor
would that program go to the hostname of a root nameserver but to its IP,
thus making the hosts file a non-issue in this case.

> Now would you call it serious?


Not in the least when it comes to the nameservers. For those that use
passport for anything relating to money however you have a point. Although
my guess would be that the password authentication is in itself encrypted
to some Microsoft public key and thus wouldn't do them any good even if the
malicious hacker did create a fake destination server to try and grab your
password. I'm just guessing there though. 'Tis how I would do it but no one's
ever accused Microsoft of being security minded so the "passport" (if it is
anything more than your username/pwd on hotmail that is) may have no other
protection than ssl for all I know.

I do wholeheartedly agree that this bug has no business existing and that
any bug of this sort can be potentially exploited. I got the impression
it's been around for a good while too.


- --
Frode

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP3m69eXlGBWTt1afEQJR1gCfRZdX+mDt1ySv00fNgYoq8PZ62iQAoPOs
7Lv5i7kRr1KZ+K7S7pJpqNtj
=E0Eg
-----END PGP SIGNATURE-----


 