New Entries in my Host File

Discussion in 'Computer Security' started by RM, Sep 25, 2003.

  1. RM

    RM Guest

    I have a Windows XP System running behind a PIX 501 firewall. I went to go
    to google to look up some information and came to a page advertising some
    type of security software. It said to go to my host file and remove the
    entries. I went to my host file and found the entries below had been added.
    Has anyone else seen this? Where does it originate from?

    RM

    the information below had been added to my hosts file:

    RM, Sep 25, 2003
    #1

  2. RM

    Bit Twister Guest

    On Thu, 25 Sep 2003 04:19:25 GMT, RM wrote:
    > I have a Windows XP System running behind a PIX 501 firewall. I went to go
    > to google to look up some information and came to a page advertising some
    > type of security software. It said to go to my host file and remove the
    > entries. I went to my host file and found the entries below had been added.
    > Has anyone else seen this? Where does it originate from?


    You can use http://samspade.org/ to Do Stuff to look up an IP address's ISP/owner.

    Example: looking up my IP addy will show AT&T WorldNet Services as
    owning the IP assigned to me from my Comcast.net ISP.

    Just guessing, the site you are sent to to get the fix, stuck the
    64.191.95.139 ip address in your hosts file somehow.

    Maybe you can wipe the hosts file, go to every site in your history file,
    check the hosts file after each site and see if it comes back.
    Bit Twister, Sep 25, 2003
    #2
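A defender-side check for the pattern described in this thread (many search-engine hostnames mapped to one outside address) and for the re-check-after-each-site approach suggested above. This is an added example, not code from the thread or from any tool mentioned in it; the sample hosts text and the clean baseline are constructed, and the threshold of three names per public address is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of a Windows hosts file; the hijack lines
# copy the pattern in the original post (search engines pointed at one address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.127.127.127 elite
64.191.95.139   www.google.com
64.191.95.139   google.com   # trailing comment
64.191.95.139   search.yahoo.com search.msn.com
"""
CLEAN_HOSTS = "127.0.0.1 localhost\n"  # constructed baseline taken before browsing


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank lines and aliases handled."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            pairs.extend((ip, n.lower()) for n in names)
    return pairs


def suspicious_entries(pairs, min_names=3):
    """Flag every address that is not loopback, as (ip, [hostnames], reason).
    One non-loopback line may be a legitimate LAN alias; several well-known
    names on one public address is the mass-redirect pattern from the thread."""
    by_ip = defaultdict(list)
    for ip, name in pairs:
        by_ip[ip].append(name)
    findings = []
    for ip, names in by_ip.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, names, "unparseable address"))
            continue
        if addr.is_loopback:
            continue  # 127/8: traffic never leaves the machine
        if addr.is_global and len(names) >= min_names:
            findings.append((ip, names, "mass redirect to a public address"))
        else:
            findings.append((ip, names, "non-loopback entry, review manually"))
    return findings


def added_since(baseline_text, current_text):
    """Entries present now but not in the baseline (re-check after each site)."""
    return sorted(set(parse_hosts(current_text)) - set(parse_hosts(baseline_text)))
```

On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts; read its text and pass it to these functions, saving a copy as the baseline before browsing.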

  3. RM

    Frode Guest

    RM wrote:
    > I have a Windows XP System running behind a PIX 501 firewall. I went to
    > go to google to look up some information and came to a page advertising
    > some type of security software. It said to go to my host file and remove
    > the entries. I went to my host file and found the entries below had been
    > added. Has anyone else seen this? Where does it originate from?


    AFAIK it's done via an IE hole. Apparently a very limited hole in this case
    since all it seems to enable is the editing of the hosts file to hijack a ton
    of search engines and redirect you to a crappy search site instead. Spybot
    S&D's solution is to just make the hosts file read-only I believe.


    - --
    Frode

    Frode, Sep 25, 2003
    #3
  4. David Postill

    In article <h1ucb.100083$>, on Thu, 25 Sep 2003 04:19:25 GMT, "RM" <> wrote:

    | I have a Windows XP System running behind a PIX 501 firewall. I went to go
    | to google to look up some information and came to a page advertising some
    | type of security software. It said to go to my host file and remove the
    | entries. I went to my host file and found the entries below had been added.
    | Has anyone else seen this? Where does it originate from?
    |
    | RM
    |
    | the information below had been added to my hosts file:
    |
    | 127.127.127.127 elite
    |
    | 64.191.95.139 www.google.com

    <snip>

    See
    <http://www.google.com.ni/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=%2264.191.95.139%22>

    For two threads discussing this very problem.

    <davidp />

    - --
    David Postill

    David Postill, Sep 25, 2003
    #4
  5. RM

    Dave Korn Guest

    "Frode" <> wrote in message
    news:3f72bbc3$...
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > RM wrote:
    > > I have a Windows XP System running behind a PIX 501 firewall. I went to
    > > go to google to look up some information and came to a page advertising
    > > some type of security software. It said to go to my host file and remove
    > > the entries. I went to my host file and found the entries below had been
    > > added. Has anyone else seen this? Where does it originate from?
    >
    > AFAIK it's done via an IE hole. Apparently a very limited hole in this case

    <KOFF!>

    > since all it seems to enable is the editing of the hostfile


    <GAKK!>

    Are you aware what you just said? Basically, the ability to rewrite a
    hosts file can give you more or less total control over a remote machine.
    How 'limited' would you call this hole if the hosts file had been rewritten
    to say

    > 64.191.95.139 www.hotmail.com
    > 64.191.95.139 www.passport.net
    > 64.191.95.139 www.msn.com


    or never mind that, I just thought up one a million times worse.

    > 64.191.95.139 a.gtld-servers.net
    > 64.191.95.139 b.gtld-servers.net
    > 64.191.95.139 c.gtld-servers.net
    > 64.191.95.139 d.gtld-servers.net
    > 64.191.95.139 e.gtld-servers.net
    > 64.191.95.139 f.gtld-servers.net
    > 64.191.95.139 g.gtld-servers.net
    > 64.191.95.139 h.gtld-servers.net


    Just 8 entries written to the hosts file, and all of a sudden you're MITM
    *EVERY*SINGLE*THING*THEY*SEND*.

    Now would you call it serious?

    DaveK
    --
    moderator of
    alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
    Burn your ID card! http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    Proud Member of the Exclusive "I have been plonked by Davee because he
    thinks I'm interesting" List Member #<insert number here>
    Master of Many Meowing Minions
    Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
    and beyond the call of hilarity.
    PGP Key-ID: 0x0FB504D1 Fingerprint 04B7 2E8C 0245 680E 6484 C441 CEC7 D2BD
    Dave Korn, Sep 29, 2003
    #5
  6. RM

    Frode Guest

    Dave Korn wrote:
    > Are you aware what you just said? Basically, the ability to rewrite a
    > hosts file can give you more or less total control over a remote
    > machine.


    No, it will give you control over the machine's target for specific
    hostnames.

    > How 'limited' would you call this hole if the hosts file had been
    > rewritten to say
    >> 64.191.95.139 www.msn.com


    That one would be an improvement imo :p

    > or never mind that, I just thought up one a million times worse.

    [snip]
    >> 64.191.95.139 h.gtld-servers.net

    > Just 8 entries written to the hosts file, and all of a sudden you're
    > MITM *EVERY*SINGLE*THING*THEY*SEND*.


    Name a few programs that go straight to root nameservers as opposed to
    the DNS servers defined on the machine. I can't think of a single one. Nor
    would that program go to the hostname of a root nameserver but to its IP,
    thus making the hosts file a non-issue in this case.

    > Now would you call it serious?


    Not in the least when it comes to the nameservers. For those that use
    passport for anything relating to money, however, you have a point. Although
    my guess would be that the password authentication is in itself encrypted
    to some Microsoft public key and thus wouldn't do them any good even if the
    malicious hacker did create a fake destination server to try and grab your
    password. I'm just guessing there though. 'Tis how I would do it, but no one's
    ever accused Microsoft of being security minded, so the "passport" (if it is
    anything more than your username/pwd on hotmail, that is) may have no other
    protection than ssl for all I know.

    I do wholeheartedly agree that this bug has no business existing and that
    any bug of this sort can be potentially exploited. I got the impression
    it's been around for a good while too.


    - --
    Frode

    Frode, Sep 30, 2003
    #6