If you are unable to access some Internet sites, or requests to one Internet site are re-directed elsewhere, but you can access other Internet sites, your problem may be "Hosts File Hijacking".

What the Hosts file is:

On the Internet, people usually talk about Internet sites using domain names, like microsoft.com, dshield.org, whitehouse.gov, or gc.ca. But computer networks function using IP addresses.

Data to be sent on the Internet is broken up into chunks called packets (also called datagrams or "messages"). The destination IP address is put in the header of each packet and is used by each machine along the path to route the packet to the destination computer.

So before packets can be sent through the Internet, the sending computer must look up the destination domain name, find out its IP address, and put that IP address in the header of each packet.

The "Hosts" file is a special file in which your computer first tries to look up domain names. If it doesn't find the domain name there, it looks it up using your Internet Service Provider's (ISP's) domain name server (DNS).

Thus, altering the Hosts file can make Internet sites unreachable by misdirecting packets intended for one Internet site to the wrong place (the wrong IP address).



The steps for investigating and cleaning the Hosts file:


1. Backup the Hosts file. Here are the standard Hosts file locations:

Windows XP: C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K: C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME: C:\WINDOWS

First locate the Hosts file; it is a file named "Hosts" with no extension. Right-click on it, and select Copy. Now right-click in the clear space to the right of the Hosts file and select Paste. At the bottom of the file list there should now be a file named "Copy of Hosts" (or "Copy (2) of Hosts" if this is the second time you are doing this).

The backup is no danger to your computer because the name is changed. Keep it on your computer for at least one month, just in case you need to refer back to it.


2. Examine your Hosts file.

Download and open hoster.zip. Extract (that is, decompress or unzip) its contents (hoster.exe) to a permanent folder (for example c:\hoster).

Run Hoster.exe. Click the "BackUp Hosts File" button.

The contents of the Hosts file appear in the window on the left. You will be able to edit, remove unwanted lines, and save the Hosts file with Hoster. But don't change anything until you get to step 6. First you have to analyze what is there now.


3. Analyze the Hosts file.

The Hosts file consists of lines with up to 3 parts:
a) The IP address to direct messages for a domain to.
b) The domain name.
c) Anything after "#" on a line is a comment for people, and the computer will ignore it.

Here is a sample Hosts file.

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine (host) name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
# Start of entries inserted by some anti-spyware software
# [Misc Add-ons][A - Z]
127.0.0.1 abcsearch.com
# End of entries inserted by some anti-spyware software
101.4.5.2 aardvark.com # Everything after a pound sign on a line
101.5.6.8 emeraldcs.com # is a comment for people and
127.0.0.1 kaspersky.com # ignored by the computer.
127.0.0.1 mcafee.com
127.0.0.1 symantec.com


3.1 "127.0.0.1 localhost" is in every Hosts file. It merely tells the computer to send messages for other parts of the same computer (the local host) to the "loop back" address 127.0.0.1. In a new default installation of Windows, this is the only line in the Hosts file that is not a comment.

3.2 The line that reads "127.0.0.1 abcsearch.com" was added by anti-spyware or anti-tracking software. Since the anti-spyware software named in the comment is installed on the computer, this is not unexpected.

Before sending messages to abcsearch.com, the computer would check the Hosts file and see that it should send the messages to IP address 127.0.0.1, which loops back to the computer itself, which will ignore the messages. In this way, messages to abcsearch.com are blocked from ever getting there.

3.3 The line that reads "101.4.5.2 aardvark.com" was added to make access to aardvark.com faster. The computer won't have to look up the IP address of aardvark.com on a DNS, because when it first checks the Hosts file, it sees it should send messages for aardvark.com to 101.4.5.2.

The Hosts file is rarely used to speed access anymore, because of the problems keeping it up-to-date as domains move from one IP address to another, and because DNS servers are usually very fast now. DNS servers are updated automatically. The Hosts file has to be updated manually.

3.4 The line that reads "101.5.6.8 emeraldcs.com" was added when Emerald's clock software was added, so that customer computers enter their site using a different IP address than non-customer computers.

This is invisible to Emerald's customers unless they check the Hosts file. To determine that the entry was put there legitimately, one would have to ask someone else who also ran Emerald's software and had a clean machine to check their Hosts file; or check the FAQs and forums on Emerald's website; or email Emerald's technical support. (Because your email goes to an email server first, and not directly to Emerald, you can still contact Emerald using your ISP's email, or a web based email like Hotmail.)

3.5 The lines that read "127.0.0.1 kaspersky.com", "127.0.0.1 mcafee.com" and "127.0.0.1 symantec.com" were added by malware in an attempt to prevent the computer from communicating with anti-virus companies and getting anti-virus information and database updates from them.

When the program that updates Symantec's anti-virus database tries to contact the Symantec Internet site, the computer will read the Hosts file and find the line saying to use IP address 127.0.0.1 to reach Symantec. Therefore communications with Symantec and the other anti-virus companies listed will fail.

If there are lines for many anti-virus, anti-trojan and firewall companies in your Hosts file, it is a pretty safe guess that they were put there by malware or a hacker. To solve the immediate problem, you will delete the unwanted lines and save the Hosts file.

If your hosts file looks okay, then you are done here. The problem has a different cause. Try following the investigation steps here instead: Click here.
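An added example (not part of the original FAQ and not code from the Hoster utility): a small Python script that applies the analysis in sections 3.1 to 3.5 to the text of a Hosts file. The vendor watchlist is taken from the sample above; the function names, the verdict labels, and the treatment of 0.0.0.0 as a blocking address are assumptions of this example.

```python
import ipaddress

# Watchlist built from the vendor domains in the page's sample; extend as needed.
SECURITY_DOMAINS = {"kaspersky.com", "mcafee.com", "symantec.com"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in Hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comment, split on spaces/tabs
        if len(fields) < 2:
            continue                            # blank, comment-only, or incomplete
        for name in fields[1:]:                 # one line may carry several names
            yield line_no, fields[0], name.lower().rstrip(".")

def classify(ip, name):
    """Return a review verdict for one mapping (labels are this example's own)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    sinkhole = addr.is_loopback or addr.is_unspecified   # 127.0.0.1, ::1, 0.0.0.0
    if name == "localhost" and addr.is_loopback:
        return "expected"
    if any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS):
        return ("suspicious: security vendor blocked" if sinkhole
                else "suspicious: security vendor redirected")
    return "review: blocked" if sinkhole else "review: redirected"

def audit(text):
    """Classify every active mapping; returns (line_no, ip, hostname, verdict) rows."""
    return [(n, ip, name, classify(ip, name)) for n, ip, name in parse_hosts(text)]

# Constructed sample: active lines modelled on the page's sample, plus a
# constructed tab-separated line with mixed case, a subdomain and two names.
SAMPLE = """\
# comment
127.0.0.1 localhost
127.0.0.1 abcsearch.com
101.4.5.2 aardvark.com # faster access
127.0.0.1 kaspersky.com
127.0.0.1\tUpdates.McAfee.com www.symantec.com
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("line %d: %-15s %-22s %s" % row)
```

Entries marked "review" are not necessarily bad: they correspond to cases like 3.2 to 3.4 above, where the entry has to be confirmed against the software installed on the machine.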


4. If you need help cleaning your Hosts file, post the Hosts file in a new topic in the BBR Security Forum.


5. Make the desired changes to the Hosts file using the Hoster utility, and save the changed file.

(Caution: Only use hoster.zip or notepad.exe to edit the Hosts file. The file has to be in text format, not word processor format.)

If you aren't sure what to do, after you have done "Backup Hosts File", remove all the lines that do not begin with a "#" except for the line "127.0.0.1 localhost". If it makes things worse, click "Restore Backup Hosts File".

Once the Hosts file is saved, you can optionally go into Windows Explorer and navigate to the file again, right-click on it, select Properties, select the "Read Only" attribute, and click OK (or click the "Make Hosts File ReadOnly" button in Hoster.exe).

If you have problems, you can go to the Hosts file with Windows Explorer, delete the Hosts file, and rename "Copy of Hosts" to "Hosts".

(Few computers actually make any use of the Hosts file and almost all will work perfectly fine without one. The extra steps in here are in case your computer is one of the few that needs one.)


6. Check your computer for the cause of the Hosts file hijacking.

Hosts file hijacking is the simplest problem you can have, unless whatever did the hijacking is still on your system. So once you have fixed the hosts file, it is important to follow the steps here: Click here since you may have a virus or trojan.


7. Take action to secure your computer so it doesn't happen again: click here.



For more on using the Hosts file, please check the BBR Security FAQ: What is a HOSTS file and where can I get one?




Edit 11 Jul 2005 by CalamityJane: Updated download link for Hoster program


Feedback received on this FAQ entry:
  • Hi, my etc file is blank. How do I restore my host file when it is not in the backup file at all? ynatasha8@gmail.com

    2009-07-25 13:16:42

  • "3.1 "127.0.0.1 localhost" is in every Hosts file. It merely tells the computer to send messages for other parts of the same computer (the local host) to the "loop back" address 127.0.0.1. In a new default installation of Windows, this is the only line in the Hosts file that is not a comment." In a new installation of Windows there is NO hosts file unless an OEM/VAR has modified the standard Microsoft Windows install script, or has added third-party applications which require a hosts file to be present to service proxy requests - for example from an anti-spam proxy. A default Windows install ONLY installs hosts.sam.

    2008-05-05 09:38:35




by keith2468, edited by CalamityJane
last modified: 2008-11-19 19:37:44