Security Incidents mailing list archives

Re: Unknown Hosts file


From: "<-delusion->" <delusi0n () bellsouth net>
Date: Mon, 1 Apr 2002 22:07:53 -0500

A hosts file can be used to redirect a URL to a different IP. For
example, a malicious user can mirror www.hotmail.com and put it on their
webserver and edit it so that when you log in it sends the login and
password to the owner of the webserver, then they proceed to edit your hosts
file and put in a field like:
1.2.3.4 hotmail.com
1.2.3.4 www.hotmail.com

where 1.2.3.4 is the IP of their webserver. So then when anyone types in
www.hotmail.com in Internet Explorer on your computer they go to the user's
webserver and not the real hotmail.com. Since the malicious user mirrored
hotmail.com, a user at your computer wouldn't know the difference and proceed
to log in. Instead of logging the person into hotmail, it sends the login and
password a user supplies to the malicious user. So you get what I'm saying,
right? For more info check out:
http://www.lameindustries.org/tutorials/windowshosts/index.shtml

-delusion
http://www.digital-delusions.com

----- Original Message -----
From: "David Tan" <dtan () chipscc com>
To: <incidents () securityfocus com>
Sent: Monday, April 01, 2002 7:31 PM
Subject: Unknown Hosts file




I have a client machine running Windows 2000
Professional.  All of a sudden, one day, the user was
unable to access several of the most popular
websites (i.e. google, yahoo, cnn, etc.).  I noticed that
the machine was attempting to access the wrong IP
address for all the websites, in fact, it was attempting
to access the SAME IP address for every website in
the group.  After some research, I found there was a
Hosts file with all the domains in question listed, and
the erroneous IP address.  Has anyone ever come
across an incident where a virus or trojan would
place a Hosts file onto a system?  I have thoroughly
scanned the machine for viruses, open ports, etc.
and found nothing.  Is there anything else I should be
on the lookout for?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


