Full Disclosure mailing list archives
Re: Windows hosts file changing.
From: "Exibar" <exibar () thelair com>
Date: Wed, 22 Oct 2003 10:47:35 -0400
I have seen qhosts act in strange ways. Qhosts does indeed edit the HOSTS file, sometimes will add those registry keys but not all. Sometimes it will add the reg keys but leave the HOSTS file alone. I've seen it replace the real HOSTS file, and I've also seen it add a new HOSTS file into the temp directory. Qhosts doesn't always respond predictably from what I've seen.

Exibar

----- Original Message -----
From: "Brian Eckman" <eckman () umn edu>
To: "David Gianndrea" <dgianndrea () comsquared com>
Cc: "Kevin Gerry" <poof1 () cox net>; <Full-Disclosure () lists netsys com>
Sent: Wednesday, October 22, 2003 9:50 AM
Subject: Re: [Full-disclosure] Windows hosts file changing.

David Gianndrea wrote:
> Kind of sounds like this...
>
> http://vil.nai.com/vil/content/v_100719.htm
>
> Kevin Gerry wrote:
>> Does -ANYBODY- know how it occurs?
>>
>> I've had this happen to a couple boxes of mine now...
>>
>> New one:
>> --
>> 127.0.0.1 localhost
>> 66.40.16.131 livesexlist.com
>> 66.40.16.131 lanasbigboobs.com
>> 66.40.16.131 thumbnailpost.com
>> 66.40.16.131 adult-series.com
>> 66.40.16.131 www.livesexlist.com
>> 66.40.16.131 www.lanasbigboobs.com
>> 66.40.16.131 www.thumbnailpost.com
>> 66.40.16.131 www.adult-series.com
>> --
>>
>> Any idea how the search site is replacing that? =/
>>
>> It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>>
>> Thanks =/

Actually, I don't think it sounds a damn thing like Qhosts. Qhosts modifies DHCP-issued DNS server settings in the registry, and creates a new HOSTS file and tweaks the registry to use that HOSTS file. It doesn't touch the original HOSTS file. This post exhibits no Qhosts behavior, and Qhosts doesn't exhibit any of this behavior.

I think Daniel got it right - quit going to porn sites. Better yet, quit going to porn sites advertised in Spam.

Also, to respond to another comment, the MS03-040 patch might *not* address this type of attack on a system. Internet Explorer fully patched with default settings *still* allows silent delivery and install of executables. POC was sent to this list weeks ago.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who understand binary and those who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
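The two behaviours discussed in this message (entries added to the HOSTS file, and the registry being pointed at a different HOSTS directory) can both be checked mechanically. The following is an added example, not part of the original thread: the function names, the allow-list and the sample data are constructed, and it assumes the registry setting involved is the `DataBasePath` value under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, which the thread does not name.

```python
import ntpath
import re

# Stock value of DataBasePath (assumed setting, see lead-in): the HOSTS directory.
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1|0\.0\.0\.0)$")

# Constructed sample HOSTS content (documentation address range, .test names).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# comment line
203.0.113.7 search.example.test www.search.example.test
10.0.0.5 intranet.example.test   # admin's own entry
"""

def parse_hosts(text):
    """Yield (line_no, ip, names) for each active entry, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield no, fields[0], [n.lower() for n in fields[1:]]

def audit_hosts(text, allowed=None):
    """Return (line_no, name, ip) for every name mapped to a non-loopback
    address that is not in the known-good allow-list {name: ip}."""
    allowed = {k.lower(): v for k, v in (allowed or {}).items()}
    findings = []
    for no, ip, names in parse_hosts(text):
        if LOOPBACK.match(ip):
            continue
        findings.extend((no, n, ip) for n in names if allowed.get(n) != ip)
    return findings

def database_path_is_default(value, system_root=r"C:\WINDOWS"):
    """True if a DataBasePath value still resolves to the stock directory.
    The value is passed in (e.g. read with winreg on the host) so this runs offline."""
    def resolve(p):
        p = re.sub(r"%systemroot%", lambda m: system_root, p, flags=re.I)
        return ntpath.normcase(ntpath.normpath(p))
    return resolve(value) == resolve(DEFAULT_DB_PATH)

if __name__ == "__main__":
    known_good = {"intranet.example.test": "10.0.0.5"}
    for no, name, ip in audit_hosts(SAMPLE_HOSTS, known_good):
        print(f"line {no}: {name} -> {ip} is not in the known-good list")
    print("DataBasePath default:", database_path_is_default(r"C:\Temp\alt"))
```

Because the message reports the file sometimes being replaced and sometimes relocated, run both checks, and audit whichever HOSTS file the configured path actually points to.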
