
Author Topic: Hosts file hijack?  (Read 2077 times)

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Hosts file hijack?
« on: March 09, 2009, 21:49 »
I've just had my very first alert from Windows Defender, saying I've had a possible Hosts file hijack:

Quote
Category:
Settings Modifier

Description:
This program has potentially unwanted behavior.

Advice:

Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Resources:
file:
C:\WINDOWS\system32\drivers\etc\hosts
 

I opted to 'Clean' the file, which WD reports it has done successfully, however, when I now open the Hosts file in Notepad, I get the following:

Quote
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

Is this normal?  I thought it was supposed to contain actual settings, not what appears to be a 'sample'.  Can anyone clarify, please?
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline topquark

  • Regular Member
  • **
  • Posts: 49
Re: Hosts file hijack?
« Reply #1 on: March 09, 2009, 22:09 »
That's fine Simon, the only reason for putting anything in the hosts file is if you want it to resolve without the aid of a nameserver.  Often used for things on your local network.
Reverse the polarity, it'll be fine !

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Hosts file hijack?
« Reply #2 on: March 09, 2009, 22:13 »
Thanks, Martin.  I'm still curious as to how / why it's been changed, though, as I'm sure it had 127.0.0.1 localhost in there before.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline topquark

  • Regular Member
  • **
  • Posts: 49
Re: Hosts file hijack?
« Reply #3 on: March 09, 2009, 22:23 »
Yes, on Windows you can either find it blank or with a 127.0.0.1 localhost setting (either is fine).

On Linux it'll be something like:

Code:
127.0.0.1 localhost
127.0.1.1 ##.#####.eu ##

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
Reverse the polarity, it'll be fine !
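
The check discussed in the replies above, written out as an added example (not part of any forum post): it lists every uncommented hosts entry that is not one of the stock mappings quoted in the thread. The names `BASELINE`, `SAMPLE_HOSTS`, `active_entries` and `audit_hosts` are assumptions, and the two override lines in the sample are constructed.

```python
import ipaddress

# Baseline taken from the entries quoted in the thread; anything else is an override.
BASELINE = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"), ("::1", "ip6-localhost"), ("::1", "ip6-loopback"),
    ("fe00::0", "ip6-localnet"), ("ff00::0", "ip6-mcastprefix"),
    ("ff02::1", "ip6-allnodes"), ("ff02::2", "ip6-allrouters"),
    ("ff02::3", "ip6-allhosts"),
}

# Constructed sample: Windows header comments plus two overrides added for the demo.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
192.0.2.15      www.example.com      # constructed override
0.0.0.0         updates.example.net
"""

def active_entries(text):
    """Yield (line_no, ip, hostname) for each uncommented mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment anywhere on the line
        for name in fields[1:]:                  # one address may carry several names
            yield line_no, fields[0], name.lower()

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for every entry outside BASELINE."""
    findings = []
    for line_no, ip, name in active_entries(text):
        if (ip, name) in BASELINE:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            reason = "malformed address"
        else:
            local = addr.is_loopback or addr.is_unspecified
            reason = "points at this machine" if local else "redirects to another address"
        findings.append((line_no, ip, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s  %s  (%s)" % finding)
```

A file holding only the commented sample header, like the one quoted in the first post, produces no findings.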

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Hosts file hijack?
« Reply #4 on: March 09, 2009, 22:32 »
Thanks again, Martin, that's reassuring.  I'm starting to suspect a false alert from Windows Defender, as nothing else has found anything.
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re: Hosts file hijack?
« Reply #5 on: March 10, 2009, 00:20 »
I told you he was good Simon  ;D

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Hosts file hijack?
« Reply #6 on: March 10, 2009, 10:22 »
Yes, we must lock the doors to stop him escaping.  ;)
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Rik

  • Former Admin
  • *****
  • Posts: 26506
  • Ceud mille failte
Re: Hosts file hijack?
« Reply #7 on: March 10, 2009, 10:26 »
What's wrong with leg shackles like the rest of us? ;D
Slainthe!

Rik

Offline Simon

  • Administrator
  • *****
  • Posts: 77112
  • First to score 7/7 in Quiz of The Week's News 2017
Re: Hosts file hijack?
« Reply #8 on: March 10, 2009, 11:16 »
What do you mean, 'the rest of us'?  That's just you!  ;D
Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Rik

  • Former Admin
  • *****
  • Posts: 26506
  • Ceud mille failte
Re: Hosts file hijack?
« Reply #9 on: March 10, 2009, 12:18 »
Now you tell me. ;D
Slainthe!

Rik

Offline topquark

  • Regular Member
  • **
  • Posts: 49
Re: Hosts file hijack?
« Reply #10 on: March 10, 2009, 16:55 »
You can always check and see what's active if you are seeing activity on your local net ... for example on Windows/Linux you can use "netstat" (in a command/shell prompt) to list out the active sockets on the system and check any "rogue" entries you find (IP addresses you don't recognize from browser activity for example).  There are various options you can use, so see what suits you.
Reverse the polarity, it'll be fine !
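
The netstat review suggested in the reply above, as an added example (not part of the original post): it reads saved `netstat -an` output and returns the established remote endpoints that fall outside a list of recognised networks. The names `LOCAL_NETS`, `SAMPLE_NETSTAT`, `split_endpoint` and `unrecognised_remotes` are assumptions, and the sample output is constructed.

```python
import ipaddress

# Networks treated as "recognised" by default: loopback and RFC 1918 private ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

# Constructed `netstat -an` output in the Windows layout.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5354         127.0.0.1:49700        ESTABLISHED
  TCP    192.168.1.10:49712     192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.10:49730     203.0.113.77:8080      ESTABLISHED
  TCP    192.168.1.10:49731     198.51.100.20:443      ESTABLISHED
  TCP    192.168.1.10:49732     198.51.100.20:443      ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (or '[v6addr]:port') into an address object and a port."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def unrecognised_remotes(netstat_text, known_nets=LOCAL_NETS):
    """Return sorted, de-duplicated (address, port) pairs for ESTABLISHED
    connections whose remote address is in none of known_nets."""
    remotes = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if "ESTABLISHED" not in fields:
            continue                      # headers, listeners, UDP rows
        # The foreign address is the column just before the state, on Windows and Linux.
        foreign = fields[fields.index("ESTABLISHED") - 1]
        try:
            addr, port = split_endpoint(foreign)
        except ValueError:
            continue                      # e.g. '*:*' or a resolved host name
        if not any(addr in net for net in known_nets):
            remotes.add((str(addr), port))
    return sorted(remotes)

if __name__ == "__main__":
    for addr, port in unrecognised_remotes(SAMPLE_NETSTAT):
        print("review: %s port %d" % (addr, port))
```

Pass a longer `known_nets` list to exclude addresses you have already identified, so that only the remaining endpoints are left to look up.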

