Hidden HOSTS manipulation by Malware

Discussion in 'malware problems & news' started by CloneRanger, Aug 24, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833

    Re - this screenie from the link

    [attached screenshot: ip.gif]

    I'm sure someone once posted that IP #'s don't work in a HOSTS file, so we need to have the name of the www instead. Which is actually correct?

    TIA
     
  2. tomazyk

    tomazyk Guest

    IPs are part of hosts files, as hosts files are part of the name resolution system. When you enter a www address in the browser, the computer has to translate that address into an IP address so it can find the site. First it checks the hosts file, and if it finds the address, it directs you to the IP address specified in the hosts file. If there is no entry in the hosts file, it asks the DNS server to resolve the address.

    In your case, the domains vkontakte.ru and vk.com probably got redirected to bogus websites.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I got a vague idea I told you something like that. But, I believe you misunderstood me.

    You can use IPs in a hosts file, just as user tomazyk explained. What you cannot do is map IPs to IPs.

    This, you can do:

    IP domain -> This is right.

    This, you cannot do:

    IP IP -> This is wrong.

    If you take a look at some hosts files, such as the MVPS hosts file, you'll see that they map domains to localhost (127.0.0.1). 127.0.0.1 is an IP. It just happens to be part of the loopback range.

    But you could easily, say, map www.wilderssecurity.com to a different IP, so that when you access Wilders Security you actually end up somewhere else, say the Google search engine (if we map www.wilderssecurity.com to Google's IP). Or, for faster translation, you can simply map www.wilderssecurity.com to its real IP in the hosts file.
     
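    As an added example that is not part of the thread (neither poster's code): the resolution order tomazyk describes and the IP-to-domain versus IP-to-IP distinction m00nbl00d draws, turned into a small Python hosts-file checker. It parses a constructed hosts file (the addresses are RFC 5737 documentation ranges, not real sites), reports the IP-to-IP and malformed lines a resolver would ignore, resolves a name first-match-wins, and flags entries that send a domain anywhere other than the loopback or unspecified address, which is the hijack pattern in the screenshot. The file contents, function names and the first-match rule are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample hosts file for this example; it is not taken from the thread
# or from any real machine. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocklist-style entry (MVPS uses 0.0.0.0 / 127.0.0.1)
192.0.2.10      vkontakte.ru vk.com    # hijack-style entry: real names sent to a foreign address
198.51.100.5    203.0.113.7            # invalid: an IP mapped to an IP does nothing
not_an_ip       www.example.com        # invalid: first field must be an address
"""

# Loose hostname check: labels of letters, digits and hyphens joined by dots.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$", re.I
)


def parse_hosts(text):
    """Parse hosts-file text.

    Returns (entries, problems): entries is a list of (line_no, ip_address,
    [hostnames]); problems is a list of (line_no, message) for lines the
    resolver would ignore, such as IP -> IP or a malformed address.
    """
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            problems.append((line_no, f"first field {fields[0]!r} is not an IP address"))
            continue
        names = []
        for name in fields[1:]:
            try:
                ipaddress.ip_address(name)
            except ValueError:
                pass                           # not an address: treat it as a name
            else:
                problems.append((line_no, f"{fields[0]} -> {name} maps an IP to an IP"))
                continue
            if HOSTNAME_RE.match(name):
                names.append(name.lower())
            else:
                problems.append((line_no, f"{name!r} is not a valid hostname"))
        if names:
            entries.append((line_no, ip, names))
    return entries, problems


def resolve(hostname, entries):
    """Look a name up the way the resolver consults the hosts file in this
    model: the first matching line wins. Returns the address as a string, or
    None when the name is absent (the resolver would then fall through to DNS)."""
    wanted = hostname.lower().rstrip(".")
    for _, ip, names in entries:
        if wanted in names:
            return str(ip)
    return None


def suspicious_entries(entries):
    """Return entries that send a name somewhere other than the loopback or
    unspecified address. Blocklist entries (127.0.0.1 / 0.0.0.0) pass; a real
    domain pointed at a routable address is the pattern from the screenshot
    and should be reviewed. Legitimate LAN entries also show up here, so this
    is a triage list, not a verdict."""
    return [
        (line_no, ip, names)
        for line_no, ip, names in entries
        if not (ip.is_loopback or ip.is_unspecified)
    ]


if __name__ == "__main__":
    entries, problems = parse_hosts(SAMPLE_HOSTS)
    for line_no, msg in problems:
        print(f"line {line_no}: ignored: {msg}")
    for line_no, ip, names in suspicious_entries(entries):
        print(f"line {line_no}: REVIEW {ip} -> {' '.join(names)}")
    print("vk.com ->", resolve("vk.com", entries))
```

    To run it against a real machine, read the actual file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere) into parse_hosts instead of SAMPLE_HOSTS; anything suspicious_entries returns for a public domain is what the screenshot in the first post is showing.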
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ tomazyk

    Thanks, and I realised most of that. It was seeing the IP #'s that threw me, as I thought they wouldn't work.

    @ m00nbl00d

    Not sure if it was you ;)

    Thanks, as above :thumb:
     