
Should there ever be more than 1 entry in the Hosts file?

Ken90630

Golden Member
I've never been clear about something, so it's about time I ask.

Should there ever be more than one entry in the Hosts file? I know that 127.0.0.1 is common, but sometimes I also see "::1" (without the quotation marks) on a second line. Is this okay, or maybe indicative of malware having altered the Hosts file?

And if the answer is yes, sometimes it's okay to have more than one entry in the Hosts file, how can I know if that entry is legit or not?
 
Yes, you can have multiple entries.

::1 is the loopback address for IPv6, and its presence in the hosts file is normal.

A sign of malware altering your hosts file would be if entries were present for common sites, such as google.com or windowsupdate.microsoft.com.
 
::1 is the IPv6 loopback/local host address, so yes that is perfectly normal for the HOSTS file on a PC that supports IPv6.

Other entries could also be legitimate, but I very rarely see people adding their own entry to a hosts file, and it's even more rare that a non-malicious piece of software makes edits to it.
 
I do it a lot, but I know what I'm doing. Done often to operate without a DNS, and I've seen anti-ad and anti-malware programs adding tons of stuff to it, and also malware.
 
Yes, you can have multiple entries.

::1 is the loopback address for IPv6, and its presence in the hosts file is normal.

A sign of malware altering your hosts file would be if entries were present for common sites, such as google.com or windowsupdate.microsoft.com.

Why would that be a sign of malware altering the file? Can you explain?
 
Why would that be a sign of malware altering the file? Can you explain?

The most common use of the hosts file is to disable security update checks, or to redirect common sites (such as Google, Yahoo, eBay, etc.) to other sites with spam advertising or other content that captures revenue for the malware author.
 
I use the hostfile on my home machines to block things like google analytics, adverts, and other sites.

If the internet connection slows I will take a Wireshark trace, and check the IP the traffic is to/from. Often you find traffic you do not want, and their host name gets added to the hostfile and sent to 127.0.0.1.

On a slow internet connection doing this can greatly reduce the amount of unwanted traffic. It does mean that many of the adverts on the sites do not work however.

Rob.
 
The most common use of the hosts file is to disable security update checks, or to redirect common sites (such as Google, Yahoo, eBay, etc.) to other sites with spam advertising or other content that captures revenue for the malware author.

Oh, okay. Another question then:

Let's say there were a Hosts file entry designed to redirect, say, Google to another site for spam advertising, as in your example. Would the entry say, "Google" followed by the spam site's IP address? Would it be that easy to recognize?
 
It will reference whatever URL it's trying to redirect. If it's google, it will be google.com to whatever IP address it wants to redirect it to.


It can also be used to block access to sites as well. You can point a site to the loopback as well to kill access to a particular site.
 
I remember seeing a magazine or website (wired, giz, engadget, forget exactly but of that theme), and they had an article about the hosts file and one of the screenshots had activate.adobe.com in it 😉
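The checks discussed in this thread, as an added example that is not part of any post: a small Python audit that parses hosts-file text and sorts each entry into a stock localhost line, a redirect of a well-known site, a block of a well-known site, an ad-blocking style sinkhole, or a custom mapping. The watch list, the verdict names and the sample file are assumptions made for this example.

```python
import ipaddress

# Assumption for this example: a short watch list built from sites named in the thread.
WATCHED = ("google.com", "yahoo.com", "ebay.com", "windowsupdate.microsoft.com")

# Constructed sample hosts file, not taken from any real machine.
SAMPLE = """\
# constructed sample
127.0.0.1     localhost
::1           localhost
127.0.0.1     www.google-analytics.com   # ad blocking, as in the thread
203.0.113.7   google.com www.google.com
0.0.0.0       windowsupdate.microsoft.com
192.168.1.20  nas.home
"""

def parse_hosts(text):
    """Yield (line_no, ip, name) for each address-to-name mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:                 # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def classify(ip, name):
    """Return a verdict label (labels are this example's own) for one mapping."""
    sink = ip.is_loopback or ip.is_unspecified  # 127.x.x.x, ::1, 0.0.0.0, ::
    if name == "localhost":
        return "normal" if ip.is_loopback else "redirect"
    if any(name == d or name.endswith("." + d) for d in WATCHED):
        # A watched site sent to a sink is blocked; sent anywhere else it is redirected.
        return "blocked" if sink else "redirect"
    return "sinkhole" if sink else "custom"

def audit(text):
    """Return (line_no, name, ip, verdict) for every entry except stock localhost lines."""
    return [(n, name, str(ip), v) for n, ip, name in parse_hosts(text)
            if (v := classify(ip, name)) != "normal"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To check a real machine, pass the contents of its hosts file (on Windows, `%SystemRoot%\System32\drivers\etc\hosts`) to `audit()`. A "sinkhole" or "custom" verdict only means the entry was added by someone or something and is worth confirming.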
 