Should there ever be more than 1 entry in the Hosts file?

Ken90630

I've never been clear about something, so it's about time I ask.

Should there ever be more than one entry in the Hosts file? I know that 127.0.0.1 is common, but sometimes I also see "::1" (without the quotation marks) on a second line. Is this okay, or maybe indicative of malware having altered the Hosts file?

And if the answer is yes, sometimes it's okay to have more than one entry in the Hosts file, how can I know if that entry is legit or not?
 

theevilsharpie

Yes, you can have multiple entries.

::1 is the loopback address for IPv6, and its presence in the hosts file is normal.

A sign of malware altering your hosts file would be if entries were present for common sites, such as google.com or windowsupdate.microsoft.com.
 

seepy83

::1 is the IPv6 loopback/local host address, so yes that is perfectly normal for the HOSTS file on a PC that supports IPv6.

Other entries could also be legitimate, but I very rarely see people adding their own entry to a hosts file, and it's even more rare that a non-malicious piece of software makes edits to it.
 

bobdole369

I do it a lot, but I know what I'm doing. Done often to operate without a DNS, and I've seen anti-ad and anti-malware programs adding tons of stuff to it, and also malware.
 

Ken90630

> Yes, you can have multiple entries.
>
> ::1 is the loopback address for IPv6, and its presence in the hosts file is normal.
>
> A sign of malware altering your hosts file would be if entries were present for common sites, such as google.com or windowsupdate.microsoft.com.

Why would that be a sign of malware altering the file? Can you explain?
 

theevilsharpie

> Why would that be a sign of malware altering the file? Can you explain?

The most common use of the hosts file is to disable security update checks, or to redirect common sites (such as Google, Yahoo, eBay, etc.) to other sites with spam advertising or other content that captures revenue for the malware author.
 

robmurphy

I use the hostfile on my home machines to block things like google analytics, adverts, and other sites.

If the internet connection slows I will take a wireshark trace, and check the IP the traffic is to/from. Often you find traffic you do not want, and their host name gets added to the hostfile and sent to 127.0.0.1.

On a slow internet connection doing this can greatly reduce the amount of unwanted traffic. It does mean that many of the adverts on the sites do not work however.

Rob.
 

Ken90630

> The most common use of the hosts file is to disable security update checks, or to redirect common sites (such as Google, Yahoo, eBay, etc.) to other sites with spam advertising or other content that captures revenue for the malware author.

Oh, okay. Another question then:

Let's say there were a Hosts file entry designed to redirect, say, Google to another site for spam advertising, as in your example. Would the entry say, "Google" followed by the spam site's IP address? Would it be that easy to recognize?
 

Railgun

It will reference whatever URL it's trying to redirect. If it's google, it will be google.com to whatever IP address it wants to redirect it to.


It can also be used to block access to sites as well. You can point a site to the loopback as well to kill access to a particular site.
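
The checks described in the replies above, as an added example that is not part of the thread: it parses hosts-file text and sorts each mapping into normal loopback entries, loopback blocks, custom mappings, and overrides of well-known sites. The watchlist, the verdict labels and the sample file are assumptions constructed for the example.

```python
import ipaddress

# Hypothetical watchlist (assumption): the sites named in the thread.
WATCHLIST = ("google.com", "yahoo.com", "ebay.com", "windowsupdate.microsoft.com")

# Constructed sample; non-loopback addresses are from documentation ranges.
SAMPLE = """\
# constructed hosts file for the example
127.0.0.1    localhost
::1          localhost
127.0.0.1    ads.example.net   # ad blocking
192.0.2.10   fileserver.home.example
203.0.113.7  www.google.com google.com
127.0.0.1    windowsupdate.microsoft.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue                           # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:                # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def verdict(ip, name):
    """Label one mapping; the labels are this example's own."""
    if any(name == d or name.endswith("." + d) for d in WATCHLIST):
        return "suspicious"  # well-known site overridden: redirect or blocked updates
    if ip.is_loopback or ip.is_unspecified:
        return "normal" if name == "localhost" else "block"
    return "custom"          # private mapping: confirm who added it and why

def audit(text):
    """Return (line_no, verdict, hostname, ip) for each mapping."""
    return [(n, verdict(ip, name), name, str(ip)) for n, ip, name in parse_hosts(text)]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("line %d: %-10s %s -> %s" % row)
```

A "block" or "custom" verdict is not a finding by itself, since ad blockers and manual edits produce both; the "suspicious" rows are the ones to trace back to whatever wrote them.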
 

Emulex

hell yeah it would be easy but remember a lot of google's CDN looks like spam sites to me.
 

fuzzymath10

I remember seeing a magazine or website (wired, giz, engadget, forget exactly but of that theme), and they had an article about the hosts file and one of the screenshots had activate.adobe.com in it ;)