What is writing to my hosts file?


QUESTION :

I’ve got an odd situation where I’m emptying out my hosts file but when I ping something that used to have an entry in the hosts file the hosts file gets populated with the entries that I’ve just removed.

The entries are particular to various servers on the network, so they're not just random IP addresses. However, some of the IP addresses have been changed, so the entries are no longer valid, but I can't just remove them and rely on the internal DNS on the network.

What could be updating the hosts file?

Edit: So it seems that running ipconfig /flushdns is what’s adding the entries back in. I’ve not come across this before.

Edit2: Should have pointed out earlier, this is on a Windows box.

Edit3: It looks like it’s svchost.exe that’s doing it. See this here screenshot: Screenshot of processmonitor

ANSWER :

Windows Security Essentials and other antivirus software will fix your hosts file. This includes removing references to their ad servers that you try to block, and reverting changes on the grounds that your text editor is malware. I had it happen less than an hour ago in Windows 8.

It could be any process with root access. You could write a small script which periodically checks which files are using the /etc/hosts file:

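#!/bin/bash
# Poll /etc/hosts ten times a second and log what fuser reports.
while true
do
  # fuser prints the PIDs of processes that currently have the file open
  fuser /etc/hosts >> /tmp/hosts_monitoring
  sleep 0.1
done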

Run it for a few minutes and check the /tmp/hosts_monitoring. It’ll tell you which process id has written to the file.

You need to download a program like Process Monitor.

You can then see what is accessing the file.

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx
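
An added example, not part of the original answers: on Windows, the built-in object-access auditing can record which process writes to the hosts file without leaving Process Monitor running. It assumes an elevated PowerShell session, an English-language account name ('Everyone'), and the default hosts path; the variable names are illustrative.

```powershell
# Added example: audit writes to the hosts file and list the processes responsible.
# Assumes an elevated prompt and the default hosts location.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Enable success auditing for the "File System" audit subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit rule (SACL entry) to the hosts file: log successful
#    writes and deletes by any account.
$acl  = Get-Acl -Path $hostsPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write,Delete', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $hostsPath -AclObject $acl

# 3. Reproduce the behaviour (edit the file, run ipconfig /flushdns, ...),
#    then run the query below.

# 4. Pull event 4663 ("An attempt was made to access an object") from the
#    Security log and keep only the entries that refer to the hosts file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the event's named data fields into a lookup table.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['ObjectName'] -like '*\drivers\etc\hosts') {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Process    = $data['ProcessName']
                ProcessId  = $data['ProcessId']      # hexadecimal, e.g. 0x4d8
                User       = $data['SubjectUserName']
                AccessMask = $data['AccessMask']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

When the process turns out to be svchost.exe, as in the question's Edit3, convert the logged ProcessId to decimal and run `tasklist /svc /fi "PID eq <pid>"` to see which services that instance hosts.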
