What happened to my hosts file?

Discussion in 'Software' started by Wisewiz, Oct 30, 2003.

  1. Wisewiz

    Wisewiz Apprentice's Sorcerer

    OK, so I've been having trouble with IE reaching ANY of the MS SUPPORT sites for a couple of days. Every OTHER favorite (lots!) I have loaded in a jiffy, but MSKB, WU, MS Support, XP Support, and XP Downloads all gave me nothing but that stupid, uninformative "Cannot find server" message in the title bar, and the "This page cannot be displayed" nonsense in the main window. Two days. Deleted Index.dat. Updated the hosts file to latest DNS numbers. Checked (and reset) all of my Internet Options settings. Rebooted. Rebooted. Fiddled. Pharted around.

    Nada. No MS crucial sites: THE ONLY ONES I USE IE FOR wouldn't open. Imported my Firebird bookmarks. ALL worked. Only MS criticals didn't. MS ClearType fine, MS eBooks fine, MS Word MVP fine. No IMPORTANT MS sites at all, though.

    Old computer got ALL crucial MS sites fast in the same period. It's on the same cable, same modem, same router. Same settings so far's I can tell. Can't be DNS, can't be cable, can't be IE, can't be, can't be, can't be ...

    Finally, in desperation, I deleted my hosts file.

    BINGO! All MS sites load in a tick.

    Anybody have any hypothetical or real or good-guesswork explanation for why this happened to this machine and didn't happen on the other machine this one is connected to?

    The problem is solved (for now, anyway). I'm just really interested in figuring out why the problem arose. Any ideas considered. No reasonable offer refused.
    :confused: :confused: :confused:
     
  2. Kodo

    Kodo SNATCHSQUATCH

    the only thing I can think of is a nasty got on your system and edited it.
     
  3. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Yeah, that's what I think, too, but I canna think how the bugger got in there past the AV and the Wall, and escaped detection by AdAw and Spybot and did its nasties without interference from anything.

    And now it appears to be hisss-tory.

    ???? "Is a puzzlement!"
    (The king of Siam in *The King and I*)
     
  4. Ken3

    Ken3 MajorGeek

    Did you have any of the MS critical sites in your hosts file? If so, that was probably the problem. It's my understanding that these and maybe other MS sites have IPs that are dynamic and should not be in the hosts file.
     
  5. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Now, there's an interesting and probably significant notion, Ken! I do have MS criticals in the hosts file, because the hosts file is created and revised by Windows from the Favorites folder in IE.

    But you can edit hosts manually or use hosts-management software to get the moving-target MS entries out of there.

    I restored my old hosts file, updated it by running my hosts-editing program that checks current DNS numbers and edits the file, and used that program to remove the MS criticals entries, and everything worked fine.

    But you've made me wonder whether there's a way to keep the MS criticals from getting INTO the hosts file in the first place.

    Mebbe with today's fast browsers and fast broadband connections, the hosts file has outlived its usefulness for people not on dial-up, and those of us on broadband should just include it in the batch files that we use to delete our useless stuff once a week or so.

    Whatcha think, Ken? (Or anybody?)
     
  6. Jamiko

    Jamiko Sergeant

    Make the file read-only?

    The only thing I use my hosts file for is to redirect banner ads to 127.0.0.1
     
  7. g1lgam3sh

    g1lgam3sh MajorGeek

    Me too, seems to work:)
     
  8. Ken3

    Ken3 MajorGeek

    ??? I'm not familiar with this function of Windows. I always thought that this file was initially in the OS appropriate folder when the OS is installed and it's up to the user to manage it - manually or through an application.

    I'm not familiar with all of the connection methods, just based on experience since I'm just an end user at my workplace (using a LAN) wanting to know how things work or make it work better :) ..... I would say managing the hosts file would still be useful for those using Win9x regardless of connection. I believe with NT and up, browsing capabilities are much better. Someone can correct me if I'm wrong or just a little off. :) Granted there isn't a lot of host file management software being developed or updated like they used to be so your last statement could be true.
     
  9. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Nope. If you look at yours, you'll see that it has the numeric addresses of most of the sites you have in your Favorites folder. Problem is, it seems to get out of date very easily, and if sites are *moving targets* like the important MS sites (WU, MSKB, XPDownloads, that sort), the hosts file can do a lot of harm.

    Think I'll just start updating it once a week, and then deleting the MS sites from it. The whole thing will only take 30 seconds, and I can spare that. I have a great little program called CheckIP that opens the hosts file, connects to the cable's DNS, checks the numeric addresses in the hosts file, and corrects the wrong ones. Takes about two seconds for two hundred entries. Then I just have to delete the MS entries.
     
  10. Ken3

    Ken3 MajorGeek

    WW, I still don't understand this. In using Win95 and Win2000 on different computers this does not happen with my HOSTS file. I have always had to manually do this or use a host management program. Is this a feature unique in XP?

    The CheckIP program, do you mean CIP? Your description sounds like CIP from Radsoft. I know this is a very fast program and works great.

    I've used CIP in the past, but since my workplace is slowly going to be "assimilated" into a lock down environment (NMCI - search on this to know more), I'm using as few freeware programs as possible ("weaning" myself) and use the most I can get from what's available on my computer.
     
  11. Wisewiz

    Wisewiz Apprentice's Sorcerer

    I dunno what's happening on your machines. The hosts file is actively used by IE and most other browsers if there IS a hosts file. You KNOW that's true, because a recent BIG wave of hijackings was widely publicized: The attackers took over the hosts file and re-wrote it, and the victim couldn't get to various sites and search engines, cuz the listings in hosts were re-directing the browser.

    But you see: that's the problem. If the hosts file has an incorrect entry and the browser checks the hosts file for the address you've asked for, the hosts file doesn't correct itself to match the latest DNS listings. So when some s**t-for-brains imbecile takes over your hosts file and puts junk entries in it, your browser goes to the junk addresses.

    The anti-spybot programs offer to lock your hosts file for you (on the assumption that you don't know how to change a file to Read-Only, I guess) and/or to make a backup copy of your most recent GOOD hosts file, so that if ... well, you know.

    I've used Radsoft CIP 5 since about '96. Chris P (Lockergnome) got them to offer a freeware standalone for Win95, and it has continued to work perfectly for 98, 2K, and XP -- because what it does doesn't change from OS to OS: it connects to your current ISP's primary DNServer and checks all of the alpha entries in your hosts file against the latest numeric listings on the DNS. You can import any browser's bookmarks or favorites folder to it, then delete the dupes, select All, and run it, and it takes less than five seconds on a fast connection to verify 500+ entries.

    If you use a hosts-file manager to kick-start your hosts file, I'm sure it'll start working. It's a genuine godsend to dial-up clients, but broadband users can probably just empty it and then make it Read-Only and not notice the diff.
     
  12. Ken3

    Ken3 MajorGeek

    Hmmmmmm, the only line in my HOSTS file is "127.0.0.1 localhost" the rest are comments. It is not read-only. Though I'm not familiar with it, I know there is a firewall set up (hardware/software I don't know), and know some ports are being blocked (again, don't know which ones - see how much I know about this :D ). Can a corporate firewall be set up smartly to prevent hosts file manipulation on individual computers?
     
  13. Wisewiz

    Wisewiz Apprentice's Sorcerer

    You might try a Google on that string for some insight. I did. Here's a sample for you to click. I'm not sure what you use that line for, but it seems to force the browser to go to DNS lookup, instead of using the resources of the hosts file. The first check is of the hosts file, which is why the incorrect numeric addresses put into it by attackers work before the DNS responds with the right addresses.

    If your only info in hosts is a direction to the DNServer (which is what I'm just guessing yours is-- I don't know), then the browser goes to hosts and then to the DNServer every time you type a URL in or click a link.

    http://www.computing.net/networking/wwwboard/forum/16826.html

    Oh, and here's what the very first lines of my hosts file look like. You'll find this site there. Nothing should precede the first line of numeric-alpha addresses. The last entry is the time of the last verification with the DNS.

    193.4.210.1 193.4.210.1 ##2003-10-30 13:36:34:589
    209.103.215.76 209.103.215.76 ##2003-10-30 13:36:34:573
    66.98.158.200 66.98.158.200 ##2003-10-30 13:36:34:573
    66.39.115.252 aumha.org ##2003-10-30 13:36:34:620
    206.47.72.114 canada411.sympatico.ca ##2003-10-30 13:36:34:620
     
  14. Jamiko

    Jamiko Sergeant

    I'm baffled by these comments. I've never, ever, seen the hosts file being filled up with the IE favorites and I've worked on every Windows OS on well over 300 computers at work. In fact, the hosts file is usually not even there (depending on the OS, it may be there but even then it is called hosts.sam thus not functioning) so it is not used at all.

    Windows (or IE) has never put anything in my (or any computer I've ever worked on) hosts file. I can see no reason to have your favorites in there. It may make browsing a tiny bit faster, but the trouble caused by maintaining it would outweigh those benefits, IMO.

    If you can show me that this automatically happens without using some third party tool or totally obscure option, I'd appreciate it as it would turn my understanding of how these things work upside-down.

    Almost everyone should have one entry in their hosts file and that is "127.0.0.1 localhost". Anything else in there would have been added manually by the user, sometimes by the ISP, and sometimes by a third-party tool. Oh, it could also be changed by a virus.

    Most people would be better off renaming "hosts" to "hosts.txt" and letting the internet and DNS do the work.
     
  15. Kodo

    Kodo SNATCHSQUATCH

    I completely agree with Jamiko. Note that the browser has 0/ None/ Nada/nothing to do with writing to the hosts file. ONLY user intervention, app or malware could do this LOCALLY.
    Spybot has this ability. If desired, you can add Spybot's list of known ad sites to the hosts file that all point to 127.0.0.1 .. IE has nothing to do with it.
     
  16. Wisewiz

    Wisewiz Apprentice's Sorcerer

    Apologies all around. I said "the browser did it," when it was clearly the third-party software that did it. I'd never looked at anyone else's hosts file. I didn't know they weren't ALL like mine, brimming with numeric addresses of Favs. Now I know. Thanks for the lesson, guys.

    As I said, I've had the third-party stuff running on every OS and every machine since way back when, so I wasn't aware that EVERYbody didn't have the hosts full of hundreds of numeric addresses, all agreeing with the latest set of Favorites.

    But now I realize that the third-party program IMPORTS the Favs every time I open it, and then scans the DNS for their numeric addresses. The sample entries I displayed above work, too. I can change a number for a site I just visited a moment ago, then save the hosts file with the changed number, and I'll immediately get either a "not found" or an incorrect site.

    So it's still the case that the browsers look FOR hosts and look AT hosts before they go to the DNServer, and that's why the attacks that write stuff to hosts work.

    But your reasoning is sound, and I'm gonna follow it: updating and maintaining hosts makes no sense when you're on broadband and DNS lookups take a split second.

    Think I'll maintain and update it on the old machine that I use for dial-up when the cable is down, but hosts is history on the broadbanded XP from now on.

    Thanks again for the enlightenment, guys. Special apology to Ken, whose machine (and hosts) is working just FINE, thank you very much!
     
    Last edited: Nov 4, 2003
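
An added example, not part of the original thread or of any tool named in it: the thread's point that a hosts entry is used before DNS, so a stale or tampered entry silently wins, can be checked by comparing every pinned address with current DNS answers. The function names, the sample hosts text (constructed, in the format of the lines posted above) and the DNS answers are all assumptions.

```python
import ipaddress

def is_ip(text):
    """True if text is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Yield (line_no, ip, name) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) < 2 or not is_ip(fields[0]):
            continue                             # blank, comment or malformed
        for name in fields[1:]:                  # one line may carry aliases
            yield line_no, ipaddress.ip_address(fields[0]), name.lower()

def audit_hosts(text, dns_answers):
    """Classify each mapping as local, literal, unverified, ok or mismatch.

    dns_answers maps hostname -> set of addresses obtained by querying a DNS
    server directly. The OS resolver is no use here: it reads the hosts file
    first and would echo back the pinned value being checked.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            status = "local"        # localhost or an ad-blocking sinkhole
        elif is_ip(name):
            status = "literal"      # address mapped to itself, resolves nothing
        elif name not in dns_answers:
            status = "unverified"   # no DNS answer to compare against
        elif str(ip) in dns_answers[name]:
            status = "ok"
        else:
            status = "mismatch"     # stale or tampered: review this line
        findings.append((line_no, name, str(ip), status))
    return findings

# Constructed sample input (documentation addresses, example domains).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 ads.example.net
192.0.2.1 192.0.2.1 ##2003-10-30 13:36:34:589
192.0.2.10 support.example.com ##2003-10-30 13:36:34:620
198.51.100.7 www.example.org ##2003-10-30 13:36:34:620
"""
SAMPLE_DNS = {"support.example.com": {"203.0.113.25"},
              "www.example.org": {"198.51.100.7"}}
```

Any line reported as `mismatch` is either out of date or was written by something other than the user, which are the two causes the thread settles on.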
  17. Ken3

    Ken3 MajorGeek

    WW, no problem. ;) For a moment though I thought there was something new about HOSTS and did a search on it and didn't come up with it. So I figured something wasn't right here; waited patiently until there were other posts to this and behold Jamiko and Kodo humbly provided their knowledge. Great forum here - always learning from each other. :)
     
  18. Wisewiz

    Wisewiz Apprentice's Sorcerer

    The problem, Ken, was that I go back in computing farther than almost anybody here, and I started out with the very first modems on dial-up. Back then, if you wanted to download a 100KB file, you started the download and went away for the weekend. There was NO SUCH THING as a 500 KB or 1 MB download available ANYwhere, because people just wouldn't have touched it. The Internet was there, but the Web was mostly a dream for the future. Graphics just took too long to load.

    There were tons of "Internet Speedup" programs available back then, and most of them reset the usual settings on your machine, but SOME of them (the BEST ones) also took the hosts file and made it work HARD for the Internet user. The difference in speed was really amazing.

    On my first modem connections, it took about two full minutes for a browser to find a site and BEGIN to load it, because the round trip for a visit to the nearest DNS took so long. Then the Speedup programs came along and put all of the numeric addresses into the hosts file in one (sorta long) visit to the DNS, and after that, the browser took about five SECONDS to start loading a site. Wow!

    End of story: I got so accustomed to USING the hosts file that I never thought about STOPPING. Jamiko and Kodo rattled my chain enough so that I've got the word: I don't need that stuff anymore. And that means that the headaches caused by incorrect entries in the hosts file (because I hadn't updated it recently enough) are history.

    Yesss!
     
  19. Jamiko

    Jamiko Sergeant

    WW, I suspected you may have been using some third-party tools so I am glad it was confirmed. I honestly was expecting you to show me how it is done without that, since I am always being shown things I've missed.

    Using the hosts file is certainly more common among the early internet users (I'm not one of them) and I know that old habits die hard. It just goes to show that we all think certain things work a certain way and we all are wrong about some of them some of the time. You can catch the next one. ;)

    Great site and great people here, glad I found it.
     
  20. Wisewiz

    Wisewiz Apprentice's Sorcerer

    I'm not sure anybody welcomed you here, Jamiko, so if not, Welcome to Major Geeks!

    Thanks for the good words. I felt stupid for a bit there, until I realized that I was just ignorant, and the ignorance was taken care of by a little learning.
     
