From: exibar at thelair.com (Exibar)
Subject: Windows hosts file changing.

I have seen qhosts act in strange ways.  Qhosts does indeed edit the HOSTS
file, sometimes will add those registry keys but not all.  Sometimes it will
add the reg keys but leave the HOSTS file alone.  I've seen it replace the
real HOSTS file, and I've also seen it add a new HOSTS file into the temp
directory.

  Qhosts doesn't always respond predictably from what I've seen.

  Exibar


----- Original Message ----- 
From: "Brian Eckman" <eckman@....edu>
To: "David Gianndrea" <dgianndrea@...squared.com>
Cc: "Kevin Gerry" <poof1@....net>; <Full-Disclosure@...ts.netsys.com>
Sent: Wednesday, October 22, 2003 9:50 AM
Subject: Re: [Full-Disclosure] Windows hosts file changing.


>
>
> David Gianndrea wrote:
> > Kind of sounds like this...
> >
> > http://vil.nai.com/vil/content/v_100719.htm
> >
> >
> > Kevin Gerry wrote:
> >
> >> Does -ANYBODY- know how it occurs?
> >>
> >> I've had this happen to a couple boxes of mine now...
> >>
> >> New one:
> >> -- 
> >> 127.0.0.1    localhost
> >> 66.40.16.131    livesexlist.com
> >> 66.40.16.131    lanasbigboobs.com
> >> 66.40.16.131    thumbnailpost.com
> >> 66.40.16.131    adult-series.com
> >> 66.40.16.131    www.livesexlist.com
> >> 66.40.16.131    www.lanasbigboobs.com
> >> 66.40.16.131    www.thumbnailpost.com
> >> 66.40.16.131    www.adult-series.com
> >> -- 
> >>
> >> Any idea how the search site is replacing that? =/ It's starting to
> >> piss me
> >> off =/ I had some custom information in there that's now overwritten
> >> (Not backed up)
> >>
> >> Thanks =/
>
>
> Actually, I don't think it sounds a damn thing like Qhosts.
>
> Qhosts modifies DHCP-issued DNS server settings in the registry, and
> creates a new HOSTS file and tweaks the registry to use that HOSTS file.
> It doesn't touch the original HOSTS file.
>
> This post exhibits no Qhosts behavior, and Qhosts doesn't exhibit any
> of this behavior. I think Daniel got it right - quit going to porn
> sites. Better yet, quit going to porn sites advertised in Spam.
>
> Also, to respond to another comment, the MS03-040 patch might *not*
> address this type of attack on a system. Internet Explorer fully patched
> with default settings *still* allows silent delivery and install of
> executables. POC was sent to this list weeks ago.
>
> Brian
> -- 
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 612-626-7737
>
> "There are 10 types of people in this world. Those who
> understand binary and those who don't."
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
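
An added example, not part of the original messages: a minimal hosts-file audit that diffs the current file against a known-good copy, reporting new non-loopback redirects grouped by IP and any custom entries that were overwritten. The sample contents, hostnames and addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not taken from the thread).
SAMPLE_BASELINE = """\
127.0.0.1    localhost
10.0.0.5     buildbox.internal.test   # custom entry
"""
SAMPLE_CURRENT = """\
127.0.0.1    localhost
203.0.113.10 search.example.test
203.0.113.10 www.search.example.test
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def audit_hosts(current_text, baseline_text):
    """Diff a hosts file against a known-good copy and group new redirects by IP."""
    current, baseline = set(parse_hosts(current_text)), set(parse_hosts(baseline_text))
    redirects = defaultdict(list)
    for ip, name in sorted(current - baseline, key=lambda e: (str(e[0]), e[1])):
        if not (ip.is_loopback or ip.is_unspecified):
            redirects[str(ip)].append(name)
    as_text = lambda pairs: sorted((str(ip), name) for ip, name in pairs)
    return {
        "added": as_text(current - baseline),
        "removed": as_text(baseline - current),  # e.g. overwritten custom entries
        "redirects": dict(redirects),
    }

if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_CURRENT, SAMPLE_BASELINE).items():
        print(key, value)
```

Because the thread describes cases where a new HOSTS file is created and the system is pointed at it, run the audit against the file the resolver is actually configured to use, not only the original one.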

