Summary: 127.0.0.1 is used in the hosts file by malware, anti-malware and ad blockers to block access to certain sites. The domains blocked will tell you which.
I've looked in my "\windows\system32\drivers\etc\hosts" file and found a number of entries that all begin with 127.0.0.1.
1. What are all those identical seemingly IP addresses, 127.0.0.1?
2. The sites listed, are they on my system and bad or are they being blocked from my computer to reach them (just like what you had stated Sasser, sometimes does to reach Anti-virus sites for definition updates?
3. What should I do with this list? Shall I delete these sites and only keep the localhost line?
•
127.0.0.1 is "special", and refers to your own computer. It's used for both good and evil. The trick here is to understand which, and perhaps how these entries appeared on your computer in the first place.
•
As I said, 127.0.0.1 is a special IP address that is always defined to refer to the local computer. So whenever a computer attempts to connect to 127.0.0.1 it's really attempting to connect to itself.
Now, unless you're running a web server on your own machine (highly unlikely unless you explicitly set it up), and if a web browser tries to connect to 127.0.0.1 that connection will fail - there's no web server to answer the call.
The other piece of this puzzle is to realize that entries in your hosts file take priority over "real" lookups. For example, if you put this in your hosts file:
127.0.0.1 google.com
127.0.0.1 www.google.com
you'll no longer be able to access Google. Your browser would request the IP address for google.com, the system would find it in your hosts file first and assume that was the correct address. Your browser would attempt to access 127.0.0.1, your own computer, and that would fail.
From this comes one ad blocking technique that places these kinds of entries into your hosts file for known advertising sites. That way, when your browser attempts to access them to fetch an ad, that fails and no ad is displayed. It can also be used to prevent access to sites that are known to be malicious in nature.
In looking at the list provided by the person asking the question, that appears to be what's happening here. These appear to be advertising or malware sites that have been blocked.
Now, the question is: how did this list get there?
I'm going to assume that since you're asking, you didn't put it there. Manually installing such a list is the most common approach.
The other alternative is that some anti-malware or firewall package you're using added the list for you. I'd check the various packages you're running to see if perhaps that's part of the feature list.
One way that the hosts file gets abused is by malware.
As we've seen, we can block access to certain sites by creating a "127.0.0.1" entry in the hosts file. What some malware does is exactly that - to block anti-malware companies.
For example, malware might install hosts entries to block your anti-virus software from updating itself or its malware definition. If your infection occurs prior to the definitions being updated to detect it, the malware has effectively hidden such that it will never be discovered as your anti-malware will never be able to update itself.
So if you see a list of domains like symantec.com, ca.com, and the domains of other well known anti-malware companies, you can pretty much bet that something's up. You can delete them if you like, but I'm guessing that a) it's too late because you're infected, and b) the malware will just add them back.
The good news in all this is that most anti-malware software is very aware of the potential for hosts file abuse. Some anti-spyware software will go so far as to lock the file so that it can't be modified, and most others will notify you if it changes unexpectedly.
Related:
-
Can I fake the DNS ip lookup to test my website? In case you need to test your website, there are ways that you can fake the DNS IP lookup to be able to do so. We'll take a look at how that's done.
-
Is this stuff in my 'hosts' file supposed to be there? The "hosts" file can be used for good or evil. Anti-malware programs may use it to block things, and malware may use it to block anti-malware.
-
Is there a way to block certain URL's in IE? There are ways to block URLs in IE, but doing so will block them from all other programs as well.
Article C3492 - September 5, 2008
In addition to routing anti-malware sites to 127.0.0.1, I have seen malware actually direct it to their own sites.
Imagine what would happen if your hosts file pointed www.google.com to an IP address owned by a "bad guy", and instead of searching via Google, you were searching using a paid advertising site. Even if it did nothing else to your system, it would make money for the "bad guy".
Posted by: Ken B at September 5, 2008 8:48 AMWhat a fantastic article! I've been trying to get my head-around the hosts file for a while, this explained it perfectly.
Now, the path to it! ....\etc\ Is that pronounced 'et cetera' or is it an acronym? Or neither?
Just wondered, because I occasionally direct someone to this location & wonder if I'm saying *ETC* (The letters), or 'Et Cetera'.
Just for reference!.....
Great article though, now I understand!
-Leo
The anti-spyware program I use puts blocked sites into the hosts list. I use spybot. If you are using that program then that is where that long list of sites came from.
Posted by: Steve Myers at September 6, 2008 1:46 PMNo Leo, it's not an incorrect attempt to do the same thing as 127.0.0.1 I think, because there are hundreds of 0.0.0.0-entries and they come from the RogueRemoverPro application.
Posted by: dheikoop at September 8, 2008 1:57 AMWhen I first started using the hosts file and did dome reading about it, the advice for blocking sites was to use 0.0.0.0 which would do the same thing as 127.0.0.1
Posted by: Paul Higgins at September 9, 2008 9:31 AMThe problem was that on some XP machines (and I’ve never heard a satisfactory reason for why) it would cause the machine to respond slowly or crash. This happened to me and I used the alternative instead. Maybe the advent of the XP problem has led to 0.0.0.0 never being suggested anymore.
Ok now what if you dont have anything in that file is that good or bad. When I follow the path "\windows\system32\drivers\etc\hosts" hosts shows it as being a file and no files in it. Ok so some of us only know how to turn it on...
-Leo
The routing tables use 0.0.0.0 to signify the default network connection in XP. I would think specifying this in your host file would just cause your computer to time out and get confused.
Definitely cause slow downs...
Posted by: Ziggie at September 10, 2008 8:34 AMI've gone throuh this article and also the comments and found it very enlightening. Thanks - EFernandez
Posted by: Erasto Fernandez at September 12, 2008 10:36 PMwhat if my hosts file does not contain a 127.0.0.1 number or a 0.000...etc number? i am trying to block a website on google chrome and i have no idea how to do it.....please help....
21-Jul-2009
Posted by: miaka at July 20, 2009 10:17 AM
Hi, Leo. Excellent article.
I have a Q.
My hosts file has 2 lines after comment:
127.0.0.1 localhost
::1 localhost
What's the effect of second line (::1 localhost)?
What happens if I get rid of both of those lines and replace it with a host name that I want to block? Should I save those lines and just another host that I want to block?
Your answer will be very appreciated.
12-Aug-2009
Posted by: Jimmy Han at August 11, 2009 8:14 PM