Linux HackFest Series: Evil /etc/hosts file

Lisa Kachold lisakachold at obnosis.com
Wed Dec 10 12:27:32 MST 2008


Trust is the basis for all security.

The "evil" /etc/hosts file would look like this:

# /etc/hosts 
127.0.0.1    hostname localhost localhost.localdomain

# end

A good /etc/hosts file appears:

# /etc/hosts
127.0.0.1   localhost localhost.localdomain
192.168.6.66   hostname

# end

The evil hosts file allows postgresql.conf (psql/pgadmin), my.cnf (phpmyadmin) and php.ini or Apache httpd.conf <Location> or <Directory> trust to be served from anyone using the hostname. The evil hosts file is also an especially dangerous SAMBA, X11 and NFS configuration "hack" often seen in encroached systems. Some of the more creative additional hacks seen in the /etc/hosts file include ALT 255 null ASCII characters before the second line FQDN hostname so it does not load.

Most developers and pentesters know it's trivial to use the /etc/hosts (and 127.0.0.1 localhost) as a proxy for MetaSploit, or local code testing; this hack in production servers is the same demonstrated behavior yet not controlled for layered OSI Browser to layer 2 security behavior [and certainly "EVIL"]!

An additional "use" of the /etc/hosts file includes sending all requests for rogue sites, 3rd party cookies that are known to contain dangerous bots or email viruses, and javascript plugins to the localhost address via /etc/hosts.
 
The following site maintains a good updated /etc/hosts file for browsers:

http://www.hosts-file.net/?s=Download

You just cat that file to the end of your /etc/hosts file:

# cat hosts.download >> /etc/hosts 

Then edit to suit.

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis |
http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452

Catch the January PLUG HackFest! Kristy Westphal, CSO for the Arizona Department of Economic Security, will provide a one hour presentation on forensics 1/10/09 at UAT.edu.
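The two conditions the post describes, the machine's own hostname placed on the 127.0.0.1 line and a hidden ALT 255 (0xFF) byte in front of the real FQDN entry, can both be checked mechanically. The script below is an added example and is not part of the original post; the hostname "myhost", the function names and the sample files are all constructed for the demonstration. The hostname is passed in explicitly so the check can be run against a copied file offline; on a live system pass "$(hostname)".

```shell
#!/bin/sh
# Added example: audit a hosts file for the two layouts described in the post.
#   1. the machine's own hostname mapped to a loopback (127.x) address
#   2. bytes outside printable ASCII hidden in an entry (e.g. ALT 255 / 0xFF),
#      which keep the line from parsing as the intended FQDN mapping

# audit_hosts FILE HOSTNAME
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_hosts() {
    file=$1
    host=$2
    found=0

    # 1. Strip comments, keep only loopback lines, then look for the hostname
    #    as a whole word (-w) so "myhost" does not match "myhost2"; -F makes
    #    the hostname a fixed string rather than a regex.
    if sed 's/#.*//' "$file" | grep -E '^[[:space:]]*127\.' | grep -Fwq -- "$host"; then
        echo "FINDING: hostname '$host' is mapped to a loopback address in $file"
        found=1
    fi

    # 2. In the C locale every byte is one character, so anything that is
    #    neither printable ASCII nor whitespace (0xFF included) is flagged.
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$file"; then
        echo "FINDING: non-ASCII bytes present in $file:"
        LC_ALL=C grep -n '[^[:print:][:space:]]' "$file" | cat -v
        found=1
    fi

    return $found
}

# Demonstration on constructed sample files (written to a temp dir).
demo() {
    dir=$(mktemp -d)
    # "good" layout from the post: hostname on its own LAN address line
    printf '127.0.0.1   localhost localhost.localdomain\n192.168.6.66   myhost\n' > "$dir/good"
    # "evil" layout: hostname on the loopback line
    printf '127.0.0.1    myhost localhost localhost.localdomain\n' > "$dir/evil"
    # 0xFF byte (ALT 255) inserted before the hostname on the second line
    printf '127.0.0.1   localhost\n192.168.6.66   \377myhost\n' > "$dir/hidden"
    for f in good evil hidden; do
        echo "== $f"
        audit_hosts "$dir/$f" myhost && echo "clean"
    done
    rm -rf "$dir"
}

demo
```

The second check is deliberately broad: a hosts file has no legitimate reason to contain bytes outside printable ASCII, so any hit is worth looking at with `cat -v` rather than an editor, which may render the byte invisibly.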


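Appending a downloaded blocklist with plain `cat` trusts every line in the download. The function below, an added example that is not from the original post or from hosts-file.net, only appends entries that point a name at a sinkhole address (127.0.0.1 or 0.0.0.0), rejects names with characters a hostname cannot contain, and skips names already present, so a tampered or truncated download cannot quietly redirect a name to a real address. The sample list and file names are constructed.

```shell
#!/bin/sh
# Added example: merge a downloaded hosts-style blocklist into a hosts file
# while accepting only sinkhole mappings. Not the project's own tooling.

# merge_blocklist DOWNLOAD HOSTS
# Appends accepted entries to HOSTS, reports skipped lines on stderr and
# prints the number of entries added on stdout.
merge_blocklist() {
    dl=$1
    hosts=$2
    tmp=$(mktemp)

    # drop CR from Windows line endings, strip comments, then read "ip names..."
    tr -d '\r' < "$dl" | sed 's/#.*//' |
    while read -r ip names; do
        [ -n "$names" ] || continue                   # blank / comment-only line
        case $ip in
            127.0.0.1|0.0.0.0) ;;                     # sinkhole address: acceptable
            *) echo "skip: $ip $names (not a sinkhole address)" >&2; continue ;;
        esac
        for name in $names; do                        # a line may carry several names
            case $name in
                *[!A-Za-z0-9.-]*) echo "skip: '$name' (invalid hostname characters)" >&2; continue ;;
            esac
            grep -Fwq -- "$name" "$hosts" && continue # already mapped in HOSTS
            echo "$ip $name"
        done
    done | sort -u > "$tmp"

    cat "$tmp" >> "$hosts"
    wc -l < "$tmp" | tr -d ' '
    rm -f "$tmp"
}

# Demonstration with a constructed download (the 10.0.0.5 line stands in for
# a tampered entry that would redirect a real site rather than sinkhole it).
demo() {
    dir=$(mktemp -d)
    printf '127.0.0.1   localhost localhost.localdomain\n192.168.6.66   myhost\n' > "$dir/hosts"
    cat > "$dir/hosts.download" <<'EOF'
# constructed blocklist sample
127.0.0.1 ads.example.test
127.0.0.1 tracker.example.test   # comment after the entry
0.0.0.0 malware.example.test
10.0.0.5 bank.example.test
127.0.0.1 bad;name.example.test
127.0.0.1 localhost
EOF
    n=$(merge_blocklist "$dir/hosts.download" "$dir/hosts")
    echo "added $n entries; resulting file:"
    cat "$dir/hosts"
    rm -rf "$dir"
}

demo
```

Run against the real files as root once the output looks right: `merge_blocklist hosts.download /etc/hosts`. The "edit to suit" step from the post still applies afterwards; the function only guarantees that nothing but sinkhole entries made it in.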


