Preventing Hosts and LMHosts Tampering

Archive for December, 2007

Preventing Hosts and LMHosts Tampering

Some forms of malware, and some attackers, modify the DNS resolution file (hosts) and the Windows name resolution file (lmhosts). With a tampered entry, a user who types www.jwgoerlich.us into the browser is sent to the attacker's IP address instead. A simple way to defeat this tactic is to turn off the hosts and lmhosts files altogether.

You can find the files by looking in the registry.

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters
Value: DataBasePath
Data: %SystemRoot%\system32\drivers\etc

Browse to the folder the registry points to, right-click it and open its security (permissions) settings. The service account (NT AUTHORITY\NETWORK SERVICE) needs read access to this folder in order to parse the files and load the name-to-address mappings. Add an explicit permission entry that denies the service account (NT AUTHORITY\NETWORK SERVICE) access, then reboot.

From then on, no matter who modifies the hosts or lmhosts file, the entries are never read, so DNS and Windows name resolution stay protected.
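The same registry lookup, deny entry and a verification step, scripted in PowerShell as an added example (this is not code from the original post). It assumes an elevated session and uses only the registry value and service account named above.

```powershell
# Added example: apply the hardening described in the post from PowerShell
# instead of the Explorer Security tab. Run elevated; reboot afterwards.

# 1. Locate the folder the way the post does: read DataBasePath from the
#    Tcpip\Parameters key and expand %SystemRoot%.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$raw = (Get-ItemProperty -Path $key -Name DataBasePath).DataBasePath
$etc = [Environment]::ExpandEnvironmentVariables($raw)
Write-Host "Name-resolution database folder: $etc"

# 2. Build an explicit Deny ACE for the service account named in the post.
#    ContainerInherit + ObjectInherit make the hosts and lmhosts files inside
#    the folder inherit the denial, so they are no longer parsed at all
#    (legitimate entries included; that is the intent of the post).
$account = 'NT AUTHORITY\NETWORK SERVICE'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $account,
    'Read',
    'ContainerInherit, ObjectInherit',
    'None',
    'Deny')

# 3. Apply it. Windows evaluates Deny ACEs before Allow ACEs, so this wins even
#    though the account still holds Read through the inherited Users grant.
$acl = Get-Acl -Path $etc
$acl.AddAccessRule($rule)
Set-Acl -Path $etc -AclObject $acl

# 4. Verify: list the ACEs that apply to the service account so the change is
#    visible now and can be re-checked later (for example after patching).
(Get-Acl -Path $etc).Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights, IsInherited -AutoSize
```

The verification block can be run on its own at any time to confirm the Deny entry is still present.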

Tip: Cygwin for Gzips (.gz) and Tarballs (.tar)

I find the Windows shareware and nagware tools for Gzip and Tarball files lacking. Some of them add unnecessary clutter to my OS. Part of it is compatibility with 64-bit Windows Server 2003. I also do not want to pay for a feature that I rarely use. Since I run Cygwin, it is easy enough to drop into the Bash shell to unzip and untar.

Copy the file to the Cygwin home folder (C:\cygwin\home\Administrator). Then start Cygwin and run the commands to unzip and untar.

$ gzip -d file.tar.gz

$ tar -xvf file.tar

The expanded files will then be in a folder called C:\cygwin\home\Administrator\file.