Trust is the basis for all security.

The "evil" /etc/hosts file would look like this:

# /etc/hosts 
127.0.0.1    hostname localhost localhost.localdomain

# end

A good /etc/hosts file appears:

# /etc/hosts
127.0.0.1   localhost localhost.localdomain
192.168.6.66   hostname

# end

The evil hosts file allows postgresql.conf (psql/pgadmin), my.cnf (phpmyadmin) 
and php.ini or Apache httpd.conf <location> or <Directory> trust to be served 
from anyone using the hostname.  The evil hosts file is also an especially 
dangerous SAMBA, X11 and NFS configuration "hack" often seen in encroached 
systems.  Some of the more creative additional hacks seen in the /etc/hosts 
file include ALT 255 Null ASCII characters before the second line FQDN hostname 
so it does not load.

Most developers and pentesters know it's trivial to use the /etc/hosts (and 
127.0.0.1 localhost) as a proxy for Metasploit, or local code testing; this 
hack in production servers is the same demonstrated behavior yet not controlled 
for layered OSI Browser to layer 2 security behavior [and certainly "EVIL"]!

An additional "use" of the /etc/hosts file includes sending all requests from 
rogue sites for 3rd party cookies that are known to contain dangerous bots or 
email viruses, and javascript plugins to the localhost address via /etc/hosts.
 
The following site maintains a good updated /etc/hosts file for browsers:

http://www.hosts-file.net/?s=Download

You just cat that file to the end of your /etc/hosts file:

# cat hosts.download >> /etc/hosts 

Then edit to suit.

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |
http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
Catch the January PLUG HackFest!   Kristy Westphal, CSO for the Arizona 
Department of Economic Security will provide a one hour presentation on 
forensics 1/10/09 at UAT.edu.



---------------------------------------------------
PLUG-discuss mailing list - [email protected]
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
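
An added example, not part of the original post: a check that reports the two conditions the message describes, the machine's own hostname sitting on a loopback line and stray non-printable bytes in front of an entry. The function name `audit_hosts` and the three sample files are constructed for illustration; the single 0xFF byte is an assumed stand-in for the "ALT 255" character.

```python
import ipaddress
import socket

# Constructed samples: the post's two files, plus one with a stray 0xFF byte
# standing in for the "ALT 255" character placed before the hostname entry.
EVIL = b"# /etc/hosts\n127.0.0.1    hostname localhost localhost.localdomain\n\n# end\n"
GOOD = (b"# /etc/hosts\n127.0.0.1   localhost localhost.localdomain\n"
        b"192.168.6.66   hostname\n\n# end\n")
HIDDEN = b"127.0.0.1   localhost localhost.localdomain\n\xff192.168.6.66   hostname\n"


def audit_hosts(data: bytes, hostname: str) -> list:
    """Return a list of findings for raw hosts-file bytes (hypothetical helper)."""
    findings = []
    wanted = {hostname.lower(), hostname.split(".")[0].lower()}
    for lineno, raw in enumerate(data.splitlines(), 1):
        body = raw.split(b"#", 1)[0]  # drop trailing comments
        # Bytes outside printable ASCII (tab allowed) can stop an entry from loading.
        odd = sorted({b for b in body if b > 0x7E or (b < 0x20 and b != 0x09)})
        if odd:
            findings.append(f"line {lineno}: non-printable bytes "
                            + ", ".join(hex(b) for b in odd))
        fields = body.decode("ascii", "replace").split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(f"line {lineno}: unparsable address {fields[0]!r}")
            continue
        # The "evil" layout: the machine's own name sits on a loopback line.
        if addr.is_loopback and wanted & {n.lower() for n in fields[1:]}:
            findings.append(f"line {lineno}: {hostname!r} resolves to loopback {addr}")
    return findings


if __name__ == "__main__":
    with open("/etc/hosts", "rb") as fh:
        for finding in audit_hosts(fh.read(), socket.gethostname()):
            print(finding)
```

Run directly, it audits the local /etc/hosts against the current hostname. Debian-style `127.0.1.1` entries are also loopback addresses and will be reported.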