Hosts files and 127.0.0.1

**happykoala** · April 9th, 2011, 07:32 AM

Hi, I have a script which downloads a hostfile containing thousands of known bad hosts and appends its to /etc/hosts as follows:

Code:

# Sorry but in addition to serving ads BrightCove frequently
# delvers content (mostly video).  It is your choice!
127.0.0.1       goku.brightcove.com
127.0.0.1       sdc.brightcove.com

127.0.0.1       0.r.msn.com
127.0.0.1       005.free-counter.co.uk
127.0.0.1       www.005.free-counter.co.uk
127.0.0.1       006.free-counter.co.uk
127.0.0.1       www.006.free-counter.co.uk
127.0.0.1       007.free-counter.co.uk
127.0.0.1       www.007.free-counter.co.uk
127.0.0.1       007angels.com
127.0.0.1       www.007angels.com
127.0.0.1       008.free-counter.co.uk
127.0.0.1       www.008.free-counter.co.uk
127.0.0.1       008.free-counters.co.uk
127.0.0.1       00fun.com
127.0.0.1       www.00fun.com
127.0.0.1       011707160008.c.mystat-in.net
127.0.0.1       www.021http.com
127.0.0.1       www.05168.com.tw
127.0.0.1       061606084448.c.mystat-in.net
127.0.0.1       070806142521.c.mystat-in.net
127.0.0.1       08search.com
127.0.0.1       www.08search.com
127.0.0.1       090906042103.c.mystat-in.net
127.0.0.1       092706152958.c.mystat-in.net
127.0.0.1       www.0catch.com
127.0.0.1       0koryu0.easter.ne.jp
127.0.0.1       0nly18.com
127.0.0.1       www.0nly18.com
127.0.0.1       1.adbrite.com
127.0.0.1       1.marketbanker.com
127.0.0.1       1.ofsnetwork.com
127.0.0.1       1.sharkadnetwork.com
127.0.0.1       100-100.ru
127.0.0.1       www.100-100.ru
127.0.0.1       100.mbn.com.ua
127.0.0.1       100.topnews.ru
127.0.0.1       10000hits.net
127.0.0.1       www.10000hits.net
127.0.0.1       10006.hittail.com

Now this works quite well, however I have noticed that Mac OSX 10.6.7 picks a host at random from the list to use in such tools as lsof and netstat, which is really quite wierd:

Code:

lsof -i 4
COMMAND     PID    USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
SystemUIS   107 stephen    9u  IPv4 0x08c13e14      0t0  UDP *:*
SystemUIS   107 stephen   11u  IPv4 0x08c12898      0t0  UDP *:*
Finder      108 stephen    5u  IPv4 0x07adfb18      0t0  TCP tamtam.tomshw.it:49159->tamtam.tomshw.it:26164 (ESTABLISHED)
Dropbox     139 stephen   13u  IPv4 0x08c13ef0      0t0  UDP *:17500
Dropbox     139 stephen   16u  IPv4 0x07ae0748      0t0  TCP *:17500 (LISTEN)
Dropbox     139 stephen   18u  IPv4 0x0972ab18      0t0  TCP 10.200.200.103:62582->208.43.202.24-static.reverse.softlayer.com:http (ESTABLISHED)
Dropbox     139 stephen   19u  IPv4 0x07adf708      0t0  TCP tamtam.tomshw.it:26164->tamtam.tomshw.it:49159 (ESTABLISHED)
Dropbox     139 stephen   21u  IPv4 0x07adff28      0t0  TCP 10.200.200.103:49158->208.43.202.54-static.reverse.softlayer.com:https (CLOSE_WAIT)
Dropbox     139 stephen   23u  IPv4 0x07ae0338      0t0  TCP tamtam.tomshw.it:26164 (LISTEN)
Safari      730 stephen   38u  IPv4 0x0f31cdc0      0t0  UDP 10.200.200.103:24044
Mail      13560 stephen   24u  IPv4 0x078a72b8      0t0  TCP 10.200.200.103:62569->qw-in-f109.1e100.net:imaps (ESTABLISHED)
Mail      13560 stephen   25u  IPv4 0x0ac1a338      0t0  TCP 10.200.200.103:62575->qw-in-f109.1e100.net:imaps (ESTABLISHED)
Mail      13560 stephen   26u  IPv4 0x092cc2b8      0t0  TCP 10.200.200.103:62579->qw-in-f109.1e100.net:imaps (ESTABLISHED)
Mail      13560 stephen   28u  IPv4 0x078aab98      0t0  TCP 10.200.200.103:62580->qw-in-f109.1e100.net:imaps (ESTABLISHED)
Adium     44759 stephen   12u  IPv4 0x092cc6c8      0t0  TCP 10.200.200.103:62545->cs201.msg.sp1.yahoo.com:mmcc (ESTABLISHED)
Adium     44759 stephen   13u  IPv4 0x08c12974      0t0  UDP *:62299
Adium     44759 stephen   15u  IPv4 0x07509338      0t0  TCP 10.200.200.103:62546->jabber-01-01-snc2.facebook.com:jabber-client (ESTABLISHED)
Skype     45363 stephen    8u  IPv4 0x08c13810      0t0  UDP tamtam.tomshw.it:63062
Skype     45363 stephen   47u  IPv4 0x0c13eb98      0t0  TCP *:47506 (LISTEN)
Skype     45363 stephen   48u  IPv4 0x08c139c8      0t0  UDP *:47506
Skype     45363 stephen   53u  IPv4 0x07868378      0t0  TCP 10.200.200.103:62539->213.146.189.206:12350 (ESTABLISHED)
Skype     45363 stephen   65u  IPv4 0x0c13e788      0t0  TCP 10.200.200.103:62541->160.110.70.115.static.exetel.com.au:9931 (ESTABLISHED)
NetNewsWi 67771 stephen    8u  IPv4 0x0722f6c8      0t0  TCP 10.200.200.103:63356->news.l.google.com:http (CLOSE_WAIT)
NetNewsWi 67771 stephen   12u  IPv4 0x0722f2b8      0t0  TCP 10.200.200.103:63569->ad.doubleclick.net:http (ESTABLISHED)
NetNewsWi 67771 stephen   14u  IPv4 0x0a90a688      0t0  TCP tamtam.tomshw.it:63570->tamtam.tomshw.it:http (CLOSE_WAIT)
NetNewsWi 67771 stephen   18u  IPv4 0x0ac1ab58      0t0  TCP 10.200.200.103:62576->www.marketwatch.com:http (ESTABLISHED)
NetNewsWi 67771 stephen   19u  IPv4 0x0b4c4ad8      0t0  TCP tamtam.tomshw.it:63361->tamtam.tomshw.it:http (CLOSE_WAIT)
NetNewsWi 67771 stephen   20u  IPv4 0x07adf2f8      0t0  TCP 10.200.200.103:63354->news.l.google.com:https (CLOSE_WAIT)
NetNewsWi 67771 stephen   21u  IPv4 0x078aa788      0t0  TCP 10.200.200.103:63358->74.125.237.4:http (CLOSE_WAIT)
NetNewsWi 67771 stephen   22u  IPv4 0x0ac1b378      0t0  TCP 10.200.200.103:63359->74.125.237.4:http (CLOSE_WAIT)

in this example tamtam.tomshw.it is one of the many bad hosts mapped to 127.0.0.1.

So coming to the point, is it possible to get Mac OSX to respect and use the first entry in the hosts file:

127.0.0.1 localhost

**ElDiabloConCaca** · April 9th, 2011, 08:04 AM

Which hosts file are you editing -- the one in /etc or the one in /private/etc? It seems Snow Leopard uses the one in /private/etc.

Also, after adding entries into the hosts file, you must flush the DNS cache so that the new entries will be respected, with the following command:

Code:

dscacheutil -flushcache

...does your script do that?

**happykoala** · April 9th, 2011, 08:30 AM

Hi /etc/hosts and /private/etc/hosts are in fact the same file, it is a hidden symbolic link off the root

No, my script doesnt issue that dscacheutil -flushcache command as I had tried it manually and it made no difference, so couldnt see the point. As the system is mapping the 127.0.0.1 to a random name which could never have been derived from dns in the first place, thats why it doesnt help.

No, the problem is not about respecting the new entries, its about Mac OSX using "localhost" for 127.0.0.1 instead of picking a random entry in /etc/hosts. I believe this to be erroneous behaviour in Mac OSX itself.

**ElDiabloConCaca** · April 9th, 2011, 09:05 AM

Can you post your entire hosts file here?

**happykoala** · April 9th, 2011, 12:14 PM

never mind mate - thanks for your help, I switched to opendns. cant fix this problem

**Satcomer** · April 10th, 2011, 06:40 AM

First check with the free program DNSChanger Removal Tool and the free Boonana Trojan Horse Removal Tool. Finally there is the free iServices Trojan Removal Tool if you pirated iWork.

See if any of these free tools help.