1

Today my ISP blocked my internet due to suspicious activity - outgoing requests to malicious websites. Numerous scans of my machine couldn't reveal the culprit. However, after doing a quick netstat /f I found the following:

TCP    127.0.0.1:5357         101com.com:49168       TIME_WAIT
TCP    192.168.1.21:49169     THOMSON:netbios-ssn    TIME_WAIT
TCP    192.168.1.21:49170     THOMSON:netbios-ssn    ESTABLISHED

TCP    127.0.0.1:49171        101com.com:49172       ESTABLISHED
TCP    127.0.0.1:49172        101com.com:49171       ESTABLISHED

Coincidentally, only a few days ago I decided to start adding servers to my host file. 101com.com appears to be the first entry on my list.

So, am I actually sending out requests to 101com even though it is being blacklisted? And if so, how can it be prevented?

Thanks.

Thomas Dickey
  • 9,100
Berins
  • 23

1 Answers1

2

First, let's make something clear. hosts file doesn't prevent domain name resolution, it only overrides what domains resolve to.

When some program tries to resolve 101com.com, your OS would normally query DNS servers for its IP address. But, if you have it in your hosts file, then 101com.com will be resolved to provided IP without DNS query.

Domain name resolution still happens, but it's handled inside OS. All programs that try to resolve domains will receive IP addresses in response, but it will be the IP you have provided instead of DNS provided one.

101com.com is not "blacklisted", you have only redirected its traffic to your own machine (127.0.0.1).

Now, how can we explain 101com.com in netstat's output? That's pretty simple. netstat will try to reverse lookup domain names for IPs in the third column. You have defined 101com.com as a domain name for 127.0.0.1, so if you have a TCP connection from your machine (127.0.0.1) into your machine (127.0.0.1), then it can be as well shown as a connection from 101com.com to 127.0.0.1.

101com.com still exists for you, but now it points at your computer, not theirs. If your PC says something about 101com.com, it means itself.

This has nothing to do with your ISP and he has no idea you have added some entries to the hosts file.

gronostaj
  • 58,482