
After some support requests from users, I found my website in C:\WINDOWS\system32\drivers\etc\hosts, e.g.:

127.0.0.1 mywebsite.com

Users say they didn't make this change; perhaps some third-party software (e.g. antivirus) has blocked my website for some unknown reason.

Is there a way to detect who changed the hosts file? E.g. Event Viewer, logs, etc.

ar099968
  • hosts is a common file, and the entry you're looking at is a default entry in every hosts file that has not been removed. It is also preceded by a hash or pound sign "#", correct? – music2myear Mar 08 '19 at 17:07
  • Sorry, I used example.com, but I mean my website... – ar099968 Mar 08 '19 at 17:09
  • Windows offers file auditing, but I believe it has to be enabled before the activity you wish to audit occurs: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder – music2myear Mar 08 '19 at 17:15
  • Got it. Thanks for clearing that up and editing the question. (1) You should look into file auditing, and (2) you should check for viruses and malicious activity on the computers you support. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder – music2myear Mar 08 '19 at 17:17
  • Possible duplicate of [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](https://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) – music2myear Mar 08 '19 at 17:18
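The file-auditing approach mentioned in the comments, as an added example that is not part of the original question or any answer: it adds an audit ACE (SACL entry) to the hosts file and then reads the resulting Security-log events (ID 4663, "An attempt was made to access an object") to show which account and which process wrote to it. It assumes an elevated PowerShell session and that the "File System" subcategory of Object Access auditing is enabled; the function names are hypothetical.

```powershell
# Added example (not from the original post): audit writes to the hosts file
# with Windows file-system auditing, then pull the matching events from the
# Security log. Assumes an elevated session and that the "File System"
# subcategory of Object Access auditing is already enabled, e.g.:
#   auditpol /set /subcategory:"File System" /success:enable
# Auditing only records changes made AFTER the SACL is in place.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Enable-HostsFileAudit {
    # Add an audit ACE so successful write/append/attribute/delete accesses
    # by any principal produce Security event 4663 for this file.
    $acl  = Get-Acl -Path $HostsPath -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', 'WriteData, AppendData, WriteAttributes, Delete', 'Success'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $HostsPath -AclObject $acl
}

function Get-HostsFileWriteEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # Write-class bits of the 4663 AccessMask field:
    # FILE_WRITE_DATA 0x2, FILE_APPEND_DATA 0x4, FILE_WRITE_EA 0x10,
    # FILE_WRITE_ATTRIBUTES 0x100, DELETE 0x10000 (editors that save via
    # temp-file-and-rename show up as DELETE on the original file).
    $writeBits = 0x10116
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectName'] -ne $HostsPath) { continue }   # string -ne is case-insensitive
        $mask = [int]$data['AccessMask']                       # e.g. '0x2' -> 2
        if (($mask -band $writeBits) -eq 0) { continue }       # plain reads are noise here
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']   # the editor, installer or AV engine that wrote
            Access  = '0x{0:X}' -f $mask
        }
    }
}

Enable-HostsFileAudit
Get-HostsFileWriteEvents | Sort-Object Time | Format-Table -AutoSize
```

The Process column is usually the useful part: a security product rewriting the file appears under its own service executable, a user edit under notepad.exe or similar.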

1 Answer

> Is there a way to detect who changed the hosts file? E.g. Event Viewer, logs, etc.

tl;dr: Absolutely yes.

If you have money you can use Glasswire without any headache. Glasswire has an option in security settings to monitor 'hosts' and 'lmhosts' file changes.

[Screenshot: GlassWire security settings, "Monitor hosts file" option]

If you want a free solution, use TraceView from the Windows Driver Kit. Install the Windows Driver Kit → run TraceView as administrator → Create New Log Session → Kernel Logger → File I/O → Log Trace Event Data to File → enter the ETL file path you want.

[Screenshot: TraceView kernel-mode trace session settings]

Use TraceFmt to display the trace and find the file change you are looking for. Required command: `tracefmt.exe C:\path\to\ETL-File-Name.etl -displayonly | find /i "hosts"`

If you want more free software, I have an open-source project, TraceEvent @GitHub, which is in development.

Biswapriyo