[SOLVED] HOSTS File Not Working Right - Trying To Prevent Remote Assistant Scams

Appletax

Solution: block lots of remote assistance websites in the hosts file (see attachment).

---

Got an old client with memory problems that keeps falling for remote assistance scams.

Trying to block remote assistance programs' websites via HOSTS file.

It's only blocking the first website and nothing else.

I deleted the HOSTS file and made a whole new one that I downloaded from MajorGeeks.

Tried purging DNS with CMD.

What's wrong?
 

Resolve the IPs for each of those domains and put those IPs in front of the domains so the IP and domain are blocked like

102.54.94.97 rhino.acme.com # source server
38.25.63.10 x.acme.com # x client host
 
I read that IP addresses for some sites can change so this may not work out ??
 
The second entry in your list (anydesk.com/en) is a URL and not a host name. There are a few more like it later on as well. It's possible that Windows might be getting confused by the "/" symbol and not processing anything further.

Just a guess, and I'm not near enough to a real computer to check it.
 
Better to use the firewall inbound rules > New rule > custom > scope to block unless you think they'll mess with the firewall.

Teamviewer is 178.77.120.0/24
 
I can still go to teamviewer.com

When I ping teamviewer.com, I get a reply from 127.0.0.1

What the heck :/

You would expect this...127.0.0.1 is a loopback address that all Windows computers bind to the local network interface. Since your NIC is alive..it's responding to 127.0.0.1.

However browser is likely caching.
BUT...don't forget to double them....
You told it domain.com is local
But you also have to tell it www.domain.com is local

So double up everything...root domain, as well as the dub dub dub of the domain.

so you want to see patterns like
127.0.0.1 anydesk.com
127.0.0.1 www.anydesk.com
 
And every other sub domain....for example, for splashtop.
you'd have
127.0.0.1 splashtop.com
127.0.0.1 www.splashtop.com
127.0.0.1 sos.splashtop.com <-===since Splashtop's "one time" remote is...this one. Just having the top 2 would not prevent someone from going to sos.splashtop.com
 
Just having the top 2 would not prevent someone from going to sos.splashtop.com
I'm not sure about that. The name would be resolved right to left so unless there's a more specific hostname already in HOSTS wouldn't *.splashtop.com resolve to 127.0.0.1?

(I'm nowhere near a Windows machine to check this - sorry!)

Edited to add: The more I think about this, the more I think you might be right after all. I still think it's worth checking though.
 

It's what I remembered from years ago.....being taught that.
So..I fired up Notepad in admin mode, opened my hosts file...and entered 127.0.0.1 anydesk.com
I saved....and flushed my dns...and then ran a ping to anydesk.com which came back with my loopback address.
I then ran a ping to www.anydesk.com and it came back with replies from 52.85.86.31

I then opened notepad in admin mode...went to my hosts file...added 127.0.0.1 www.anydesk.com
Flushed my dns....ran a ping to www.anydesk.com and came back with replies from loopback.

I then opened up notepad in admin mode, opened hosts file..removed the www.anydesk line..saved.
Flushed DNS
Ran a ping to www.anydesk.com and got replies from.....yup....52.85.86.31

To me, having programs or malware that run in the background as a service is different than just a browser...so, the above behavior I demonstrated is what counts to me. I notice browsers can follow things...or not follow them, reliably. But the malware or remote programs themselves..the services, they can phone back to a DNS name, and to me following what you see in pings is more accurate.
 
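The two hosts-file behaviours raised in this thread (a line such as anydesk.com/en is a URL, not a host name, so the resolver ignores it; and a match is an exact, case-insensitive comparison of the whole name, so anydesk.com does not cover www.anydesk.com or sos.splashtop.com, exactly as the ping experiment above showed) can be checked offline. The following is an added example, not code posted in the thread: it parses a constructed sample hosts file, emulates the resolver's lookup against it, and generates a complete block list with root, www and any other subdomains you name. The sample content, the function names and the subdomain list are assumptions for the demo; on a real machine you would read $env:SystemRoot\System32\drivers\etc\hosts instead.

```powershell
# Added example (not from the thread). Models how Windows consults the hosts file:
#  1. each line is "<ip> <name> [<name>...]", '#' starts a comment, '/' never appears in a host name
#  2. lookup is an exact, case-insensitive match on the whole name; there are no wildcards
# $SampleHosts is constructed for this demo and deliberately contains one bad line.

$SampleHosts = @"
# remote-assistance blocks (constructed sample)
127.0.0.1 anydesk.com
127.0.0.1 anydesk.com/en
0.0.0.0   www.teamviewer.com
0.0.0.0   sos.splashtop.com   # Splashtop one-time remote page
"@

function Get-HostsEntries {
    # Parse hosts-file text into one object per (IP, name) pair, flagging lines the resolver would skip.
    param([Parameter(Mandatory)][string]$Content)
    $lineNo = 0
    foreach ($raw in ($Content -split "`r?`n")) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()          # everything after '#' is a comment
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        $ip   = $fields[0]
        $ipOk = $ip -match '^(\d{1,3}\.){3}\d{1,3}$'     # IPv4 only; enough for this demo
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            [pscustomobject]@{
                Line  = $lineNo
                IP    = $ip
                Name  = $name.ToLowerInvariant()
                # a host name is dot-separated labels of letters, digits and '-'; a '/' or ':' makes it a URL
                Valid = $ipOk -and ($name -match '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$')
            }
        }
    }
}

function Resolve-ViaHosts {
    # Emulate the resolver's hosts lookup: the first exact, case-insensitive whole-name match wins.
    param([Parameter(Mandatory)][object[]]$Entries, [Parameter(Mandatory)][string]$Name)
    $hit = $Entries | Where-Object { $_.Valid -and $_.Name -eq $Name.ToLowerInvariant() } | Select-Object -First 1
    if ($hit) { return $hit.IP }
    return '(not in hosts: goes to DNS)'
}

function New-BlockEntries {
    # Emit one line for the root domain plus each listed subdomain, since none of them is implied by another.
    param([string[]]$Domains, [string[]]$Subdomains = @('www'), [string]$Sink = '0.0.0.0')
    foreach ($d in $Domains) {
        '{0} {1}' -f $Sink, $d
        foreach ($s in $Subdomains) { '{0} {1}.{2}' -f $Sink, $s, $d }
    }
}

$entries = Get-HostsEntries -Content $SampleHosts

# 1. Lines the resolver will ignore (here: line 3, the URL)
$entries | Where-Object { -not $_.Valid } |
    ForEach-Object { "line $($_.Line): '$($_.Name)' is a URL or malformed, it blocks nothing" }

# 2. What each name resolves to with this file in place
foreach ($n in 'anydesk.com', 'www.anydesk.com', 'teamviewer.com', 'SOS.splashtop.com') {
    '{0,-20} -> {1}' -f $n, (Resolve-ViaHosts -Entries $entries -Name $n)
}

# 3. Generate a complete block list; paste it into the real hosts file as admin, then run ipconfig /flushdns
New-BlockEntries -Domains 'anydesk.com', 'splashtop.com' -Subdomains 'www', 'sos'
```

With the sample file, anydesk.com and SOS.splashtop.com come back from hosts, while www.anydesk.com and teamviewer.com fall through to DNS because only the other form of each name is listed. The generator uses 0.0.0.0 as the sink, which is the form the thread settled on; 127.0.0.1 works the same way for name resolution but makes the client connect to its own loopback interface rather than failing outright.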
There's much better ways to do this. To start I'd make him a Standard User. Then use firewall rules to block those apps. It's trivial to find out what executables to block. Just set up an outgoing rule to block anydesk.exe, etc. You should also set him up with one of those free filtering DNS services.
 
I deleted the HOSTS file, again. Made a copy of my Windows 10 HOSTS file. Added entries. Copied over to the other system. Works

127.0.0.1 anydesk.com
127.0.0.1 www.anydesk.com

Etc.

Works.

Neat tool for installing/editing host file.

Just add your own to anywhere in the list following the same pattern.

I am using this now with my own entries :)

Now:

0.0.0.0 anydesk.com

Etc.

Works great!!!! :D:D:D:D

There's much better ways to do this. To start I'd make him a Standard User. Then use firewall rules to block those apps. It's trivial to find out what executables to block. Just setup an outgoing to rule to block anydesk.exe, etc. You should also set him up with one of those free filtering DNS services.

Good ideas!!!

To make the Firewall rules:
  1. I have to first install the programs and then go in and block them?
  2. I have to keep them installed or the rules will be deleted?

Free filtering DNS service.... OpenDNS?

OpenDNS Home

Our nameservers are always:
  • 208.67.222.222
  • 208.67.220.220

 

To be honest just search for block <insert remote access app name> in Windows Firewall. It's not like these things just fell out of a tree last week. And no, if you installed apps removing them does nothing to firewall settings. They're mutually exclusive.
 

Search for programs that are installed? He has AnyDesk installed. I removed it. Sounds like I would need to re-install AnyDesk, block it via Firewall, then uninstall it and the Firewall rule will remain and be there if he installs it again.
 
I guess I wasn't clear enough. Do a Google, Duck-Duck-Go, etc. search. As I said people have been trying to block these things for at least 3-4 years so I'm sure the solution is already there. If you really want to roll your own then install all of them. Right click on each app in W10 start>Properties and you'll see the actual file name. Make the rule then remove the app.
 
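The firewall approach suggested above (find the executable's path, create an outbound block rule, then uninstall) can be scripted instead of clicked through. This is an added example, not code from the thread: it creates path-based outbound block rules in Windows Defender Firewall and then lists them with the program each one is bound to. The rule keys on the file path, so it survives uninstalling the app and takes effect again if the app is reinstalled to the same path, which is the behaviour described in the reply above. Run it from an elevated PowerShell; a Standard User cannot change or delete the rules. The executable paths in $Targets are assumptions (the usual default install locations); confirm each one from the installed program's Properties before using it.

```powershell
# Added example (not from the thread). Path-based outbound block rules for remote-control tools.
# Requires an elevated PowerShell. Paths below are assumed defaults; verify them on the target machine.

$Targets = @{
    'AnyDesk'    = 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe'      # assumption
    'TeamViewer' = 'C:\Program Files\TeamViewer\TeamViewer.exe'      # assumption
}

function Add-OutboundBlockRule {
    # Create one outbound Block rule tied to an executable path; idempotent on re-run.
    param([Parameter(Mandatory)][string]$AppName, [Parameter(Mandatory)][string]$ExePath)
    $display  = "Block $AppName (outbound)"
    $existing = Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue
    if ($existing) { return $existing }                 # already present, do not stack duplicates
    New-NetFirewallRule -DisplayName $display `
        -Description "Blocks $AppName from reaching its relay servers" `
        -Direction Outbound -Action Block -Program $ExePath -Profile Any
}

foreach ($t in $Targets.GetEnumerator()) {
    Add-OutboundBlockRule -AppName $t.Key -ExePath $t.Value | Out-Null
}

# Verify: show each block rule with the program path it is bound to.
Get-NetFirewallRule -DisplayName 'Block * (outbound)' | ForEach-Object {
    $filter = $_ | Get-NetFirewallApplicationFilter
    '{0,-28} {1,-8} {2}' -f $_.DisplayName, $_.Action, $filter.Program
}
```

Because the rule matches on the exact path, a copy of the same program launched from a different location (for example a download run straight from the Downloads folder) is not covered by it; that is why the Standard User account and the filtering DNS service recommended earlier in the thread belong alongside the firewall rules rather than being replaced by them.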
Thank you 🤩
 
I've got another older client that is 85 years old that has an old 4th gen Core i3 laptop that he is replacing with my help. He still wants to keep the old laptop. I was trying to get TeamViewer updated since his daughter uses it to help him, but both the program and the website were blocked. I took a peek at the hosts file and was surprised to see that it had a lot of entries just for blocking remote assistance programs. I wonder who did that for him.

Should I set all clients' hosts files to block remote assistance programs to prevent "hacking", or should I limit it to perhaps people who have been "hacked" and people who are elderly?

Attached is the hosts file from his laptop. Are there anymore entries I should add to the list?
 
