Compromised Windows System (hosts File Check)

Critical Nessus Plugin ID 23910

Synopsis

The remote Windows host may be compromised.

Description

The remote Windows host's file 'System32\drivers\etc\hosts' pins the name resolution of some hostnames to localhost or to internal systems. Some viruses or spyware modify this file so that antivirus software and other security software can no longer reach their update servers.

Nessus has found one or more suspicious entries in this file that may indicate the remote host is infected by a malicious program.
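The check the description outlines, as an added example that is not the plugin's own NASL code: parse the hosts file the way the Windows resolver does (first token an address, remaining tokens hostnames, '#' starts a comment) and flag any entry that maps a security-vendor or update hostname either to a sinkhole address (loopback, 0.0.0.0, ::) or to some other host. The sample hosts content and the watched-domain list are constructed for this example; the plugin's actual list of hostnames is not published on this page.

```python
import ipaddress
import sys
from dataclasses import dataclass

# Constructed sample hosts file (not taken from a real host). Lines 4-5 are the
# stock loopback entries; lines 7-9 are the kind of entry update-blocking
# malware writes.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example.
#
# address   hostname(s)
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example
127.0.0.1       liveupdate.symantec.com
0.0.0.0         download.windowsupdate.com  update.microsoft.com
192.0.2.10      www.mcafee.com   # redirected to an attacker-controlled host
"""

# Illustrative list of hostnames that update-blocking infections pin. This is an
# assumption for the example, not the plugin's list.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active hosts entry.

    '#' begins a comment (whole line or trailing); blank and one-token lines
    resolve nothing and are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        yield line_no, parts[0], parts[1:]


def _is_watched(hostname):
    """True when hostname is, or is a subdomain of, a watched domain."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def _is_sinkhole(addr):
    """Addresses that make a name resolve to nowhere useful: loopback,
    0.0.0.0 or ::. An unparsable address is treated as not a sinkhole."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_suspicious_entries(text):
    """Return a Finding for every watched hostname pinned in the hosts text.

    The stock 'localhost' loopback entries are benign and ignored. A watched
    hostname is flagged whatever it points at: sinkholed (update fails) or
    redirected (update fetched from a host the attacker chose).
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost":
                continue
            if not _is_watched(name):
                continue
            if _is_sinkhole(addr):
                reason = "update/security domain sinkholed to %s" % addr
            else:
                reason = "update/security domain redirected to %s" % addr
            findings.append(Finding(line_no, addr, name, reason))
    return findings


if __name__ == "__main__":
    # Pass the real file to scan a host, e.g.
    #   python check_hosts.py C:\Windows\System32\drivers\etc\hosts
    # otherwise the constructed sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in find_suspicious_entries(content):
        print("line %d: %s -> %s (%s)" % (f.line_no, f.hostname, f.address, f.reason))
```

Sinkholed and redirected entries are reported separately because they call for different follow-up: a sinkhole only breaks updates, while a redirect to a routable address means the host has been fetching "updates" from a server the attacker controls, which is worth pulling into the incident timeline.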

Solution

Remove the suspicious entries from the hosts file, update your antivirus software, and remove any malicious software.

See Also

http://www.nessus.org/u?b5c6c90d

Plugin Details

Severity: Critical

ID: 23910

File Name: smb_suspicious_host.nasl

Version: 1.26

Type: local

Agent: windows

Family: Backdoors

Published: 12/18/2006

Updated: 4/17/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS Score Rationale: Evidence indicates host may be compromised.

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated, SMB/WindowsVersion