Compromised Windows System (hosts File Check)

Critical Nessus Plugin ID 23910

Synopsis

The remote Windows host may be compromised.

Description

The remote Windows host's file 'System32\drivers\etc\hosts' pins the name resolution of some sites to localhost or to internal systems. Some viruses and spyware modify this file so that antivirus and other security software can no longer reach their update servers.

Nessus has found one or more suspicious entries in this file that may indicate the remote host is infected by a malicious program.
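The check described above, as an added example that is not the plugin's own code (the plugin's internal domain list is not published on this page): parse the hosts file, and flag any entry that pins a watched vendor domain to a loopback or unspecified address (update blackholed) or to any other address (update redirected). The hosts file content, the WATCHED_DOMAINS suffix list and the example-av.com names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from the page). The
# last three entries are the kind malware adds to block or hijack updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
192.168.1.10    intranet.corp.example
127.0.0.1       update.example-av.com
0.0.0.0         liveupdate.example-av.com
198.51.100.7    www.microsoft.com
"""

# Domain suffixes that a legitimate hosts file should never pin. This is an
# assumed, illustrative list, not the list the Nessus plugin uses.
WATCHED_DOMAINS = {"example-av.com", "microsoft.com", "windowsupdate.com"}


def parse_hosts(text):
    """Yield (line_no, ip_or_None, hostnames) for every effective entry.

    Comments and blank lines are skipped; an entry whose first token is not
    a valid IP address is yielded with ip=None so the caller can flag it.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            yield line_no, None, parts
            continue
        yield line_no, ip, [h.lower().rstrip(".") for h in parts[1:]]


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if name equals or is a subdomain of any watched suffix."""
    return any(name == w or name.endswith("." + w) for w in watched)


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (line_no, verdict, detail) tuples for entries worth a look."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", " ".join(names)))
            continue
        for name in names:
            if not is_watched(name, watched):
                continue
            # Loopback (127/8, ::1) or unspecified (0.0.0.0, ::) means the
            # update host has been sinkholed; anything else is a redirect,
            # which can be worse (traffic goes to an attacker-chosen host).
            if ip.is_loopback or ip.is_unspecified:
                verdict = "blackholed"
            else:
                verdict = "redirected"
            findings.append((line_no, verdict, f"{name} -> {ip}"))
    return findings


def scan_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Scan a real hosts file; default path is the standard Windows location."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for line_no, verdict, detail in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {verdict}: {detail}")
```

Run against the constructed sample, the scan reports lines 6 and 7 as blackholed and line 8 as redirected, while the intranet entry on line 5 is left alone. Redirected entries deserve more urgency than blackholed ones, since a vendor domain pointed at a non-local address can deliver a trojanised update rather than no update at all.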

Solution

Remove the suspicious entries from the hosts file, update your antivirus software, and remove any malicious software.

See Also

http://www.nessus.org/u?b5c6c90d

Plugin Details

Severity: Critical

ID: 23910

File Name: smb_suspicious_host.nasl

Version: 1.24

Type: local

Family: Backdoors

Published: 2006/12/18

Modified: 2018/05/16

Dependencies: 13855, 73980

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated, SMB/WindowsVersion