IMPORTANT: Read the classification explanations BEFORE loading sites listed in this database (classification explanations).


Below are frequently asked questions concerning this website. Should you have a question that is not answered here, please do not hesitate to contact me.

General
  1. How do I submit removal/addition/modification requests?
  2. Is there a current list of available download mirrors?
  3. Who are the "Computer Emergency Response Team"?
  4. Why is there a notice at the top of the page, saying the sites will infect me?
Results
  1. hpHosts detects multiple IPs for {hostname}, is this normal?
  2. hpHosts is telling me {hostname} doesn't resolve, is this normal?
  3. What are the various colours in the hpHosts listing for?
  4. What do the warning messages mean?
  5. What is the MDL Status result for?
  6. Why is the page so slow to load the results?
RSS
  1. How do I filter the RSS feed by classification?
  2. Is there an RSS feed for removals or updates?
Developers
  1. Can I query the hpHosts database from my programs?
Q. How do I submit removal/addition/modification requests?
A. Previously, this could be done via the hpHosts forums. However, the forums were recently maliciously compromised, so I disabled them. Because of this, the only way to submit removal/addition/modification requests at present is to send me an e-mail.

Q. Is there a current list of available download mirrors?
A. Indeed there is. The current list of download mirrors is:

hphosts.gt500.org (courtesy of GT500)
hosts-file.malwareteks.com (courtesy of Malware Teks)
hosts-file.montanamenagerie.org (courtesy of Montana Menagerie)
temerc.com/hphosts (courtesy of TeMerc Internet Countermeasures)
securitycadets.com/download/ (courtesy of Security Cadets)
avant.it-mate.co.uk
archives.mysteryfcm.co.uk
calendarofupdates.com (courtesy of Calendar of Updates)

Q. Who are the Computer Emergency Response Team?
A. Computer Emergency Response Teams (CERTs) are organisations spread around the world that deal with cybercrime such as phishing, malware and hacking.

When the results page loads, you will see one or two CERT contacts, depending on what you queried. For example, if you query a domain name, you will see the CERT details for the domain's TLD (e.g. .com, .biz) and the CERT responsible for the country the IP address is located in.

The CERT displayed when querying an IP is the CERT for that country, for example RU = Russia, CN = China, NZ = New Zealand, NL = Netherlands.

Q. Why is there a notice at the top of the page, saying the sites will infect me?
A. The warning at the top of the site is there because a lot of the sites listed in hpHosts carry exploits. Contrary to popular belief, the notice does not mean that ALL listed sites will infect you just by visiting them: the infection could come via something you choose to download, or the site could be clean and simply be an ad server. The classification assigned to the site determines the risk factor (e.g. EXP = Exploit (dangerous), ATS = Ad/Tracking server (usually benign)).

Q. hpHosts detects multiple IPs for {hostname}, is this normal?
A. In some cases, yes. Some of the larger sites host multiple copies of their site on multiple servers, spread over multiple locations, using load balancing. This helps a site that receives a ton of traffic (e.g. Microsoft, YouTube, Google) to cope without going up and down all the time.

Q. hpHosts is telling me {hostname} doesn't resolve, is this normal?
A. Generally when a hostname does not resolve, it's because:
  1. The domain was temporarily down at the time of the query
  2. The domain is undergoing DNS updates (probably awaiting propagation)
  3. The domain is no longer in use
  4. My DNS server was unable to resolve the domain
  5. A timeout occurred whilst trying to resolve the domain
DNS propagation usually takes anywhere from a few minutes (for a .co.uk, for example) to 72 hours, so it's usually a good idea to keep checking over a 3-4 day period.

hpHosts itself has been coded to use 3 different methods of validation: two via internal DNS servers and one via an external server (courtesy of TeMerc Internet Countermeasures).

You can of course also use external sources to verify whether or not a domain actually does resolve, or whether it's just a propagation issue. The first and most simple is nslookup.

To access nslookup on Windows, go to Start > Run, type cmd and press Enter. Next, enter the following and press Enter:

nslookup hostname.com

Where hostname.com is the hostname you want to verify.

Other sources of validation include:
  1. OpenDNS
  2. RobTex
  3. Trusted Source

Q. What are the various colours in the hpHosts listing for?
A. The different colours have been chosen to reflect the different classifications, from minor to serious (aka very very bad).

If a site is listed and does not have a classification, it is displayed in orange. If a site is listed with the ATS (Ad or Tracking Server) or GRM (Grass Roots Marketing) classification, it is given a yellow rating, as this is classed as minor (i.e. not very bad, just annoying). Dangerous sites (i.e. those with EMD, EXP, PSH etc. classifications) are very bad and are shown in red.

Q. What do the warning messages mean?
A. There are several messages that will be shown depending on conditions. These are:

WARNING: The IP PTR [ PTR ] does not resolve. This is considered very bad practice and contravines the RFC Standards. Most legit ISP's will have their PTR's resolve to an IP.

This message indicates that an IP address's PTR (Pointer record) does not itself resolve to an IP address. This is shown as a warning specifically because a PTR should resolve to an IP address itself, as per the RFC standards.

WARNING: The IP PTR associated with this record, does not resolve back to it's original IP address. This is very bad practice.

Original: IP
PTR IP: PTR


This message indicates that the IP PTR resolves to an IP address that is NOT the original IP that actually pointed to this PTR. In layman's terms, an IP address should normally have a corresponding PTR (Pointer record), and this PTR should always resolve back to the original IP address. For example:

BAD example.com > 1.2.3.4 > ptr.somedomain.com > 0.2.3.4

GOOD example.com > 1.2.3.4 > ptr.somedomain.com > 1.2.3.4

WARNING: The PTR associated with this record appears to be deliberately invalid (if no hostname is specified, it should fail resolution). Chances are high that this is a malicious IP.

This message indicates an IP address is resolving to a PTR record that is not actually a hostname (for example, some malicious IPs have had a pointer record that was simply a "." (period)). If an IP address does NOT have a corresponding PTR that is a hostname, then it should fail resolution. I've never seen any legitimate ISP use this behaviour.
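The three PTR checks described above (PTR does not resolve, PTR does not round-trip to the original IP, PTR is not a hostname) as an added example in Python; this is not hpHosts code. It runs against a constructed in-memory DNS table so it works offline; to run it against live DNS, pass reverse=lambda ip: socket.gethostbyaddr(ip)[0] and forward=lambda n: socket.gethostbyname_ex(n)[2] (catching socket.herror / socket.gaierror as "no record").

```python
# Added example (not hpHosts code): reproduces the FAQ's PTR warnings offline.
FORWARD = {                                  # name -> A records (constructed table)
    "ptr.somedomain.com": ["1.2.3.4"],
    "deadptr.example.org": [],               # PTR name that does not resolve
}
REVERSE = {                                  # ip -> PTR name (constructed table)
    "1.2.3.4": "ptr.somedomain.com",         # GOOD: round-trips to the original IP
    "0.2.3.4": "ptr.somedomain.com",         # BAD: PTR resolves to 1.2.3.4, not 0.2.3.4
    "9.9.9.9": ".",                          # deliberately invalid PTR
    "7.7.7.7": "deadptr.example.org",        # PTR exists but does not resolve
    "8.8.8.8": None,                         # no PTR record at all
}
# Warning texts paraphrased from the FAQ, keyed by check result
WARNINGS = {
    "PTR_NO_RESOLVE": "The IP PTR does not resolve.",
    "PTR_MISMATCH": "The IP PTR does not resolve back to its original IP address.",
    "INVALID_PTR": "The PTR appears to be deliberately invalid.",
}

def fake_reverse(ip):
    return REVERSE.get(ip)

def fake_forward(name):
    return FORWARD.get(name, [])

def looks_like_hostname(ptr):
    """Reject PTR values such as '.' that are not hostnames at all."""
    labels = ptr.rstrip(".").split(".")
    return all(label and label.replace("-", "").isalnum() for label in labels)

def check_ptr(ip, reverse=fake_reverse, forward=fake_forward):
    """Return (status, warning-or-None) for one IP, mirroring the FAQ's PTR warnings."""
    ptr = reverse(ip)
    if ptr is None:
        return "NO_PTR", None                # no PTR: reverse lookup simply fails, no warning
    if not looks_like_hostname(ptr):
        return "INVALID_PTR", WARNINGS["INVALID_PTR"]
    addrs = forward(ptr)
    if not addrs:
        return "PTR_NO_RESOLVE", WARNINGS["PTR_NO_RESOLVE"]
    if ip not in addrs:
        return "PTR_MISMATCH", WARNINGS["PTR_MISMATCH"]
    return "OK", None

if __name__ == "__main__":
    for ip in REVERSE:
        print(ip, *check_ptr(ip))
```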

WARNING: This site is suspected of containing CP (Child Pornography). Unless you are with law enforcement, DO NOT load this site

This message is reserved for sites containing, or suspected of containing, CP (child pornography). Sites with this warning message should NEVER be loaded under any circumstances, unless you are a member of law enforcement (and even then, only with specific authorization from your superiors to investigate such content). All sites with this message are reported to the IWF (Internet Watch Foundation).

Sudosecure.net have identified this IP as a known Waledac source

When you query the hpHosts database, a query is also made against the Sudosecure.net database to check whether the IP address is known to be associated with the Waledac botnet. If this message is displayed, it simply means what it says: the IP address has been identified as a member of the Waledac botnet.

DroneBL have identified this IP as a known drone (abusable or rooted) IP

When you query the hpHosts database, a query is also made against the DroneBL.org database to check whether the IP address is known to be a member of a botnet. If this message is displayed, it means the IP address is known to be a compromised (infected) computer and a botnet member.


Q. What is the MDL Status result for?
A. The MDL result is displayed to tell you whether the site you are querying is listed in the Malware Domain List database. Sites listed within this database should NOT be loaded in a browser.

Q. Why is the page so slow to load the results?
A. There are two main reasons for this. The first is that other similar sites use Ajax, so you see a flashy graphic or similar whilst the results are loading; I don't. I want the site to be friendly even to those, such as myself, who prefer to have JavaScript disabled.

The second reason, and perhaps the main reason, is that the results are not all stored in the database. Some are obtained when you load the page, which means the page has to wait for a response not only from the hpHosts server, but from the DNS servers, the Windows API (which is unbelievably slow sometimes) etc. I could have it obtain the results once, then store them in a cache and always serve them from there, but that risks the information being inaccurate and outdated. I'm working on improving the speed, however.

Q. How do I filter the RSS feed by classification?
A. The RSS feed can be filtered by appending the filter to the end of the RSS feed URL. For example, if you only want EMD entries shown, the RSS feed URL would be:

http://hosts-file.net/rss.asp?class=EMD

Q. Is there an RSS feed for removals or updates?
A. Not at present, no. This is being looked into as a future option.

Q. Can I query the hpHosts database from my programs?
A. Developers can query the online database directly via the following URL:

http://verify.hosts-file.net/

Variables supported (only the first two are mandatory, the rest are optional):

1. Your application's identifier (e.g. the name of your application)

Var: v=

E.g. &v=MyApplication


2. Site/IP being queried

Var: s=
Returns: Listed or Not Listed


3. Date added (where a site is listed)

Var: date=
Returns: Date added to the database


4. Classification (where a site is listed)

Var: class=
Returns: Classification given


5. Return IP address

Var: ip=
Returns: Current IP address, and IP address currently in the database for the queried hostname


6. Return IP PTR

Var: ipptr=
Returns: PTR result for the current IP, and for the IP currently in the database for the queried hostname


7. Return net-block information

Var: nb=
Returns: Net-block information for the queried IP address


As an example:

Return only listed/not listed status
http://verify.hosts-file.net/?v=OEv0.0.7&s=microsoft.com

Return listed/not listed status and classification
http://verify.hosts-file.net/?v=OEv0.0.7&s=microsoft.com&class=true

Return listed/not listed status and date added
http://verify.hosts-file.net/?v=OEv0.0.7&s=microsoft.com&date=true

Return listed/not listed status & IP address
http://verify.hosts-file.net/?v=OEv0.0.7&s=microsoft.com&ip=true

Return listed/not listed status and IP PTR
http://verify.hosts-file.net/?v=OEv0.0.7&s=microsoft.com&ipptr=true

Return listed/not listed status and IP net-block information
http://verify.hosts-file.net/?v=OEv0.0.7&s=microsoft.com&nb=1
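A small client for the verify.hosts-file.net interface described above, added here as an example; it is not hpHosts' own code. It uses only the variables listed in this FAQ (with nb=1 and the others =true, as in the examples), refuses unknown variables, and assumes the response body is plain text containing "Listed" or "Not Listed".

```python
# Added example (not hpHosts code): build and issue verify.hosts-file.net queries.
from urllib.parse import urlencode
from urllib.request import urlopen

VERIFY_URL = "http://verify.hosts-file.net/"
# Optional variables and the values the FAQ's example URLs pass for them
OPTIONAL = {"date": "true", "class": "true", "ip": "true", "ipptr": "true", "nb": "1"}

def build_query(app_id, site, *extras):
    """Return the query URL; v and s are mandatory, extras name optional variables."""
    if not app_id or not site:
        raise ValueError("v (application identifier) and s (site or IP) are mandatory")
    unknown = set(extras) - OPTIONAL.keys()
    if unknown:
        raise ValueError("unsupported variable(s): %s" % sorted(unknown))
    params = [("v", app_id), ("s", site)]
    params += [(k, v) for k, v in OPTIONAL.items() if k in extras]
    return VERIFY_URL + "?" + urlencode(params)

def listed_status(body):
    """Map 'Listed' / 'Not Listed' in the response to True / False (None if neither).
    Assumption: the body is plain text; 'Not Listed' must be tested before 'Listed'."""
    if "Not Listed" in body:
        return False
    if "Listed" in body:
        return True
    return None

def query(app_id, site, *extras, timeout=10):
    """Fetch the raw response text for one query (requires network access)."""
    with urlopen(build_query(app_id, site, *extras), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    # Prints the URL that would be requested; call query() to actually fetch it.
    print(build_query("MyApplication", "microsoft.com", "class", "nb"))
```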