Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

What are these 127.0.0.1 entries in my system hosts file?

Question:

I've looked in my "\windows\system32\drivers\etc\hosts" file and
found a number of entries that all begin with 127.0.0.1.

1. What are all those identical seemingly IP addresses,
127.0.0.1?

2. The sites listed, are they on my system and bad or are they being
blocked from my computer to reach them (just like what you had stated
Sasser, sometimes does to reach Anti-virus sites for definition
updates?

3. What should I do with this list? Shall I delete these sites and
only keep the localhost line?

127.0.0.1 is "special", and refers to your own computer. It's used
for both good and evil. The trick here is to understand which, and
perhaps how these entries appeared on your computer in the first
place.

Become a Patron of Ask Leo! and go ad-free!

As I said, 127.0.0.1 is a special IP address that is always defined
to refer to the local computer. So whenever a computer attempts to
connect to 127.0.0.1 it's really attempting to connect to itself.

Now, unless you're running a web server on your own machine (highly
unlikely unless you explicitly set it up), and if a web browser tries
to connect to 127.0.0.1 that connection will fail - there's no web
server to answer the call.

The other piece of this puzzle is to realize that entries in your
hosts file take priority over "real" lookups. For example, if you put
this in your hosts file:

127.0.0.1 google.com
127.0.0.1 www.google.com

"... 127.0.0.1 is a special IP address that is
always defined to refer to the local computer."

you'll no longer be able to access Google. Your browser would
request the IP address for google.com, the system would find it in your
hosts file first and assume that was the correct address. Your browser
would attempt to access 127.0.0.1, your own computer, and that would
fail.

From this comes one ad blocking technique that places these
kinds of entries into your hosts file for known advertising sites. That
way, when your browser attempts to access them to fetch an ad, that
fails and no ad is displayed. It can also be used to prevent access to
sites that are known to be malicious in nature.

In looking at the list provided by the person asking the question,
that appears to be what's happening here. These appear to be
advertising or malware sites that have been blocked.

Now, the question is: how did this list get there?

I'm going to assume that since you're asking, you didn't put it
there. Manually installing such a list is the most common approach.

The other alternative is that some anti-malware or firewall package
you're using added the list for you. I'd check the various packages
you're running to see if perhaps that's part of the feature list.

One way that the hosts file gets abused is by malware.

As we've seen, we can block access to certain sites by creating a
"127.0.0.1" entry in the hosts file. What some malware does is exactly
that - to block anti-malware companies.

For example, malware might install hosts entries to block your
anti-virus software from updating itself or its malware definition. If
your infection occurs prior to the definitions being updated to detect
it, the malware has effectively hidden such that it will never be
discovered as your anti-malware will never be able to update
itself.

So if you see a list of domains like symantec.com,
ca.com, and the domains of other well known anti-malware companies, you
can pretty much bet that something's up. You can delete them if you
like, but I'm guessing that a) it's too late because you're infected, and b)
the malware will just add them back.

The good news in all this is that most anti-malware software is very
aware of the potential for hosts file abuse. Some anti-spyware software
will go so far as to lock the file so that it can't be modified, and
most others will notify you if it changes unexpectedly.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

12 comments on “What are these 127.0.0.1 entries in my system hosts file?”

  1. In addition to routing anti-malware sites to 127.0.0.1, I have seen malware actually direct it to their own sites.

    Imagine what would happen if your hosts file pointed http://www.google.com to an IP address owned by a “bad guy”, and instead of searching via Google, you were searching using a paid advertising site. Even if it did nothing else to your system, it would make money for the “bad guy”.

    Reply
  2. What a fantastic article! I’ve been trying to get my head-around the hosts file for a while, this explained it perfectly.

    Now, the path to it! ….\etc\ Is that pronounced ‘et cetera’ or is it an acronym? Or neither?

    Just wondered, because I occasionally direct someone to this location & wonder if I’m saying *ETC* (The letters), or ‘Et Cetera’.

    Just for reference!…..

    Great article though, now I understand!

    ETC is short for et cetera. It’s actually goes back to the originally developed Unix systems many years ago. Certain folders were defined to hold certain things, but they needed a place to put random stuff or “everything else” … hence “et cetera” or /etc/. It’s used in various ways to similar effect to this day.

    -Leo

    Reply
  3. The anti-spyware program I use puts blocked sites into the hosts list. I use spybot. If you are using that program then that is where that long list of sites came from.

    Reply
  4. No Leo, it’s not an incorrect attempt to do the same thing as 127.0.0.1 I think, because there are hundreds of 0.0.0.0-entries and they come from the RogueRemoverPro application.

    Reply
  5. Ok now what if you dont have anything in that file is that good or bad. When I follow the path “\windows\system32\drivers\etc\hosts” hosts shows it as being a file and no files in it. Ok so some of us only know how to turn it on…

    An empty or mostly empty hosts file is common, and in fact how Windows comes by default.

    -Leo

    Reply
  6. The routing tables use 0.0.0.0 to signify the default network connection in XP. I would think specifying this in your host file would just cause your computer to time out and get confused.

    Definitely cause slow downs…

    Reply
  7. what if my hosts file does not contain a 127.0.0.1 number or a 0.000…etc number? i am trying to block a website on google chrome and i have no idea how to do it…..please help….

    As the article outlines, just add the lines you want.

    – Leo
    21-Jul-2009

    Reply
  8. Hi, Leo. Excellent article.
    I have a Q.
    My hosts file has 2 lines after comment:

    127.0.0.1 localhost
    ::1 localhost

    What’s the effect of second line (::1 localhost)?
    What happens if I get rid of both of those lines and replace it with a host name that I want to block? Should I save those lines and just another host that I want to block?
    Your answer will be very appreciated.

    Leave them both in, and add whatever you want to block underneat. 127.0.0.0 means “this computer”, i.e. the computer itself more commonly known as localhost. ::1 is the same thing in IPv6 – a newer addressing scheme that may (or may not) eventually replace the current IPv4.

    Leo
    12-Aug-2009

    Reply
  9. So what happens if you delete the lines with 127.0.0.1, does you computer still work properly and all services still work as long as they don’t access 127.0.0.1, also when we assign a IP to the m/c, that IP and this 127.0.0.1 address both now refer to this computer? can a linux box function normally if i delete that line or it is die die reqd for something? thanks so much the article is gr8…

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.