# Bit Torrent has messed up localhost (127.0.0.1)



## drupaladdict (Jun 25, 2012)

My OS: *Windows 7 professional 64bit*
Developing *Drupal 6* sites locally using *XAMPP 1.7.1*.

I must say first that while local server (*Apache* on *XAMPP*) was runninig, a torrent client (*Bit Torrent*) was running too.

I have eMule running, but I think that is safe.

Yesterday, giving a look to some logs of my Drupal site, I saw I had a lot of log entries of *"Warning"* severity (referring to *"Page not found"* errors) where the message was *"announce"* and a few where was *"scrape"*.

For all of these that I've looked at so far, when I go into the details, the location field will have a long URL starting with *"http://tracker..."* . These are followed by a lot of gibberish that looks like an encrypted string.

Looking for a solution in _StartPage_, I learned these entries (*"announce"* and *"scrape"*) are related to *trackers* generated by *Bit Torrent*.

By examining logs, I discovered *localhost* (127.0.0.1) is accessible using two domains: *"http://localhost"* and *"http://kat.ph"* (?).

Here is the problem... where *"http://kat.ph"* comes from?

I opened my *"hosts"* file on Windows and it is not listed there. I checked *"httpd-vhosts.conf"* out (*\xampp\apache\conf\extra\httpd-vhosts.conf*), but it is not there too.

Digging more I discovered *"kat.ph"* is an external domain pointing to *"KickassTorrents.com"*.

The problem is, even after uninstalling Bit Torrent, when I type *"http://kat.ph"* I get redirected to localhost.

Even more, If I click on a link which begins with *"http://kat.ph"* (i.e. *"http://kat.ph/blogs"*) on any web page on the Internet , I am redirected to my *localhost* site and given that page doesn't exist on my local server, I get a *"Page not found"* error.

It looks like my site on localhost has been _scraped_, all links on the site has been rewritten to be mapping to the new (unwanted) local site.

For example: "*http://localhost*/user/personal-page" is also reachable by typing "*http://kat.ph*/user/personal-page".

How can I get rid of *"http://kat.ph"* pointing to 127.0.0.1? I want only *"http://localhost"* to be mapped to 127.0.0.1.

Is it maybe something related to *ipconfig* in Windows (_subnet mask_, _default gateway_, stuff like that)?

I don't know how to _tweak_ that, I am not expert on Windows.

Thanks for your help, Francesco.


----------



## Ent (Apr 11, 2009)

You could try this, though I suspect the problem is probably somewhat deeper than that.

Close all open web browsers.
Press Start
Type CMD
Right click on CMD.exe and click "Run as Administrator"
Give confirmation and passwords as requested.
Type the following:

```
ipconfig /flushdns
```
Press enter.


----------



## drupaladdict (Jun 25, 2012)

Thanks for trying to help me.

I tried your solution but unfortunately it didn't work.

I found a solution I HAVEN'T tried yet, because I don't know if it could
messed up my internet connection.

Here follows the step-by-step procedure (please, could you tell me what is 
your take on it?):

1. Click on *Start* then *Run*, type *cmd* and press the *OK* button.

2. Type *ipconfig.exe* and press *enter*.

3. Release your current IP by typing the following *ipconfig /release* and then press *enter*.

4. Next type in *ipconfig /renew*

5. Type *exit* to leave the command prompt and get to Windows.

Or simply (alternative equivalent solution):

Right click on your *"Network Connection"* and choose *"REPAIR"*.

What do you think, is this safe? Could it work? 

Francesco.


----------



## Ent (Apr 11, 2009)

Is it safe? Sure it is. It's all standard Microsoft tools used properly. Will it work? I don't know. That depends on what the problem is.

If it doesn't work, try this:
Go to the command line (Press Windows + R, type *CMD *and press enter.)
Type *ipconfig /displaydns*
See what's there about kat.ph.


----------



## drupaladdict (Jun 25, 2012)

Repairing Network Connection didn't work.

The value returned from the prompt command is:

* Record name. . . . . .: 6to4.ipv6.mi
**Record type. . . . . .: 1
**Time To Live. . . . . : 1910
**Data Length. . . . . : 4
**Section. . . . . . . : Answer
**A (Host) Record. . . : 192.88.99.1*

There is nothing about *kat.ph*...

Wait, wait...

I retried by first opening *"http://kat.ph"* in my browser and _THEN_ typing *"ipconfig /displaydns"* at the command prompt.

This time the result is different, here it is:

*kat.ph
----------------------------------------*
*Record name. . . . . .: kat.ph
Record type. . . . . .: 1
Time To Live. . . . . : 889
Data Length. . . . . : 4
Section. . . . . . . : Answer
A (Host) Record. . . : 127.0.0.1*


----------



## Ent (Apr 11, 2009)

I'm afraid that I don't know what's happening in that case. There doesn't seem to be any record of it as far as Windows is concerned. 

Can you think of anything else on your machine, such as web filter software, that may be redirecting the traffic back to the localhost?


----------



## drupaladdict (Jun 25, 2012)

Hi,

I don't know if you noticed I edited my last post.

I retried your suggestion by performing the following steps:

1. Opened the *Command Prompt*
2. Started *XAMPP*
3. Browsed to *"http://kat.ph"*
4. Typed at the *Command Prompt*: *"ipconfig /displaydns*"

A list of records is displayed (most of these records are
external domains starting with *www*).

One of the records is *kat.ph*, here is the full result:

*kat.ph
----------------------------------------
Record name. . . . . .: kat.ph
Record type. . . . . .: 1
Time To Live. . . . . : 889
Data Length. . . . . : 4
Section. . . . . . . : Answer
A (Host) Record. . . : 127.0.0.1*


----------



## valis (Sep 24, 2004)

I'm going to go out on a limb here and wager you got tagged with malware from using torrents........do you have any AV on that rig?


----------



## drupaladdict (Jun 25, 2012)

Yes, *Eset Nod32 Antivirus 5* is running on my machine...


----------



## Ent (Apr 11, 2009)

While Eset is a good AV, it cannot possibly catch everything, especially if you engage in risky behaviour such as using P2P software. It is possible that there's an infection there. But first, lets see if it's something in XAMPP or drupal that has broken.

What happens if you ping kat.ph when XAMPP *isn't* running? (Don't visit it in the browser.)

Close XAMPP
Open an administrator command prompt.
Type _ipconfig /flushdns_ and press enter.
Type _Ping kat.ph _and press enter.


----------



## drupaladdict (Jun 25, 2012)

I have used Bittorrent exclusively to download old-fashioned movies in *AVI* format.

Here is the value returned from the command prompt: 
*
Pinging kat.ph [127.0.0.1] with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms*


----------



## valis (Sep 24, 2004)

drupaladdict said:


> I have used Bittorrent exclusively to download old-fashioned movies in *AVI* format.


Well, that doesn't really matter. I mean, it does, in that it's illegal and I'll probably have to close this thread (I'll check with the admins first), but more importantly, it doesn't matter WHAT you download. If you don't know everyone who is sharing that file, you are messing with everyone who has handled it.

Ent, let me check to see if we can continue on this.......be right back.

thanks,

v


----------



## Ent (Apr 11, 2009)

valis said:


> Ent, let me check to see if we can continue on this.......be right back.
> 
> thanks,
> 
> v


Copy. If so, could you get one of the malware guys to take a look at it?


----------



## valis (Sep 24, 2004)

I've been asking about that, but now we have to clear the torrent issue first.....once someone responds (I've already asked) I'll let you guys know........but yeah, malware was my immediate thought as well.

thanks, 

v


----------



## drupaladdict (Jun 25, 2012)

Uh-oh...

I came here for help, I didn't think I could get in trouble.

Let's say this: I now know that even downloading old-fashioned movies (from the *fifties*) it's illegal.

So *I have just destroyed all my copies, I have uninstalled Bittorrent and never reinstall it again*.

I want also to say: up with *freedom*! I hope one day *democracy comes to America* and Europe and that day could *people* interest be more important than corporate interest.

That day I hope to be able to write everything I want in a forum, *freely*, without being *frightened* to be prosecuted.

*Let's close it here. *

However, I really appreciate you for spending your time in trying to solve my issue. *Thank you, really!* 

Though, I think I'll go in some other places, more democratic and less dangerous where asking for help.

I am thinking about those domains with *".ru"* extension.

Hi,


----------



## valis (Sep 24, 2004)

No worries. I'll close this then. One thing to remember, if/when you do get infected from the torrent sites, we'll still fix ya up. 

thanks, 

v


----------

