How can I log edits to the hosts file?

I'm helping a guy fix his Mac, and he's got some process on there editing his hosts file to redirect queries to the Minecraft authentication servers (authserver.mojang.com and sessionserver.mojang.com) to its own servers. Basically, it's a piracy program that he unknowingly installed, and now we can't get rid of it. The only thing we know it's doing is editing the hosts file, so if there is a way to log hosts file edits, that would be great.

Any other recommendations for fixes would be nice too, of course.


Solution 1:

Open Terminal and run this command:

sudo fs_usage | grep hosts

Anything that reads / writes / modifies that file should be logged clearly. Look at the last entry on the right for the program name. If you see nothing, in another window try these two commands. An edit implies a write to that file.

tail -2 /etc/hosts
cat /etc/hosts

As commented very clearly, if you can’t catch the change, you may have to set up a script to save the contents of the file periodically and then narrow down what can run during the time when it’s being messed with.
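
One way to write the periodic-save script suggested above, as an added example that is not part of the original answer: it keeps a timestamped copy of the hosts file each time the contents change and logs a diff plus the process list at that moment. The script name (hosts_watch.sh), the snapshot directory and the 10-second interval are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical script name: hosts_watch.sh).
# snapshot_hosts FILE DIR
#   returns 0 if a baseline or a change was recorded, 1 if FILE is unchanged.
snapshot_hosts() {
    file=$1
    dir=$2
    latest="$dir/latest"
    mkdir -p "$dir" || return 2

    if [ -f "$latest" ]; then
        # Same bytes as the last snapshot: nothing to record.
        if cmp -s "$file" "$latest"; then return 1; fi
        label=changed
    else
        label=baseline
    fi

    stamp=$(date '+%Y%m%d-%H%M%S')
    {
        echo "=== $stamp $label: $file ==="
        # Unified diff against the previous snapshot shows the added lines.
        if [ -f "$latest" ]; then diff -u "$latest" "$file" || true; fi
        # Process list at detection time; compare it across several changes
        # to narrow down what was running each time the file was modified.
        echo "--- processes ---"
        ps -axo pid,ppid,user,comm 2>/dev/null || true
    } >> "$dir/changes.log"

    cp "$file" "$dir/hosts.$stamp"   # timestamped copy for later review
    cp "$file" "$latest"             # reference for the next comparison
    return 0
}

# watch_hosts [FILE] [DIR] [SECONDS]: poll until interrupted with Ctrl-C.
watch_hosts() {
    while :; do
        snapshot_hosts "${1:-/etc/hosts}" "${2:-$HOME/hosts-watch}" || true
        sleep "${3:-10}"
    done
}

# Start the loop only when asked to: sh hosts_watch.sh watch
if [ "${1:-}" = "watch" ]; then
    shift
    watch_hosts "$@"
fi
```

/etc/hosts is world-readable, so the watcher itself does not need sudo; the results accumulate in changes.log inside the snapshot directory.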