Your best bet in figuring out what is happening is to use dtrace or fs_usage.
opensnoop (uses DTrace)
sudo opensnoop -f /private/etc/hosts
might reveal something as this example during a disk write operation:
UID PID COMM FD PATH
0 24386 script 3 /private/r00ted
65 41 mDNSResponder 76 /private/etc/hosts
65 41 mDNSResponder 76 /private/etc/hosts
fs_usage
sudo fs_usage -f /private/etc/hosts
would output similar to:
15:55:52 open private/etc/hosts 0.000085 mDNSResponde
15:55:52 fstat64 0.000002 mDNSResponde
15:55:52 read 0.000006 mDNSResponde
15:55:52 sendto 0.000017 mDNSResponde
15:55:52 recvfrom 0.000004 mDNSResponde
using dtrace opensnoop is much better in my opinion simply because it's easy to use and requires less hunting or refining the command to find what you're looking for.