
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1841

Wpad.dat hacking attempts?

Hello Experts,

I need some urgent help. I've enabled logging on my firewall to log what websites etc. my PCs are trying to access.

After reviewing the logs I notice one specific address most PCs are trying to access throughout the day.

The address is 63.xxx.xxx.xxx/wpad.dat

The 63 IP is the IP of our website, which is not hosted on site.

The users aren't constantly going to this website all day, and in the firewall logs this wpad.dat keeps showing up.

I'm unfamiliar with what this can be and would like to know if someone is trying to intrude into my network....

I tried going to that URL from my PC and it brings up a page cannot be displayed.

Please let me know what I can do to find out what this is or how to prevent this if this is something malicious. Thanks for your help guys.
Asked by: Crucio666

8 Solutions
 
gsdkain commented:
Does this help?

WPAD and WSPAD files
The Wpad.dat file is a Microsoft JScript® file containing a default URL template, constructed by Internet Explorer. Microsoft Internet Security and Acceleration (ISA) Server 2004 constructs the Wspad.dat file to keep Firewall clients informed of all available ISA Server computers, and additional parameters such as a load factor and a state flag to aid the server selection. The Wspad.dat CFILE contains an explicit Time to Live (TTL) entry. After the TTL period expires, the Winsock Proxy client purges the CFILE and attempts to retrieve a new CFILE. The format of the CFILE is the same as the Firewall Client configuration file. In the Common section of the file, the following three entries are displayed:

http://www.microsoft.com/technet/isa/2004/help/SRSP1_CnfWPAD.mspx?mfr=true
 
Dave Howe commented:
Or, in human terms: a wpad.dat file is the file that Internet Explorer looks for if the checkbox "automatically detect settings" is ticked in the proxy settings screen. The wpad.dat tells it which proxy to use to reach the internet (and can specify different proxies for different sites).

As this checkbox is the default for the software (and usually harmless; unless you have a wpad.dat file it defaults back to the hardcoded settings), you tend to see a lot of traffic looking for them.
 
Crucio666 (author) commented:
I've noticed today some PCs are also going to

wpad.mydomainname.com/wpad.dat

This seems really suspicious; how do the PCs even know to go to that site for a wpad file?

 
Dave Howe commented:
Usually, you have configured (in DHCP or on the workstation) a DNS name or at least a DNS suffix of mydomainname.com. The correct search would be for wpad.machinename.mydomainname.com, then wpad.mydomainname.com, then wpad.com.

http://wpad.com/ is amusing...
 
Crucio666 (author) commented:
You can disable WPAD in IE by going to Internet Options, Connections, and then LAN Settings. Unselect "automatically detect settings."
Upgrade to a newer version of Explorer
Check the domain name setting of your computers.


In my Internet Explorer LAN settings I have nothing checked; I have version 7.0 of IE, fully patched.

What does he mean by check the domain name setting of your computers?

 
Dave Howe commented:
Go to a command prompt and type "ipconfig /all".
Look for the word "DNS" and see what is set there. You can have a primary DNS suffix AND a connection-specific one.
 
Crucio666 (author) commented:
I see the DNS suffix search list. My domain is location.name.com, and I see that there as one, but I also see name.com (without location). This is the address of the site that has the wpad it's trying to access; should this be there?
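One way to audit this on a client, as an added example that is not code from the thread: parse the DNS Suffix Search List out of a saved `ipconfig /all` dump (a constructed sample is embedded), derive the wpad hostnames a Windows client may resolve, and list those that fall outside the suffixes you control. The devolution rule and the trusted-suffix list are assumptions, not something the thread states.

```python
import re

# Constructed sample of the relevant `ipconfig /all` lines; the second
# suffix (name.com) mirrors the stray entry found on the clients here.
SAMPLE_IPCONFIG = """\
   Primary Dns Suffix  . . . . . . . : location.name.com
   DNS Suffix Search List. . . . . . : location.name.com
                                       name.com

Ethernet adapter Local Area Connection:
"""

def parse_primary_suffix(text):
    """Return the Primary Dns Suffix value, or '' if none is set."""
    m = re.search(r"Primary Dns Suffix[ .]*: *(\S+)", text)
    return m.group(1).lower() if m else ""

def parse_suffix_search_list(text):
    """Return the DNS Suffix Search List as an ordered list of domains."""
    lines, suffixes = text.splitlines(), []
    for i, line in enumerate(lines):
        if m := re.match(r"\s*DNS Suffix Search List[ .]*: *(\S+)", line):
            suffixes.append(m.group(1).lower())
            for cont in lines[i + 1:]:  # extra suffixes on indented lines
                if ":" in cont or not cont.strip():
                    break
                suffixes.append(cont.strip().lower())
            break
    return suffixes

def wpad_candidates(primary_suffix, search_list):
    """'wpad' joined to each search-list suffix, then the primary suffix
    devolved to its second-level domain (assumed: devolution enabled)."""
    names = ["wpad." + s for s in search_list]
    labels = primary_suffix.split(".") if primary_suffix else []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return list(dict.fromkeys(names))  # de-duplicate, keep order

def external_candidates(candidates, trusted_suffixes):
    """Candidates whose domain is not a suffix you control internally."""
    trusted = {t.lower() for t in trusted_suffixes}
    return [c for c in candidates if c[len("wpad."):] not in trusted]

if __name__ == "__main__":
    cands = wpad_candidates(parse_primary_suffix(SAMPLE_IPCONFIG),
                            parse_suffix_search_list(SAMPLE_IPCONFIG))
    for name in external_candidates(cands, ["location.name.com"]):
        print("WPAD lookup would leave your DNS zones:", name)
```

Run it against a real dump by replacing SAMPLE_IPCONFIG with the file contents; any name it prints is a wpad lookup that DNS will answer from outside your own zones.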
 
Dave Howe commented:
Hey, these are your systems. Either these are hardcoded in the machine or picked up with DHCP; either way it's not going to have been an accidental setting...
 
Crucio666 (author) commented:
DHCP is giving out location.name.com on both my DHCP servers; it's not hardcoded onto the machine and I do not see name.com located in GPO as a policy.... Where else can I specify where to search for DNS suffixes?
 
Dave Howe commented:
TBH I don't know. Any results from a registry search on one of the machines?
 
Crucio666 (author) commented:
Right now in IE nothing is selected from the connection settings. From what I'm reading, I need to have auto detect settings selected for it to look for a wpad file?

Is there a way to set a policy so I can have IE not look for a wpad file or use auto detect settings?
 
Dave Howe commented:
Sure, you can set a GPO:

User Configuration->Windows Settings->Internet Explorer Maintenance->Connection->Automatic Browser Configuration
 
CarlvanEijk commented:
Are you running a proxy server?

If not:

Group policy is the best way to configure IE for your clients.

OR

You can just add a "wpad" entry to your DNS to point to a local server inside your network, and a DHCP option 252 to do the same. Wpad queries will still occur, but at least they'll stay inside your network.
