Solved

Wpad.dat hacking attempts?

Posted on 2008-06-16
1,395 Views
Last Modified: 2012-06-21
Hello Experts,

I need some urgent help. I've enabled logging on my firewall to log what websites etc. my PCs are trying to access.

After reviewing the logs I notice one specific address most PCs are trying to access throughout the day.

The address is 63.xxx.xxx.xxx/wpad.dat

The 63 IP is the IP of our website, which is not hosted on site.

The users aren't constantly going to this website all day, and in the firewall logs this wpad.dat keeps showing up.

I'm unfamiliar with what this can be and would like to know if someone is trying to intrude on my network...

I tried going to that URL from my PC and it brings up a "page cannot be displayed" error.

Please let me know what I can do to find out what this is, or how to prevent this if it is something malicious. Thanks for your help, guys.
Question by:Crucio666
13 Comments
 

Assisted Solution

by:gsdkain
gsdkain earned 50 total points
ID: 21799387
Does this help?

WPAD and WSPAD files
The Wpad.dat file is a Microsoft JScript® file containing a default URL template, constructed by Internet Explorer. Microsoft Internet Security and Acceleration (ISA) Server 2004 constructs the Wspad.dat file to keep Firewall clients informed of all available ISA Server computers, and additional parameters such as a load factor and a state flag to aid the server selection. The Wspad.dat CFILE contains an explicit Time to Live (TTL) entry. After the TTL period expires, the Winsock Proxy client purges the CFILE and attempts to retrieve a new CFILE. The format of the CFILE is the same as the Firewall Client configuration file. In the Common section of the file, the following three entries are displayed:

http://www.microsoft.com/technet/isa/2004/help/SRSP1_CnfWPAD.mspx?mfr=true
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21800584
Or, in human terms: a wpad.dat file is the file that Internet Explorer looks for if the checkbox "automatically detect settings" is ticked in the proxy settings screen. The wpad.dat tells it which proxy to use to reach the internet (and can specify different proxies for different sites).

As this checkbox is the default for the software (and usually harmless: unless you have a wpad.dat file, it defaults back to the hardcoded settings), you tend to see a lot of traffic looking for them.
0
 

Author Comment

by:Crucio666
ID: 21802375
I've noticed today some PCs are also going to

wpad.mydomainname.com/wpad.dat

This seems really suspicious. How do the PCs even know to go to that site for a wpad file?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21802656
Usually, you have configured (in DHCP or on the workstation) a DNS name or at least a DNS suffix of mydomainname.com. The correct search would be for wpad.machinename.mydomainname.com, then wpad.mydomainname.com, then wpad.com.

http://wpad.com/ is amusing...
0
 

Author Comment

by:Crucio666
ID: 21805290
You can disable WPAD in IE by going to Internet Options, Connections, and then LAN Settings. Unselect "automatically detect settings."
Upgrade to a newer version of Explorer.
Check the domain name setting of your computers.

In my Internet Explorer LAN settings I have nothing checked; I have version 7.0 of IE, fully patched.

What does he mean by "check the domain name setting of your computers"?

0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21805570
Go to a command prompt and type "ipconfig /all".
Look for the word "DNS" and see what is set there. You can have a primary DNS suffix AND a connection-specific one.
0
 

Author Comment

by:Crucio666
ID: 21807304
I see the DNS suffix search list. My domain is location.name.com; I see that there as one, and I also see name.com (without location). This is the address of the site that has the wpad it's trying to access. Should this be there?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21808979
Hey, these are your systems. Either these are hardcoded in the machine or picked up with DHCP; either way it's not going to have been an accidental setting...
0
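As an added example (not code from the thread or from any Experts Exchange member), the Python script below reproduces the lookup order Dave Howe describes above (wpad.<own domain>, walked down one label at a time, then the same walk for every DNS search suffix) and labels which of those names fall outside the domains you control, the same check being discussed for the ipconfig /all output. The hostname, suffix list and trusted-domain list are constructed to match the asker's location.name.com / name.com situation; the "stop at one label" devolution limit is an assumption taken from the thread's "then wpad.com" description.

```python
from typing import Dict, List


def parent_domains(domain: str, min_labels: int = 1) -> List[str]:
    """Walk a DNS name up one label at a time (DNS suffix devolution).

    'location.name.com' -> ['location.name.com', 'name.com', 'com']
    min_labels=1 mirrors the thread's description, which ends at wpad.com.
    """
    labels = [lb for lb in domain.lower().strip(".").split(".") if lb]
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def wpad_candidates(fqdn: str, suffix_list: List[str]) -> List[str]:
    """Return the wpad host names a client would try, in order, without duplicates.

    Order as described in the thread: the host's own domain and its parents,
    then each configured DNS search suffix and its parents.
    """
    domains: List[str] = []
    own = fqdn.lower().split(".", 1)[1] if "." in fqdn else ""
    for start in ([own] if own else []) + list(suffix_list):
        for d in parent_domains(start):
            if d not in domains:
                domains.append(d)
    return ["wpad." + d for d in domains]


def classify(candidates: List[str], trusted_domains: List[str]) -> Dict[str, str]:
    """Label each candidate 'internal' if it sits under a domain you control, else 'external'.

    An 'external' name is one a client would resolve and fetch wpad.dat from
    outside your network, which is what the firewall logs in the question show.
    """
    trusted = [t.lower().strip(".") for t in trusted_domains]
    result: Dict[str, str] = {}
    for name in candidates:
        domain = name[len("wpad."):]
        is_internal = any(domain == t or domain.endswith("." + t) for t in trusted)
        result[name] = "internal" if is_internal else "external"
    return result


if __name__ == "__main__":
    # Constructed inputs: a workstation in location.name.com whose DHCP-supplied
    # suffix search list also contains name.com, the externally hosted website domain.
    cands = wpad_candidates("pc1.location.name.com", ["location.name.com", "name.com"])
    for name, label in classify(cands, ["location.name.com"]).items():
        print(f"{name:28} {label}")
```

Any name reported as "external" is a suffix you should remove from DHCP or the workstation, or override with an internal "wpad" DNS record so the lookup never leaves your network.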
 

Author Comment

by:Crucio666
ID: 21812082
DHCP is giving out location.name.com on both my DHCP servers. It's not hardcoded onto the machine, and I do not see name.com in GPO as a policy. Where else can I specify where to search for a DNS suffix?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21812235
TBH I don't know. Any results from a registry search on one of the machines?
0
 

Author Comment

by:Crucio666
ID: 21812374
Right now in IE nothing is selected in the connection settings. From what I'm reading, I need to have auto detect settings selected for it to look for a wpad file?

Is there a way to set a policy so I can have IE not look for a wpad file or use auto detect settings?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21813109
Sure, you can set a GPO:

User Configuration->Windows Settings->Internet Explorer Maintenance->Connection->Automatic Browser Configuration
0
 
LVL 4

Accepted Solution

by:CarlvanEijk
CarlvanEijk earned 150 total points
ID: 22322963
Are you running a proxy server?

if not:

Group policy is the best way to configure IE for your clients.

OR

You can just add a "wpad" entry to your DNS to point to a local server inside your network, and a DHCP option 252 to do the same. Wpad queries will still occur, but at least they'll stay inside your network.
0