Link to home
Create AccountLog in
Avatar of Crucio666
Crucio666

asked on

Wpad.dat hacking attempts?

Hello Experts,

I need some urgent help. I've enabled logging on my firewall to log what websites etc my pc's are trying to access.

After reviewing the logs i notice one specific address most PC's are trying to access throughout the day.

the address is 63.xxx.xxx.xxx/wpad.dat

the 63 ip is the ip of our website which is not hosted on site.

The users aren't constantly going to this website all day and in the firewall logs this wpad.dat keeps showing up.

I'm unfamiliar as to what this can be and would like to know if someone is trying to intrude my network....

I tried going to that URL from my PC and it brings up a page cannot be displayed.

Please let me know what I can do to find out what this is or how to prevent this if this is something malicious. Thanks for your help guys.
SOLUTION
Avatar of gsdkain
gsdkain

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
Avatar of Crucio666
Crucio666

ASKER

i've noticed today some pc's are also going to

wpad.mydomainname.com/wpad.dat

this seems really suspicious, how does the PC's even know to go to that site for a wpad file?
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
You can disable WPAD in IE by going to Internet Options, Connections, and then LAN Settings. Unselect ``automatically detect settings.''
Upgrade to a newer version of Explorer
Check the domain name setting of your computers.


In my internet explorer for the LAN settings  i have nothing checked, i have version 7.0 of Ie and fully patched.

What does he mean by check the domain anme setting of your computers?

SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
i see the dns suffix search list, my domain is location.name.com, i see that there as one and also i see name.com (without location) this is the address of the site that has the wpad it's trying to access, should this be there?
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
DHCP is giving off location.name.com on both my DHCP servers, it's not hardcoded onto the machine and i do not see name.com located in GPO as a policy....where else can i specify where to search for dns suffix?
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
right now in IE nothing is selected from the connection settings. From what im reading i need to have auto detect settings selected for it to look for a wpad file?

is there a way to set a policy so i can have IE not look for a wpad file or use auto detect settings?
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
ASKER CERTIFIED SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.