Solved

Wpad.dat hacking attempts?

Posted on 2008-06-16
Last Modified: 2012-06-21
Hello Experts,

I need some urgent help. I've enabled logging on my firewall to log what websites etc. my PCs are trying to access.

After reviewing the logs I notice one specific address most PCs are trying to access throughout the day.

The address is 63.xxx.xxx.xxx/wpad.dat

The 63 IP is the IP of our website, which is not hosted on site.

The users aren't constantly going to this website all day, and in the firewall logs this wpad.dat keeps showing up.

I'm unfamiliar as to what this can be and would like to know if someone is trying to intrude into my network....

I tried going to that URL from my PC and it brings up a page cannot be displayed.

Please let me know what I can do to find out what this is or how to prevent this if this is something malicious. Thanks for your help guys.
Question by:Crucio666
13 Comments
 

Assisted Solution

by:gsdkain
gsdkain earned 150 total points
ID: 21799387
Does this help?

WPAD and WSPAD files
The Wpad.dat file is a Microsoft JScript® file containing a default URL template, constructed by Internet Explorer. Microsoft Internet Security and Acceleration (ISA) Server 2004 constructs the Wspad.dat file to keep Firewall clients informed of all available ISA Server computers, and additional parameters such as a load factor and a state flag to aid the server selection. The Wspad.dat CFILE contains an explicit Time to Live (TTL) entry. After the TTL period expires, the Winsock Proxy client purges the CFILE and attempts to retrieve a new CFILE. The format of the CFILE is the same as the Firewall Client configuration file. In the Common section of the file, the following three entries are displayed:

http://www.microsoft.com/technet/isa/2004/help/SRSP1_CnfWPAD.mspx?mfr=true

Assisted Solution

by:Dave Howe
Dave Howe earned 900 total points
ID: 21800584
or, in human - a wpad.dat file is the file that internet explorer looks for if the checkbox "automatically detect settings" is ticked in the proxy settings screen. the wpad.dat tells it which proxy to use to reach the internet (and can specify different proxies for different sites)

as this checkbox is default for the software (and usually harmless - unless you have a wpad.dat file it defaults back to the hardcoded settings) you tend to see a lot of traffic looking for them.

Author Comment

by:Crucio666
ID: 21802375
i've noticed today some pc's are also going to

wpad.mydomainname.com/wpad.dat

this seems really suspicious, how does the PC's even know to go to that site for a wpad file?

Assisted Solution

by:Dave Howe
Dave Howe earned 900 total points
ID: 21802656
usually, you have configured (in dhcp or on the workstation) a dns name or at least a dns suffix of mydomainname.com. the correct search would be for wpad.machinename.mydomainname.com then wpad.mydomainname.com, then wpad.com

http://wpad.com/ is amusing...

Author Comment

by:Crucio666
ID: 21805290
You can disable WPAD in IE by going to Internet Options, Connections, and then LAN Settings. Unselect "automatically detect settings."
Upgrade to a newer version of Explorer
Check the domain name setting of your computers.


In my Internet Explorer LAN settings I have nothing checked; I have version 7.0 of IE, fully patched.

What does he mean by "check the domain name setting of your computers"?


Assisted Solution

by:Dave Howe
Dave Howe earned 900 total points
ID: 21805570
go to a command prompt and type "ipconfig /all"
look for the word "dns" and see what is set there. you can have a primary dns suffix AND a connection specific one.

Author Comment

by:Crucio666
ID: 21807304
I see the DNS suffix search list. My domain is location.name.com, and I see that there as one; I also see name.com (without location), which is the address of the site that has the wpad it's trying to access. Should this be there?

Assisted Solution

by:Dave Howe
Dave Howe earned 900 total points
ID: 21808979
hey, these are your systems - either these are hardcoded in the machine or picked up with dhcp, either way its not going to have been an accidental setting...
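The DNS suffix behaviour Dave describes above (the client tries wpad.<suffix> for each suffix it is configured with) and the ipconfig /all check from earlier in the thread, worked through as an added example; this is not code from the thread or from Microsoft. The script parses the text that ipconfig /all prints, recovers the suffixes the client appends to unqualified names (the DNS suffix search list, or, when no list is set, the primary suffix devolved to its parent domains, plus any connection-specific suffix handed out by DHCP), and lists the wpad.* names the client will resolve. Any name whose suffix is not a zone your own internal DNS answers for is a lookup that leaves the network; that is where the hits on the public web server's wpad.dat come from, and whoever answers such a lookup can hand every client a proxy. The host names, addresses and ipconfig output below are constructed; the internal zone (location.name.com) is the one named in the thread, and the two-label stop for devolution is this example's assumption.

```javascript
// Added example (not from the original thread): audit which WPAD names a
// Windows client will look up, from the output of "ipconfig /all".
// SAMPLE_IPCONFIG is constructed; replace it with real output to audit a PC.

const SAMPLE_IPCONFIG = `
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-FINANCE-07
   Primary Dns Suffix  . . . . . . . : location.name.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : location.name.com
                                       name.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : location.name.com
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.20.30.41(Preferred)
   DNS Servers . . . . . . . . . . . : 10.20.30.5
                                       10.20.30.6
`;

// Turn "Key . . . : value" lines into a Map of key -> [values]. ipconfig
// prints multi-valued fields (search list, DNS servers) as indented
// continuation lines under the first value, so those are appended to the
// current key. A blank line ends the current field.
function parseIpconfig(text) {
  const fields = new Map();
  // key, then at least one "." (ipconfig's dot leader), then ":" and the value
  const kv = /^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*(?:\.\s*)+:\s?(.*)$/;
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/\s+$/, '');
    if (line.trim() === '') { current = null; continue; }
    const m = kv.exec(line);
    if (m) {
      current = m[1].trim();
      if (!fields.has(current)) fields.set(current, []);
      if (m[2] !== '') fields.get(current).push(m[2].trim());
    } else if (current !== null && /^\s/.test(line)) {
      fields.get(current).push(line.trim());
    }
  }
  return fields;
}

// location.name.com -> [location.name.com, name.com]. Stopping at two labels
// is this example's assumption; the real limit depends on the Windows version
// and the domain name devolution level policy.
function devolve(domain) {
  const labels = domain.toLowerCase().split('.');
  const out = [];
  for (let i = 0; i + 2 <= labels.length; i++) out.push(labels.slice(i).join('.'));
  return out;
}

// The suffixes the client appends, in the order it tries them: the search
// list if one is configured, otherwise the devolved primary suffix, plus any
// connection-specific suffix from DHCP. Duplicates are dropped.
function dnsSuffixes(fields) {
  const get = (k) => (fields.get(k) || []).filter((v) => v !== '');
  let list = get('DNS Suffix Search List');
  if (list.length === 0) {
    const primary = get('Primary Dns Suffix')[0];
    if (primary) list = devolve(primary);
  }
  const out = [];
  for (const s of [...list, ...get('Connection-specific DNS Suffix')]) {
    const l = s.toLowerCase();
    if (!out.includes(l)) out.push(l);
  }
  return out;
}

// Build the wpad.* names the client will resolve and flag every one whose
// suffix is not inside a zone served by your own DNS (internalZones). A
// flagged name is resolved and answered outside your control.
function auditWpad(ipconfigText, internalZones) {
  const zones = internalZones.map((z) => z.toLowerCase());
  const candidates = dnsSuffixes(parseIpconfig(ipconfigText)).map((suffix) => ({
    name: `wpad.${suffix}`,
    suffix,
    internal: zones.some((z) => suffix === z || suffix.endsWith(`.${z}`)),
  }));
  return { candidates, leaking: candidates.filter((c) => !c.internal).map((c) => c.name) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const report = auditWpad(SAMPLE_IPCONFIG, ['location.name.com']);
  for (const c of report.candidates) {
    console.log(`${c.internal ? 'internal       ' : 'LEAVES NETWORK '} ${c.name}`);
  }
}
```

Save the real output with `ipconfig /all > out.txt` and feed it to auditWpad in place of the sample. In the situation from this thread the report flags wpad.name.com: name.com is in the search list but is only answered by the externally hosted DNS for the public website, which is exactly the 63.x.x.x/wpad.dat traffic in the firewall log.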
 

Author Comment

by:Crucio666
ID: 21812082
DHCP is giving out location.name.com on both my DHCP servers; it's not hardcoded onto the machine and I do not see name.com in a GPO policy.... Where else can I specify where to search for DNS suffixes?

Assisted Solution

by:Dave Howe
Dave Howe earned 900 total points
ID: 21812235
tbh I don't know. any results from a registry search on one of the machines?

Author Comment

by:Crucio666
ID: 21812374
Right now in IE nothing is selected in the connection settings. From what I'm reading, I need to have auto detect settings selected for it to look for a wpad file?

Is there a way to set a policy so I can have IE not look for a wpad file or use auto detect settings?

Assisted Solution

by:Dave Howe
Dave Howe earned 900 total points
ID: 21813109
sure, you can set a gpo

User Configuration->Windows Settings->Internet Explorer Maintenance->Connection->Automatic Browser Configuration

Accepted Solution

by:CarlvanEijk
CarlvanEijk earned 450 total points
ID: 22322963
Are you running a proxy server?

if not:

Group policy is the best way to configure IE for your clients.

OR

You can just add a "wpad" entry to your DNS to point to a local server inside your network, and a DHCP option 252 to do the same. WPAD queries will still occur, but at least they'll stay inside your network.
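A concrete form of the DNS/DHCP fix in the accepted solution, added here as an example rather than as code from the thread or from any vendor: the wpad.dat to host on the internal web server that the "wpad" A record (wpad.location.name.com, assumed) and DHCP option 252 (the string http://wpad.location.name.com/wpad.dat, assumed) point at. The file must be reachable as /wpad.dat on port 80 and served with Content-Type application/x-ns-proxy-autoconfig. It is written in the old JScript dialect that IE's PAC engine accepts (var, no modern string methods). The proxy host is a placeholder; if there is no proxy at all, set PROXY to '' and every request is returned DIRECT, which is what the thread's network appears to want.

```javascript
// wpad.dat, added example (not from the original thread). Hosted on the
// internal server so clients that auto-detect settings get this file from a
// host you control instead of from the public web server.

var PROXY = 'PROXY proxy.location.name.com:8080'; // assumed placeholder; '' if no proxy
var INTERNAL_DOMAIN = '.location.name.com';        // the AD domain named in the thread

// IE's PAC engine predates String.prototype.endsWith, so spell it out.
function endsWith(s, suffix) {
  return s.length >= suffix.length && s.substr(s.length - suffix.length) === suffix;
}

// Loopback and RFC 1918 literals never go through the proxy.
function isPrivateIPv4(host) {
  var m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// The entry point every PAC engine calls; the name is fixed by the PAC format.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, the internal domain, localhost and private addresses: direct.
  if (host.indexOf('.') === -1 || endsWith(host, INTERNAL_DOMAIN) ||
      host === 'localhost' || isPrivateIPv4(host)) {
    return 'DIRECT';
  }
  // Everything else: the proxy if one is configured, with a direct fallback.
  return PROXY ? PROXY + '; DIRECT' : 'DIRECT';
}
```

The "; DIRECT" after the proxy means a client silently bypasses the proxy whenever the proxy is down; if the proxy is mandatory (filtering, logging), return PROXY alone. Whatever the file says, the point of hosting it is the one CarlvanEijk makes: the lookups and fetches still happen, but they now terminate on a server you control rather than on whatever answers wpad.name.com on the public internet.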