Solved

Wpad.dat hacking attempts?

Posted on 2008-06-16
1,442 Views
Last Modified: 2012-06-21
Hello Experts,

I need some urgent help. I've enabled logging on my firewall to log what websites etc. my PCs are trying to access.

After reviewing the logs I notice one specific address most PCs are trying to access throughout the day.

The address is 63.xxx.xxx.xxx/wpad.dat

The 63 IP is the IP of our website, which is not hosted on site.

The users aren't constantly going to this website all day, and in the firewall logs this wpad.dat keeps showing up.

I'm unfamiliar with what this can be and would like to know if someone is trying to intrude on my network....

I tried going to that URL from my PC and it brings up a "page cannot be displayed".

Please let me know what I can do to find out what this is, or how to prevent this if it is something malicious. Thanks for your help guys.
0
Question by:Crucio666
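Before asking whether the traffic is malicious, it helps to see which destinations the wpad.dat fetches actually reach and how many clients are involved. The script below is an added example, not part of the original question or any answer in the thread: it parses a few constructed firewall log lines in an assumed generic "date time src dst method url" layout (no particular vendor's format), groups the wpad.dat requests by destination and requested hostname, and flags the groups whose destination lies outside the RFC 1918 address space. The address 203.0.113.5 is a constructed stand-in for the off-site web host the question calls 63.xxx.xxx.xxx, and the hostnames are the ones named later in the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). The layout
# "date time src_ip dst_ip method url" is an assumed generic format, not any
# particular firewall's. 203.0.113.5 stands in for the off-site web host the
# question calls 63.xxx.xxx.xxx; the hostnames mirror the ones named in the thread.
SAMPLE_LOG = """\
2008-06-16 08:01:12 10.1.2.15 203.0.113.5 GET http://203.0.113.5/wpad.dat
2008-06-16 08:01:13 10.1.2.15 10.1.2.8 GET http://wpad.location.name.com/wpad.dat
2008-06-16 08:02:40 10.1.2.22 203.0.113.5 GET http://wpad.name.com/wpad.dat
2008-06-16 08:03:05 10.1.2.22 203.0.113.5 GET http://203.0.113.5/wpad.dat
2008-06-16 08:05:51 10.1.2.31 198.51.100.7 GET http://www.example.com/index.html
2008-06-16 08:06:02 10.1.2.31 203.0.113.5 GET http://wpad.name.com/wpad.dat
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^\s]*)?$")

# Address space the organisation considers "inside" (assumed RFC 1918 here).
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_internal(ip, nets=INTERNAL_NETS):
    """True when the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def triage_wpad_requests(log_text, nets=INTERNAL_NETS):
    """Group wpad.dat fetches by (destination IP, requested hostname) and flag
    the groups whose destination lies outside the internal address space.
    Returns a list of dicts, external destinations first, busiest first."""
    groups = defaultdict(lambda: {"count": 0, "sources": set()})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        u = URL_RE.match(m["url"])
        if not u or not (u["path"] or "").lower().endswith("/wpad.dat"):
            continue  # only WPAD fetches are of interest here
        g = groups[(m["dst"], u["host"].lower())]
        g["count"] += 1
        g["sources"].add(m["src"])
    report = [
        {
            "dst": dst,
            "host": host,
            "requests": g["count"],
            "clients": len(g["sources"]),
            "external": not is_internal(dst, nets),
        }
        for (dst, host), g in groups.items()
    ]
    # External destinations first, then the ones touched by the most clients.
    report.sort(key=lambda r: (not r["external"], -r["clients"], -r["requests"]))
    return report


def external_wpad_hosts(report):
    """Hostnames whose wpad.dat fetches left the network, e.g. for a DNS follow-up."""
    return sorted({r["host"] for r in report if r["external"]})


if __name__ == "__main__":
    for row in triage_wpad_requests(SAMPLE_LOG):
        flag = "EXTERNAL" if row["external"] else "internal"
        print(f"{flag:8} {row['dst']:15} {row['host']:30} "
              f"{row['requests']} requests from {row['clients']} client(s)")
```

Two groups come out flagged: the fetches addressed to the off-site host by IP and the ones for wpad.name.com that resolve to it. A fetch for wpad.location.name.com that stays on 10.1.2.8 is reported but not flagged. Many distinct clients hitting the same external host at roughly the same cadence is what an automatic proxy discovery looks like; a single client hammering an address nobody else touches would be the pattern worth a closer look.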
13 Comments
 

Assisted Solution

by:gsdkain
gsdkain earned 50 total points
ID: 21799387
Does this help?

WPAD and WSPAD files
The Wpad.dat file is a Microsoft JScript® file containing a default URL template, constructed by Internet Explorer. Microsoft Internet Security and Acceleration (ISA) Server 2004 constructs the Wspad.dat file to keep Firewall clients informed of all available ISA Server computers, and additional parameters such as a load factor and a state flag to aid the server selection. The Wspad.dat CFILE contains an explicit Time to Live (TTL) entry. After the TTL period expires, the Winsock Proxy client purges the CFILE and attempts to retrieve a new CFILE. The format of the CFILE is the same as the Firewall Client configuration file. In the Common section of the file, the following three entries are displayed:

http://www.microsoft.com/technet/isa/2004/help/SRSP1_CnfWPAD.mspx?mfr=true
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21800584
Or, in human - a wpad.dat file is the file that Internet Explorer looks for if the checkbox "automatically detect settings" is ticked in the proxy settings screen. The wpad.dat tells it which proxy to use to reach the internet (and can specify different proxies for different sites).

As this checkbox is on by default for the software (and usually harmless - unless you have a wpad.dat file it defaults back to the hardcoded settings) you tend to see a lot of traffic looking for them.
0
 

Author Comment

by:Crucio666
ID: 21802375
I've noticed today some PCs are also going to

wpad.mydomainname.com/wpad.dat

This seems really suspicious; how do the PCs even know to go to that site for a wpad file?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21802656
Usually, you have configured (in DHCP or on the workstation) a DNS name or at least a DNS suffix of mydomainname.com. The correct search would be for wpad.machinename.mydomainname.com, then wpad.mydomainname.com, then wpad.com.

http://wpad.com/ is amusing...
0
 

Author Comment

by:Crucio666
ID: 21805290
You can disable WPAD in IE by going to Internet Options, Connections, and then LAN Settings. Unselect "automatically detect settings."
Upgrade to a newer version of Explorer
Check the domain name setting of your computers.


In my Internet Explorer LAN settings I have nothing checked; I have version 7.0 of IE, fully patched.

What does he mean by check the domain name setting of your computers?

0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21805570
Go to a command prompt and type "ipconfig /all".
Look for the word "DNS" and see what is set there. You can have a primary DNS suffix AND a connection-specific one.
0
 

Author Comment

by:Crucio666
ID: 21807304
I see the DNS suffix search list. My domain is location.name.com; I see that there as one, and also I see name.com (without location). This is the address of the site that has the wpad it's trying to access; should this be there?
0
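The search order Dave Howe describes, combined with the suffix list this comment reports, is exactly what decides whether a wpad lookup stays on the internal DNS servers or walks out to a domain hosted elsewhere. The script below is an added example, not code from anyone in the thread: it parses the DNS-related lines of a constructed "ipconfig /all" excerpt (primary suffix location.name.com, a search list that also carries name.com), generates the wpad hostnames a discovery walk would try by stripping one label at a time from each suffix, and marks each candidate as answered internally or as leaving the network. The list of internal zones is an assumption (only location.name.com, since the thread says name.com is hosted off site). By default the walk stops at the second-level domain; passing min_labels=1 continues to the wpad.com step named in the reply above.

```python
import re

# Constructed "ipconfig /all" excerpt (not from the original post), carrying the
# suffixes the thread reports: primary suffix location.name.com and a search
# list that also carries name.com. Only the DNS-related lines matter here.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WORKSTATION01
   Primary Dns Suffix  . . . . . . . : location.name.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : location.name.com
                                       name.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : location.name.com
   IP Address. . . . . . . . . . . . : 10.1.2.15
"""

# DNS zones the organisation's own servers answer for. name.com itself is
# hosted off site in the thread, so it is deliberately not listed (assumption).
INTERNAL_ZONES = ["location.name.com"]


def parse_ipconfig_suffixes(text):
    """Pull the primary suffix, connection-specific suffixes and the suffix
    search list out of ipconfig /all output. Continuation lines of the search
    list are indented and carry no ':'."""
    primary, conn, search = None, [], []
    in_list = False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"^\s*Primary Dns Suffix[ .]*:\s*(\S*)", line, re.I)
        if m:
            primary = m.group(1) or None
            in_list = False
            continue
        m = re.match(r"^\s*Connection-specific DNS Suffix[ .]*:\s*(\S*)", line, re.I)
        if m:
            if m.group(1):
                conn.append(m.group(1))
            in_list = False
            continue
        m = re.match(r"^\s*DNS Suffix Search List[ .]*:\s*(\S*)", line, re.I)
        if m:
            if m.group(1):
                search.append(m.group(1))
            in_list = True
            continue
        if in_list and line.startswith(" ") and ":" not in line and line.strip():
            search.append(line.strip())  # indented continuation of the list
            continue
        in_list = False
    return primary, conn, search


def devolve(domain, min_labels=2):
    """Strip leading labels one at a time: a.b.c -> [a.b.c, b.c] with min_labels=2."""
    labels = [l for l in domain.lower().strip(".").split(".") if l]
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def wpad_candidates(suffixes, min_labels=2):
    """Ordered, de-duplicated hostnames a WPAD DNS discovery would try, walking
    each suffix down. min_labels=2 stops at the second-level domain;
    min_labels=1 continues to the bare TLD (wpad.com)."""
    seen, out = set(), []
    for s in suffixes:
        if not s:
            continue
        for d in devolve(s, min_labels):
            h = "wpad." + d
            if h not in seen:
                seen.add(h)
                out.append(h)
    return out


def classify(candidates, internal_zones=INTERNAL_ZONES):
    """Pair each candidate with whether an internal DNS server would answer it."""
    zones = [z.lower().strip(".") for z in internal_zones]
    return [
        (h, "internal" if any(h.endswith("." + z) for z in zones) else "leaves network")
        for h in candidates
    ]


def audit(ipconfig_text, internal_zones=INTERNAL_ZONES, min_labels=2):
    """End-to-end: ipconfig text -> suffixes -> wpad candidates -> classification."""
    primary, conn, search = parse_ipconfig_suffixes(ipconfig_text)
    return classify(wpad_candidates([primary] + conn + search, min_labels), internal_zones)


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_IPCONFIG, min_labels=1):
        print(f"{host:28} {verdict}")
```

With the suffix list from this comment the walk tries wpad.location.name.com first, which the internal servers answer, and then wpad.name.com, which is resolved by whoever hosts name.com. That second step is why the firewall logs show wpad.dat fetches going to the off-site web server's address, and why a suffix of name.com in the search list is worth pinning down to its source.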
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21808979
Hey, these are your systems - either these are hardcoded in the machine or picked up with DHCP; either way it's not going to have been an accidental setting...
0
 

Author Comment

by:Crucio666
ID: 21812082
DHCP is giving out location.name.com on both my DHCP servers; it's not hardcoded onto the machine and I do not see name.com located in GPO as a policy.... Where else can I specify where to search for DNS suffixes?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21812235
TBH I don't know. Any results from a registry search on one of the machines?
0
 

Author Comment

by:Crucio666
ID: 21812374
Right now in IE nothing is selected in the connection settings. From what I'm reading, I need to have auto detect settings selected for it to look for a wpad file?

Is there a way to set a policy so I can have IE not look for a wpad file or use auto detect settings?
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 300 total points
ID: 21813109
Sure, you can set a GPO:

User Configuration->Windows Settings->Internet Explorer Maintenance->Connection->Automatic Browser Configuration
0
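Whether a given user profile will actually search for wpad.dat is recorded in the per-user DefaultConnectionSettings value that the LAN Settings dialog and the GPO above both write, so decoding it is a quick way to confirm a policy took effect. The script below is an added example, not code from the thread or from Microsoft: it decodes that binary value, reporting whether the "Automatically detect settings" bit is set alongside any configured PAC URL or manual proxy. The layout assumed here (three little-endian DWORDs for version, change counter and flags, then three length-prefixed strings for proxy, bypass list and PAC URL, with flag bits 0x02 manual proxy, 0x04 PAC script and 0x08 auto-detect) follows public descriptions of the value; the encoder exists only to construct sample blobs so the decoder can run offline, and the registry read is attempted only on Windows.

```python
import struct
import sys

# Bit flags in the third DWORD of the DefaultConnectionSettings value (layout
# assumed here from public descriptions of the value, not from the thread).
FLAG_DIRECT = 0x01        # always set
FLAG_MANUAL_PROXY = 0x02  # "Use a proxy server for your LAN"
FLAG_PAC_URL = 0x04       # "Use automatic configuration script"
FLAG_AUTO_DETECT = 0x08   # "Automatically detect settings" -> WPAD lookups

REG_PATH = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
REG_VALUE = "DefaultConnectionSettings"


def build_settings(flags, proxy="", bypass="", pac_url="", version=0x46, counter=1):
    """Constructed encoder used only to produce sample blobs for the decoder:
    three little-endian DWORDs (version, change counter, flags) followed by
    three length-prefixed ASCII strings and a zero-filled tail."""
    def lp(s):
        b = s.encode("ascii")
        return struct.pack("<I", len(b)) + b
    header = struct.pack("<III", version, counter, flags)
    return header + lp(proxy) + lp(bypass) + lp(pac_url) + b"\x00" * 32


def decode_settings(blob):
    """Parse a DefaultConnectionSettings blob into the effective LAN settings.
    Raises ValueError on a truncated or malformed blob instead of guessing."""
    if len(blob) < 24:
        raise ValueError("blob too short for header and three length fields")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    off, fields = 12, []
    for name in ("proxy", "bypass", "pac_url"):
        if off + 4 > len(blob):
            raise ValueError(f"missing length for {name}")
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if n > len(blob) - off:
            raise ValueError(f"{name} string runs past end of blob")
        fields.append(blob[off:off + n].decode("ascii", "replace"))
        off += n
    proxy, bypass, pac_url = fields
    return {
        "version": version,
        "flags": flags,
        "auto_detect": bool(flags & FLAG_AUTO_DETECT),
        "pac_url": pac_url if flags & FLAG_PAC_URL else "",
        "proxy": proxy if flags & FLAG_MANUAL_PROXY else "",
        "bypass": bypass if flags & FLAG_MANUAL_PROXY else "",
    }


def wpad_lookups_expected(settings):
    """True when this profile will search DNS/DHCP for wpad.dat."""
    return settings["auto_detect"]


def read_current_user_blob():
    """Fetch the live value on Windows; returns None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_PATH) as key:
            value, _type = winreg.QueryValueEx(key, REG_VALUE)
            return bytes(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Off Windows, fall back to a constructed blob with auto-detect switched on.
    blob = read_current_user_blob() or build_settings(FLAG_DIRECT | FLAG_AUTO_DETECT)
    s = decode_settings(blob)
    print("auto-detect (WPAD):", s["auto_detect"],
          "| PAC:", s["pac_url"] or "-", "| proxy:", s["proxy"] or "-")
```

Run it under the affected user account on one of the clients after the policy has applied; a profile that still reports auto-detect as set will keep issuing wpad lookups regardless of what the dialog shows. The same decoder works on the value exported from another user's hive, which is useful when the lookups are coming from service accounts rather than interactive users.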
 
LVL 4

Accepted Solution

by:CarlvanEijk
CarlvanEijk earned 150 total points
ID: 22322963
Are you running a proxy server?

If not:

Group policy is the best way to configure IE for your clients.

OR

You can just add a "wpad" entry to your DNS to point to a local server inside your network, and a DHCP option 252 to do the same. WPAD queries will still occur, but at least they'll stay inside your network.
0
