WPAD.dat 404 errors flooding IIS logs

I have a server running Windows 2003 R2 SP2. This is my production web server. Starting on 9/9, the IIS logs have been filling up with errors about a wpad.dat file. I've scanned the machine for malware/viruses with a few different programs and they all come back clean. I've attached a screen shot of the errors. Any help would be appreciated.
alfred_it (VP, IT) Asked:

Dan McFadden (Systems Engineer) Commented:
This is not a virus or malware.  The devices hitting your web server and looking for a wpad.dat are attempting to find a web proxy autodiscovery file... aka: wpad.dat.

link:  https://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

I'll assume that your production server is visible to the Internet and these hits are coming from only external IPs, correct?

The IPs shown in your log example are both from ISPs that provide Internet access:


Name:    cpe-172-250-71-253.socal.res.rr.com  (This is Road Runner, possibly in Southern California)
Address:  172.250.71.253

Name:    pool-71-165-79-166.lsanca.fios.verizon.net (this is a Verizon FiOS customer)
Address:  71.165.79.166

Is your website using "www.YourDomain.com" or "YourDomain.com" for name resolution?

One possible way to mitigate this is to create a wpad A record entry in your external DNS zone that points to "127.0.0.1".  This way if an external device is doing a wpad probe, they won't pick up on a wildcard hit on your domain.  Using "YourDomain.com" is essentially a wildcard (catch all) entry.

You could block these IPs from accessing your website using the "IP address and domain name restrictions" functionality in IIS Manager.

Link:  https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/128d26dd-decb-42f9-8efb-30724d1a2f29.mspx?mfr=true

Dan
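
To gauge how many distinct clients are sending the WPAD probes described in the answer above before choosing between the DNS record and IP blocking, the requests can be tallied per client IP from the IIS W3C log. This is an added example, not part of the original thread; the sample log lines, IP addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not the poster's real log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2015-09-23 14:00:01 GET /wpad.dat - 203.0.113.10 WinHttp-Autoproxy-Service/5.1 404
2015-09-23 14:00:05 GET /default.aspx - 198.51.100.7 Mozilla/5.0 200
2015-09-23 14:00:09 GET /WPAD.DAT - 203.0.113.10 WinHttp-Autoproxy-Service/5.1 404
2015-09-23 14:01:30 GET /wpad.dat - 198.51.100.44 - 404
2015-09-23 14:02:00 GET /images/wpad.dat.png - 198.51.100.7 Mozilla/5.0 404
"""

def wpad_probes(lines):
    """Yield one dict per request whose URI stem is exactly /wpad.dat."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The column layout comes from this directive; it can appear
            # more than once in a file, so re-read it every time.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        row = dict(zip(fields, values))
        if row.get("cs-uri-stem", "").lower() == "/wpad.dat":
            yield row

def summarize(lines):
    """Group WPAD probes by client IP (log entries are assumed chronological)."""
    summary = {}
    for row in wpad_probes(lines):
        entry = summary.setdefault(row.get("c-ip", "?"), {
            "hits": 0, "first": None, "last": None,
            "statuses": Counter(), "agents": set()})
        stamp = f'{row.get("date", "")} {row.get("time", "")}'.strip()
        entry["hits"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        entry["statuses"][row.get("sc-status", "?")] += 1
        entry["agents"].add(row.get("cs(User-Agent)", "-"))
    return summary

if __name__ == "__main__":
    for ip, e in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(ip, e["hits"], e["first"], e["last"], dict(e["statuses"]), sorted(e["agents"]))
```

To run it against a real log, pass an open file object to `summarize()` in place of the sample lines.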

alfred_it (VP, IT; Author) Commented:
Our site uses www.YourDomain.com. I didn't set up the * record. The IPs are all external IPs from various providers. I guess I could block them, but I'm still wondering why this is happening. This is new as of 9/9/15.

Dan McFadden (Systems Engineer) Commented:
It could be a simple hack attempt.  There are a few known wpad.dat hacks that exist.  It could be an attempt to see if your server is vulnerable.

Dan

alfred_it (VP, IT; Author) Commented:
I just blocked the IPs
Question has a verified solution.