Saturday, 21 February 2015

Rogue WPAD server attack

Today I encountered something I have certainly not seen before first hand. Our IDS blocked some outbound traffic attempts from 5 servers with no WAN access. This traffic was leading to an inactive address hosting a nonexistent wpad.dat file. 208.91.197.132/wpad.dat is the address and file.

These devices do not use DHCP, and therefore could not have been accessing a bad record. DNS that these devices use appears to be unpoisoned. The only thing left, and what I predict, is that WPAD is relying on NetBIOS broadcast to find a WPAD server, which is then forwarding to the above address.

The IDS blocked attempts starting 2 days ago, about every hour, and the IDS block logs matched up perfectly with outbound WSUS http requests.

There isn't any infection we have definitions for on the affected hosts.

Any ideas? At this point, I believe a device made its way onto the network and WPAD picked it up.

No, we aren't running IE 5.0 :)
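As an added example (not code from the original post), a small Python detection pass over a constructed IDS log excerpt: it flags wpad.dat fetches aimed at anything other than the expected internal WPAD server, and counts how many of those are immediately followed by a WSUS request from the same host, which is the correlation the post describes. The log line format, the internal addresses and the WSUS ports are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IDS log excerpt (not from the original post); the line format is assumed.
SAMPLE_LOG = """\
2015-02-19 09:02:14 BLOCK src=10.20.0.11 dst=208.91.197.132 dport=80 uri=/wpad.dat
2015-02-19 09:02:15 ALLOW src=10.20.0.11 dst=10.20.0.5 dport=8530 uri=/ClientWebService/client.asmx
2015-02-19 10:02:09 BLOCK src=10.20.0.12 dst=208.91.197.132 dport=80 uri=/wpad.dat
2015-02-19 10:02:10 ALLOW src=10.20.0.12 dst=10.20.0.5 dport=8530 uri=/ClientWebService/client.asmx
2015-02-19 10:05:00 ALLOW src=10.20.0.13 dst=10.20.0.2 dport=80 uri=/wpad.dat
2015-02-19 11:02:12 BLOCK src=10.20.0.11 dst=208.91.197.132 dport=80 uri=/wpad.dat
"""
KNOWN_WPAD_SERVERS = {"10.20.0.2"}   # assumed legitimate internal proxy-config host
WSUS_PORTS = {"8530", "8531"}        # default WSUS HTTP/HTTPS ports (assumed in use here)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) uri=(?P<uri>\S+)$"
)

def parse_log(text):
    """Return one dict per well-formed line with the timestamp parsed; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            records.append(rec)
    return records

def is_rogue_wpad(rec, known=KNOWN_WPAD_SERVERS):
    # A wpad.dat fetch is suspicious whenever it targets a host that is not an expected WPAD server.
    return rec["uri"].lower().endswith("/wpad.dat") and rec["dst"] not in known

def find_rogue_wpad(records, known=KNOWN_WPAD_SERVERS):
    """Map each source host to the sorted list of unexpected hosts it asked for wpad.dat."""
    hits = defaultdict(set)
    for rec in records:
        if is_rogue_wpad(rec, known):
            hits[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

def wpad_followed_by_wsus(records, window=timedelta(seconds=5), known=KNOWN_WPAD_SERVERS):
    """Return (matched, total): rogue wpad.dat attempts that a WSUS request from the same host follows within `window`."""
    wsus = [r for r in records if r["dport"] in WSUS_PORTS]
    rogue = [r for r in records if is_rogue_wpad(r, known)]
    matched = sum(1 for r in rogue if any(
        w["src"] == r["src"] and timedelta(0) <= w["ts"] - r["ts"] <= window for w in wsus))
    return matched, len(rogue)
```

A matched/total ratio close to 1 supports the theory that the Windows Update client's automatic proxy lookup is what triggers the WPAD fetch, and the per-host map shows which machines to inspect first.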