RE: ANOTHER possible Windows problem?

From: Powers, James L. (JLPowersat_private)
Date: Sat Jul 21 2001 - 18:08:52 PDT

    Someone in your organization has figured out how to autoconfigure IE, using
    either DHCP or DNS.  IE is set to autoconfigure by default whether you use a
    proxy or not (using WPAD - Web Proxy AutoDiscovery).  You need to find out
    whether this is a good person or a bad person.
    
    When MS first started supporting this, it was a problem since an
    unauthorized DHCP server could send bogus configurations to IE.  Now, it
    doesn't work over DHCP without a Win2K DHCP server (which has to be
    authorized in a domain), but it can still be done through DNS.
    
    Problem?  Depends on how you look at it.  ;)
    
    -----Original Message-----
    From: David Bernick
    To: incidentsat_private
    Sent: 7/20/01 4:15 PM
    Subject: ANOTHER possible Windows problem?
    
    At around 3pm EST all of the Windows 98 boxes at my company suddenly
    turned their proxy settings on (we don't use a proxy) and set their
    proxy server to: cache.mycompany.com (substitute mycompany with the name
    of mycompany) and port 3128.
    
    Now I know port 3128 is a Squid proxy port, so I guess that makes sense,
    but has anyone ever seen anything like this before? The few Win2K boxes
    are fine, as are the Linux boxes. Is there a trojan or something like
    that where the payload changes proxy settings?
    
    Or is it something else entirely?
    
    thanks!
    
    dave
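
Added example, not part of the original messages: a Python check for the DNS path described in the reply. It lists the `wpad.<domain>` names a client may look up, parses the PAC file served there, and reports proxies that are not authorized. The client name `pc17.sales.mycompany.com`, the address `192.0.2.10`, the PAC body, and the `resolve`/`fetch_pac` callables are constructed assumptions so the check runs offline.

```python
import re

# Constructed sample: a PAC body such as http://wpad.<domain>/wpad.dat might serve.
SAMPLE_PAC = """
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY cache.mycompany.com:3128; DIRECT";
}
"""

def wpad_candidates(client_fqdn, min_labels=2):
    """Names a DNS-based WPAD client may look up, walking up from its own domain.
    Stopping at min_labels labels is an assumption of this example."""
    labels = client_fqdn.rstrip(".").lower().split(".")[1:]  # drop the host label
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names

def pac_proxies(pac_text):
    """Return (host, port) for every PROXY directive in a PAC file."""
    found = re.findall(r"\bPROXY\s+([A-Za-z0-9.-]+):(\d+)", pac_text)
    return [(host.lower(), int(port)) for host, port in found]

def audit(client_fqdn, resolve, fetch_pac, authorized):
    """List (wpad name, address, proxy) for proxies not in the authorized set.
    resolve(name) returns an address or None; fetch_pac(name) returns PAC text."""
    findings = []
    for name in wpad_candidates(client_fqdn):
        addr = resolve(name)
        if addr is None:
            continue  # no such record, so clients get no configuration from it
        for proxy in pac_proxies(fetch_pac(name)):
            if proxy not in authorized:
                findings.append((name, addr, proxy))
    return findings

if __name__ == "__main__":
    zone = {"wpad.mycompany.com": "192.0.2.10"}  # constructed DNS data
    # The site in the report uses no proxy, so the authorized set is empty.
    for finding in audit("pc17.sales.mycompany.com", zone.get, lambda n: SAMPLE_PAC, set()):
        print("unexpected proxy via WPAD:", finding)
```

In live use, `resolve` and `fetch_pac` would wrap a real DNS lookup and an HTTP GET of `/wpad.dat`; an unexpected `wpad` record is the thing to trace back to whoever created it.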
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 13:01:57 PDT