Someone in your organization has figured out how to autoconfigure IE, using either DHCP or DNS. IE is set to autoconfigure by default whether you use a proxy or not (using WPAD - Web Proxy AutoDiscovery). You need to find out whether this is a good person or a bad person. When MS first started supporting this, it was a problem since an unauthorized DHCP server could send bogus configurations to IE. Now, it doesn't work over DHCP without a Win2K DHCP server (which has to authorized in a domain), but it can still be done through DNS. Problem? Depends on how you look at it. ;) -----Original Message----- From: David Bernick To: incidentsat_private Sent: 7/20/01 4:15 PM Subject: ANOTHER possible Windows problem? At around 3pm EST all of the Windows 98 boxes at my company suddenly turned their proxy settings on (we don't use a proxy) and set their proxy server to: cache.mycompany.com (substitute mycompany with the name of mycompany) and port 3128. Now i know port 3128 is a Squid proxy port, so i guess that makes sense, but has anyone ever seen anything like this before? the few win2k boxes are fine, as are the linux boxes. Is there a trojan or something like that where the payload changes proxy settings? or is it something else entirely? thanks! dave ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 13:01:57 PDT