Security Incidents mailing list archives

RE: ANOTHER possible Windows problem?


From: "Powers, James L." <JLPowers () cmhmetro net>
Date: Sat, 21 Jul 2001 21:08:52 -0400

 
Someone in your organization has figured out how to autoconfigure IE, using
either DHCP or DNS.  IE is set to autoconfigure by default whether you use a
proxy or not (using WPAD - Web Proxy AutoDiscovery).  You need to find out
whether this is a good person or a bad person.

When MS first started supporting this, it was a problem since an
unauthorized DHCP server could send bogus configurations to IE.  Now, it
doesn't work over DHCP without a Win2K DHCP server (which has to be authorized
in a domain), but it can still be done through DNS.

Problem?  Depends on how you look at it.  ;)

-----Original Message-----
From: David Bernick
To: incidents () securityfocus com
Sent: 7/20/01 4:15 PM
Subject: ANOTHER possible Windows problem?

At around 3pm EST all of the Windows 98 boxes at my company suddenly 
turned their proxy settings on (we don't use a proxy) and set their 
proxy server to: cache.mycompany.com (substitute mycompany with the name
of mycompany) and port 3128.

Now I know port 3128 is a Squid proxy port, so I guess that makes sense,
but has anyone ever seen anything like this before? The few Win2K boxes 
are fine, as are the Linux boxes. Is there a trojan or something like 
that where the payload changes proxy settings?

Or is it something else entirely?

thanks!

dave





----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
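
For auditing the DNS-based WPAD path described in the reply above, the following Python sketch is an added example and not part of either message: it lists the `wpad` names a client in a given domain would look up, and extracts the proxies a PAC script hands out so they can be compared with an approved set. The host name `pc17.sales.mycompany.com`, the sample PAC text and the function names are constructed for illustration.

```python
import re

# Matches PAC return directives such as "PROXY host:port" or "SOCKS host:port".
_DIRECTIVE = re.compile(r'\b(PROXY|SOCKS5?|HTTPS?)\s+([A-Za-z0-9.-]+):(\d{1,5})')

def wpad_dns_candidates(client_fqdn):
    """Names a WPAD client may look up via DNS, most specific first.

    Stops while at least two labels remain after "wpad"; older clients
    could devolve further, so treat this as a minimum set to audit.
    """
    labels = client_fqdn.strip('.').lower().split('.')[1:]  # drop host label
    names = []
    while len(labels) >= 2:
        names.append('wpad.' + '.'.join(labels))
        labels = labels[1:]
    return names

def pac_proxies(pac_text):
    """Return the sorted set of (type, host, port) named in a PAC script."""
    return sorted({(t.upper(), h.lower(), int(p))
                   for t, h, p in _DIRECTIVE.findall(pac_text)})

def unexpected_proxies(pac_text, approved):
    """Proxies in the PAC script that are not in the approved (host, port) set."""
    return [p for p in pac_proxies(pac_text) if (p[1], p[2]) not in approved]

# Constructed sample: a PAC file that would produce the settings in the report.
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY cache.mycompany.com:3128; DIRECT";
}
'''

if __name__ == '__main__':
    # Constructed client name; each candidate should be checked in DNS and,
    # if it resolves, its http://<name>/wpad.dat reviewed.
    for name in wpad_dns_candidates('pc17.sales.mycompany.com'):
        print('check DNS and http://%s/wpad.dat' % name)
    # The site in the report uses no proxy, so the approved set is empty.
    for kind, host, port in unexpected_proxies(SAMPLE_PAC, approved=set()):
        print('unapproved %s %s:%d' % (kind, host, port))
```

Any `wpad` record that resolves without a known owner, or any PAC proxy outside the approved set, is the thing to trace back to whoever created it.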

