Blocking IP address 34.102.136.180. Something to do with WPAD


Recommended Posts

  • Administrators

wpad.co.uk is a parked domain. I, for one, was unable to find any working domain on that IP address. The question is why "wpad" resolves to the blocked IP address.


The weird thing is this only started after the detection engine update to 21960, today. They are all being blocked by the anti-phishing blacklist, which must have had this added to it.

Prior to that the last block was 2 months ago and was blocking what I would normally expect.

  • Administrators

The IP address was blocked today; the block is not a problem. What I find surprising is that "wpad" is resolved to the blocked IP address on your machine.


We've seen a similar issue and found that the root cause was our Cisco AnyConnect clients and how split-brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN there is a delay while it tries to contact devices over the VPN, then when it fails it resolves as "wpad.co.uk". The image shows a machine on the VPN vs. off.

I can only assume something similar is happening with the DNS on your clients.

2020-09-09 16_35_20-Clipboard.png

12 minutes ago, JKay said:

We've seen a similar issue and found that the root cause was our Cisco AnyConnect clients and how split-brain DNS is operating. It seems to be resolving hostnames it cannot contact over the VPN by appending ".co.uk" to them. If I try to ping "WPAD" on the VPN there is a delay while it tries to contact devices over the VPN, then when it fails it resolves as "wpad.co.uk". The image shows a machine on the VPN vs. off.

I can only assume something similar is happening with the DNS on your clients.

2020-09-09 16_35_20-Clipboard.png

Spot on!

I am using AnyConnect too. When I drop the VPN I get "wpad" resolving correctly to "wpad.mydomain.co.uk", as it should. When connected it resolves to the blocked IP.

3 minutes ago, Marcos said:

For now we'll unblock the IP address and discuss it internally later.

Is that going to have unintended consequences? What if someone now registers that domain?

Edited by David__B
12 minutes ago, Marcos said:

For now we'll unblock the IP address and discuss it internally later.

How long will that take to be updated on the installed ESET client?

4 minutes ago, David__B said:

So is this an ESET issue or a Cisco AnyConnect issue?

The ESET alerts are just a side effect since they blocked the domain. It would seem that our company and, by the looks of it, a handful of other companies using split tunnelling on their client VPNs have had their machines attempting to resolve wpad.co.uk as a side effect. We're only now realising it due to the alert from ESET.

I'd check with your networking team to find out what part of split tunnelling is causing it to re-resolve hostnames it can't contact by appending .co.uk to them. The image shows that this affects any hostname it cannot first resolve on its own, as pinging "google" ends up resolving an address for google.co.uk.

2020-09-09 17_17_07-Clipboard.png


We are not using split tunnelling on our VPN (we need to remote onto customer sites and need to use our office public IP), so I don't think it's actually split tunnelling causing it.

There are some users who are not having this issue: when they ping "wpad" off the VPN it adds our company domain to it and it resolves as expected. When they are on the VPN it does not resolve at all, so I assume it is not adding the ".co.uk" to it.

The only difference I can see is that the affected PCs are running the 2004 build of Win 10 and the ones that are working OK are running the 1903 build. All other aspects of the VPN are the same.

We are going to upgrade a PC from 1903 to 2004 overnight and see what happens.

Edited by ericarcher57

You seem to be right about the split tunnel; I jumped the gun on that being the cause of our troubles before.

Taking some time to look at it again this morning, I can see that when we connect to our VPN "co.uk" is added to the DNS suffix search list, which is what is causing the strange resolution:

image.png.33ff62616c186d189a21dcb1360cc8cd.png

I'm still looking into what mechanism is inserting "co.uk" in there in the first place.

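The behaviour JKay describes, an unqualified name like "wpad" being tried under every entry of the DNS suffix search list, is easy to model. The following is an added example (not code from the thread or from ESET/Cisco) that expands a single-label name against a search list and flags entries that are public suffixes such as "co.uk", where any resulting name could be registered by a third party. The search list and the public-suffix set are constructed samples; the domain "mydomain.co.uk" is a placeholder, and the expansion is a simplified model of the Windows DNS client (it ignores the dot-count threshold and devolution settings).

```python
"""Expand an unqualified DNS name against a suffix search list and flag
suffixes that are public (registrable) rather than internal zones.
Added example; simplified model of Windows DNS client search-list behaviour."""

# Constructed sample: the internal domain followed by an injected "co.uk",
# as observed in the thread. "mydomain.co.uk" is a placeholder.
SAMPLE_SEARCH_LIST = ["mydomain.co.uk", "co.uk"]

# Constructed subset of public suffixes. A production check should load the
# full Public Suffix List (publicsuffix.org) instead of this hand-picked set.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk"}


def expand_search_list(name, search_list):
    """Return the fully qualified names a resolver would try, in order.

    A name with a trailing dot is absolute and is looked up as-is. Otherwise
    each search-list suffix is appended in turn, skipping empty entries and
    duplicates. (Simplification: real resolvers also apply a dot-count
    threshold and may try the bare name.)
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    seen, candidates = set(), []
    for suffix in search_list:
        suffix = suffix.strip(".")
        if not suffix:
            continue
        fqdn = f"{name}.{suffix}"
        if fqdn not in seen:
            seen.add(fqdn)
            candidates.append(fqdn)
    return candidates


def public_suffix_entries(search_list, public_suffixes=PUBLIC_SUFFIXES):
    """Return search-list entries that are themselves public suffixes.

    Such an entry makes every unqualified internal hostname that fails to
    resolve internally (wpad, fileserver, ...) get looked up under a public
    domain, where anyone may register the resulting name.
    """
    return [s for s in search_list if s.strip(".").lower() in public_suffixes]


def risky_lookups(name, search_list, public_suffixes=PUBLIC_SUFFIXES):
    """Map each candidate FQDN to True if its parent domain is a public suffix."""
    result = {}
    for fqdn in expand_search_list(name, search_list):
        # Drop the leftmost label to get the domain the name was placed under.
        parent = fqdn.split(".", 1)[1] if "." in fqdn else ""
        result[fqdn] = parent.lower() in public_suffixes
    return result


if __name__ == "__main__":
    print(expand_search_list("wpad", SAMPLE_SEARCH_LIST))
    print(public_suffix_entries(SAMPLE_SEARCH_LIST))
    print(risky_lookups("wpad", SAMPLE_SEARCH_LIST))
```

On a Windows client the live search list can be read with the PowerShell cmdlet Get-DnsClientGlobalSetting (its SuffixSearchList property) and passed to public_suffix_entries; any entry it reports while the VPN is up, but not while it is down, is the injected suffix the thread is looking for.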
  • ESET Staff

Hi Guys,
A quick question: are all of the machines that are affected domain-joined machines?

Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

Regards,

Edited by TomPark
13 minutes ago, TomPark said:

Hi Guys,
A quick question: are all of the machines that are affected domain-joined machines?

Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

Regards,

19 hours ago, ericarcher57 said:

Hi Tom,

Domain-joined, yes. Interestingly, our IT support provider does not get the same DNS suffix "co.uk" as we do with domain-joined computers working remotely. Unsure about your second question; that's over my head, but I will ask our third-party network support.

55 minutes ago, TomPark said:

Hi Guys,
A quick question: are all of the machines that are affected domain-joined machines?

Also is anyone using wpad to configure a proxy on the machines connecting to the VPN?

Regards,

Tom,

Yes, the machines are all joined to the domain, and we do not use any proxy configuration using WPAD.

It's like JKay said: the Cisco AnyConnect client is adding the ".co.uk" suffix to the DNS search list, but only when it is connected. I can remove the entry manually from the adapter settings when connected and everything is fine. As soon as the VPN reconnects the extra suffix is added back again.

I have gone over our Cisco configuration; I can find our main company domain entry but there is nowhere I can find the ".co.uk" entry.

  • ESET Staff

Hi All,

Thank you for the information. As has already been said, I think the notification from ESET is a side effect of something else that is changing the domain suffix when connected to the VPN.

Something that might be worth considering is disabling the 'Auto-Detect' proxy configuration in Chrome / IE, which will then stop the browser from looking for these configurations, as 'wpad.domain.com' is the default lookup browsers use if this setting is enabled and the information is not provided via DHCP. This should fix the issue for anyone that is still seeing this on their machine. Please note that a browser restart will be required to disable the setting.

As @Marcos said, the IP will be unblocked. If anyone is able to test the solution above, that would be appreciated.

Regards,


I've opened a Cisco TAC case to see if they can pin down what part of the VPN configuration, or what issue with the AnyConnect client, is causing "co.uk" to be injected into the DNS suffix search list, as this is the root cause for us at least. I'll drop back once they have some information for us.


This is related to WPAD DNS activity:

Quote

DNS WPAD

DNS WPAD is a method of detecting a PAC file via discovery by leveraging the network name of the user computer and using a consistent DNS configuration and PAC script file name. DNS WPAD is the most widely supported method, with support across all major browsers and operating systems.

Prerequisites include a PAC file, a web server, and a locally accessible DNS hostname pointing to the web server.

Example

  • In the below example, the network name of the user computer is laptop01.us.division.company.com.
  • A PAC file with the file name wpad.dat is being served by a web server on the host wpad.company.com.
  • A DNS WPAD enabled browser will remove the machine name (laptop01), apply wpad to the network name, and apply as a suffix the file resource /wpad.dat, e.g. http://wpad.us.division.company.com/wpad.dat.
  • The browser will try to download the PAC file from the location http://wpad.us.division.company.com/wpad.dat.
  • If the web browser is unable to resolve the host wpad.us.division.company.com, it will progress through the sub-domain node hierarchy and attempt to download the wpad.dat file from the host wpad.division.company.com, and so on until the lowest valid node is reached, wpad.company.com.

https://findproxyforurl.com/wpad-introduction/

It appears WPAD has a number of security risks, with the recommendation that it be permanently disabled if you are not using IE11 or Edge as your browser: https://auth0.com/blog/heads-up-https-is-not-enough-when-using-wpad/

Edited by itman
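The quoted findproxyforurl.com text describes the DNS WPAD walk: strip the machine name, prefix "wpad", and move up the domain hierarchy one label at a time. The following added example (not code from the thread, from findproxyforurl.com, or from any browser) implements that walk and then checks whether any candidate lands directly under a public suffix. The stop rule, a minimum label count, is an assumption standing in for the text's "lowest valid node"; real clients use their own devolution limits. Going slightly beyond the quoted example, the second function shows why a label-count stop alone is not enough for a host in a .co.uk domain: it reaches wpad.co.uk, the very name this thread is about, which is why a Public Suffix List aware stop is the safer design.

```python
"""DNS WPAD candidate generation (strip host label, prefix "wpad", walk up
the hierarchy) plus a check for candidates that sit under a public suffix.
Added example; the min_labels stop rule is an assumption, not a browser's
actual devolution policy."""

# Constructed subset of public suffixes; a real check should use the full
# Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "ac.uk"}


def wpad_candidates(fqdn, min_labels=2, scheme="http"):
    """Return the URLs a DNS-WPAD client would try for a host named fqdn.

    min_labels is the smallest number of labels a domain may keep after the
    machine name is dropped; with 2, wpad.company.com is tried but wpad.com
    is not. Candidates are ordered most-specific first.
    """
    labels = fqdn.strip(".").lower().split(".")
    if len(labels) < 2:
        return []  # an unqualified host name has no domain to walk
    domain_labels = labels[1:]  # drop the machine name (e.g. laptop01)
    urls = []
    while len(domain_labels) >= min_labels:
        host = "wpad." + ".".join(domain_labels)
        urls.append(f"{scheme}://{host}/wpad.dat")
        domain_labels = domain_labels[1:]  # move one node up the hierarchy
    return urls


def candidates_in_public_suffix(urls, public_suffixes=PUBLIC_SUFFIXES):
    """Return candidate URLs whose wpad host is a direct child of a public
    suffix (e.g. wpad.co.uk), i.e. a name a third party could register."""
    flagged = []
    for url in urls:
        host = url.split("://", 1)[1].split("/", 1)[0]
        parent = host.split(".", 1)[1]  # everything after the "wpad" label
        if parent in public_suffixes:
            flagged.append(url)
    return flagged


def safe_wpad_candidates(fqdn, public_suffixes=PUBLIC_SUFFIXES):
    """Candidate list with every public-suffix child removed."""
    urls = wpad_candidates(fqdn)
    bad = set(candidates_in_public_suffix(urls, public_suffixes))
    return [u for u in urls if u not in bad]


if __name__ == "__main__":
    # The quoted example from findproxyforurl.com.
    for url in wpad_candidates("laptop01.us.division.company.com"):
        print(url)
    # A constructed host in a .co.uk domain: naive devolution reaches wpad.co.uk.
    urls = wpad_candidates("pc01.mydomain.co.uk")
    print(candidates_in_public_suffix(urls))
    print(safe_wpad_candidates("pc01.mydomain.co.uk"))
```

Running the block on the thread's own case is instructive: even without a "co.uk" entry in the suffix search list, a client in a mydomain.co.uk domain that devolves purely by label count ends up requesting http://wpad.co.uk/wpad.dat, so the public-suffix filter (or disabling auto-detect, as TomPark suggests above) is the mitigation, not just removing the stray suffix.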

Per a Robtex lookup, the IP address 34.102.136.180 has one PTR record, 180.136.102.34.bc.googleusercontent.com.

However, ThreatMiner listed a number of nasty URLs associated with it:

Quote

URL

hxxps://chegoudiadedestaquesdomes.com/PLKSmNzXm/987874/aproveite/594857246/?conjunto-de-panela-antiaderente-turin-10-pe%C3%A7as-vermelha-tramontina-%26skullid%3D285676427
hxxps://chegoudiadedestaquesdomes.com/PLKSmNzXm/987874/aproveite/774445698/?conjunto-de-panela-antiaderente-turin-10-pe%C3%A7as-vermelha-tramontina-%26skullid%3D285676427
hxxps://chegoudiadedestaquesdomes.com/PLKSmNzXm/987874/aproveite/186742936/?conjunto-de-panela-antiaderente-turin-10-pe%C3%A7as-vermelha-tramontina-%26skullid%3D285676427
hxxps://hxxpssirvulcan.org/
hxxps://lewisthompsonelectric.com/a98dssa7dsa98d98sad09sa.php
hxxps://sendercompany.net/LinkedinD/linkedin.html
hxxps://mysportscraze.com/ChaseSupport/login/auth.php
hxxps://mlmpreis.com/verizon.net/newdr/o1/main.html?accessToFile=accessing&fileAccess=15602&encryptedCookie=35af82d97fb9fbea36b5c2bdfffd28df&u=61004ccd89a0fd72900c6cb53471c0d0&connecting=ee4a7a01bece3e9af2344ac82ae4596a&phaseAccess=27cd03582c17bf852365043c7bce7b30&p=ca9c37b5756817ecbd1e39e94f585447
hxxps://mlmpreis.com/verizon.net/newdr/o1
hxxp://ofertas2020-submarino.club
hxxps://b-sfr.com/
hxxps://newyears-eve.com/ex/cel/page.php?email=
hxxps://newyears-eve.com/ex/cel/page.php?email=&_rand=13vqcr8bp0gud&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
hxxps://newyears-eve.com/ex/cel/login.php?l=_JeHFUq_VJOXK0QWHtoGYDw1774256418&fid_13InboxLight_aspxn_1774256418=&fid_125289964252813InboxLight99642_Product-email=&email=
hxxps://paypal-newlogin.com/
hxxp://saldao-dobahianinho.com
hxxp://anoperfeitopravc.com/mobile/carrinho.php
hxxp://saldaoobahianinho.com/mobile/login.php
hxxp://saldomaiobahianinho.com/mobile/carrinho.php
hxxp://djchewalk.net/canada/taxb

Edited by itman