OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Eric Lee Steadle (esteadleSPINNAKERNET.COM)
Date: Thu Sep 06 2001 - 17:26:49 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I don't think you're being attacked.

    First, the request came from within your own network because both IPs are 192.168.1.x.
    nsplayer.exe is Microsoft Netshow.
    wpad.dat is a proxy configuration file that clients look for to tell them how to cache content coming from your web server.
    Check this out: http://www.volera.com/Support/KnowledgeBase/00012_Customizing_Web_Proxy_Auto.html

    ERX

    >-----Original Message-----
    >From: Steve Topilnycky [mailto:steve_topilnyckyCOMPUSERVE.COM]
    >Sent: Thursday, September 06, 2001 2:34 PM
    >To: win2ksecadviceLISTSERV.NTSECURITY.NET
    >Subject: Strang Log Entry
    >
    >
    >Hi
    >I have just opened my web server to the net, and in reviewing
    >the first day it
    >was live, I have the following entries, starting at 15:51:01
    >to on until
    >17:54:23. If I understand the log correctly, it appears that
    >something was
    >attempting to do a GET request for wpad.dat. Since no such
    >file exists on my
    >server with that name, obviously it was not found. Is this
    >some sort of
    >attack, or test.. I'm running NT 4 SP6a, and the latest hot fixes.
    >
    >Also has anyone heard of a user agent using the name of
    >NSPlayer/4.1.0.3925 -
    >
    >Any thoughts..
    >
    >
    >
    >#Fields: date time c-ip cs-username s-sitename s-computername
    >s-ip cs-method
    >cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes
    >time-taken s-port cs-version cs(User-Agent) cs(Cookie) cs(Referer)
    >
    >2001-09-06 15:51:01 192.168.1.1 - W3SVC1 VIPER 192.168.1.7 GET
    >/wpad.dat - 404
    >2 623 120 80 80 HTTP/1.1 NSPlayer/4.1.0.3925 - -
    >--
    >Regards,
    >
    >Steve Topilnycky
    >
    >_____________________________________________________________________
    >** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    >** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    >SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net