• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

wpad.dat in Apache error log

adriftinitland

Member

Thanks: 1
Messages: 57

#1
My Apache error log is filled with this error. The odd thing is the IP is always that of my webserver even when I am not accessing it with a browser. I am at my wits end trying to put a stop to this. Has anyone seen anything like this?

Code:
[Fri Nov 11 09:19:53 2011] [error] [client my ip address] File does not exist: /usr/home/my httpd/public_html/wpad.dat
If I create a file wpad.dat then the access log has strange entries as well:

Code:
my ip address - - [11/Nov/2011:00:25:35 -0600] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2"
my ip address - - [11/Nov/2011:04:07:19 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "WinHttp-Autoproxy-Service/5.1"
my ip address - - [11/Nov/2011:04:21:03 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "System.Net.AutoWebProxyScriptEngine/2.0.50727.4216"
my ip address - - [11/Nov/2011:06:17:34 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.0; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
Code:
FreeBSD mydomain.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011     [email]root@i386-
builder.daemonology.net[/email]:/usr/obj/usr/src/sys/GENERIC  i386
apache-2.2.21
 

phoenix

Administrator
Staff member
Administrator
Moderator

Thanks: 1,033
Messages: 3,822

#2
Do a google search for "proxy autoconfiguration" "proxy.pac" and "wpad.dat" for all the details.

If your web browser is configured to automatically detect proxy settings, then it uses the WPAD protocol, which searches for the wpad.dat file. That file includes information regarding proxy servers on the network, and is used to configure the web browser settings. It checks every time the browser starts, everytime a new tab is opened, and possibly every time a URL is fetched.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#3
Thanks for the reply Freddie.
Yes, I have read just about all there is to read about wpad.dat etc. in the last two weeks.
The problem is my browser problem, "Firefox 8.0" is not not configured to automatically detect proxy settings. I have "No Proxy" in Advanced/Networt/Settings. In addition the error messages are not necessarily written when I am accessing the website, and what is most difficult to understand, it's always my IP address in the error log line. How can this be?
Anyone have a theory?
 

kpa

Beastie's Twin

Thanks: 1,673
Messages: 6,084

#4
Windows has its own automatic proxy detection that is used for all kinds of connections, not just for http. You can disable that at control panel->internet options->connections->lan settings.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#5
kpa:
Thanks for the post.
Windows 7 has: control panel/network and internet/internet options/connections/LAN settings/ where all proxy options are disabled. It's the same options window that's available in Internet Explorer. I don't use IE. My browser is Firefox.
In addition, the error entries in my Apache log are happening when I am NOT browsing the website so my personal computers settings aren't really relevant. It has something to do with the Apache configuration.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#6
I am getting this error message written to my Apache error log about every 3 or 4 seconds 24 hours a day so if anyone can help me deal with this I would certainly appreciate any advice or suggestion.

Code:
[error] [client my ip address] File does not exist: /usr/home/my httpd/public_html/wpad.dat
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,476
Messages: 25,637

#7
It's one of your clients that's causing it, not the apache server itself.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#8
SirDice:
Thanks for your reply. It must be a robot or script, is that correct? The error occurs around the clock, 24 hours a day, so it can't be an individual clicking a mouse. Do I have that correct? More importantly why does the error log have my IP address in the error message as if I were accessing the site and receiving the error.
How can I stop it?
Thanks again.
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,558
Messages: 13,856

#9
Did you enable any of the optional proxy modules in the apache22 install?
 

adriftinitland

Member

Thanks: 1
Messages: 57

#10
Thanks wblock:
No, I have not done that!
The word "proxy" does not even appear in any configuration files in /usr/local/etc/apache22/. I am completely bewildered by this. It appears I am alone in experiencing this problem as well which makes it even more frustrating.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,476
Messages: 25,637

#11
What else is running on that machine?
 

adriftinitland

Member

Thanks: 1
Messages: 57

#12
Thank you SirDice:

Code:
# ps -U root

  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:03.20 [kernel]
    1  ??  ILs    0:00.01 /sbin/init --
    2  ??  DL     1:07.08 [g_event]
    3  ??  DL     1:06.25 [g_up]
    4  ??  DL     1:25.48 [g_down]
    5  ??  DL     0:09.98 [aac0aif]
    6  ??  DL     0:00.00 [sctp_iterator]
    7  ??  DL     0:00.00 [xpt_thrd]
    8  ??  DL     0:01.85 [pagedaemon]
    9  ??  DL     0:00.00 [vmdaemon]
   10  ??  DL     0:00.00 [audit]
   11  ??  RL   59158:10.72 [idle]
   12  ??  WL    31:50.29 [intr]
   13  ??  DL     1:09.15 [yarrow]
   14  ??  DL     0:28.14 [usb]
   15  ??  DL     0:00.03 [pagezero]
   16  ??  DL     0:07.55 [bufdaemon]
   17  ??  DL     0:13.75 [vnlru]
   18  ??  DL    53:03.62 [syncer]
   19  ??  DL     0:15.40 [softdepflush]
   20  ??  DL     0:05.84 [flowcleaner]
  117  ??  Is     0:00.00 adjkerntz -i
  500  ??  Is     0:00.02 /sbin/devd
  636  ??  Ss     0:08.44 /usr/sbin/syslogd -s
 1038  ??  Ss     0:27.14 /usr/local/libexec/postfix/master
 1116  ??  Is     0:00.22 /usr/sbin/sshd
 1127  ??  Is     0:03.79 /usr/sbin/cron -s
 1151  ??  Is     0:00.01 /usr/sbin/moused -p /dev/psm0 -t auto
 2191  ??  Ss     2:26.87 /usr/local/sbin/dovecot -c /usr/local/etc/dovecot.conf
 2192  ??  S      0:44.47 dovecot-auth
25774  ??  Ss     0:20.35 /usr/local/sbin/httpd -DNOHTTPACCEPT
26631  ??  Ss     0:04.66 /usr/local/bin/perl /usr/local/lib/webmin/miniserv.pl /usr/local/etc/webmin/miniserv.conf
89678  ??  Is     0:00.05 sshd: dennisra [priv] (sshd)
 1258  v0  Is+    0:00.00 /usr/libexec/getty Pc ttyv0
80718  v1  Is+    0:00.00 /usr/libexec/getty Pc ttyv1
 1219  v2  Is+    0:00.00 /usr/libexec/getty Pc ttyv2
 1220  v3  Is+    0:00.00 /usr/libexec/getty Pc ttyv3
 1221  v4  Is+    0:00.00 /usr/libexec/getty Pc ttyv4
 1222  v5  Is+    0:00.00 /usr/libexec/getty Pc ttyv5
 1223  v6  Is+    0:00.00 /usr/libexec/getty Pc ttyv6
 1224  v7  Is+    0:00.00 /usr/libexec/getty Pc ttyv7
89701   0  S      0:00.01 su
89702   0  S      0:00.03 _su (csh)
89705   0  R+     0:00.00 ps -U root
 

phoenix

Administrator
Staff member
Administrator
Moderator

Thanks: 1,033
Messages: 3,822

#13
Windows 7 (possibly earlier versions) runs, by default, a service that checks for proxies and configures browsers to use that. You can see it running in Task Manager if you view processes from all users and expand the description field. You have to manually disable that service from running at startup.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#14
Thank you for your post phoenix.
On my Windows PC there is nothing under "Process". On my Windows PC there is a "Service" called "WinHTTP web Proxy Auto Discovery Service" which is stopped.
But how would that have anything to do with my FreeBSD server which is an entirely different machine. Please remember the wpad.dat errors are written to the server log file 24 hours a day when my PC is shut down. I might be missing the point entirely but I can't see how my PC has anything to do with the server error log messages.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#15
SirDice:
Code:
# pkg_info

ImageMagick-6.7.3.1 Image processing tools
apache-2.2.21       Version 2.2.x of Apache web server with prefork MPM.
apr-ipv6-devrandom-gdbm-db47-1.4.5.1.3.12_1 Apache Portability Library
autoconf-2.62       Automatically configure source code on many Un*x platforms
autoconf-2.68       Automatically configure source code on many Un*x platforms
autoconf-wrapper-20101119 Wrapper script for GNU autoconf
automake-1.11.1     GNU Standards-compliant Makefile generator (1.11)
automake-wrapper-20101119 Wrapper script for GNU automake
awstats-7.0_2,1     Free real-time logfile analyzer to get advanced web statist
bigreqsproto-1.1.1  BigReqs extension headers
c-ares-1.7.4        An asynchronous DNS resolver library
ca_root_nss-3.12.11_1 The root certificate bundle from the Mozilla Project
cups-client-1.5.0   Common UNIX Printing System: Library cups
cups-image-1.5.0    Common UNIX Printing System: Library cupsimage
curl-7.21.3_2       Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
cyrus-sasl-2.1.25_1 RFC 2222 SASL (Simple Authentication and Security Layer)
db47-4.7.25.4       The Berkeley DB package, revision 4.7
dovecot-1.2.17      Secure and compact IMAP and POP3 servers
expat-2.0.1_2       XML 1.0 parser written in C
fftw3-3.3_1         Fast C routines to compute the Discrete Fourier Transform
fontconfig-2.8.0_1,1 An XML-based font configuration API for X Windows
freetype2-2.4.6     A free and portable TrueType font rendering engine
gamin-0.1.10_4      A file and directory monitoring system
gdbm-1.9.1          The GNU database manager
gettext-0.18.1.1    GNU gettext package
ghostscript9-9.02_4 Ghostscript 9.x PostScript interpreter
gio-fam-backend-2.28.8 FAM backend for GLib\'s GIO library
glib-2.28.8_1       Some useful routines of C programming (current stable versi
gmake-3.82          GNU version of 'make' utility
gsfonts-8.11_5      Standard Fonts for Ghostscript
help2man-1.40.4     Automatically generating simple manual pages from program o
inputproto-2.0.2    Input extension headers
jasper-1.900.1_9    An implementation of the codec specified in the JPEG-2000 s
jbig2dec-0.11       Decoder implementation of the JBIG2 image compression forma
jbigkit-1.6         Lossless compression for bi-level images such as scanned pa
jpeg-8_3            IJG's jpeg compression utilities
kbproto-1.0.5       KB extension headers
lcms-1.19_1,1       Light Color Management System -- a color management library
lcms2-2.2           Light Color Management System -- a color management library
libICE-1.0.7,1      Inter Client Exchange library for X11
libSM-1.2.0,1       Session Management library for X11
libX11-1.4.4,1      X11 library
libXau-1.0.6        Authentication Protocol library for X11
libXaw-1.0.8,1      X Athena Widgets library
libXdmcp-1.1.0      X Display Manager Control Protocol library
libXext-1.3.0_1,1   X11 Extension library
libXmu-1.1.0,1      X Miscellaneous Utilities libraries
libXp-1.0.1,1       X print library
libXpm-3.5.9        X Pixmap library
libXt-1.0.9         X Toolkit library
libcheck-0.9.8      A unit test framework for C
libevent-1.4.14b_2  Provides an API to execute callback functions on certain ev
libfpx-1.2.0.12_1   Library routines for working with Flashpix images
libgcrypt-1.5.0     General purpose crypto library based on code used in GnuPG
libgpg-error-1.10   Common error values for all GnuPG components
libiconv-1.13.1_1   A character set conversion library
liblqr-1-0.4.1_2    An easy to use C/C++ seam carving library
libltdl-2.2.6b      System independent dlopen wrapper
libltdl-2.4_1       System independent dlopen wrapper
libmcrypt-2.5.8     Multi-cipher cryptographic library (used in PHP)
libpthread-stubs-0.3_3 This library provides weak aliases for pthread functions
libtool-2.2.6b      Generic shared library support script
libtool-2.4_1       Generic shared library support script
libxcb-1.7          The X protocol C-language Binding (XCB) library
libxml2-2.7.8_1     XML parser library for GNOME
libxslt-1.1.26_3    The XSLT C library for GNOME
m4-1.4.16,1         GNU m4
makedepend-1.0.3,1  A dependency generator for makefiles
mysql-client-5.0.92 Multithreaded SQL database (client)
mysql-server-5.0.92 Multithreaded SQL database (server)
oniguruma-4.7.1     A BSDL Regular Expressions library compatible with POSIX/GN
openssl-1.0.0_6     SSL and crypto library
p5-Authen-PAM-0.16_1 A Perl interface to the PAM library
p5-Locale-gettext-1.05_3 Message handling functions
p5-Net-SSLeay-1.42  Perl5 interface to SSL
p5-Net-XWhois-0.90_4 Whois Client Interface for Perl5
pcre-8.13_1         Perl Compatible Regular Expressions library
pdflib-7.0.4        A C library for dynamically generating PDF
pear-1.9.3          PEAR framework for PHP
pecl-pdflib-2.1.8   A PECL extension to create PDF on the fly
perl-5.8.9_6        Practical Extraction and Report Language
php5-5.3.8          PHP Scripting Language
php5-bcmath-5.3.8   The bcmath shared extension for php
php5-bz2-5.3.8      The bz2 shared extension for php
php5-ctype-5.3.8    The ctype shared extension for php
php5-curl-5.3.8     The curl shared extension for php
php5-dom-5.3.8      The dom shared extension for php
php5-extensions-1.5 A "meta-port" to install PHP extensions
php5-filter-5.3.8   The filter shared extension for php
php5-gd-5.3.8       The gd shared extension for php
php5-hash-5.3.8     The hash shared extension for php
php5-iconv-5.3.8    The iconv shared extension for php
php5-json-5.3.8     The json shared extension for php
php5-mbstring-5.3.8 The mbstring shared extension for php
php5-mcrypt-5.3.8   The mcrypt shared extension for php
php5-mysql-5.3.8    The mysql shared extension for php
php5-mysqli-5.3.8   The mysqli shared extension for php
php5-openssl-5.3.8  The openssl shared extension for php
php5-pdo-5.3.8      The pdo shared extension for php
php5-pdo_sqlite-5.3.8 The pdo_sqlite shared extension for php
php5-posix-5.3.8    The posix shared extension for php
php5-session-5.3.8  The session shared extension for php
php5-simplexml-5.3.8 The simplexml shared extension for php
php5-sqlite-5.3.8   The sqlite shared extension for php
php5-sqlite3-5.3.8  The sqlite3 shared extension for php
php5-tokenizer-5.3.8 The tokenizer shared extension for php
php5-xml-5.3.8      The xml shared extension for php
php5-xmlreader-5.3.8 The xmlreader shared extension for php
php5-xmlrpc-5.3.8   The xmlrpc shared extension for php
php5-xmlwriter-5.3.8 The xmlwriter shared extension for php
php5-zip-5.3.8      The zip shared extension for php
php5-zlib-5.3.8     The zlib shared extension for php
pkg-config-0.25_1   A utility to retrieve information about installed libraries
png-1.4.8           Library for manipulating PNG images
portaudit-0.5.17    Checks installed ports against a list of security vulnerabi
portmaster-3.10     Manage your ports without external databases or languages
postfix-current-2.9.20111012,4 A secure alternative to widely-used Sendmail
printproto-1.0.5    Print extension headers
python26-2.6.7_1    An interpreted object-oriented programming language
qpopper-2.53_5      Berkeley POP 3 server (now maintained by Qualcomm)
rsync-3.0.9         A network file distribution/synchronization utility
sqlite3-3.7.8       An SQL database engine in a C library
t1lib-5.1.2_1,1     A Type 1 Rasterizer Library for UNIX/X11
tcl-8.5.10          Tool Command Language
tcl-modules-8.5.10  Tcl common modules
tiff-4.0.0_2        Tools and library routines for working with TIFF images
unzip-6.0_1         List, test and extract compressed files in a ZIP archive
webmin-1.570        Web-based interface for system administration for Unix
webp-0.1.3          Google WebP image format conversion tool
xcb-proto-1.6       The X protocol C-language Binding (XCB) protocol
xcmiscproto-1.2.1   XCMisc extension headers
xextproto-7.2.0     XExt extension headers
xf86bigfontproto-1.2.0 XFree86-Bigfont extension headers
xorg-macros-1.15.0  X.Org development aclocal macros
xproto-7.0.22       X11 protocol headers
xtrans-1.2.6        Abstract network code for X
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,558
Messages: 13,856

#16
Back up a second. The errors shown in post #1 are obfuscated so the point isn't clear. The server is standalone, without any browser installed, right? Is "my IP address" in post #1 the address of the server, or another machine?

It looks like the requests are coming from a Windows workstation with Safari and Firefox. Line #3 is interesting, and I'd guess it's either Java or some C# thing. Please post more of the server errors, particularly the ones that appear when the server is on.

Do you have a wireless access point?
 

adriftinitland

Member

Thanks: 1
Messages: 57

#17
Thank you wblock@
It is a standalone server. There is no browser installed on the server.
"my IP address" above is the publicly accessible ip address of my server. NOT another machine.
You are correct about Firefox. It is interesting because isn't even suppose to look for a wpad.dat file. It is or was an Internet Explorer thing that I don't think is part of current usage.
I have wireless on my desktop PC which is not being used. The server has no wireless.
I'll post more error shortly.
Thank you. I am grateful for your interest.
 

phoenix

Administrator
Staff member
Administrator
Moderator

Thanks: 1,033
Messages: 3,822

#18
Can you post some more log entries? If you must obfuscate the IPs, can you replace them with more meaningful indicators like "server IP", "desktop IP", "other desktop IP", etc?

Firefox uses WPAD if it is set to "auto-detect proxy settings". In fact, every browser (now, Safari was one of the last to get support for WPAD protocol) will use WPAD if set to auto-detect. The other option is to let DHCP send the location of the proxy.pac file, or to manually enter the URL for the proxy.pac file.
 

adriftinitland

Member

Thanks: 1
Messages: 57

#19
Thank you phoenix:

Wouldn't every Apache server have a multiple of wpad.dat "File does not exist" errors written to the error log then?

All errors are like this:
Code:
[Thu Nov 10 06:28:59 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:29:16 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:29:24 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:29:36 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:30:43 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:31:44 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:33:19 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:36:41 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.da
[Thu Nov 10 06:39:14 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:39:17 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:39:18 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:39:45 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:43:41 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,558
Messages: 13,856

#20
Removing details like the user agent from the logs is just making it harder to diagnose. Post them verbatim. If you have to hide the IP address, change it to "server IP" or "windows IP" but don't change anything else.

If the requests all come from the server itself but use different user agents, I'd suspect a PHP or webmin exploit.
 

wblock@

Administrator
Staff member
Administrator
Moderator
Developer

Thanks: 3,558
Messages: 13,856

#22
Sorry, I was thinking of /var/log/httpd-access.log. The corresponding entries from that file would show the user agent and maybe other useful information.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Thanks: 5,476
Messages: 25,637

#25
Did you change any of the log formats or are those still standard?

Normally the first IP address on a line in the access.log is the source address of the request. I'm definitely not seeing those wpad requests so it's not something that's caused by apache itself. If the source address is the same address as the server the request must also originate on the server.