# wpad.dat in Apache error log



## adriftinitland (Nov 12, 2011)

My Apache error log is filled with this error. The odd thing is the IP is always that of my webserver even when I am not accessing it with a browser. I am at my wits end trying to put a stop to this. Has anyone seen anything like this?


```
[Fri Nov 11 09:19:53 2011] [error] [client my ip address] File does not exist: /usr/home/my httpd/public_html/wpad.dat
```

If I create a file wpad.dat then the access log has strange entries as well:


```
my ip address - - [11/Nov/2011:00:25:35 -0600] "HEAD / HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.106 Safari/535.2"
my ip address - - [11/Nov/2011:04:07:19 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "WinHttp-Autoproxy-Service/5.1"
my ip address - - [11/Nov/2011:04:21:03 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "System.Net.AutoWebProxyScriptEngine/2.0.50727.4216"
my ip address - - [11/Nov/2011:06:17:34 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.0; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
```


```
FreeBSD mydomain.com 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:07:27 UTC 2011     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386
```

apache-2.2.21


----------



## phoenix (Nov 13, 2011)

Do a google search for "proxy autoconfiguration" "proxy.pac" and "wpad.dat" for all the details.

If your web browser is configured to automatically detect proxy settings, then it uses the WPAD protocol, which searches for the wpad.dat file.  That file includes information regarding proxy servers on the network, and is used to configure the web browser settings.  It checks every time the browser starts, every time a new tab is opened, and possibly every time a URL is fetched.


----------



## adriftinitland (Nov 13, 2011)

Thanks for the reply Freddie.
Yes, I have read just about all there is to read about wpad.dat etc. in the last two weeks.
The problem is my browser, "Firefox 8.0", is not configured to automatically detect proxy settings. I have "No Proxy" in Advanced/Network/Settings. In addition the error messages are not necessarily written when I am accessing the website, and what is most difficult to understand, it's always my IP address in the error log line. How can this be?
Anyone have a theory?


----------



## kpa (Nov 13, 2011)

Windows has its own automatic proxy detection that is used for all kinds of connections, not just for http. You can disable that at control panel->internet options->connections->lan settings.


----------



## adriftinitland (Nov 13, 2011)

kpa:
Thanks for the post.
Windows 7 has: control panel/network and internet/internet options/connections/LAN settings/ where all proxy options are disabled. It's the same options window that's available in Internet Explorer. I don't use IE. My browser is Firefox.
In addition, the error entries in my Apache log are happening when I am NOT browsing the website so my personal computer's settings aren't really relevant. It has something to do with the Apache configuration.


----------



## adriftinitland (Nov 15, 2011)

I am getting this error message written to my Apache error log about every 3 or 4 seconds 24 hours a day so if anyone can help me deal with this I would certainly appreciate any advice or suggestion.


```
[error] [client my ip address] File does not exist: /usr/home/my httpd/public_html/wpad.dat
```


----------



## SirDice (Nov 15, 2011)

It's one of your clients that's causing it, not the apache server itself.


----------



## adriftinitland (Nov 15, 2011)

SirDice:
Thanks for your reply. It must be a robot or script, is that correct? The error occurs around the clock, 24 hours a day, so it can't be an individual clicking a mouse. Do I have that correct? More importantly, why does the error log have my IP address in the error message as if I were accessing the site and receiving the error?
How can I stop it?
Thanks again.


----------



## wblock@ (Nov 15, 2011)

Did you enable any of the optional proxy modules in the apache22 install?


----------



## adriftinitland (Nov 15, 2011)

Thanks wblock:
No, I have not done that!
The word "proxy" does not even appear in any configuration files in /usr/local/etc/apache22/. I am completely bewildered by this. It appears I am alone in experiencing this problem as well which makes it even more frustrating.


----------



## SirDice (Nov 15, 2011)

What else is running on that machine?


----------



## adriftinitland (Nov 15, 2011)

Thank you SirDice:


```
# ps -U root

  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:03.20 [kernel]
    1  ??  ILs    0:00.01 /sbin/init --
    2  ??  DL     1:07.08 [g_event]
    3  ??  DL     1:06.25 [g_up]
    4  ??  DL     1:25.48 [g_down]
    5  ??  DL     0:09.98 [aac0aif]
    6  ??  DL     0:00.00 [sctp_iterator]
    7  ??  DL     0:00.00 [xpt_thrd]
    8  ??  DL     0:01.85 [pagedaemon]
    9  ??  DL     0:00.00 [vmdaemon]
   10  ??  DL     0:00.00 [audit]
   11  ??  RL   59158:10.72 [idle]
   12  ??  WL    31:50.29 [intr]
   13  ??  DL     1:09.15 [yarrow]
   14  ??  DL     0:28.14 [usb]
   15  ??  DL     0:00.03 [pagezero]
   16  ??  DL     0:07.55 [bufdaemon]
   17  ??  DL     0:13.75 [vnlru]
   18  ??  DL    53:03.62 [syncer]
   19  ??  DL     0:15.40 [softdepflush]
   20  ??  DL     0:05.84 [flowcleaner]
  117  ??  Is     0:00.00 adjkerntz -i
  500  ??  Is     0:00.02 /sbin/devd
  636  ??  Ss     0:08.44 /usr/sbin/syslogd -s
 1038  ??  Ss     0:27.14 /usr/local/libexec/postfix/master
 1116  ??  Is     0:00.22 /usr/sbin/sshd
 1127  ??  Is     0:03.79 /usr/sbin/cron -s
 1151  ??  Is     0:00.01 /usr/sbin/moused -p /dev/psm0 -t auto
 2191  ??  Ss     2:26.87 /usr/local/sbin/dovecot -c /usr/local/etc/dovecot.conf
 2192  ??  S      0:44.47 dovecot-auth
25774  ??  Ss     0:20.35 /usr/local/sbin/httpd -DNOHTTPACCEPT
26631  ??  Ss     0:04.66 /usr/local/bin/perl /usr/local/lib/webmin/miniserv.pl /usr/local/etc/webmin/miniserv.conf
89678  ??  Is     0:00.05 sshd: dennisra [priv] (sshd)
 1258  v0  Is+    0:00.00 /usr/libexec/getty Pc ttyv0
80718  v1  Is+    0:00.00 /usr/libexec/getty Pc ttyv1
 1219  v2  Is+    0:00.00 /usr/libexec/getty Pc ttyv2
 1220  v3  Is+    0:00.00 /usr/libexec/getty Pc ttyv3
 1221  v4  Is+    0:00.00 /usr/libexec/getty Pc ttyv4
 1222  v5  Is+    0:00.00 /usr/libexec/getty Pc ttyv5
 1223  v6  Is+    0:00.00 /usr/libexec/getty Pc ttyv6
 1224  v7  Is+    0:00.00 /usr/libexec/getty Pc ttyv7
89701   0  S      0:00.01 su
89702   0  S      0:00.03 _su (csh)
89705   0  R+     0:00.00 ps -U root
```


----------



## phoenix (Nov 15, 2011)

Windows 7 (possibly earlier versions) runs, by default, a service that checks for proxies and configures browsers to use that.  You can see it running in Task Manager if you view processes from all users and expand the description field.  You have to manually disable that service from running at startup.


----------



## adriftinitland (Nov 15, 2011)

Thank you for your post phoenix.
On my Windows PC there is nothing under "Process". On my Windows PC there is a "Service" called "WinHTTP web Proxy Auto Discovery Service" which is stopped.
But how would that have anything to do with my FreeBSD server, which is an entirely different machine? Please remember the wpad.dat errors are written to the server log file 24 hours a day when my PC is shut down. I might be missing the point entirely but I can't see how my PC has anything to do with the server error log messages.


----------



## adriftinitland (Nov 15, 2011)

SirDice:

```
# pkg_info

ImageMagick-6.7.3.1 Image processing tools
apache-2.2.21       Version 2.2.x of Apache web server with prefork MPM.
apr-ipv6-devrandom-gdbm-db47-1.4.5.1.3.12_1 Apache Portability Library
autoconf-2.62       Automatically configure source code on many Un*x platforms
autoconf-2.68       Automatically configure source code on many Un*x platforms
autoconf-wrapper-20101119 Wrapper script for GNU autoconf
automake-1.11.1     GNU Standards-compliant Makefile generator (1.11)
automake-wrapper-20101119 Wrapper script for GNU automake
awstats-7.0_2,1     Free real-time logfile analyzer to get advanced web statist
bigreqsproto-1.1.1  BigReqs extension headers
c-ares-1.7.4        An asynchronous DNS resolver library
ca_root_nss-3.12.11_1 The root certificate bundle from the Mozilla Project
cups-client-1.5.0   Common UNIX Printing System: Library cups
cups-image-1.5.0    Common UNIX Printing System: Library cupsimage
curl-7.21.3_2       Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
cyrus-sasl-2.1.25_1 RFC 2222 SASL (Simple Authentication and Security Layer)
db47-4.7.25.4       The Berkeley DB package, revision 4.7
dovecot-1.2.17      Secure and compact IMAP and POP3 servers
expat-2.0.1_2       XML 1.0 parser written in C
fftw3-3.3_1         Fast C routines to compute the Discrete Fourier Transform
fontconfig-2.8.0_1,1 An XML-based font configuration API for X Windows
freetype2-2.4.6     A free and portable TrueType font rendering engine
gamin-0.1.10_4      A file and directory monitoring system
gdbm-1.9.1          The GNU database manager
gettext-0.18.1.1    GNU gettext package
ghostscript9-9.02_4 Ghostscript 9.x PostScript interpreter
gio-fam-backend-2.28.8 FAM backend for GLib\'s GIO library
glib-2.28.8_1       Some useful routines of C programming (current stable versi
gmake-3.82          GNU version of 'make' utility
gsfonts-8.11_5      Standard Fonts for Ghostscript
help2man-1.40.4     Automatically generating simple manual pages from program o
inputproto-2.0.2    Input extension headers
jasper-1.900.1_9    An implementation of the codec specified in the JPEG-2000 s
jbig2dec-0.11       Decoder implementation of the JBIG2 image compression forma
jbigkit-1.6         Lossless compression for bi-level images such as scanned pa
jpeg-8_3            IJG's jpeg compression utilities
kbproto-1.0.5       KB extension headers
lcms-1.19_1,1       Light Color Management System -- a color management library
lcms2-2.2           Light Color Management System -- a color management library
libICE-1.0.7,1      Inter Client Exchange library for X11
libSM-1.2.0,1       Session Management library for X11
libX11-1.4.4,1      X11 library
libXau-1.0.6        Authentication Protocol library for X11
libXaw-1.0.8,1      X Athena Widgets library
libXdmcp-1.1.0      X Display Manager Control Protocol library
libXext-1.3.0_1,1   X11 Extension library
libXmu-1.1.0,1      X Miscellaneous Utilities libraries
libXp-1.0.1,1       X print library
libXpm-3.5.9        X Pixmap library
libXt-1.0.9         X Toolkit library
libcheck-0.9.8      A unit test framework for C
libevent-1.4.14b_2  Provides an API to execute callback functions on certain ev
libfpx-1.2.0.12_1   Library routines for working with Flashpix images
libgcrypt-1.5.0     General purpose crypto library based on code used in GnuPG
libgpg-error-1.10   Common error values for all GnuPG components
libiconv-1.13.1_1   A character set conversion library
liblqr-1-0.4.1_2    An easy to use C/C++ seam carving library
libltdl-2.2.6b      System independent dlopen wrapper
libltdl-2.4_1       System independent dlopen wrapper
libmcrypt-2.5.8     Multi-cipher cryptographic library (used in PHP)
libpthread-stubs-0.3_3 This library provides weak aliases for pthread functions
libtool-2.2.6b      Generic shared library support script
libtool-2.4_1       Generic shared library support script
libxcb-1.7          The X protocol C-language Binding (XCB) library
libxml2-2.7.8_1     XML parser library for GNOME
libxslt-1.1.26_3    The XSLT C library for GNOME
m4-1.4.16,1         GNU m4
makedepend-1.0.3,1  A dependency generator for makefiles
mysql-client-5.0.92 Multithreaded SQL database (client)
mysql-server-5.0.92 Multithreaded SQL database (server)
oniguruma-4.7.1     A BSDL Regular Expressions library compatible with POSIX/GN
openssl-1.0.0_6     SSL and crypto library
p5-Authen-PAM-0.16_1 A Perl interface to the PAM library
p5-Locale-gettext-1.05_3 Message handling functions
p5-Net-SSLeay-1.42  Perl5 interface to SSL
p5-Net-XWhois-0.90_4 Whois Client Interface for Perl5
pcre-8.13_1         Perl Compatible Regular Expressions library
pdflib-7.0.4        A C library for dynamically generating PDF
pear-1.9.3          PEAR framework for PHP
pecl-pdflib-2.1.8   A PECL extension to create PDF on the fly
perl-5.8.9_6        Practical Extraction and Report Language
php5-5.3.8          PHP Scripting Language
php5-bcmath-5.3.8   The bcmath shared extension for php
php5-bz2-5.3.8      The bz2 shared extension for php
php5-ctype-5.3.8    The ctype shared extension for php
php5-curl-5.3.8     The curl shared extension for php
php5-dom-5.3.8      The dom shared extension for php
php5-extensions-1.5 A "meta-port" to install PHP extensions
php5-filter-5.3.8   The filter shared extension for php
php5-gd-5.3.8       The gd shared extension for php
php5-hash-5.3.8     The hash shared extension for php
php5-iconv-5.3.8    The iconv shared extension for php
php5-json-5.3.8     The json shared extension for php
php5-mbstring-5.3.8 The mbstring shared extension for php
php5-mcrypt-5.3.8   The mcrypt shared extension for php
php5-mysql-5.3.8    The mysql shared extension for php
php5-mysqli-5.3.8   The mysqli shared extension for php
php5-openssl-5.3.8  The openssl shared extension for php
php5-pdo-5.3.8      The pdo shared extension for php
php5-pdo_sqlite-5.3.8 The pdo_sqlite shared extension for php
php5-posix-5.3.8    The posix shared extension for php
php5-session-5.3.8  The session shared extension for php
php5-simplexml-5.3.8 The simplexml shared extension for php
php5-sqlite-5.3.8   The sqlite shared extension for php
php5-sqlite3-5.3.8  The sqlite3 shared extension for php
php5-tokenizer-5.3.8 The tokenizer shared extension for php
php5-xml-5.3.8      The xml shared extension for php
php5-xmlreader-5.3.8 The xmlreader shared extension for php
php5-xmlrpc-5.3.8   The xmlrpc shared extension for php
php5-xmlwriter-5.3.8 The xmlwriter shared extension for php
php5-zip-5.3.8      The zip shared extension for php
php5-zlib-5.3.8     The zlib shared extension for php
pkg-config-0.25_1   A utility to retrieve information about installed libraries
png-1.4.8           Library for manipulating PNG images
portaudit-0.5.17    Checks installed ports against a list of security vulnerabi
portmaster-3.10     Manage your ports without external databases or languages
postfix-current-2.9.20111012,4 A secure alternative to widely-used Sendmail
printproto-1.0.5    Print extension headers
python26-2.6.7_1    An interpreted object-oriented programming language
qpopper-2.53_5      Berkeley POP 3 server (now maintained by Qualcomm)
rsync-3.0.9         A network file distribution/synchronization utility
sqlite3-3.7.8       An SQL database engine in a C library
t1lib-5.1.2_1,1     A Type 1 Rasterizer Library for UNIX/X11
tcl-8.5.10          Tool Command Language
tcl-modules-8.5.10  Tcl common modules
tiff-4.0.0_2        Tools and library routines for working with TIFF images
unzip-6.0_1         List, test and extract compressed files in a ZIP archive
webmin-1.570        Web-based interface for system administration for Unix
webp-0.1.3          Google WebP image format conversion tool
xcb-proto-1.6       The X protocol C-language Binding (XCB) protocol
xcmiscproto-1.2.1   XCMisc extension headers
xextproto-7.2.0     XExt extension headers
xf86bigfontproto-1.2.0 XFree86-Bigfont extension headers
xorg-macros-1.15.0  X.Org development aclocal macros
xproto-7.0.22       X11 protocol headers
xtrans-1.2.6        Abstract network code for X
```


----------



## wblock@ (Nov 15, 2011)

Back up a second.  The errors shown in post #1 are obfuscated so the point isn't clear.  The server is standalone, without any browser installed, right?  Is "my IP address" in post #1 the address of the server, or another machine?

It looks like the requests are coming from a Windows workstation with Safari and Firefox.  Line #3 is interesting, and I'd guess it's either Java or some C# thing.  Please post more of the server errors, particularly the ones that appear when the server is on.

Do you have a wireless access point?


----------



## adriftinitland (Nov 15, 2011)

Thank you wblock@
It is a standalone server. There is no browser installed on the server.
"my IP address" above is the publicly accessible ip address of my server. NOT another machine.
You are correct about Firefox. It is interesting because it isn't even supposed to look for a wpad.dat file. It is or was an Internet Explorer thing that I don't think is part of current usage.
I have wireless on my desktop PC which is not being used. The server has no wireless.
I'll post more error shortly.
Thank you. I am grateful for your interest.


----------



## phoenix (Nov 15, 2011)

Can you post some more log entries?  If you must obfuscate the IPs, can you replace them with more meaningful indicators like "server IP", "desktop IP", "other desktop IP", etc?

Firefox uses WPAD if it is set to "auto-detect proxy settings".  In fact, every browser (now, Safari was one of the last to get support for WPAD protocol) will use WPAD if set to auto-detect.  The other option is to let DHCP send the location of the proxy.pac file, or to manually enter the URL for the proxy.pac file.


----------



## adriftinitland (Nov 15, 2011)

Thank you phoenix:

Wouldn't every Apache server have a multiple of wpad.dat "File does not exist" errors written to the error log then?

All errors are like this:

```
[Thu Nov 10 06:28:59 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:29:16 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:29:24 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:29:36 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:30:43 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:31:44 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:33:19 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:36:41 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.da
[Thu Nov 10 06:39:14 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:39:17 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:39:18 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:39:45 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Thu Nov 10 06:43:41 2011] [error] [client my server's unique public ip address] File does not exist: /usr/home/username/public_html/wpad.dat
```


----------



## wblock@ (Nov 15, 2011)

Removing details like the user agent from the logs is just making it harder to diagnose.  Post them verbatim.  If you have to hide the IP address, change it to "server IP" or "windows IP" but don't change anything else.

If the requests all come from the server itself but use different user agents, I'd suspect a PHP or webmin exploit.


----------



## adriftinitland (Nov 15, 2011)

Thanks for the post wblock.
User agents were not removed.
Private message sent.


----------



## wblock@ (Nov 15, 2011)

Sorry, I was thinking of /var/log/httpd-access.log.  The corresponding entries from that file would show the user agent and maybe other useful information.


----------



## DutchDaemon (Nov 16, 2011)

@adriftinitland, you _really_ need to start formatting your posts now, thanks.


----------



## adriftinitland (Nov 16, 2011)

DutchDaemon:
Sorry, I will try in future.


----------



## SirDice (Nov 16, 2011)

Did you change any of the log formats or are those still standard?

Normally the first IP address on a line in the access.log is the source address of the request. I'm definitely not seeing those wpad requests so it's not something that's caused by apache itself. If the source address is the same address as the server the request must also originate on the server.


----------



## adriftinitland (Nov 16, 2011)

Thanks SirDice:
Maybe this will aid you.
I did not change the log format:

```
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
```

From the error log:

```
[Wed Nov 16 00:15:48 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Wed Nov 16 00:15:48 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Wed Nov 16 00:15:48 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Wed Nov 16 00:15:48 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Wed Nov 16 00:15:48 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Wed Nov 16 00:15:48 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
[Wed Nov 16 00:22:24 2011] [error] [client My public servers static ip address] File does not exist: /usr/home/username/public_html/wpad.dat
```

Corresponding From the access log:

```
My public servers static ip address - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
My public servers static ip address - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
My public servers static ip address - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
My public servers static ip address - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
My public servers static ip address - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
My public servers static ip address - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
```

From Google: SeaPort is Microsoft SeaPort Search Enhancement Process.
http://www.brighthub.com/computing/windows-platform/articles/25609.aspx
I don't have this installed on my desktop.


----------



## SirDice (Nov 16, 2011)

Don't read too much into those user-agent strings. I can create any user-agent I want. It's just a string the HTTP client sends to the server.

The requests aren't originating on your desktop so it's no use looking there. All those requests come from the server itself.

I see you only posted a limited process list. Keep in mind the offending application may be running on some other account besides root. Could you post a _full_ list?


----------



## wblock@ (Nov 16, 2011)

Interesting.  Note the time stamps for all six requests are identical.  Look back through the log.  Are all the requests for wpad.dat from SeaPort, or do some have a different user agent?

My feeling is this is some webmin or PHP exploit looking for a bigger vulnerability.  Check the webmin logs and other logs to see what else was happening at that time.  Install ports-mgmt/portaudit if you don't have it already.  Deinstall anything unnecessary.


----------
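An added example, not part of the original thread: one way to answer the questions asked above (which source address and which user agents request `/wpad.dat`, and whether several requests share one timestamp) directly from an Apache access log in the `combined` format posted earlier. The function names, the address `203.0.113.10` standing in for the server's public IP, and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" LogFormat, as posted in the thread:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache writes a literal quote inside a logged value as \", so the
# quoted fields accept backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + r'\s*$'
)


def parse_line(line):
    """Return one access-log entry as a dict, or None if the line is malformed."""
    m = COMBINED.match(line)
    if not m:
        return None
    host, _ident, _user, when, request, status, _size, _referer, agent = m.groups()
    parts = request.split()
    # A request line is "METHOD target PROTOCOL"; drop any query string.
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    return {
        "host": host,
        "time": datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"),
        "path": path,
        "status": int(status),
        "agent": agent,
    }


def summarize_wpad(lines, server_ip, burst_threshold=3):
    """Group /wpad.dat requests by source address, user agent and second."""
    hits = Counter()
    agents = defaultdict(Counter)
    per_second = Counter()
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1          # truncated or garbled line: count it, don't guess
            continue
        if entry["path"].lower() != "/wpad.dat":
            continue
        hits[entry["host"]] += 1
        agents[entry["host"]][entry["agent"]] += 1
        per_second[(entry["host"], entry["time"])] += 1
    # Several requests from one source inside the same second are not a
    # person clicking; report them separately.
    bursts = sorted(
        (host, when.isoformat(), n)
        for (host, when), n in per_second.items()
        if n >= burst_threshold
    )
    return {
        "hits": dict(hits),
        "agents": {h: dict(c) for h, c in agents.items()},
        "bursts": bursts,
        "from_server_ip": hits.get(server_ip, 0),
        "skipped": skipped,
    }


SERVER_IP = "203.0.113.10"  # constructed placeholder (documentation address range)

# Constructed sample lines modelled on the entries posted in the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
203.0.113.10 - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
203.0.113.10 - - [16/Nov/2011:00:15:48 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "SeaPort/3.0"
198.51.100.7 - - [16/Nov/2011:02:00:45 -0600] "GET /customer_testimonials.php?cPath=80 HTTP/1.1" 200 5392 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.10 - - [16/Nov/2011:02:00:56 -0600] "GET /
203.0.113.10 - - [16/Nov/2011:02:03:32 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2"
203.0.113.10 - - [16/Nov/2011:02:03:34 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "-"
203.0.113.10 - - [16/Nov/2011:02:03:35 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "System.Net.AutoWebProxyScriptEngine/2.0.50727.5448"
"""

if __name__ == "__main__":
    report = summarize_wpad(SAMPLE_LOG.splitlines(), SERVER_IP)
    for host, count in report["hits"].items():
        print(f"{host}: {count} wpad.dat requests, {len(report['agents'][host])} distinct user agents")
    for host, when, n in report["bursts"]:
        print(f"burst: {n} requests from {host} at {when}")
    print(f"unparseable lines skipped: {report['skipped']}")
```

On a real server, pass the lines of `/var/log/httpd-access.log` instead of `SAMPLE_LOG` and the address that appears in the `%h` column as `server_ip`.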



## adriftinitland (Nov 16, 2011)

Thank you SirDice:

`# ps` (which option to use?)


----------



## adriftinitland (Nov 16, 2011)

Thank you wblock:
Please see below:


```
"My servers public IP address" - - [16/Nov/2011:02:03:32 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2"
"My servers public IP address" - - [16/Nov/2011:02:03:32 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2"
"My servers public IP address" - - [16/Nov/2011:02:03:34 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "-"
"My servers public IP address" - - [16/Nov/2011:02:03:35 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "System.Net.AutoWebProxyScriptEngine/2.0.50727.5448"
```

Check out the third entry below from 157.55.16.221 a request for /wpad.dat. That's an ip for microsoft.com.

```
157.55.16.221 - - [16/Nov/2011:02:00:45 -0600] "GET /customer_testimonials.php?cPath=80&products_id=2216&&testimonial_id=24 HTTP/1.1" 200 5392 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.55.16.221 - - [16/Nov/2011:02:00:45 -0600] "GET /customer_testimonials.php?cPath=94_206&products_id=9041&&testimonial_id=6 HTTP/1.1" 200 5579 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.55.16.221 - - [16/Nov/2011:02:00:56 -0600] "GET /"My servers public IP address" - - [16/Nov/2011:02:03:32 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2"
"My servers public IP address" - - [16/Nov/2011:02:03:32 -0600] "GET /wpad.dat HTTP/1.1" 404 999 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.120 Safari/535.2"
"My servers public IP address" - - [16/Nov/2011:02:03:34 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "-"
"My servers public IP address" - - [16/Nov/2011:02:03:35 -0600] "GET /wpad.dat HTTP/1.1" 404 1010 "-" "System.Net.AutoWebProxyScriptEngine/2.0.50727.5448"customer_testimonials.php?cPath=196_203&testimonial_id=22&&testimonial_id=38 HTTP/1.1" 200 6129 "-" "Mozilla/5.0
```


----------



## wblock@ (Nov 16, 2011)

The customer_testimonials URL is actually on your server, right?  So bingbot gets that URL from your server.  Three minutes later, something claiming to be a Microsoft Javascript web thing runs on the server and looks for wpad.dat.

I don't know anything about server-side Javascript, or why it would wait for three minutes.  But that's what it looks like, a Javascript blob that runs on the server.  Whether that's even possible with what's installed, or it's just camouflage for an exploit... don't know.

Make sure your Windows system is actually off.  Default is just to sleep, and I swear I've caught the Ethernet LEDs on at least one notebook flashing when it was "off", which I assumed to be it sort-of waking up to get yet another huge update.


----------



## adriftinitland (Nov 16, 2011)

Thanks wblock:

Yes, customer_testimonials.php is on the server. It's been there since early 2009 and the error messages just started so I don't *think* that has anything to do with it.

No server-side Javascript installed on the server.

No Windows system on the server.


----------



## DutchDaemon (Nov 17, 2011)

Do you have any proxy server running on that server (or a proxy setting activated in e.g. Apache itself)? If it's running on the public IP address it may intercept/redirect HTTP requests from your LAN to 'itself'.


----------



## wblock@ (Nov 17, 2011)

DutchDaemon said:

> Do you have any proxy server running on that server (or a proxy setting activated in e.g. Apache itself)? If it's running on the public IP address it may intercept/redirect HTTP requests from your LAN to 'itself'.



That's an interesting idea, and reminds me of something I noticed but then forgot earlier: the server IP address in those requests ought to be 127.0.0.1, but it's showing up as the outside address instead.


----------



## DutchDaemon (Nov 17, 2011)

Exactly, that's why I suspect that the original requests come from 'outside', rather than from a local process babbling over lo0 (excluding the customary redirect to localhost:3128 for most transparent Squid proxy setups -- some people do run these setups on one and the same interface, binding the proxy to the public IP address).


----------



## adriftinitland (Nov 17, 2011)

Thank you DutchDaemon and wblock:

In the /etc/hosts file I have:

```
::1                     localhost localhost.my_fqdn.com
127.0.0.1               localhost localhost.my_fqdn.com
192.168.1.10            localhost  mail.my_fqdn.com my_fqdn.com
```

I have great difficulty understanding networking and I did not set up this part of the server. Could this explain the server requests from my domain's IP address? If so, what to do about it as it clouds the issue we are trying to get at.


----------



## wblock@ (Nov 17, 2011)

Showing what's in /etc/rc.conf might be helpful.  It could be something to do with a firewall, or possibly software that has been installed outside of ports.  The person who set it up is not available to answer questions?


----------



## adriftinitland (Nov 17, 2011)

wblock:
No, not available. Networking was set up a couple years ago.

/etc/rc.conf:

```
# -- sysinstall generated deltas -- # Sun Jan  3 12:40:52 2010
# Created: Sun Jan  3 12:40:52 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="my_fqdn.com"
ifconfig_bge0="inet 192.168.1.10 netmask 255.255.255.0 broadcast 192.168.1.255"
defaultrouter="192.168.1.1"
moused_enable="YES"
sshd_enable="YES"
apache22_enable="YES"
apche22_http_accept_enable="YES"
mysql_enable="YES"
ntpdate_enable="YES"
ntpdate_flags="north-america.pool.ntp.org"
postfix_enable="YES"
dovecot_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
clear_tmp_enable="YES"  # Clear /tmp at startup, added 8/30/2011
blanktime="no"
# Starts webmin
webmin_enable="YES"
```


----------



## DutchDaemon (Nov 17, 2011)

Please also post the output of `sockstat -l4` (in `[code]` tags, this time ;))


----------



## adriftinitland (Nov 17, 2011)

DutchDaemon: I am happy to do that and thank you for your interest.


```
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
postfix  local      16532 15 udp4   *:18252               *:*
postfix  smtpd      16528 6  tcp4   *:25                  *:*
dovecot  pop3-login 16526 4  tcp4   *:110                 *:*
dovecot  pop3-login 16526 5  tcp4   *:995                 *:*
dovecot  pop3-login 16521 4  tcp4   *:110                 *:*
dovecot  pop3-login 16521 5  tcp4   *:995                 *:*
www      httpd      16519 3  tcp4 6 *:80                  *:*
www      httpd      16519 4  tcp4   *:*                   *:*
www      httpd      16519 5  tcp4 6 *:443                 *:*
www      httpd      16519 6  tcp4   *:*                   *:*
www      httpd      16518 3  tcp4 6 *:80                  *:*
www      httpd      16518 4  tcp4   *:*                   *:*
www      httpd      16518 5  tcp4 6 *:443                 *:*
www      httpd      16518 6  tcp4   *:*                   *:*
dovecot  pop3-login 16516 4  tcp4   *:110                 *:*
dovecot  pop3-login 16516 5  tcp4   *:995                 *:*
www      httpd      16458 3  tcp4 6 *:80                  *:*
www      httpd      16458 4  tcp4   *:*                   *:*
www      httpd      16458 5  tcp4 6 *:443                 *:*
www      httpd      16458 6  tcp4   *:*                   *:*
www      httpd      16419 3  tcp4 6 *:80                  *:*
www      httpd      16419 4  tcp4   *:*                   *:*
www      httpd      16419 5  tcp4 6 *:443                 *:*
www      httpd      16419 6  tcp4   *:*                   *:*
www      httpd      16418 3  tcp4 6 *:80                  *:*
www      httpd      16418 4  tcp4   *:*                   *:*
www      httpd      16418 5  tcp4 6 *:443                 *:*
www      httpd      16418 6  tcp4   *:*                   *:*
www      httpd      16410 3  tcp4 6 *:80                  *:*
www      httpd      16410 4  tcp4   *:*                   *:*
www      httpd      16410 5  tcp4 6 *:443                 *:*
www      httpd      16410 6  tcp4   *:*                   *:*
www      httpd      16402 3  tcp4 6 *:80                  *:*
www      httpd      16402 4  tcp4   *:*                   *:*
www      httpd      16402 5  tcp4 6 *:443                 *:*
www      httpd      16402 6  tcp4   *:*                   *:*
www      httpd      16349 3  tcp4 6 *:80                  *:*
www      httpd      16349 4  tcp4   *:*                   *:*
www      httpd      16349 5  tcp4 6 *:443                 *:*
www      httpd      16349 6  tcp4   *:*                   *:*
www      httpd      16199 3  tcp4 6 *:80                  *:*
www      httpd      16199 4  tcp4   *:*                   *:*
www      httpd      16199 5  tcp4 6 *:443                 *:*
www      httpd      16199 6  tcp4   *:*                   *:*
www      httpd      16192 3  tcp4 6 *:80                  *:*
www      httpd      16192 4  tcp4   *:*                   *:*
www      httpd      16192 5  tcp4 6 *:443                 *:*
www      httpd      16192 6  tcp4   *:*                   *:*
root     httpd      5049  3  tcp4 6 *:80                  *:*
root     httpd      5049  4  tcp4   *:*                   *:*
root     httpd      5049  5  tcp4 6 *:443                 *:*
root     httpd      5049  6  tcp4   *:*                   *:*
root     perl       26631 6  tcp4   *:10000               *:*
root     perl       26631 7  udp4   *:10000               *:*
dovecot  imap-login 2198  4  tcp4   *:143                 *:*
dovecot  imap-login 2198  5  tcp4   *:993                 *:*
dovecot  imap-login 2197  4  tcp4   *:143                 *:*
dovecot  imap-login 2197  5  tcp4   *:993                 *:*
dovecot  imap-login 2196  4  tcp4   *:143                 *:*
dovecot  imap-login 2196  5  tcp4   *:993                 *:*
root     dovecot    2191  6  tcp4   *:143                 *:*
root     dovecot    2191  7  tcp4   *:993                 *:*
root     dovecot    2191  8  tcp4   *:110                 *:*
root     dovecot    2191  9  tcp4   *:995                 *:*
root     sshd       1116  4  tcp4   *:22                  *:*
root     master     1038  12 tcp4   *:25                  *:*
root     syslogd    636   7  udp4   *:514                 *:*
```


----------



## wblock@ (Nov 17, 2011)

rc.conf doesn't set up a publicly addressable IP address at all.  So I'm going to guess that HTTP traffic is being forwarded by the default router, and that the mystery requests are also coming from there.


----------



## adriftinitland (Nov 17, 2011)

Thanks wblock:

I believe you are correct. Is there anything I can do to get to the bottom of this?


----------



## SirDice (Nov 17, 2011)

Ok, so the server is running on a 192.168.1.0/24 address. Your server doesn't have a public IP address so there must be something in front of it, some firewall or router perhaps?

I'm guessing there's a slight configuration error that makes every request from the internet appear on the webserver to come from that one public IP address. A NAT configured the wrong way around would do that.


----------



## adriftinitland (Nov 17, 2011)

Thanks SirDice:
I have a Comcast Business class router with a static IP address then a Cisco RVS4000 4-Port Gigabit Security Router. What would you like to know about the configuration or set up? I'll do my best to provide. I can supply a screen capture if that's more convenient.


----------



## SirDice (Nov 18, 2011)

Can you access the website from the outside, I mean to test?

Try and get a page on your website that doesn't exist but can easily be found in the access log. Something like /thisdoesnotexist.html.

Then search for it in the logs and see what the source address is.


----------



## adriftinitland (Nov 18, 2011)

Thanks SirDice:
Yes, I am doing that from my cellphone now. Well conceived experiment by the way.
I tried two files. One the infamous wpad.dat.

```
[Fri Nov 18 08:22:03 2011] [error] [client 208.54.37.202] File does not exist: /usr/home/usrname/public_html/wpad.dat
[Fri Nov 18 08:22:46 2011] [error] [client 208.54.37.202] File does not exist: /usr/home/usrname/public_html/nohelp.html
```
208.54.37.202 is my cellphone ip.


----------



## SirDice (Nov 18, 2011)

Ok, that means there's no NAT happening, at least not on traffic that's originating on the internet. That's good. The more things we can rule out the better.

Still leaves us with the question where it does come from :\

Which of the two boxes, the Cisco or the Comcast, has your public IP address assigned to it?


----------
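The source-address check discussed above, as an added example that is not part of the original thread: it counts, per client, the "File does not exist" entries for one path in an Apache 2.2 error_log, so a single dominant address stands out. The function names and the sample log lines (documentation addresses, hypothetical paths) are constructed for illustration.

```shell
#!/bin/sh
# Added example: who is asking for a given path? Parses the Apache 2.2
# error_log format seen in this thread ("[client IP] File does not exist: PATH").

# Read an error_log on stdin; print "count client" for every client whose
# request for a path ending in $1 was logged as missing, busiest first.
missing_file_clients() {
    awk -v want="$1" '
        /\[client [^]]+\] File does not exist: / {
            path = $NF
            if (substr(path, length(path) - length(want) + 1) != want) next
            match($0, /\[client [^]]+\]/)
            # "[client " is 8 characters; drop it and the closing bracket.
            ip = substr($0, RSTART + 8, RLENGTH - 9)
            hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Succeeds when every logged miss for the path comes from one address, which
# points at a single host (or a NAT device) rather than many Internet clients.
single_source() {
    [ "$(missing_file_clients "$1" | wc -l)" -eq 1 ]
}

# Constructed sample log, shaped like the entries quoted in the thread.
sample_log() {
    cat <<'EOF'
[Fri Nov 18 08:20:11 2011] [error] [client 198.51.100.7] File does not exist: /usr/local/www/site/wpad.dat
[Fri Nov 18 08:20:40 2011] [error] [client 198.51.100.7] File does not exist: /usr/local/www/site/wpad.dat
[Fri Nov 18 08:21:02 2011] [error] [client 198.51.100.7] File does not exist: /usr/local/www/site/wpad.dat
[Fri Nov 18 08:22:03 2011] [error] [client 203.0.113.44] File does not exist: /usr/local/www/site/wpad.dat
[Fri Nov 18 08:22:46 2011] [error] [client 203.0.113.44] File does not exist: /usr/local/www/site/nohelp.html
EOF
}

# Usage on a real log: missing_file_clients wpad.dat < /var/log/httpd-error.log
```

The log path in the usage comment is an assumption; use the ErrorLog location from your own httpd.conf.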



## adriftinitland (Nov 18, 2011)

SirDice:
Good question. Now my ignorance will show. I believe the Comcast router has the public IP address. In the Comcast router configuration window under

```
Gateway Summary/ Network/Internet Settings/WAN Internet IP Address 	My public IP address ###.###.###.###
```

However in the Cisco router under

```
Setup/WAN/Internet Connection Type/Static IP/Internet IP Address/ My public IP address ###.###.###.###
```

So I don't really know for sure.


----------



## adriftinitland (Nov 24, 2011)

If I run this command: `ipconfig /displaydns` on my desktop PC in Windows PowerShell, one of the DNS entries is this:

```
Record Name . . . . . : wpad.my_fqdn.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 4237
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : my IP address
```

Where would this come from? `Record Name . . . . . : wpad.my_fqdn.com`

Could this be something that was configured at my domain name registration site?


----------



## wblock@ (Nov 25, 2011)

Possible.  Seems like something that should not be available outside the LAN, but DNS registrars vary in quality.  Try dig(1) on wpad.my_fqdn.com on the FreeBSD system.  If named is running on the FreeBSD server, you should use an upstream DNS server for the query:
`% dig @upstream-dns-server wpad.my_fqdn.com`


----------



## adriftinitland (Nov 25, 2011)

Thanks for reply wblock:
named is not enabled on the server.

```
named_enable="NO"  # Run named, the DNS server (or NO).
```

[CMD="dig"]wpad.my_fqdn.com[/CMD]


```
; <<>> DiG 9.6.-ESV-R3 <<>> wpad.my_mqdn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14975
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wpad.my_mqdn.com.               IN      A

;; ANSWER SECTION:
wpad.my_mqdn.com.        6782    IN      A       My server IP ***.***.***.***

;; Query time: 45 msec
;; SERVER: 68.87.77.130#53(68.87.77.130)
;; WHEN: Fri Nov 25 09:31:25 2011
;; MSG SIZE  rcvd: 49
```

Also tried:
[CMD="dig"]@68.87.77.130 wpad.my_fqdn.com[/CMD]


```
; <<>> DiG 9.6.-ESV-R3 <<>> @68.87.77.130 wpad.my_fqdn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3339
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;wpad.my_fqdn.com.               IN      A

;; ANSWER SECTION:
wpad.my_fqdn.com        7200    IN      A       My server IP ***.***.***.***

;; Query time: 103 msec
;; SERVER: 68.87.77.130#53(68.87.77.130)
;; WHEN: Fri Nov 25 09:38:28 2011
;; MSG SIZE  rcvd: 49
```

and then for the heck of it:
[CMD="dig"]@68.87.77.130 *different*.my_fqdn.com[/CMD]


```
; <<>> DiG 9.6.-ESV-R3 <<>> @68.87.77.130 different.my_fqdn.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59095
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;different.my_fqdn.com.          IN      A

;; ANSWER SECTION:
different.my_fqdn.com.   7200    IN      A       My server IP ***.***.***.***

;; Query time: 66 msec
;; SERVER: 68.87.77.130#53(68.87.77.130)
;; WHEN: Fri Nov 25 09:40:28 2011
;; MSG SIZE  rcvd: 54
```

What this tells me I do not know. Is the information useful?

My registrar for domain name is Network Solutions and I can not find anything in the configuration section or elsewhere that has anything to do with wpad.


----------



## wblock@ (Nov 25, 2011)

adriftinitland said:

> Thanks for reply wblock:
> named is not enabled on the server.
>
> ...

That's from /etc/defaults/rc.conf.  Those are defaults, and should not be changed.  If you were to set `named_enable="YES"` in /etc/rc.conf (overriding the default), then named would run.

Anyway, it's /etc/rc.conf that's important.

(Note: the parameter in the cmd tag is for a prompt.  The command itself goes between the tags.)



> [CMD="dig"]wpad.my_fqdn.com[/CMD]
>
> ...



If the name wasn't found, you'd get a status: NXDOMAIN message.  But instead it says, "sure, I've got that name and address, here it is."

You should also get an AUTHORITY section that shows who is authoritative for those addresses.  (Hint: worldnic.com is Network Solutions.)  So log in to their web interface or contact them and have them remove the wpad entry.


----------



## adriftinitland (Nov 25, 2011)

wblock: Thanks again.
Not enabled in /etc/rc.conf.

I can do this:


> So log in to their web interface or contact them and have them remove the wpad entry.



But my question is, I get the same response to each of the three inquiries so how do I know there is an entry for wpad? Wouldn't there have to be an entry for `different.my_fqdn.com` as well?

I am confused as you can tell.


----------



## wblock@ (Nov 25, 2011)

Are you saying different.my_fqdn.com doesn't actually exist?  So these return results instead of a "cannot resolve" error?

```
% ping obviouslyfake.my_fqdn.com
% ping notreallythere.my_fqdn.com
% ping neverdefined.my_fqdn.com
```

Wildcard DNS?


----------



## adriftinitland (Nov 25, 2011)

wblock:

The only thing that exists is `my_fqdn.com`. There is no `wpad.my_fqdn.com` or `different.my_fqdn.com` etc. etc.


----------



## adriftinitland (Nov 25, 2011)

In this section:


```
;; ANSWER SECTION:
wpad.my_mqdn.com.        6782    IN      A       My server IP ***.***.***.***
```



`dig` must just be hitting on `my_mqdn.com`. The `wpad` has nothing to do with the answer.


----------



## adriftinitland (Nov 25, 2011)

Yes, they return results:

[CMD="ping"]obviouslyfake.my_fqdn.com[/CMD]


```
PING obviouslyfake.my_fqdn.com (my_ip: ***.***.***.***): 56 data bytes
64 bytes from my_ip: ***.***.***.***: icmp_seq=0 ttl=64 time=1.023 ms
64 bytes from my_ip: ***.***.***.***: icmp_seq=1 ttl=64 time=1.126 ms
64 bytes from my_ip: ***.***.***.***: icmp_seq=2 ttl=64 time=1.124 ms
64 bytes from my_ip: ***.***.***.***: icmp_seq=3 ttl=64 time=1.126 ms
64 bytes from my_ip: ***.***.***.***: icmp_seq=4 ttl=64 time=1.124 ms
--- obviouslyfake.my_fqdn.com ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.023/1.105/1.126/0.041 ms
```


[CMD="ping"]my_fqdn.com[/CMD]

```
PING localhost (192.168.1.10): 56 data bytes
64 bytes from 192.168.1.10: icmp_seq=0 ttl=64 time=0.041 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=64 time=0.029 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=64 time=0.027 ms
64 bytes from 192.168.1.10: icmp_seq=4 ttl=64 time=0.027 ms
--- localhost ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.027/0.031/0.041/0.005 ms
```


----------



## wblock@ (Nov 26, 2011)

Yes, that's wildcard DNS.  Maybe the previous admin set that up.


----------



## adriftinitland (Dec 12, 2011)

After weeks of trying I have no solution to the problem of the error messages for wpad.dat in my error_log file: `File does not exist`. This creates huge log files so I have decided to try and filter out this particular error message so it doesn't continue to bloat the error logs. If you can point me in the right direction to do that please let me know.


----------



## wblock@ (Dec 12, 2011)

What happened with the effort to get the wildcard DNS turned off?


----------



## adriftinitland (Dec 14, 2011)

Thanks for your reply wblock. I apologize. I did not know the goal was to turn off wildcard DNS. However, I am at a loss on how to accomplish that. I do not have bind installed on my server.


----------



## wblock@ (Dec 14, 2011)

Contact your DNS registrar.


----------



## adriftinitland (Dec 15, 2011)

wblock:
I have deleted this DNS record:

```
* (all others) .mfqdn.com 7200
```
Will that cure the error_log problem?


----------



## wblock@ (Dec 15, 2011)

As soon as the DNS records propagate, whatever is trying to query wpad.my_mqdn.com will not be able to resolve that.  So it *should* stop.


----------



## adriftinitland (Dec 15, 2011)

Hallelujah!
That appears to have worked. No more wpad.dat errors in the error_log. I can hardly believe it but I am extremely grateful. Thank you wblock.

An interesting side effect. I was unable to send or receive mail through the server after the DNS A record change. I got it working again by changing my email program settings to `mfqdm.com` from `pop3.mfqdn.com` and to `mfqdn.com` from `smtp.mfqdn.com`.

Why that change was required I do not understand but it doesn't seem right.


----------



## DutchDaemon (Dec 15, 2011)

I'm assuming then that pop3.mfqdn.com = smtp.mfqdn.com = mfqdn.com? Either give them all the same A record, or give the other two CNAME records to mfqdn.com.


----------



## wblock@ (Dec 15, 2011)

Yes, add DNS entries for pop3 and smtp.  And that neatly explains what was going on.  Whoever set up the domain initially saved themselves a tiny bit of time by using wildcard DNS.  That time saved was really at the expense of the people who would have to work on it later.  Just another lesson that even trivial things ought to be done right, because later they might become nontrivial.


----------
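A check for the two things this thread ran into, as an added example that is not part of the original posts: whether a zone answers for names that cannot exist (wildcard DNS, which is what made `wpad.<zone>` resolve), and which service names would stop resolving if the wildcard were deleted. It assumes dig(1) is available; the function names and the `example.test` zone are placeholders.

```shell
#!/bin/sh
# Added example: wildcard-DNS and WPAD exposure check for a zone.
# Assumption: dig(1) is installed; set DNS_SERVER to query a specific resolver.

# Print the A records for a name, one per line (nothing on NXDOMAIN/NODATA).
resolve() {
    dig +short A "$1" ${DNS_SERVER:+"@$DNS_SERVER"} |
        grep -E '^[0-9]+(\.[0-9]+){3}$' | sort
}

# Succeeds when three labels that cannot exist all resolve to the same
# address set, and prints that set. That is the wildcard signature.
wildcard_probe() {
    zone=$1 first="" i=0
    while [ "$i" -lt 3 ]; do
        i=$((i + 1))
        ans=$(resolve "nx-$$-$i-$(date +%s).$zone")
        [ -n "$ans" ] || return 1
        if [ -z "$first" ]; then first=$ans; fi
        [ "$ans" = "$first" ] || return 1
    done
    printf '%s\n' "$first"
}

# Classify each label under the zone:
#   NXDOMAIN          does not resolve (what you want for wpad)
#   WILDCARD-OR-SAME  same answer as the wildcard; confirm an explicit record
#                     exists at the DNS host before deleting the wildcard
#   EXPLICIT          resolves although no wildcard answer matches it
audit_names() {
    zone=$1; shift
    wild=$(wildcard_probe "$zone") || wild=""
    for label in "$@"; do
        ans=$(resolve "$label.$zone")
        if [ -z "$ans" ]; then state=NXDOMAIN
        elif [ -n "$wild" ] && [ "$ans" = "$wild" ]; then state=WILDCARD-OR-SAME
        else state=EXPLICIT
        fi
        printf '%s.%s %s\n' "$label" "$zone" "$state"
    done
}

# Usage: audit_names example.test wpad pop3 smtp www
```

A recursive resolver cannot tell a wildcard-synthesized answer from an explicit record with the same address, so WILDCARD-OR-SAME names have to be checked in the DNS host's record list.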



## adriftinitland (Dec 15, 2011)

DutchDaemon:

Yes, all the myfqdn.com are the same in every instance.


----------



## adriftinitland (Dec 15, 2011)

wblock thanks!

I think I have the mx records correct. Might take a few hours to tell for sure. I'll report back.


----------



## adriftinitland (Dec 20, 2011)

Thanks wblock!
Everything is functioning as expected. My server's error_log is back to a reasonable size. There are no longer thousands of wpad.dat error messages every day. Mail server is fine. Life is good.
Again, thank you and Happy Holidays!


----------

