
‎06-24-2010 07:36 PM
I have performed a search for this topic on this site with no true success.
I've had some infected computers that were cleaned...yet the cleaning process did not detect nor reset the browser proxy settings that were set to 127.0.0.1. Yes....I know this is bad.
Goal: Using Lansweeper, display known computers that have a browser with this (or any, but distinguished) proxy setting. This could help identify infected computers that have yet to cause the user enough grief to contact the IT Department.
Issues I suspect that need to be considered:
- Browsers could be IE (6 through 8), Firefox, Chrome
- Setting may be linked to the current user
Preventing Proxy Changes with GPO may be worth considering. However, there are some limited conditions here in which some users have legitimate purpose for the change.
Similarly, if there are other valuable checks to detect the possible hole/tunnel in the routes, I welcome your response. For instance, the existence of any type of VPN tunneling protocol/configuration detected, or file replication technology such as MS Live Sync (yes, I know the SW inventory hits that specific one).
2 REPLIES

‎06-24-2010 09:19 PM
You won't be able to scan the HKEY_CURRENT_USER key with registry scanning.

‎06-24-2010 08:57 PM
Mozilla settings look to be stored in a file called prefs.js.
On my system it was located here: C:\Users\MYUSERNAME\Application Data\Mozilla\Firefox\Profiles\a68dhkmj.default\prefs.js.
The profile directory name (a68dhkmj.default) appears to be unique and maybe randomly generated.
A profile for the current user can be accessed here: "%APPDATA%\Mozilla\"
Accessing "%APPDATA%\Mozilla\" resulted in the profile being found in the subdirectory: Firefox\Profiles\a68dhkmj.default
The file "profiles.ini" exists in the directory Roaming\Mozilla\Firefox. It contains the lines:
Name=default
IsRelative=1
Path=Profiles/a68dhkmj.default
Within the file prefs.js is the following line:
user_pref("network.proxy.http", "127.0.0.1");
XXXXXXXXXXXXXX
IE appears to store the proxy settings in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80
AND
HKEY_USERS\S-1-5-21-1993962763-1123\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
127.0.0.1:80
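The two storage locations described in the reply above (the per-user IE `ProxyServer` value under `HKEY_USERS\<SID>\...\Internet Settings`, and Firefox's `profiles.ini` → `prefs.js` with `network.proxy.*`) can be checked on a host with one script. The following is an added example, not code from the thread or from Lansweeper. It walks every loaded hive under `HKEY_USERS` (rather than `HKCU`, which the earlier reply notes cannot be scanned and which only covers the account running the script), resolves each Firefox profile through `profiles.ini`, and flags any proxy host set to the loopback address. Assumptions: the script runs elevated; user profiles live under `C:\Users\<name>\AppData\Roaming` (Vista/7 layout); the `Find-LoopbackProxy` function name and the `Active` heuristic (IE `ProxyEnable=1`, Firefox `network.proxy.type=1` meaning manual proxy) are mine.

```powershell
# Added example (not from the original thread or Lansweeper): find browser
# proxies pointing at loopback on one Windows host, PowerShell 2.0 compatible.
#   IE      -> HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
#   Firefox -> <user>\AppData\Roaming\Mozilla\Firefox\profiles.ini -> <profile>\prefs.js
# Hives of users who are not logged on are not loaded and are not seen.

function Find-LoopbackProxy {
    $Loopback = '127\.0\.0\.1|localhost'
    $Findings = @()

    # --- IE: every loaded user hive, not just HKCU (which is only the caller's).
    foreach ($Hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $Sid = $Hive.PSChildName
        if ($Sid -like '*_Classes') { continue }      # COM class hives carry no Internet Settings
        $Key = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path $Key)) { continue }
        $P = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        if ($P.ProxyServer -and ($P.ProxyServer -match $Loopback)) {
            $Findings += New-Object PSObject -Property @{
                Browser = 'IE'
                User    = $Sid
                Setting = "$Key\ProxyServer"
                Value   = $P.ProxyServer
                Active  = ([int]$P.ProxyEnable -eq 1)   # ProxyEnable=0: value is stale, not in use
            }
        }
    }

    # --- Firefox: resolve each profile from profiles.ini, then read prefs.js.
    $UserDirs = Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer }
    foreach ($U in $UserDirs) {
        $Root    = Join-Path $U.FullName 'AppData\Roaming\Mozilla\Firefox'
        $IniPath = Join-Path $Root 'profiles.ini'
        if (-not (Test-Path $IniPath)) { continue }

        $Section = @{}
        # '[end]' is a sentinel so the last [ProfileN] section is flushed as well.
        foreach ($Line in ((Get-Content $IniPath) + '[end]')) {
            if ($Line -match '^\[') {
                if ($Section['Path']) {
                    # IsRelative=1 (the usual case) means Path is relative to the Firefox dir.
                    $Dir = if ($Section['IsRelative'] -eq '0') { $Section['Path'] } else { Join-Path $Root $Section['Path'] }
                    $Prefs = Join-Path $Dir 'prefs.js'
                    if (Test-Path $Prefs) {
                        $ProxyType = $null
                        $Hits = @()
                        # Matches lines such as: user_pref("network.proxy.http", "127.0.0.1");
                        $Pattern = '^user_pref\("(network\.proxy\.[a-z_]+)",\s*"?([^")]*)"?\);'
                        foreach ($M in (Select-String -Path $Prefs -Pattern $Pattern)) {
                            $Name = $M.Matches[0].Groups[1].Value
                            $Val  = $M.Matches[0].Groups[2].Value
                            if ($Name -eq 'network.proxy.type') { $ProxyType = $Val }
                            # no_proxies_on legitimately lists localhost; do not flag it.
                            elseif ($Name -ne 'network.proxy.no_proxies_on' -and $Val -match $Loopback) {
                                $Hits += "$Name=$Val"
                            }
                        }
                        foreach ($H in $Hits) {
                            $Findings += New-Object PSObject -Property @{
                                Browser = 'Firefox'
                                User    = $U.Name
                                Setting = $Prefs
                                Value   = $H
                                Active  = ($ProxyType -eq '1')   # 1 = manual proxy; other types ignore the host prefs
                            }
                        }
                    }
                }
                $Section = @{}
            }
            elseif ($Line -match '^(\w+)=(.*)$') { $Section[$Matches[1]] = $Matches[2] }
        }
    }
    return $Findings
}

Find-LoopbackProxy | Format-Table Browser, User, Active, Value, Setting -AutoSize
```

Two practical notes. First, a hive is only present under `HKEY_USERS` while that user is logged on; to cover every account you either load each `NTUSER.DAT` with `reg load` before running, or run the check as a logon script, where `HKCU` is the logged-on user's own hive, and write the result somewhere a machine-wide scan can pick it up. Second, a loopback proxy is not proof of infection on its own: some legitimate local filtering software also installs one, so compare the port against a known-good list before acting on a hit, and treat `Active = False` entries as leftovers from a cleaned infection rather than a live tunnel.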
