This is a home network: a wireless Linksys router serving around 5 wireless devices and 3 wired ones: two PCs and a PS4.
The router is set up to serve DHCP to client devices. It has a setting to change the DNS domain of the network, but it comes set by default to "domain.name" from the factory. This was never changed.
Since a few days ago, one of the wired PCs (running Windows 10) had been showing internet issues: slow connection, buffering in videos, and sometimes straight-out 404s on every page. Internet Explorer was for some reason set up to detect proxy settings automatically (I don't know if that is the default configuration, but I seriously hope it's not). Disabling that fixed the issue.
However, during the investigation, the browser showed a "Proxy is not responding" page, which surprised me. It stated that the proxy, at a specific IP, was not responding. I then proceeded to go to http://wpad/wpad.dat with the browser and sure enough, a DAT file was downloaded, which seemed to provide two proxy servers: one in Madrid and another one in the US.
Remember that the router is providing "domain.name" as the DNS domain? It turns out that someone must have set up something that serves that DAT file for WPAD in that domain (you can probably get that file right now, I won't provide a link just in case but you can probably figure out the URL). My guess is that those proxies stopped working, and thus the PC started to show those issues.
Needless to say, I changed the domain name in the router immediately.
My main concern right now is multifold:
- Is there a high risk of sensitive data leak? I'm talking about banking stuff (which should have gone through HTTPS, so I think it won't be affected). I don't know for how long the PC in question was compromised.
- Should I consider formatting the PCs, or nuking the whole network?
- Could the non-Windows machines (the PS4, Android devices, a MacBook Pro) have been compromised?