Installing Windows 7 for Testing


A client asked me how to best install Windows 7 for testing. His son is interested in it, and he thought his son's machine could afford to be wiped to install the new OS.

I instead told him to use VirtualPC to do the job.

A quick Google later, and I pointed him to these directions, as they were as full-featured and complete a set as I've seen... and I didn't have to type them myself. :-)

Nice job, Abbas!

Don’t Overlook Scheduled Tasks / AT when cleaning malware…


One of our clients picked up some sort of infection over the weekend. The sucker was persistent, and after running the usual battery of utilities -- RootkitRevealer, SDFix, ComboFix, Stinger running inside a WinXP PE shell -- we got rid of the thing.

When I checked the post-infection System Event Viewer log, however, I got an interesting message:

Event Type:Error
Event Source:Schedule
Event Category:None
Event ID:7901
Date:1/31/2009
Time:9:00:00 PM
User:N/A
Computer:XXX03
Description:
The At46.job command failed to start due to the following error:
The system cannot find the file specified.

Huh? At46.job? I know the machine doesn't use the AT scheduler... let's see...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\administrator\>at
Status ID Day Time Command Line
-------------------------------------------------------------------------------
 1 Each M T W Th F S Su 12:26 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 10 Each M T W Th F S Su 9:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 11 Each M T W Th F S Su 10:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 12 Each M T W Th F S Su 11:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 13 Each M T W Th F S Su 12:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 14 Each M T W Th F S Su 1:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 15 Each M T W Th F S Su 2:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 16 Each M T W Th F S Su 3:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 17 Each M T W Th F S Su 4:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 18 Each M T W Th F S Su 5:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 19 Each M T W Th F S Su 6:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 2 Each M T W Th F S Su 1:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 20 Each M T W Th F S Su 7:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 21 Each M T W Th F S Su 8:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
Error 22 Each M T W Th F S Su 9:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe

And so forth, with hourly jobs listed down through job 72. (It kept adding duplicate schedules...)

You can see we got the infection eradicated before 9 PM, because the 9 PM AT job shows an error. :-)

For those of you who prefer a GUI, you can see the same thing in the Scheduled Tasks pane in Control Panel.

So, don't overlook the AT scheduler as a place where an infection might hide in an effort to relaunch itself. This is the first time I've seen it there, and it will be a place I look from here on out...
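A defender-side check for the pattern above, written as an added example (not code from the original post): it parses the table layout that the XP `at` command prints, groups jobs by command line, and flags a binary that is scheduled over and over or whose job already errors because the file is gone, which means the persistence entry survived the cleanup and still has to be removed. The sample listing is constructed from the rows shown in the post plus one benign job; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample in the layout `at` prints on XP: rows from the post plus one benign job.
SAMPLE_AT_OUTPUT = r"""
Status ID Day Time Command Line
-------------------------------------------------------------------------------
 1 Each M T W Th F S Su 12:26 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 10 Each M T W Th F S Su 9:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
 11 Each M T W Th F S Su 10:00 AM C:\WINDOWS\system32\Hi3TR1uq.exe
Error 22 Each M T W Th F S Su 9:00 PM C:\WINDOWS\system32\Hi3TR1uq.exe
 5 Each M T W Th F S Su 2:00 AM C:\WINDOWS\system32\defrag.exe C:
"""

# One row: optional status, job id, recurrence ("Each ..." or "Next ..."),
# a 12-hour time, then the command line.
AT_ROW = re.compile(
    r"^(?:(?P<status>Error|OK)\s+)?(?P<id>\d+)\s+"
    r"(?P<day>(?:Each|Next)\b.*?)\s+"
    r"(?P<time>\d{1,2}:\d{2}\s?[AP]M)\s+(?P<cmd>.+)$"
)

def parse_at_listing(text):
    """Turn the text printed by `at` into job dicts; header lines are skipped."""
    jobs = []
    for line in text.splitlines():
        m = AT_ROW.match(line.strip())
        if m:
            jobs.append(m.groupdict())
    return jobs

def find_suspicious_jobs(jobs, min_repeats=3):
    """Flag a command scheduled many times (the hourly re-launch from the post)
    or one whose job errored: after a cleanup that means the binary is gone
    but the persistence entry remains and still has to be deleted."""
    by_cmd = defaultdict(list)
    for job in jobs:
        by_cmd[job["cmd"].lower()].append(job)
    findings = []
    for group in by_cmd.values():
        reasons = []
        if len(group) >= min_repeats:
            ids = ", ".join(j["id"] for j in group)
            reasons.append(f"scheduled {len(group)} times (job ids {ids})")
        if any(j["status"] == "Error" for j in group):
            reasons.append("a job failed to start: target missing, stale entry")
        if reasons:
            findings.append({"cmd": group[0]["cmd"], "reasons": reasons})
    return findings
```

On a live box, feed it the output of `at` (or the jobs listed in the Scheduled Tasks pane) and delete any flagged entries with `at <id> /delete` after confirming what they point at.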

Beware of New Linksys Layout and Port (Range) Forwarding


Got an email from a client this morning complaining that he could not access his SBS 2003 Remote Web Workplace.

He was getting a 403.6 error -- IP Address rejected.

This didn't make any sense, since we want every IP address to be able to access the site and access to the site was fine earlier in the week.

Even after re-running the CEICW (Configure E-Mail and Internet Connection Wizard) a few times, I couldn't connect to the site from outside the local subnet.

The only thing that had changed recently was our swapping out of their existing router for a new Linksys WRT110.

I've set up enough SBS boxes to know which ports we want to open. So I clicked on the "Applications and Gaming" tab and put in the mappings for ports 25, 80, 110, 143, 443-444, 3389 and 4125.

However, I didn't put them where I thought I did.

When you click on the "Applications and Gaming" tab in a WRT54G router, you're taken to a "Port Range Forwarding" page.

Linksys has been doing it this way for years.

Not so in the WRT110 series!

Now you're brought to a "Single Port Forwarding" page. It looks kinda similar:

But instead of there being a port RANGE, it's a single port. So when you put 443 in the first box and 444 in the second box of the WRT110, it MAPS 443 to 444, and that causes your SSL authentication to fail and your IP to be rejected. It doesn't work like you think. For that, you need to go here:

And if you put 443 and 444 in the boxes on that page, then it all works...

So, the moral of the story is, make sure you're forwarding your ports correctly.
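As an added example that is not part of the original post, here is a small Python model of the two Linksys pages: the same rows typed into Single Port Forwarding versus Port Range Forwarding, and a check of whether each SBS port from the post arrives at the server unchanged. The port semantics are as the post describes them; the function names are mine.

```python
# SBS 2003 ports from the post, each expected to reach the server unchanged.
REQUIRED_PORTS = [25, 80, 110, 143, 443, 444, 3389, 4125]

def single_port_rules(rows):
    """WRT110 'Single Port Forwarding': first box = external port, second box =
    internal port, so a row (443, 444) sends external 443 to internal 444."""
    return {external: internal for external, internal in rows}

def port_range_rules(rows):
    """WRT54G-style 'Port Range Forwarding': the two boxes are the start and end
    of an external range forwarded unchanged, so (443, 444) covers both ports."""
    mapping = {}
    for start, end in rows:
        for port in range(start, end + 1):
            mapping[port] = port
    return mapping

def check_forwarding(mapping, required=REQUIRED_PORTS):
    """Return {port: problem} for required ports that are not forwarded or that
    arrive at a different internal port (the failure described in the post)."""
    problems = {}
    for port in required:
        if port not in mapping:
            problems[port] = "not forwarded"
        elif mapping[port] != port:
            problems[port] = f"forwarded to internal port {mapping[port]}"
    return problems

# The rows as typed into the router, intended as ranges (443-444 as one row).
ROWS_AS_TYPED = [(25, 25), (80, 80), (110, 110), (143, 143),
                 (443, 444), (3389, 3389), (4125, 4125)]

if __name__ == "__main__":
    print("single port page:", check_forwarding(single_port_rules(ROWS_AS_TYPED)))
    print("port range page: ", check_forwarding(port_range_rules(ROWS_AS_TYPED)))
```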

Brothers In Arms – ExchangeRecovery.org


I was working for a client late last night, applying the usual slew of patches Microsoft had given us on Tuesday. I rebooted the server, and when it came back up, it didn't bring Exchange with it.

Much gnashing of teeth ensued. I've recovered my fair share of Exchange stores, but this one just wasn't coming back.

The event viewer was full of errors from the Exchange service:

Event Type: Error
Event Source: ESE
Event Category: Logging/Recovery

Event ID: 494

Description:
Information Store (3860) First Storage Group: Database recovery failed with error -1216 because it encountered references to a database, x:\pathtoourdatabase\priv1.edb, which is no longer present. The database was not brought to a Clean Shutdown state before it was removed (or possibly moved or renamed). The database engine will not permit recovery to complete for this instance until the missing database is re-instated. If the database is truly no longer available and no longer required, procedures for recovering from this error are available in the Microsoft Knowledge Base or by following the more information link at the bottom of this message.

The frustrating part of all of this was the Exchange database was where it should have been (contrary to the above error).

By the time I gave up, it was 4:30 AM and I had hit the wall. I fell asleep on the couch with a laptop next to me, watching BackupExec attempt a restore of the public folder store.

I woke up to BackupExec having failed to restore the backup. (Note to self: make sure the Veritas user is in both the "Backup Operators" and "Administrator" group on SBS 2003. Once we did that, BackupExec did what it should.)

I started an offline backup of the Exchange store and headed to the client site. I knew mail was being spooled on the mail gateway -- the AWESOME spam-killing ESVA Virtual Appliance -- so I wasn't worried about losing any inbound mail.

In the morning, though, getting the store to mount was still not happening.

I did a Google search for a firm like mine that specialized in Exchange recovery. Google led me to ExchangeRecovery.org and a great tech named Jon.

The receptionist answered promptly and transferred me over to an Exchange specialist.

Jon was as helpful as a fella could be. I opened a VNC port for him and he ran through the litany of tests I had done, plus a few more I hadn't. Everything passed the integrity checks. The event viewer had mentioned there were issues in replaying the transaction logs, so he moved the transaction log files out of the MDBDATA directory and that seemed to do the trick. The store came right back up. Since the store was in a clean state when it shut down, we didn't lose any mail.

I can't recommend Jon enough; he was good-humored, professional and a joy to work with. Should we come across any more Exchange issues requiring expert assistance -- or at the least a second set of eyes -- his speed dial is the one I'll be hitting.

Get your Mac ready for the beach!


I've recently run into some space issues on my primary partition on my home Mac Mini. Not really problems, since I've got 200GB of additional storage attached to it, but you never want to have a primary partition wanting for space (on any system, as you need that "free space" for the page file/virtual memory).

On Windows machines, I recommend using a tool like SpaceMonger to profile your hard drive(s) and delete unwanted files, etc. (Note - NEVER DELETE a file unless you know what it is, what it does, and that it's unnecessary or redundant)

On my Mac, I had already analyzed my disk, moved or deleted things that didn't belong on my system drive, but I still didn't have as much free space as I'd like. And that's when I discovered Xslimmer.

Most (90%) of Mac programs are now "Universal Binary" programs, meaning that they can run on older, PowerPC-powered Macs as well as new, Intel-powered machines. Which means (basically) that there are two sets of code in every program that's on your hard drive. Additionally, Mac programs often ship (download) with multiple language packs to support a broader range of users. I only speak English, so I rarely (never) need to run a program in Spanish. Or Dutch. Or whatever they speak in Kazakhstan.

What Xslimmer does is analyze your Applications folder and strip out the code you don't need. If you have a PowerPC Mac, it will strip out the Intel code from your apps, and vice versa. It also removes unnecessary language packs from your apps. The initial analysis and "slimming" took about an hour (during which time I was still able to work without any memory hit) and it saved me almost 4.5GB of space!

So if you've got some Mac bloat (and lots of applications), Xslimmer might help your Mac fit into its thin jeans again!

