Wednesday, February 24, 2016

Quasi-Failover DHCP 2008 R2

I was given a client recently that was running out of IP addresses on their DHCP server. 

After some investigation I discovered that they had 2 DHCP servers in the same AD and on the same network. Let's say the network is 192.168.1.0 with a subnet mask of 255.255.0.0. No, really, it does have that subnet mask. Anyway, the 2 DHCP servers were giving out the same scope of 192.168.1.1 - 192.168.1.254. DHCP1 had an exclusion of 192.168.1.1 - 192.168.1.170 and DHCP2 had an exclusion of 192.168.1.170 - 192.168.1.254. Of course there were other exclusions for servers and printers, but you get the point.

After looking a little bit deeper I noticed that the DHCP1 server was not giving out any leases. This didn't make sense until I fully thought about what was happening here. 

The reason the DHCP2 server was the only one giving out IP addresses is because it is, for lack of a better term, faster. The reason is that once a machine has made contact with a DHCP server, even if it's out of addresses, it will NOT try a different DHCP server. It will keep trying that same DHCP server for an address. This is why DHCP1 is not giving out leases: it's too slow to answer.

So, since DHCP2 is always the fastest, it always replies first, even if it's full. The one way of testing, and verifying, this is to turn off the DHCP service on DHCP2 momentarily and request an address from a device. Then look at DHCP1 to see if it gave out the address to that device. Of course we tested this and it worked as I expected.

Doing an "ipconfig /release" and then an "ipconfig /renew" on a computer will generate the request needed for testing. I would not do this on a computer that already has an address that you need in order to turn the DHCP service back on; do this on a temp PC instead.

So basically in this configuration there is a quasi-failover DHCP system in place. If DHCP2 is offline then DHCP1 will pick up and start handing out addresses. Of course this is not the best way to set up a failover DHCP environment, but it kind of works. Here is the correct way:

I hope this helps someone in their endeavour of trying to figure out why a DHCP server might not be giving out leases.
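To audit a split-scope setup like the one above, here is an added Python example (not from the post) that takes each server's scope and exclusion ranges, works out the addresses each server can actually lease, and reports any address both servers could hand out (a duplicate-IP risk) or that neither can. The scope and exclusions are constructed from the numbers in the post.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed from the post: one scope on both servers, split only by exclusions.
SCOPE = ("192.168.1.1", "192.168.1.254")
EXCLUSIONS: Dict[str, List[Tuple[str, str]]] = {
    "DHCP1": [("192.168.1.1", "192.168.1.170")],
    "DHCP2": [("192.168.1.170", "192.168.1.254")],
}


def addr_range(start: str, end: str) -> Set[int]:
    """Inclusive range of IPv4 addresses, as integers for cheap set algebra."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if hi < lo:
        raise ValueError(f"range end {end} precedes start {start}")
    return set(range(lo, hi + 1))


def assignable_pools(scope, exclusions) -> Dict[str, Set[int]]:
    """What each server can actually lease: the scope minus that server's exclusions."""
    full = addr_range(*scope)
    return {
        server: full - set().union(*(addr_range(*rng) for rng in ranges))
        for server, ranges in exclusions.items()
    }


def fmt(addrs: Set[int]) -> List[str]:
    return [str(ipaddress.IPv4Address(a)) for a in sorted(addrs)]


def audit(scope, exclusions) -> Dict[str, object]:
    """Pool sizes per server, addresses two servers could both lease, and addresses none can."""
    pools = assignable_pools(scope, exclusions)
    overlap = set.intersection(*pools.values())
    uncovered = addr_range(*scope) - set.union(*pools.values())
    return {
        "pool_sizes": {server: len(pool) for server, pool in pools.items()},
        "overlap": fmt(overlap),        # leasable by more than one server: duplicate-IP risk
        "unassignable": fmt(uncovered),  # excluded on every server, so never handed out
    }


if __name__ == "__main__":
    for key, value in audit(SCOPE, EXCLUSIONS).items():
        print(f"{key}: {value}")
```

On the post's numbers the only finding is that 192.168.1.170 sits in both exclusion ranges, so neither server will ever lease it.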

New-MailboxExportRequest not recognized

If you try to use New-MailboxExportRequest and get "'New-MailboxExportRequest' is not recognized as the name of a cmdlet", that's because your user has not been assigned the required management role.

To fix this, run the command below in PowerShell on the Exchange server.

New-ManagementRoleAssignment -Role "Mailbox Import Export" -user UserName


UserName is the user that you are using to run the command New-MailboxExportRequest.

Log out, then log back in, and you should be good to go.

Solution found at:
https://social.technet.microsoft.com/Forums/exchange/en-US/d6bbff4b-8be0-4b4f-925d-1c5db5c31cc4/newmailboxexportrequest-is-not-recognized-as-the-name-of-a-cmdlet?forum=exchangesvrgenerallegacy 

Monday, February 8, 2016

Trojan-Downloader.Win32.VB.eql (Translated)

Trojan-Downloader.Win32.VB.eql


Translated from
https://securelist.social-kaspersky.com/ru/descriptions/Trojan-Downloader.Win32.VB.eql 


Technical details

This Trojan downloads other software onto the computer without the user's knowledge. The program is a Windows application (PE EXE file). Its size is 1509125 bytes.

Installation

Once launched, the Trojan copies its body to the Windows system directory under the name "WINSP00L.EXE":
%System%\WINSP00L.EXE
To start automatically each time the system starts, the Trojan adds a link to its executable file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"WINSP00L" = "%System%\WINSP00L.EXE"

Payload

Once launched, the Trojan extracts from its body into the "E_4" folder in the current user's temporary directory the following files:
%Temp%\E_4\krnln.fnr - 1110016 bytes
%Temp%\E_4\shell.fne - 61440 bytes
%Temp%\E_4\eAPI.fne - 335872 bytes
%Temp%\E_4\internet.fne - 196608 bytes
%Temp%\E_4\spec.fne - 86016 bytes
%Temp%\E_4\RegEx.fne - 167936 bytes
%Temp%\E_4\dp1.fne - 126976 bytes
%Temp%\E_4\com.run - 278528 bytes
It then copies them to the Windows system directory under the same names:
%System%\krnln.fnr
%System%\shell.fne
%System%\eAPI.fne
%System%\internet.fne
%System%\spec.fne
%System%\RegEx.fne
%System%\dp1.fne
%System%\com.run
It also extracts the following files into the Windows system directory:
%System%\ul.dll - 2404 bytes
%System%\og.dll - 692 bytes
%System%\og.edt - 512 bytes
After completing these steps, the Trojan accesses the following address:
http://www.*****base.cn/install.htm?pn=M080410
At the time of writing, this link was not working. The file located at this link is saved in the Temporary Internet Files directory and launched for execution; its filename is random. The Trojan also accesses the following addresses:
http://www.microsoft.com
http://hi.baidu.com/siletoyou
http://www.baihe.googlepages.com/ul.htm
http://www.bloguser.googlepages.com/au.htm
After that, it extracts from its body a file whose name is composed of the current date and time, for example 20090929153554.exe, and places it in the Windows system directory:
%System%\20090929153554.exe
This file has a size of 9216 bytes.
The extracted file is executed and then deleted.
In addition, the Trojan spreads via removable media under the name "Recycled.exe". An "Autorun.inf" file is also created in the root directory of the removable media to run the Trojan file automatically.


Removal Instructions

If your PC was not protected by antivirus software and was infected with this malware, proceed as follows to remove it:
  1. Use Task Manager to terminate the Trojan process:
    WINSP00L.EXE
  2. Delete the original Trojan file (its location on the infected computer will depend on how the program originally got onto the victim machine).
  3. Delete the copy of the Trojan:
    %System%\WINSP00L.EXE
  4. Remove the files and directories created by the Trojan:
    %Temp%\E_4\krnln.fnr
    %Temp%\E_4\shell.fne
    %Temp%\E_4\eAPI.fne
    %Temp%\E_4\internet.fne
    %Temp%\E_4\spec.fne
    %Temp%\E_4\RegEx.fne
    %Temp%\E_4\dp1.fne
    %Temp%\E_4\com.run
    %Temp%\E_4
    %System%\krnln.fnr
    %System%\shell.fne
    %System%\eAPI.fne
    %System%\internet.fne
    %System%\spec.fne
    %System%\RegEx.fne
    %System%\dp1.fne
    %System%\com.run
    %System%\ul.dll
    %System%\og.dll
    %System%\og.edt
    Remove the registry key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "WINSP00L" = "%System%\WINSP00L.EXE"
  5. Check removable media for the files:
    Recycled.exe
    autorun.inf
    If found, remove them.
  6. Clear the Temporary Internet Files directory, which contains infected files (How to delete infected files from the Temporary Internet Files folder?).
  7. Update your antivirus databases and perform a full scan of your computer with Kaspersky Anti-Virus (download a trial version).

Tuesday, February 2, 2016

Robocopy to the backup rescue

So recently I had a client that had an SBS 2008 box with a RAID issue. It had what is known as a Punctured RAID, which I will call a PR in this post. You can read more on that here: http://www.dell.com/support/Article/us/en/04/438291/EN. The wonderful thing about a PR is that it doesn't rear its ugly head until it's too late. Well, this client was too late.

The main reason I found out about this PR is that this client's Backup Exec kept failing. After fighting with Backup Exec for over a week I finally found something about this PR in the error logs. This is what was making Backup Exec fail. I could get into a lengthy discussion on this and at some point I might do that.

Needless to say, because we couldn't back this server up with anything we threw at it without it failing, and we tried a lot of options, I decided to use robocopy to keep at least a file-level backup running for this server until we came up with a final solution for this issue.

So this is the script I ended up making. I ran it as a nightly scheduled task with System user privileges.

I know the script is kind of hacky and could be written better and more efficiently, but it has a lot going on in it and I wanted to share.

So basically it stops some services, robocopies files to an external drive, then starts the services back up.

With the /MIR option in robocopy the copy was very fast every night because it only grabbed what had been modified.

I used "net stop" and "net start" for some of the services.
I also used the PowerShell commands Stop-Service and Start-Service to stop/start other services.

I broke out the main directories on the C: drive so that I could log what was happening in each directory when robocopy ran.
In the robocopy sections I used the options:
/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).
/XJD :: eXclude Junction points for Directories.
/R:n :: number of Retries on failed copies: default 1 million.
/W:n :: Wait time between retries: default is 30 seconds.
/TEE :: output to console window, as well as the log file
/LOG:file :: output status to LOG file (overwrite existing log).

net stop msexchangeadtopology /y
net stop msftesql-exchange /y
net stop msexchangeis /y
net stop msexchangesa /y
net stop iisadmin /y

PowerShell.exe -Command "Stop-Service *sql* -Force"

robocopy "c:\Boot"  "F:\Backuprobocopy\Boot" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyBoot.log"
robocopy "c:\dell"  "F:\Backuprobocopy\dell" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopydell.log"
robocopy "c:\drivers"  "F:\Backuprobocopy\drivers" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopydrivers.log"
robocopy "c:\ExchangeSetupLogs"  "F:\Backuprobocopy\ExchangeSetupLogs" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyExchangeSetupLogs.log"
robocopy "c:\inetpub"  "F:\Backuprobocopy\inetpub" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyinetpub.log"
robocopy "c:\OpenManage"  "F:\Backuprobocopy\OpenManage" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyOpenManage.log"
robocopy "c:\PerfLogs"  "F:\Backuprobocopy\PerfLogs" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyPerfLogs.log"
robocopy "c:\Program Files"  "F:\Backuprobocopy\Program Files" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files.log"
robocopy "c:\Program Files (x86)"  "F:\Backuprobocopy\Program Files (x86)" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files (x86).log"
robocopy "c:\ProgramData"  "F:\Backuprobocopy\ProgramData" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgramData.log"
robocopy "c:\Scripts"  "F:\Backuprobocopy\Scripts" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyScripts.log"
robocopy "c:\Shared Data"  "F:\Backuprobocopy\Shared Data" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyShared Data.log"
robocopy "c:\Users"  "F:\Backuprobocopy\Users" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyUsers.log"
robocopy "c:\Windows"  "F:\Backuprobocopy\Windows" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWindows.log"
rem robocopy "c:\WSUS"  "F:\Backuprobocopy\WSUS" /MIR /XJD    /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWSUS.log"

net start msexchangeadtopology /y
net start msftesql-exchange /y
net start msexchangeis /y
net start msexchangesa /y
net start iisadmin /y

PowerShell.exe -Command "Start-Service -name """MSsql*""" " 

PowerShell.exe -Command "Start-Service -name """MSExchange*""" "

PowerShell.exe -Command "Start-Service -name """BackupExec*""" "
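The script writes one log per directory but nothing reads them, so a night where robocopy could not copy part of a tree would go unnoticed. Here is an added Python example (not the author's script) that parses the summary table robocopy appends to each /LOG file and decodes robocopy's exit-code bit flags; the log excerpt is constructed, and the summary layout is assumed to match what robocopy writes at the end of a run.

```python
import re
from typing import Dict, List

# robocopy exit code bit flags; a value of 8 or above means something was not copied.
RC_FLAGS = {1: "copied", 2: "extras", 4: "mismatches", 8: "failed", 16: "fatal"}

# Constructed sample of the summary table robocopy appends to a /LOG file
# (not a log from the author's server).
SAMPLE_LOG = """\
               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :       120         3       117         0         0         0
   Files :      2310        41      2266         0         3         0
   Bytes :   1.204 g   22.51 m   1.182 g         0   1.50 m         0
   Ended : Tuesday, February 2, 2016 2:03:11 AM
"""

COLS = ("total", "copied", "skipped", "mismatch", "failed", "extras")
SUMMARY_RE = re.compile(r"^\s*(Dirs|Files)\s*:" + r"\s+(\d+)" * 6 + r"\s*$", re.M)


def parse_summary(log_text: str) -> Dict[str, Dict[str, int]]:
    """Return {'dirs': {...}, 'files': {...}} from the Dirs/Files rows of the summary."""
    rows = {
        m.group(1).lower(): dict(zip(COLS, (int(n) for n in m.groups()[1:])))
        for m in SUMMARY_RE.finditer(log_text)
    }
    if {"dirs", "files"} - rows.keys():
        # No summary means robocopy never finished (killed, disk full, fatal error).
        raise ValueError("no robocopy summary table in log")
    return rows


def decode_exit_code(rc: int) -> List[str]:
    """Names of the bit flags set in a robocopy exit code, e.g. 9 -> copied + failed."""
    return [name for bit, name in RC_FLAGS.items() if rc & bit]


def job_ok(summary: Dict[str, Dict[str, int]], rc: int) -> bool:
    """Accept a backup only if nothing failed or mismatched and robocopy did not abort."""
    return (rc < 8 and summary["files"]["failed"] == 0
            and summary["dirs"]["failed"] == 0 and summary["files"]["mismatch"] == 0)


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_LOG)
    print(summary["files"], decode_exit_code(9), job_ok(summary, 9))
```

Run it over every f:\backuprobocopy*.log after the nightly task and alert when job_ok is false for any directory, since with /MIR a partial copy silently leaves the mirror inconsistent.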