My Admin Journal

Wednesday, February 24, 2016

Quasi-Failover DHCP 2008 R2

I was given a client recently that was running out of IP addresses on their DHCP server.

After some investigation I discovered that they had 2 DHCP server on the same AD and on the same network. Let say the network is 192.168.1.0, it had a subnet mask of 255.255.0.0. No really it does have that subnet mask. Anyways, the 2 DHCP servers are giving out the same scope of 192.168.1.1 - 192.168.1.254. DHCP1 was giving an exclusion of 192.168.1.1 - 192.168.1.170 and DHCP2 had an exclusion of 192.168.170 - 254. Of course there were other exclusions for servers and printers but you get the point.

After looking a little bit deeper I noticed that the DHCP1 server was not giving out any leases. This didn't make sense until I fully thought about what was happening here.

The reason DHCP2 server was the only one giving out IP addresses is because it is, for lack of a better term, faster. The reason is because once a machine has made contact with a DHCP server, even if it’s out of addresses, it will NOT try a different DHCP server. It will keep trying that same DHCP server for an address. This is why the DHCP1 is not giving out leases, its to slow to answer.

So, since DHCP2 is always the fastest, it always replies first, even if its full. The one way of testing, and verifying, this is to turn off the DHCP2 services on DHCP2, momentarily, and do a request for an address from a device. Then look at DHCP1 to see if it gave out the address to that device. Of course we tested this and it worked as I expected.

Doing an “ipconfig /release” and then an “ipconfig /renew” on a computer would give you the request needed for testing. I would not do this on a computer that already has an address that you need to use to turn the DHCP services back on, maybe do this on a temp PC.

So basically in this configuration there is a quasi-failover DHCP system in place. If DHCP2 is offline then DHCP1 would pick up and start handing out addresses. Of course this is not the best way to setup a failover DHCP environment, but, it kinda works. Here is the correct way:

https://technet.microsoft.com/en-us/library/hh831385.aspx

I hope this helps someone in their endeavour of trying to figure out why a DHCP might not be giving out leases.

New-MailboxExportRequest not recognized

If you go and try to use New-MailboxExportRequest and get "New-MailboxExportRequest' is not recognized as the name of a cmdlet. That's because your user is not part of the ManagementRole.

To fix this run the below command in PowerShell from the Exchange server.

New-ManagementRoleAssignment -Role "Mailbox Import Export" -user UserName

UserName is the that you are using to run the command new-mailboxexportrequest.

Log out then log back in and you should be fine to to go.

Solution found at:
https://social.technet.microsoft.com/Forums/exchange/en-US/d6bbff4b-8be0-4b4f-925d-1c5db5c31cc4/newmailboxexportrequest-is-not-recognized-as-the-name-of-a-cmdlet?forum=exchangesvrgenerallegacy

Monday, February 8, 2016

Trojan-Downloader.Win32.VB.eql (Translated)

Trojan-Downloader.Win32.VB.eql

Translated from
https://securelist.social-kaspersky.com/ru/descriptions/Trojan-Downloader.Win32.VB.eql

Technical details

This Trojan downloads without your knowledge on your computer other software. The program is a Windows application (PE EXE-file). Its size is 1509125 bytes.

Installation

Once launched, the Trojan copies its body to the Windows system directory under the name "WINSP00L.EXE":

% System% \ WINSP00L.EXE

To start automatically each time you start the system, the Trojan adds a link to its executable file in the system registry:

[HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
"WINSP00L" = "% System% \ WINSP00L.EXE"

Load

Once launched, the Trojan extracts from its body to the catalog "E_4" in the temporary directory of the current user the following files:

% Temp% \ E_4 \ krnln.fnr - 1110016 bytes
% Temp% \ E_4 \ shell.fne - 61440 bytes
% Temp% \ E_4 \ eAPI.fne - 335872 bytes
% Temp% \ E_4 \ internet.fne - 196608 bytes
% Temp% \ E_4 \ spec.fne - 86016 bytes
% Temp% \ E_4 \ RegEx.fne - 167936 bytes
% Temp% \ E_4 \ dp1.fne - 126,976 bytes
% Temp% \ E_4 \ com.run - 278528 bytes

Then copy them to the Windows system directory under the same name:

% System% \ krnln.fnr
% System% \ shell.fne
% System% \ eAPI.fne
% System% \ internet.fne
% System% \ spec.fne
% System% \ RegEx.fne
% System% \ dp1.fne
% System% \ com.run

In addition, it removes the Windows system directory files:

% System% \ ul.dll - 2404 bytes
% System% \ og.dll - 692 bytes
% System% \ og.edt - 512 bytes

After completing these steps, the Trojan accesses the following address:

http: //www.*****base.cn/install.htm pn = M080410?

At the time of writing, this link was not working. The file is located on this link is stored in the temporary Internet files directory and launched for execution. Filename - random. And also drawn to the following address:

http://www.microsoft.com
http://hi.baidu.com/siletoyou
http://www.baihe.googlepages.com/ul.htm
http://www.bloguser.googlepages.com/au.htm

After that, remove the file from its body with a name composed of the current date and time, for example 20090929153554.exe and places it in the Windows system directory:

% System% \ 20090929153554.exe

This file has a size of 9216 bytes.
The extracted file gets executed and then deleted.
In addition, the Trojan spreads via removable media under the name "Recycled.exe". "Autorun.inf" file is also created to automatically run the Trojan file in the root directory of removable media.

Removal Instructions

If your PC was not protected by Antivirus and got infected with this malware, then remove it, proceed as follows:

Using Task Manager to terminate the Trojan process:
```
WINSP00L.EXE
```
Delete the original Trojan file (its location on the infected computer will depend on how the program originally penetrated the victim machine).
Delete the copy of the Trojan:
```
% System% \ WINSP00L.EXE
```

Remove files and directories created by the Trojan:

% Temp% \ E_4 \ krnln.fnr
% Temp% \ E_4 \ shell.fne
% Temp% \ E_4 \ eAPI.fne
% Temp% \ E_4 \ internet.fne
% Temp% \ E_4 \ spec.fne
% Temp% \ E_4 \ RegEx.fne
% Temp% \ E_4 \ dp1.fne
% Temp% \ E_4 \ com.run
% Temp% \ E_4
% System% \ krnln.fnya
% System% \ shell.fne
% System% \ eAPI.fne
% System% \ internet.fne
% System% \ spec.fne
% System% \ RegEx.fne
% System% \ dp1.fne
% System% \ com.run
% System% \ ul.dll
% System% \ og.dll
% System% \ og.edt

Remove key registry :

[HKLM \ Software \ Microsoft \ Windows \ CurrentVersion \ Run]
"WINSP00L" = "% System% \ WINSP00L.EXE"

Check removable media for files:
```
Recycled.exe
autorun.inf
```
In case of detection - remove them.
Clear Temporary Internet Files directory, containing infected files ( How to delete infected files from Temporary Internet Files folder? ):
And perform a full scan of your computer with Kaspersky Antivirus Update your antivirus databases ( download a trial version ).

Tuesday, February 2, 2016

Robocopy to the backup rescue

So recently I had a client that had a SBS 2008 box that had a RAID issue. It had what known as a Punctured RAID , I will call it PR in this post. You can more on that here: http://www.dell.com/support/Article/us/en/04/438291/EN. The wonderful thing about a PR is they rear their ugly head till its too late. Well this client was too late.

The main reason I found out about this PR is that this clients Backup Exec kept failing. After fighting with the Backup Exec for over a week I finally found in the error logs something about this PR. This is what was making the Backup Exec fail. I could get into a lengthy discussion on this and at some point in time I might do that.

Needless to say because we couldn't use anything we threw at this server to back it up with out failing, and we tried a lot of options, I decided to use robocopy to try and keep at least a file level backup running for this server till we came up with a final solution for this issue.

So this is the script I ended up making. I ran this as a nightly scheduled task with System user privileges.

I know the script is kinda hacky and could be written better and more efficiently but it has a lot going on in it and I wanted to share.

So basically it stops some services, robocopys files to an external drive then starts the services back up.

With the mir option in the robocopy it made the copy very fast every night because it only grabbed what had been modified.

I used "net stop" and "net start" for some of the services.

I also used Powershell command Stop-Service and Start-Services to start/start other services.

I broke out the main directories in the c: drive so that i could log what was happening in each directory when the robocopy ran.

In the robocopy sections I used the options:

/MIR :: MIRror a directory tree (equivalent to /E plus /PURGE).

/XJD :: eXclude Junction points for Directories.

/R:n :: number of Retries on failed copies: default 1 million.

/W:n :: Wait time between retries: default is 30 seconds.

/TEE :: output to console window, as well as the log file

/LOG:file :: output status to LOG file (overwrite existing log).

net stop msexchangeadtopology /y

net stop msftesql-exchange /y

net stop msexchangeis /y

net stop msexchangesa /y

net stop iisadmin /y

PowerShell.exe -Command "Stop-Service *sql* -Force"

robocopy "c:\Boot" "F:\Backuprobocopy\Boot" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyBoot.log"

robocopy "c:\dell" "F:\Backuprobocopy\dell" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopydell.log"

robocopy "c:\drivers" "F:\Backuprobocopy\drivers" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopydrivers.log"

robocopy "c:\ExchangeSetupLogs" "F:\Backuprobocopy\ExchangeSetupLogs" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyExchangeSetupLogs.log"

robocopy "c:\inetpub" "F:\Backuprobocopy\inetpub" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyinetpub.log"

robocopy "c:\OpenManage" "F:\Backuprobocopy\OpenManage" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyOpenManage.log"

robocopy "c:\PerfLogs" "F:\Backuprobocopy\PerfLogs" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyPerfLogs.log"

robocopy "c:\Program Files" "F:\Backuprobocopy\Program Files" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files.log"

robocopy "c:\Program Files (x86)" "F:\Backuprobocopy\Program Files (x86)" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgram Files (x86).log"

robocopy "c:\ProgramData" "F:\Backuprobocopy\ProgramData" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyProgramData.log"

robocopy "c:\Scripts" "F:\Backuprobocopy\Scripts" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyScripts.log"

robocopy "c:\Shared Data" "F:\Backuprobocopy\Shared Data" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyShared Data.log"

robocopy "c:\Users" "F:\Backuprobocopy\Users" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyUsers.log"

robocopy "c:\Windows" "F:\Backuprobocopy\Windows" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWindows.log"

rem robocopy "c:\WSUS" "F:\Backuprobocopy\WSUS" /MIR /XJD /w:1 /r:1 /V /tee /log:"f:\backuprobocopyWSUS.log"

net start msexchangeadtopology /y

net start msftesql-exchange /y

net start msexchangeis /y

net start msexchangesa /y

net start iisadmin /y

PowerShell.exe -Command "Start-Service -name """MSsql*""" "

PowerShell.exe -Command "Start-Service -name """MSExchange*""" "

PowerShell.exe -Command "Start-Service -name """BackupExec*""" "

Thursday, January 14, 2016

Get Exchange Server Database Size and Mailbox Size

This is something you would be simple, and it is, if you know the commands. Unfortunately if you have an Exchange 2007 it is different than a 2010.

In my environment I have both so my script decides which it is and spits out the report for 2007 or 2010.

One of the reasons I am writing this is to DRILL into my head that these scripts MUST be run as administrator, not run by an administrator.. I mean Right Click the powershell and "Run As Administrator". If you do not run as administrator your database will return 0. Yes it returns 0.

So.. here is the script. Enjoy.

Get-MailboxStatistics -Server $env:computername | Select DisplayName, ItemCount, TotalItemSize | Sort-Object TotalItemSize -Descending | Export-CSV C:\temp\MBSizes.csv

$TheVersion = Get-ExchangeServer | select *

if ($TheVersion.AdminDisplayVersion.major -like "14"){$version14 = "yes"

Get-MailboxDatabase -Status | select ServerName,Name,DatabaseSize | Export-CSV C:\temp\DBSize.csv

}

else {

Get-MailboxDatabase | foreach-object {add-member -inputobject $_ -membertype noteproperty -name mailboxdbsizeinGB -value ([math]::Round(([int64](get-wmiobject cim_datafile -computername $_.server -filter ('name=''' + $_.edbfilepath.pathname.replace("\","\\") + '''')).filesize / 1GB),2)) -passthru} | Sort-Object mailboxdbsizeinGB -Descending | select identity,mailboxdbsizeinGB | Export-CSV -NoTypeInformation C:\temp\DBSize.csv

}

Friday, October 16, 2015

Download MP3s with Powershell

So I found a site with some MP3s that I wanted but didn't want to download but didn't want to right click.. Save as.. blah blah.. so after some searching and modifing some scripts i made this.

Change the 2 variables $theurl ; the website URL, and $storagedir ; the place you want to store them and watch it go. It has some thing built into it that takes care of url variables, direct url, and some url encoding issues. I tried to comment it as much as I could.

# =================================================================================

# = =

# = Variables to change. Begin =

# = =

# =================================================================================

$theurl = "http://www.sky-animes.com/music/LQ/7185"

$storagedir = "C:\source\mp3\FullMetal"

# =================================================================================

# = =

# = Variables to change. End =

# = =

# =================================================================================

$response = Invoke-WebRequest -Uri $theurl -UseBasicParsing -Verbose

$links = $response.Links

$imgurlinks = @()

$webclient = New-Object System.Net.WebClient

Write-Output "-------------------------------------------------------------------------"

$response.Links.href

Write-Output "-------------------------------------------------------------------------"

md $storagedir -ErrorAction SilentlyContinue

ForEach ($link in $links){ #loop through all the hrefs on the page with a ForEach

$href = $link.href #put the href to Variable.

if ($href -like "*.mp3" ) { #Look for only mp3's hrefs

$filename = $href.Split("/")[-1]

#Write-Output "Href: " $href

#Write-Output "FileName: " $filename

if ($filename -like "*?*"){ #does the filename have a query?

$filename2 = $filename.Split("?")[0] #make the filename2 the filename without any queries

} #End If

else{

$filename2 = $filename #since no queries were found just make the filename2 the name of the orginal filename

} # End Else

if($href -contains "http://"){ #does the href have a direct path to the file? if not lets try and add in the orignating url to it so it can find it.

$newhref = $href #No need to mess with the href.. just pass it to the newhref and move along.

} #End http:// if

else{

$newhref = $theurl + "\" + $href #put together theUrl and the Href to make a path to try.

} #End http:// else

$newFile = $filename2.Replace("%20","-") # Replace %20 url encoded spaces with an Underscore for the new mp3 file.

$newFile = $newFile.Replace("&","-and-") # Replace & url encoded spaces with an "-and-" for the new mp3 file.

$newFile = $newFile.Replace("---","-") # Replace & url encoded spaces with an "-and-" for the new mp3 file.

$newFile = "$storagedir\$newFile" #put together the path and the file of where to put the file when downloaded.

$newhref = $newhref.Replace("&","&")

Write-Output "Href Location: " $newhref

Write-Output "Download Location: " $newFile

$webclient.DownloadFile($newhref,$newFile) #download the file using the href and the file we just put together above.

} #end MP3 If.

} #end ForEach

explorer $storagedir #open the output folder

Thursday, September 10, 2015

Turn off those Firewalls–Remotely–With PowerShell

Yet again I was given a task at work. This task was to turn off the Firewalls on hundreds of servers. So instead of logging into each one manually and changing the profiles on all the Firewall Profiles; Domain, Private and Public. I decided let us let PowerShell shine again.Now, they didn’t want the Firewall Services stopped, just the Profile states to be off. So after a little research and some help from some co-workers I put this script together.

Let’s talk about something thing through before I go into the script. The easiest way to turn off these Profile states is to run.

netsh advfirewall set allprofiles state off

This of course needs to be run locally on the machine. So I figured why not just use psexec to run the script. So I made a loop for the servers, looped it on the psexec and away it ran.. It ran VERY slowly. I had hundreds of these to run through. This would not work. So I decided to try and use PowerShell Invoke-Command. This required to have a session started using Enter-PSSession. Which of course gave this error.

Enter-PSSession : Connecting to remote server Server01 failed with the following error message : WinRM cannot process the request

Well that’s not going to work because I need to have the WinRM service installed. I don’t have the much time to get approvals to install the WinRM service on all these machines. So I remembered one of my coworkers had run scripts against a remote machine the other week using PowerShell. So I asked for his secret. The secret was Invoke-WmiMethod. Here is the code simply put.

Invoke-WmiMethod -class Win32_process -name Create -ArgumentList (“CMD.EXE /C netsh advfirewall set allprofiles state off”) –ComputerName Server01

This actually runs the script against the server with no Invoke-Command or other service to be installed. So I set off to write the full script and it is FAST. Sooo much faster than I was hoping for.

$command = "netsh advfirewall set allprofiles state off"

$cmd = "CMD.EXE /C " +$command

ForEach ($server in Get-Content "c:\scripts\computers.txt")

{

$theProc = Invoke-WmiMethod -class Win32_process -name Create -ArgumentList ($cmd) -ComputerName $server

If($theProc.ReturnValue -eq "0"){write-host "$server - Completed successfully"}else{write-host "$server - Completed UNsuccessfully"}

}

Now one of the downfalls of this is, you don’t know if the script worked. Of course you can go see on the server if the script did what it was supposed to do, but that is not what I am talking about. Basically you don’t get the output of the cmd. All you get is ReturnValue of 0 if the command went through correctly. Not that your script ran successfully. Just that your little cmd soldier has been sent into the field with the operations it was told to do successfully.