NinjaTek

Tuesday, November 15, 2011

Restore Folders that have been Hidden by a Virus

A common move for a virus is to change all the folders on a drive to Hidden System Folders. This gets very confusing when you see the drive is 80% used, but only has a few files on it…

As soon as you realise something funny like this has happened, run an Anti-Virus Scan on the drive (whoever borrowed your drive doesn’t have adequate AV protection). Once you have got a clean result you need to get your folders back.

To View the hidden folders:
dir /ah

To remove the Hidden and System attributes from folders:
attrib *. -h -s /s /d

Step by Step:

  1. Open a command prompt (Start -> CMD)
  2. Type in: cd\ (This will take you to the root of the drive)
  3. Type in the affected drive letter, eg: E:
  4. To view the hidden folders, type in: dir /ah
  5. To make them all visible again, type in: attrib *. -h -s /s /d

-Ninjatek
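
The same clean-up as a PowerShell script, as an added example that is not part of the original post. It goes slightly beyond the `attrib` command by reporting the affected folders first and by skipping folders that Windows itself keeps Hidden+System. The drive letter and the list of OS folders are assumptions.

```powershell
# Added example (not from the original post): report, then optionally restore,
# folders flagged Hidden+System. Use -Restore only after the AV scan is clean.
param(
    [string]$Drive = 'E:\',   # assumed drive letter, as in the steps above
    [switch]$Restore          # without this switch the script only reports
)

# Folders Windows itself keeps Hidden+System at a drive root; leave them alone.
$osFolders = 'System Volume Information', '$RECYCLE.BIN', 'RECYCLER', 'Recovery'

$mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

# Enumerate top-level folders first so OS folders are skipped with their subtrees.
$top = @(Get-ChildItem -LiteralPath $Drive -Directory -Force |
    Where-Object { $osFolders -notcontains $_.Name })
$all = $top + @($top | Get-ChildItem -Directory -Force -Recurse -ErrorAction SilentlyContinue)

# Keep only folders that carry BOTH attributes.
$hits = @($all | Where-Object { ([int]$_.Attributes -band $mask) -eq $mask })

# Review this list before restoring anything.
$hits | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize

if ($Restore) {
    foreach ($dir in $hits) {
        # Clear only the Hidden and System bits (what -h -s does); keep the rest.
        $dir.Attributes = [IO.FileAttributes]([int]$dir.Attributes -band (-bnot $mask))
    }
    "Restored $($hits.Count) folder(s) on $Drive"
}
```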

MailMarshal – Still receiving mail from a Blacklisted Domain/Email Address

If you have Blacklisted a domain or single address but still receive mails from someone at that domain, I have two possible solutions for you.

Take a look at this hypothetical example:

  1. A user receives an email from a company with an ‘aggressive’ marketing campaign (spam)

  2. The user replies using as many expletives as possible

  3. The spammers now know they are getting through your anti-spam protection, so email the user more than ever.

  4. The user now asks IT to block the spammer.

  5. IT blocks the spammer’s email address.

  6. Spam still gets through.

  7. IT blocks the spammer’s whole domain.

  8. Spam still gets through.

Option 1:

When the user replies to the spammer (Step 2), MailMarshal adds the spammer's address to its Auto-Harvested Whitelist. Even when IT adds the email address to the Blacklist, the whitelist takes precedence.

To resolve, simply delete the entry from the Auto-Harvested Whitelist.


Option 2:

If the spamee has never responded to the spammer (i.e., start at Step 4 in the above example), then the spammer could be using an email marketing company to send their spam out for them, in which case the email address might be different from the address/domain that you have blacklisted.

By default MailMarshal has a Connection Rule to check against the Global Blacklist to block mails coming into the organization. The only problem with that is a Connection Rule can only see the address, so in the case of our example the mail will still get through.

To deal with this you will need to create a new Standard Rule to be able to check the originator address header field (Sender address). This Rule will then catch any mails that make it past the default Connection Rule.
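
A small model of both options, as an added example that is not MailMarshal's own rule engine and not part of the original post. It assumes the address a Connection Rule sees is the SMTP envelope sender (MAIL FROM); all addresses, domains and the message are constructed.

```powershell
# Added example: models the two checks described above. All data is constructed.
$blacklist = @('spammer.example')   # domain IT has blacklisted
$whitelist = @()                    # auto-harvested whitelist (Option 1)

# Assumption: this is the only address a Connection Rule gets to evaluate.
$envelopeFrom = 'bounce-8841@bulkmailer.example'
$rawHeaders = @'
Return-Path: <bounce-8841@bulkmailer.example>
From: "Great Deals" <offers@spammer.example>
Sender: campaigns@bulkmailer.example
Subject: Last chance!
'@

function Get-Domain([string]$Address) {
    # Domain part of the first address found in the string, lower-cased.
    if ($Address -match '@([A-Za-z0-9.-]+)') { $Matches[1].ToLower() }
}

function Get-HeaderDomains([string]$Headers, [string[]]$Names) {
    # Domains found in the named header fields (folded headers are not handled).
    foreach ($line in $Headers -split "`r?`n") {
        if ($line -match '^([A-Za-z-]+):\s*(.*)$' -and $Names -contains $Matches[1]) {
            Get-Domain $Matches[2]
        }
    }
}

function Test-Listed([string[]]$Domains, [string[]]$List) {
    [bool]($Domains | Where-Object { $List -contains $_ })
}

$envDomains = @(Get-Domain $envelopeFrom)
$hdrDomains = @(Get-HeaderDomains $rawHeaders 'From', 'Sender')

# Option 1: a whitelist hit overrides any blacklist hit.
$whitelisted = Test-Listed ($envDomains + $hdrDomains) $whitelist

[pscustomobject]@{
    EnvelopeDomains      = $envDomains -join ', '
    HeaderDomains        = $hdrDomains -join ', '
    ConnectionRuleBlocks = (Test-Listed $envDomains $blacklist) -and -not $whitelisted
    StandardRuleBlocks   = (Test-Listed $hdrDomains $blacklist) -and -not $whitelisted
}
```

Adding `spammer.example` to `$whitelist` reproduces Option 1: both checks stop blocking until the whitelist entry is removed.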



References:

http://www.m86security.com/KB/Print12238.aspx



Happy Blocking!

-Ninjatek

Thursday, October 20, 2011

Move WSUS Database and Content Directory to another Drive

WSUS is great, but when it starts filling up your server's already full hard drive it turns into a problem.

Here are the steps to move your WSUS Database and Content Directory from C:\WSUS to D:\WSUS on the same server (D: being the new hard drive you just installed).


Moving the Content Directory

From a Command Prompt, locate WSUSUTIL.exe (C:\Program Files\Update Services\Tools) and run the following:

wsusutil.exe movecontent D:\WSUS\ D:\WSUS\move.log

(where D:\WSUS is the destination)


Moving the WSUS Database


1. Stop Update Services and IIS Admin Service

2. Open MS SQL Server Management Studio Express

3. Connect to Database Engine - \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

4. Detach SUSDB (Tasks->Detach); Tick the Drop Connections box

5. Move the SUSDB Folder from C:\WSUS to the new location

6. Attach SUSDB (Right Click Databases -> Attach)


This can also be done via CMD Prompt without SQL Studio – Something I have not tested yet:


To detach:
SQLCMD.EXE -E -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -Q "sp_detach_db 'SUSDB'"



To attach:
SQLCMD.EXE -E -S np:\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -Q "sp_attach_db @dbname=N'SUSDB',@filename1=N'D:\WSUSDB\SUSDB.mdf', @filename2=N'D:\WSUSDB\SUSDB_log.ldf'"



And that's it. Now you have more space on C: for that cat-lady to store more photos of Mittens :-/

Tuesday, July 19, 2011

Mailbox Move Fails in Exchange 2010



During a recent migration project from Exchange 2003 to Exchange 2010, I received an error while moving a mailbox over to the new server…




Active Directory operation failed on ADSERVER. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150BB9, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.




After comparing the AD user’s ACL against another user that was already migrated, I noticed some major differences. The problem was that sometime in the past someone had fiddled where they shouldn’t have been fiddling…



Solution:



  1. In Active Directory, go to View and tick Advanced Features
  2. Go to the user’s properties, select the Security Tab
  3. Click Advanced
  4. Tick “Include inheritable permissions from this object’s parent”
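
To find every account with the same problem before a migration, the check can be scripted. This is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is installed, and the search base and the function name `Enable-AclInheritance` are hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT); the OU below is a placeholder.
Import-Module ActiveDirectory
$searchBase = 'OU=Staff,DC=example,DC=local'   # hypothetical search base

# AreAccessRulesProtected is $true when the "Include inheritable permissions"
# box is unticked for the object.
$blocked = Get-ADUser -Filter * -SearchBase $searchBase -Properties nTSecurityDescriptor, adminCount |
    Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
    Select-Object SamAccountName, adminCount, DistinguishedName
$blocked | Format-Table -AutoSize

# adminCount = 1 marks accounts protected by AdminSDHolder: inheritance is
# disabled on those by design and is switched off again automatically.
function Enable-AclInheritance {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    # $false = not protected, i.e. inherit from the parent again. The second
    # argument is ignored when protection is being removed.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

# Re-enable inheritance only on accounts that are not AdminSDHolder-protected.
$blocked | Where-Object { $_.adminCount -ne 1 } |
    ForEach-Object { Enable-AclInheritance -DistinguishedName $_.DistinguishedName }
```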

Saturday, June 25, 2011

BackupExec 2010 not completing job: “Remove Media from the Drive”

When I ran the first backup job on the newly installed HP LTO-5 Ultrium 3280 Tape drive, it gave an interesting alert.

The alert was: “Please remove the media from the drive”

Odd…

Apparently since LTO4, the drive has a sensor to check whether there is a tape in the slot or not. If you have set the job to automatically eject the media, then BackupExec will not complete the job until you manually remove the tape from the drive, even though it is ejected, OR respond to the alert.

The solution is to create an automatic response to this specific alert, telling BackupExec to clear the alert when it comes up. This will enable the job to complete successfully.


To set the Automatic Response:

Alerts -> Configure Alert Categories -> Media Remove -> Automatically clear alert after: 1min

The log as per Windows Event Viewer Application Log:

Log Name: Application
Source: Backup Exec
Date: 6/22/2011 11:22:25 PM
Event ID: 58063
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: BackupSVR
Description:
Backup Exec Alert: Media Remove
(Server: " BackupSVR ") (Job: "Full Daily Backup") Please remove the media from the drive, and Respond OK.

Wednesday, February 2, 2011

How to NOT use remote gateway with Windows VPN

Have you ever been connected to a VPN, then realise you need to download something, so you have to disconnect the VPN to get your local network’s fast download speed? Well you don’t actually have to...

I use the Windows VPN client a lot to connect to a lot of my remote clients, and as long as the portion of their network that I need to connect to doesn’t run over multiple subnets, I don’t need to use the default gateway of the remote network. This means you can be connected to the VPN and still use the internet using your local connection. It’s a lot faster than over the VPN I promise :-)

The option you need to change is nicely hidden away, so I understand why this is not a well-known feature:
  • Right Click on the VPN connection
  • Click Properties
  • Select the Networking Tab
  • Click TCP/IP v4
  • Click Properties
  • Click Advanced
  • Untick Use default gateway on remote network



Thursday, January 27, 2011

Recover POP Mail Password


If you work with clients with POP mail accounts at all, then this tool is going to save you A LOT of time and effort when they lose their password (NOTE: not IF, WHEN)


It’s called Mail PassView (created by the legends at NirSoft) and it supports pretty much any mail client there is. It also makes a great tool for when you need to back up a PC. Just export all the mail accounts and details to a text file and copy that over with the rest of the data.

Do you have any really useful freeware apps to share? Send a link to ninjatek777@gmail.com