Author Archive

Today I needed to FTP some files to a site that I have used on and off for a number of years. Because I have recently installed Windows 7, I needed to set up the site again in my FTP client, Core FTP.

Although my old machine still has the connection set up, I was not able to see the cached/saved password. Although it is possible to export the sites, the password remained encrypted and I wanted to document the actual password.

There are a lot of tools, some free and some which you have to pay for which will recover the cached FTP password for you. Some of these looked a bit questionable and as FTP is an entirely unencrypted service I thought it should be easy to sniff the password out of the FTP traffic itself.

Turns out that it really is very easy and the saved password can be retrieved instantly using netmon.

So here is how to do it.

Create a new capture filter in netmon and enter the following:

tcp.Port==21 and property.TCPPayload.contains("PASS")

Should look like this:

Netmon FTP Password Capture

Then click on the start button to begin capture. Then open your FTP client which contains the cached password and connect to the FTP server.

As soon as you have made a successful connection, switch back to netmon and stop the capture. You should then be able to see the FTP password in clear text in the capture window, something like this:

I spotted a lot of posts from people trying to recover or export their saved FTP passwords from CoreFTP and CuteFTP and many programs are designed specifically for this purpose. This is quick and simple and does not depend on any 3rd party software and should work with any FTP client.
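The same property that makes this recovery work means anyone on the network path sees the login too. The following is an added example, not part of the original post: a small audit over FTP control-channel lines that reports which sessions sent `PASS` unencrypted, recording only the password length. The record layout, addresses and credentials are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: FTP control-channel payloads as (session, direction, line).
# "C" = client to server, "S" = server to client. All values are made up.
SAMPLE = [
    ("10.0.0.5:49152", "S", "220 FTP server ready"),
    ("10.0.0.5:49152", "C", "USER webmaster"),
    ("10.0.0.5:49152", "S", "331 Password required"),
    ("10.0.0.5:49152", "C", "PASS example-not-a-real-password"),
    ("10.0.0.5:49152", "S", "230 User logged in"),
    ("10.0.0.9:50211", "S", "220 FTP server ready"),
    ("10.0.0.9:50211", "C", "AUTH TLS"),
    ("10.0.0.9:50211", "S", "234 Proceed with negotiation"),
    # After 234 the channel is TLS, so a capture shows no further commands.
    ("10.0.0.7:50300", "C", "user backup"),
    ("10.0.0.7:50300", "C", "pass another-made-up-value"),
    ("10.0.0.7:50300", "S", "530 Login incorrect"),
]
CMD = re.compile(r"^(USER|PASS)\s+(.*)$", re.IGNORECASE)  # FTP verbs are case-insensitive

@dataclass
class Finding:
    session: str
    user: str = ""
    password_len: int = 0
    login_ok: bool = False

def audit(records):
    """Return one Finding per session whose PASS crossed the wire in clear text."""
    users, findings = {}, {}
    for session, direction, line in records:
        if direction == "C":
            m = CMD.match(line.strip())
            if not m:
                continue
            verb, arg = m.group(1).upper(), m.group(2)
            if verb == "USER":
                users[session] = arg
            else:
                # Record only the length; never copy the secret into a report.
                findings[session] = Finding(session, users.get(session, ""), len(arg))
        elif session in findings and line.startswith("230"):
            findings[session].login_ok = True  # server accepted the exposed login
    return list(findings.values())

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

The session that negotiated `AUTH TLS` produces no finding, which is the point: once the control channel is encrypted (FTPS) or replaced by SFTP, the password no longer appears in a capture.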

Hope this helps someone.

Categories : How To, Technical Posts
Comments (0)

When backing up to external USB drives from Backup Exec 10d it may fail on the verification stage with the following errors:

Final error: 0xe00084c8 – The backup storage device has failed.
Final error category: Backup Device Errors

For additional information regarding this error refer to link V-79-57344-33992

And then…

Final error: 0xe00084c8 – The backup storage device has failed.
Final error category: Backup Device Errors

For additional information regarding this error refer to link V-79-57344-33992

In the application event log there may also be the following:

Event Type: Error
Event Source: Backup Exec
Event Category: None
Event ID: 33808
Date: 06/02/2010
Time: 19:02:25
User: N/A
Description:
An error occurred while processing a B2D command.
Drive: ReadMTFData() ReadFile failed (N:\VERITAS\B2D\B2D001024.bkf). Error=1450

For more information, click the following link:

http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml

Event Type: Error
Event Source: Backup Exec
Event Category: None
Event ID: 57665
Date: 06/02/2010
Time: 19:02:25
User: N/A
Description:
Storage device “Friday N:” reported an error on a request to read data from media.

Error reported:
Insufficient system resources exist to complete the requested service.
.

For more information, click the following link:

http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml

Data:
0000: aa 05 00 00 c8 84 00 e0 ª…Ȅ.à
0008: 00 80 00 00 00 00 00 00 .€……
0010: 92 03 00 00 ’…

Event Type: Error
Event Source: Backup Exec
Event Category: None
Event ID: 34113
Date: 06/02/2010
Time: 19:02:25
User: N/A
Description:
Backup Exec Alert: Job Failed
(Job: “Friday – Backup to N:”) Friday – Backup to N: — The job failed with the following error: The backup storage device has failed.

For more information, click the following link:

http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml

A lot of people have this problem but there seemed to be no definitive answer. For me the following steps solved the problem:

1) From within device manager set the USB drive to “Optimize for performance”:

Device Manager Optimising External USB Drive for Performance

2) From within Backup Exec Devices – Set the maximum size for Backup-To-Disk files to 2GB

3) From within Backup Exec Devices – Disabled auto-detect device settings and enabled “Buffered Reads” and “Buffered Writes”

Backup Exec USB Device Configuration

There is no clear resolution for this problem. Different settings seem to solve the problem for different systems. This is running on a Dell PowerEdge 2850 / Windows 2003 Standard and 4Gb. Backup size is approx 250Gb.

Categories : Technical Posts
Comments (0)

To enable ping on the WAN/Internet interface on the Thomson SpeedTouch 605s (and probably lots of other SpeedTouch models):

Telnet to the router:

Default username is Administrator (note the capital A)
Default password is empty

Then run:

service system ifadd name=PING_RESPONDER group=wan

You should now be able to ping the wan address.

Categories : Technical Posts
Comments (1)

Just been trying to install Exchange 2007 SP1 on a freshly installed Windows 2008 R2 and come up against the following error during the installation of the Mailbox Role:

Mailbox Role
Failed

Error:
An error occurred. The error code was 3221684229. The message was Access is denied..

Simple fix for this is to run setup.exe in compatibility mode. I chose Vista SP2 and then the installation went through normally.

But before you go rushing to finish your installation it is worth noting that Exchange 2007 SP2 will not be supported on Windows 2008 R2, and therefore you may want to reconsider doing the installation at all! Read here:

http://msexchangeteam.com/archive/2009/09/21/452567.aspx

I flattened the installation and went back to Windows 2008 Standard.

Update: Microsoft have changed the policy to support Exchange 2007 on Windows 2008 R2:

http://msexchangeteam.com/archive/2009/11/04/453026.aspx

Categories : Technical Posts
Comments (0)

Yesterday I advised a customer who is a remote VPN/Terminal Services user to upgrade to Vista SP1 in order to make "Terminal Services Easy Print" available.

After the installation of SP1 the user was not able to access the corporate VPN.

When trying to connect Vista hangs at "Verifying username and password" and eventually shows an 828 error.  On the server side event 20209 was logged.

There is a discussion on the ZA forums as to where the blame lies for the problem but there does not seem to be a clear answer.

For the sake of simplicity, I have found that:

On Vista SP1 machines with version 7.1.248 of ZoneAlarm free installed, PPTP VPN connections to Windows 2003-based RRAS servers do not work. Also note that disabling ZoneAlarm does not help. Uninstalling the product solved the issue immediately.

Always a pain when you try to solve one problem and create another in the process.  On a positive note Terminal Services easy print in Windows 2008 worked really well once we got the user reconnected.

Categories : Technical Posts
Comments (2)

I have had several incidents this week of customer systems being infected by executables attached to e-mails appearing to be from UPS.

Looking around the blogs, these e-mails seem to be having a higher than normal infection rate. It is time consuming to get rid of and makes the infected machines unusable and creates a huge number of network connections.

The exact subject line of the emails that have been received is:

UPS Tracking Number 5440074870

Attached to the e-mail is a zip file containing an executable which when executed installs "XP Security Center".


Much more information about the detail of the actual email can be found on the Trend Malware Blog.  The worrying thing about this e-mail is that both of the machines that it infected have their e-mail filtered by very well known external 3rd party mail systems, then have virus scanning on their own Exchange servers and finally on their desktop machines.  At the moment this e-mail is still slipping through the net.

This virus does a LOT of clever things to prevent you getting rid of it.  I noticed that when trying to run Autoruns from Sysinternals that it just would not work.  Renaming the autoruns executable allows it to run.  It also stops you being able to install/download Windows Defender, disables system restore, removes the system tools program group amongst other things.

Not a very sophisticated solution but for now I have edited the Exchange IMF custom weighting file on customer systems to ensure that messages with "UPS Tracking" in the subject line are never delivered to the recipients and definitely classed as spam. 

I had written a separate post on how to remove the virus manually, but at the moment I am still monitoring the infected machines to ensure they are completely clean.

Categories : Technical Posts
Comments (1)