Using packet capture to find virus infected clients
Today a customer started to get a lot of their e-mails bounced. In fact they could not even e-mail me to let me know about the problem as my own mail servers were rejecting their messages.
The reason for this was because their IP address had been listed on the CBL.
I had a poke around the server and everything seemed to be in good order; patched up to date, virus scanner had nothing interesting to report, netstat did not show any abnormal connections and Exchange queues seemed normal. So I assumed that the problem must be coming from one of the network PCs.
This customer has a dual-NIC SBS 2003 Standard Edition server, not my preferred set-up, but the system had to be implemented in this way to fit in with existing infrastructure. It is not possible to see what traffic is passing through the NAT gateway on RRAS with the built-in tools, but Microsoft Netmon 3.1 should be able to show up any strange network traffic. I installed it and ran the following filter:
Tcp.dstport == 25 and ipv4.Address != 192.168.200.1
192.168.200.1 is the IP address of the internet facing NIC on the SBS machine.
Within a couple of minutes this filter showed all the machines on the network sending SMTP based traffic except for the SBS server itself. Fortunately there was only one. I took remote control of the machine and from the command line ran:
netstat -ano | find ":25"
The output of this command showed me the local processes which were attempting to communicate with other hosts on port 25 and gave me confirmation that this PC was definitely infected with some kind of mass mailing virus or worm. Killing the process listed by the netstat command stopped the mass mailer and gave some breathing space to find the cause of the problem.
Turns out the machine in question had its virus checker disabled. So I turned it back on and ran a full scan which turned up almost 6,000 files infected with W32/MyDoom.
Once the problem had been found it was easy to sort, but because I have so few customers with this set-up it had not occurred to me how little visibility you get over network traffic with the SBS 2003 standard edition tools.
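The two checks above (the Netmon filter that excludes the mail gateway, and netstat filtered on port 25) expressed as code, as an added example that is not part of the original post. The flow records, netstat output and PIDs are constructed; the gateway address 192.168.200.1 is the one from the post.

```python
import re
from collections import defaultdict

# Constructed flows as Netmon would show them: (source IP, destination IP,
# destination port). Only the SBS server's internet NIC should talk SMTP.
SAMPLE_FLOWS = [
    ("192.168.200.1", "203.0.113.10", 25),
    ("192.168.200.1", "203.0.113.11", 25),
    ("192.168.200.57", "198.51.100.5", 25),
    ("192.168.200.57", "198.51.100.6", 25),
    ("192.168.200.12", "192.168.200.1", 445),
]

# Constructed netstat -ano output from the suspect PC (Windows layout:
# Proto, Local Address, Foreign Address, State, PID).
SAMPLE_NETSTAT = """\
  TCP    192.168.200.57:1042    198.51.100.5:25        SYN_SENT        1788
  TCP    192.168.200.57:1043    198.51.100.6:25        ESTABLISHED     1788
  TCP    192.168.200.57:1050    192.168.200.1:445      ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def smtp_senders(flows, mail_gateway):
    """Same logic as 'Tcp.dstport == 25 and ipv4.Address != <gateway>':
    count SMTP connections per source host, ignoring any frame that
    involves the authorised mail gateway at either end."""
    counts = defaultdict(int)
    for src, dst, dport in flows:
        if dport == 25 and mail_gateway not in (src, dst):
            counts[src] += 1
    return dict(counts)


def pids_talking_to_port(netstat_output, port=25):
    """Like 'netstat -ano | find ":25"', but matches the foreign port only,
    so a local listener on that port is not mistaken for an outbound mailer.
    Returns {pid: [foreign address, ...]} to hand to tasklist / Task Manager."""
    hits = defaultdict(list)
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(4)) == port:
            hits[int(m.group(6))].append(m.group(3))
    return dict(hits)


if __name__ == "__main__":
    print(smtp_senders(SAMPLE_FLOWS, "192.168.200.1"))
    print(pids_talking_to_port(SAMPLE_NETSTAT))
```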
The joys of travelling sales laptops
Sending backup tape reminder e-mails
This is just a very quick script written in response to a question posted in one of the SBS yahoo groups.
It sends an e-mail to a specified recipient reminding them to change the backup tape in a server. The SBS backup system does this automatically, so this is meant for use on SBS servers using something other than the in-built SBS backup.
Installation is simply a case of extracting the contents of this zip file to a folder on your SBS server and then changing the variables at the top of the script to appropriate values for your environment.
Once done you can test interactively from a command line by running “cscript tapereminder.vbs” and, once you are happy with the results, set up a scheduled task to do the job daily.
Windows update automatic e-mail notification
As the number of servers that I am responsible for managing increases, it becomes more difficult to ensure that they are all patched up to date.
As most of the machines I manage are SBS boxes I thought that it would be nice to put something together which behaves in much the same way as the SBS generated e-mail alerts.
So, the result is a script which sends e-mail notifications to a specified address and gives details of which patches are available to be installed. The administrator can choose which of the four patch levels will trigger an e-mail alert (Critical, Important, Moderate & Low).
If there are no outstanding patches at the appropriate alert levels to be installed then the script will quit without sending an e-mail.
The script is then run as a scheduled task every evening and I can quickly see if I have anything to action. The report includes links to the relevant KB articles and further information made available by Microsoft.
The script only takes a couple of minutes to setup as there are only six settings at the top of the file…
Setting any of the following to 1 will trigger alerts for that particular update severity:
- AlertCritical
- AlertImportant
- AlertModerate
- AlertLow
The remaining two settings control the addressing of the report:
- EmailFrom – Specifies the e-mail address the report will be sent from.
- EmailTo – Specifies the e-mail address to send the reports to.
As shown above I have been running with AlertCritical/AlertImportant set to 1 and the other two set to 0.
So, if you want to receive email alerts all you need to do is download this Zip file, extract the contents to a folder on your server and then edit the variables at the top of the script. To perform a test run go into a command prompt and change directory to the location where you extracted the script and run:
cscript winupdates.vbs
With any luck you should get an e-mail soon after with the results. If you find that it is not generating an e-mail as expected, one reason may be that there are no patches available to install. Bear in mind that not all items from Windows Update will appear. For example, “Internet Explorer 7” is not a patch and therefore will not be listed.
Running the script interactively as above will take a few moments while Windows Update (or WSUS, if you have it installed) is checked for new updates.
Once you have completed a successful test you can go ahead and set up a scheduled task. Assuming an installation directory of “c:\scripts”, the scheduled task command should look something like this:
C:\WINDOWS\system32\cscript.exe c:\scripts\winupdates.vbs
Also worth a mention: I have used this on standard (non-SBS) Windows servers and it works well.
Perhaps if enough people use this script, it will actually save as much time as it took to make it, but I doubt it.
The ISMTPOnArrival_OnArrival event sink in Exchange 2003 can be used to trigger code to perform various tasks. I have recently used this method to strip attachments from messages and then FTP them to a remote machine, based on the message subject and recipient.
In this more basic example the entire message is saved to the filesystem in .eml format, to a folder specified within a variable. The script could be made much more elaborate with the addition of a couple of arrays to specify multiple subjects/locations. The idea is that you could set up a system where e-mails are automatically filed without depending on user intervention and without requiring 3rd party software.
This can be implemented by following the example from this Microsoft Knowledge Base article. The file referred to in the article called SMTPREG.VBS can be found here on MSDN. Instead of the SMTPMsgCheck.vbs file referenced in the article, create a file called SMTPSubjectCheck.vbs and insert the following code (you will also need to modify the registration batch file accordingly):
<SCRIPT LANGUAGE="VBScript">
Sub IEventIsCacheable_IsCacheable()
    ' Implements the interface and returns S_OK implicitly
End Sub

Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    Dim Pos, SubjectToFind, SaveFolder, SaveFile, MsgStream
    SubjectToFind = "Project1"
    SaveFolder = "c:\"
    ' Compare mode 1 (text) makes the subject match case insensitive
    Pos = InStr(1, Msg.Subject, SubjectToFind, 1)
    If Pos <> 0 Then
        Set MsgStream = Msg.GetStream
        ' The file name is built from the sent date and the subject. The
        ' subject is attacker-controlled, so every character that is not a
        ' letter, digit, dash or underscore is replaced; that removes "/",
        ' "\", ":" and spaces, so the name can never escape SaveFolder.
        ' (Sanitising the name before prepending the folder also avoids the
        ' VBScript Replace() quirk where a start position of 3 drops the
        ' leading "c:" from the returned string.)
        SaveFile = SaveFolder & SafeName(Msg.SentOn & "-" & Msg.Subject) & ".eml"
        ' 2 = adSaveCreateOverWrite
        MsgStream.SaveToFile SaveFile, 2
        MsgStream.Close
        Set MsgStream = Nothing
    End If
End Sub

Function SafeName(Text)
    Dim i, c
    SafeName = ""
    For i = 1 To Len(Text)
        c = Mid(Text, i, 1)
        If InStr(1, "abcdefghijklmnopqrstuvwxyz0123456789-_", c, 1) > 0 Then
            SafeName = SafeName & c
        Else
            SafeName = SafeName & "_"
        End If
    Next
End Function
</SCRIPT>
In this example the script is looking for a subject line that contains the text “project1” (not case sensitive) and saving the message to the root of c:
I have attached a zip file to the blog post with all the required files in one zip file; just be cautious of using it if you already have event sinks registered (drop the files into c:\eventsink).
subjectcheck.zip
Tunneling RDP over SSH with the version 6 RDP Client
I regularly use SSH to connect to customer systems and tunnel various different sorts of traffic through it (Telnet, ODBC, RDP etc). In certain cases, I have no other method of remote access to systems other than SSH.
This has not been a problem until I recently upgraded to Windows Vista, which includes Remote Desktop Connection v6. It will not allow connections to 127.0.0.1 on any port; it complains with the error message:
“The client could not connect. You are already connected to the console of this computer. A new console session cannot be established”
This would of course be true if I were trying to connect to port 3389.
So today after spending significant effort in the last couple of months I have found a simple solution to the problem:

I realize there probably are not that many people out there using SSH to tunnel RDP, but if you are then RDP 6 has been a real pain until now.
Exchange 2003 SP2 IMF Keyword Manager
Exchange 2003 SP2 comes with an updated Intelligent Message Filter. One of the new features of the updated IMF is the ability to add a custom weighting file that gives administrators more control over incoming mail.
I have used this file a few times on customers systems, usually to allow certain automated e-mails through the IMF which were being incorrectly identified as spam.
The problem is that Microsoft have not included a GUI to edit the MSExchange.UceContentFilter.xml file. So it must be generated by hand, and while this isn’t difficult, it is not very convenient and it is easy to make a mistake.
I was looking for an excuse to have a play with Visual Basic 2005 and so I have made a little utility to make creating and managing the MSExchange.UceContentFilter.xml a little easier.
The utility can be downloaded from here (requires .NET 2.0).
If you need more information on how to implement the custom weighting feature then see:
Microsoft Exchange Server 2003 Service Pack 2 Release Notes
Microsoft Exchange Server Intelligent Message Filter v2 Operations Guide