2012
01.20

http://www.utgsolutions.com/2012/01/17/malware-%E2%80%93-and-how-to-prevent-it/

2011
12.29

To install using PowerShell, run PowerShell on your Exchange Server 2010 as administrator and run the following cmdlets:

Import-Module ServerManager followed by Add-WindowsFeature Web-WMI.

2011
12.29

You may find when installing Exchange 2007 or Exchange 2010 that the server repeatedly reports:

A restart from a previous installation is pending. Please restart the system and rerun setup.

Exchange Setup reads the following registry key to determine whether a system restart is required after installation or removal of a software update such as a security update, critical update, or hotfix.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\UpdateExeVolatile

Exchange Setup also checks the following registry key to determine whether a previous software update installation was not completed and the system must be restarted to finish the installation.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

If setup still complains that a restart is needed after you’ve performed a restart, do the following:

  • Open RegEdit.
  • Set the HKLM\SOFTWARE\Microsoft\Updates\UpdateExeVolatile key value to 0 or delete it.
  • Delete the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations key.
  • Rerun Setup.
2011
08.11

DiscoverCard Fail!

I just don’t understand credit card companies that force insecure passwords!  5-10 Characters and letters and numbers only?!?!?!?!?!  There is a lot of fraud that happens with credit cards and you would think DiscoverCard would be on their A game and allow customers to make passwords over 14 chars with special characters.  FAIL!

 

I opened a chat to ask the question and this is what I got.

2011
08.11

Water Bill Hack

I read this article on Life Hacker.  Yes, I love to hack things other than computers. It is supposed to save you around $100 bucks on your water bill annually.  I am going to test this theory and see if it holds true. HA!

Materials:

  • 1 Gatorade Bottle or Water Bottle
  • Water or Sand

I tried it with the Gatorade bottle and water and it works.  Just fill the Gatorade bottle with water or sand and place it in the water reservoir.

 

2011
08.04

How To Migrate BE 2010 R2 To A New Backup Exec 2010 R2 Server

Build Secondary BE server with the SAME version you are currently running on BE Server1, make sure both backup Servers are on the same version.  If not make sure you run through ALL Service Packs and hotfixes.

Make Sure SQL Versions are the same.  I recommend installing SQL Express or SQL Server (download from Microsoft) and do not let Backup Exec Install SQL Express.

Backup Exec Version and Revision Number – Write down the Backup Exec version and revision number listed on the Backup Exec Help | About Symantec Backup Exec for Windows Servers menu.

Make note of BE Licenses – Installed Backup Exec Options, License Keys, and Installation Path – Write down a list of the installed Backup Exec options, license keys and the installation path from the existing Backup Exec installation. Open Backup Exec. Select Tools | Install Options and License Keys on this Media Server from the Backup Exec menu. After the license keys are obtained, proceed through the install screens to obtain the install path. Once this information is obtained, the install can be canceled.

Identify backup-to-disk folder locations – Write down the path of all backup-to-disk folders. To obtain this information, follow these steps.

Open Backup Exec

Select Devices

Highlight Backup-to-Disk Folders, right click and select properties.

Stop all Backup Exec and DLO (if installed) services – Using the Windows Services applet; stop the following Backup Exec services: (Figure 3 and Figure 4)

Backup Exec Agent Browser
Backup Exec Device and Media Service
Backup Exec DLO Administration Service (only if DLO is installed)
Backup Exec DLO Maintenance Service (only if DLO is installed)
Backup Exec Job Engine
Backup Exec Remote Agent for Windows Servers
Backup Exec Server

Stop the Backup Exec SQL Server service (a separate DLO Instance will also exist with 10d)

SQL Server (BKUPEXEC) – This is a SQL Express instance. Stop this instance if it is the instance that the Backup Exec (BEDB) and DLO (BE_DLO) databases are using.

SQL Server (MSSQLSERVER) – This is SQL Server instance (local or remote). This is a default SQL instance. This can be a SQL 2000, SQL 2005, or SQL 2008 instance.  Stop this instance if it is the instance that the Backup Exec (BEDB) and DLO (BE_DLO) databases are using.

SQL Server (SQL2005ONE) – This is a SQL Server named instance (local or remote). This can be a SQL 2000, SQL 2005, or SQL 2008 instance.  Stop this instance if it is the instance that the Backup Exec (BEDB) and DLO (BE_DLO) databases are using.

Copy files – Using Windows Explorer, copy the following Backup Exec directories (files) to a temporary location keeping the directories separate:

C:\Program Files\Symantec\Backup Exec\Data

IMPORTANT NOTE – Do NOT copy the msgq*.*.dat files over to the temporary location (see Figure 5)

BE\CASO message queue files

C:\Program Files\Symantec\Backup Exec\Catalogs

NOTE: If this is a CAS server, make sure to copy over the Catalog folders for the Managed Media Servers as well. These should all be listed under the Catalogs folder.

  1. C:\Program Files\Symantec\Backup Exec\IDR (if present)
  2. C:\Program Files\Symantec\Backup Exec\Reports\Saved
  3. Backup-to-Disk folders as mentioned.

 

Moving The Data To The New Backup Exec Server

1. Stop all Backup Exec services on the new server.

2. Stop the SQL services.

3. Copy Files – Copy the Backup Exec files from the temporary directories, overwriting the data, catalogs, and Intelligent Disaster Recovery (IDR) folders on the new system.

4. On the new or target system, create a folder where the new Backup to Disk folders will reside.  Copy the saved off .bkf file(s) from the temporary location into this folder.

NOTE: Perform Step 5 only if you are moving the installation to a system with a DIFFERENT computer name. If the installation is being moved to a system with the SAME computer name, skip this step and go to the next step, step 6. Step 5 is required because the new database will have the name of the old database and will have to be changed before the Backup Exec services can start.

5. Rename the DataPartition name for the Backup Exec Database that was copied.

Refer to the steps mentioned below:

a. Start the SQL Server (BKUPEXEC) service or SQL Service where Backup Exec is installed.


b. Open a command prompt and type Sqlcmd -E -S servername\BKUPEXEC
c. If successfully connected to the server, the following prompt appears: 1>  This indicates a connection to the Backup Exec instance using Sqlcmd.

d. At the 1> prompt, type each of the following lines and press ENTER after each one:

USE bedb
GO
SELECT PartitionName FROM DataPartition
GO

This query returns the partition name the database currently has, which is the original (old) server name.

e. Change this name from the original server name to the new Backup Exec server name by typing the command below. This updates the database with the partition name of the new server.

UPDATE DataPartition SET PartitionName='<this server name>' WHERE PartitionID = 0
GO

f. Run the SELECT statement again and verify that the name was changed to the new server name:

SELECT PartitionName FROM DataPartition
GO

 

 

 

6. Start all Backup Exec services – Start all the Backup Exec services which were stopped in Step 1.

Open Backup Exec to make sure everything is there.

 

 

2011
07.17

NOTE: Before you begin, shut down the VMs on the host you are updating and put the host in maintenance mode.

1. Download the update package for ESXi 4.1.  You can grab the update here:

Download

2. Download VMware vCLI here and install it on your Windows box.

3. Copy the downloaded ZIP package, update-from-esxi4.1-4.1_update01.zip, to the bin directory of VMware vCLI.

4. Open the vCLI command prompt and CD to the c:\Program Files\VMware\VMware vSphere CLI\bin directory

Now you will need to use the vihostupdate command in the following format: vihostupdate --server <host name or IP address> -i -b <location of the ESXi upgrade ZIP bundle> -B ESXi4.1-to-ESXi4.1UPDATE01

The command should look like the example below:

perl vihostupdate.pl --server 10.111.29.40 --username root --password password -i -b update-from-esxi4.1-4.1_update01.zip

The update takes about 15 to 20 minutes and will need a reboot.  Re-Open your vSphere client and it should prompt to update your client.

 

2011
07.10

I had an instance where a customer called in asking for help.  They had a mail data store filling up with transaction logs very quickly.  Well, they needed to do a backup to flush the logs quickly.  Well, it turns out they had backup issues and this could not be done.  It was only a matter of minutes before the transaction logs would fill up the disk space and unmount the store.  In this instance we needed to turn on circular logging on the data store.

What is circular logging?

In a nutshell circular logging is where the Exchange server recycles its transaction logs.  Exchange relies on write-ahead logs to store events before they are committed to the database.  Once 4 of these transaction logs have been filled up, Circular Logging assumes that by now the first log must have been processed and reuses that log for fresh transactions.

Where Do You Find the Enable Circular Logging Setting?

  1. Launch the Exchange Management Console (EMC).
  2. Navigate to Organization Configuration –> Mailbox
  3. From Database Management, select the appropriate database (DB1).
  4. Open the Maintenance tab; Enable circular logging is the last checkbox.

WARNING! – This is only a temporary measure until you get your backup solution working again.  If the worst happens while circular logging is enabled, you will have to restore the whole last full backup.

Now onto Troubleshooting:  High Transaction logs.

1. Install EXMON

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=11461

Install the MSI on your Exchange Server

C:\Program Files (x86)\Exchange User Monitor

Look into this directory and import the

C:\Program Files (x86)\Exchange User Monitor\ExMon.reg

Now run the C:\Program Files (x86)\Exchange User Monitor\ExMon.exe as an Administrator.

This utility will let you know which mailbox is doing all the chatter. It is possible that malware on a workstation is relaying messages through your Exchange server, or that you are receiving a high volume of spam.

2. Relay

Make sure your server isn’t open to relay messages from anything. If relay is wide open, spammers or malware could use your server to do their dirty work.

2011
06.13

First off, be very CAREFUL what you click and browse!

  • Do not click RANDOM links or LIKE buttons on Facebook. Do not click suspicious POSTS! If you click, it’s GAME OVER!
  • Remove yourself from the Administrators group. If you don’t have permission to install applications like an administrator, neither does the virus.
  • Keep your machine PATCHED! If you see a message that Microsoft wants to update, UPDATE!
  • Patch your 3rd PARTY apps (Adobe, Flash, Java); these applications have vulnerabilities too! Install Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/). It’s free and patches 3rd party apps automatically for you.
  • Install antivirus (yes it’s pointless but you have to have it). Free AVG is one of the best free antivirus products out there.
  • Install Firefox and ONLY use Firefox when browsing the internet. Install the NoScript and FlashBlock plugins for Firefox. This BLOCKS 95% of drive-by downloads (it’s not perfect, but it helps tremendously). Avoid using IE, CHROME.

If you follow these simple instructions you will be very SAFE on the internet.  Trust me. :)

 

Some Reference Links

FireFox: http://www.mozilla.com/en-US/firefox/new/

FlashBlock: https://addons.mozilla.org/en-US/firefox/addon/flashblock/

NoScript: http://noscript.net/

FreeAVG: http://free.avg.com/us-en/homepage

PSI – Personal Software Inspector:  http://secunia.com/vulnerability_scanning/personal/

2011
06.09

Last week, we saw reports about TDL4—the most recent iteration of TDSS—exhibit self-propagation routines. The worm component, which Trend Micro detects as WORM_OTORUN.ASH, was first discovered in early March and we have been seeing a continuous increase in this malicious operation based on our internal statistics. North America and Japan, in particular, appear to have the most number of infected systems.

This data also suggests that the TDSS gang has been busy capitalizing on this worm to expand their botnet. Just recently, however, they added a new trick to the worm. This time, it now includes code, which turns the infected system into a Dynamic Host Configuration Protocol (DHCP) server with a domain name system (DNS) setting that points to a malicious IP address.

According to Trend Micro Threats Analyst Brian Cortes, once the rogue DHCP has been connected to a LAN, it confuses other computers in the network to use the rogue DHCP over the network’s real domain controller. As a result, these computers use the malicious DNS server instead of the legitimate one. The malicious IP address, when accessed, shows a fake browser update site that leads to either a copy of itself or to a TDL4 binary download.

Trend Blog

This is easy to protect against by using DHCP snooping on Cisco switches or on those of any other major switch vendor.

Enable DHCP Snooping

ciscoswitch(config)# ip dhcp snooping

Enable DHCP Snooping on VLANs

DHCP snooping can be enabled on one or more VLANs or a range of VLANs

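ciscoswitch(config)# ip dhcp snooping vlan 100

The above enables DHCP snooping on VLAN 100.

To enable it on more VLANs:

ciscoswitch(config)# ip dhcp snooping vlan 10-15,100,110

where DHCP snooping is enabled on VLANs 10-15, 100 and 110. The separator accepted in a VLAN list differs between platforms and IOS releases, so confirm it with ip dhcp snooping vlan ? on your switch.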

Enable DHCP Option 82

This enables insertion of DHCP option 82 information into DHCP packets. Option 82 is the Relay Agent Information Option as described in RFC 3046.

ciscoswitch(config)# ip dhcp snooping information option

Configure Trust Interface

Any interface not explicitly configured as a trusted interface is treated as untrusted. Trust only the ports that lead toward the legitimate DHCP server, such as uplinks.

ciscoswitch(config)# interface fa0/0

ciscoswitch(config-if)# ip dhcp snooping trust

DHCP Snooping Rate limiting (optional)

Rate limiting allows restricting the number of DHCP packets per second (pps) that an interface can receive

ciscoswitch(config-if)# ip dhcp snooping limit rate 202

Where "202" indicates that the interface can receive 202 messages per second.

This should configure DHCP Snooping on Cisco IOS switches.

Display DHCP Snooping

ciscoswitch# show ip dhcp snooping
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20

Display DHCP Snooping Binding Table

ciscoswitch# show ip dhcp snooping binding
MacAddress      IP Address      Lease (seconds)      Type        VLAN      Interface
-----------     -----------     ----------------     -----       -----     ------------
0000.0100.0201  10.0.0.1        1600                 dynamic     100       FastEthernet2/1
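
The show ip dhcp snooping output above can be checked against the intended policy instead of being read by eye. The following is an added example, not code from the original post or from Cisco: it parses that output and reports VLANs where snooping is missing, trusted ports that are not known DHCP server ports, and untrusted ports with no rate limit. The sample text is constructed from the layout shown above, and the expected_vlans and expected_trusted inputs are hypothetical policy values; other IOS releases may print a different layout.

```python
import re
# Constructed sample in the layout shown above (dashes normalised to hyphens).
SAMPLE = """\
DHCP Snooping is configured on the following VLANs:
10-15 100 110
Insertion of option 82 information is enabled.
Interface           Trusted        Rate limit (pps)
---------           -------        ----------------
FastEthernet2/1     yes            10
FastEthernet2/2     yes            none
FastEthernet3/1     no             20
"""

# One table row: interface name, yes/no, numeric rate or a "no limit" word.
ROW = re.compile(r"^(\S+)\s+(yes|no)\s+(\d+|none|unlimited)$")

def expand_vlans(spec):
    """Expand a list such as '10-15 100 110' into a set of VLAN IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_snooping(text):
    """Return (vlans, {interface: {'trusted': bool, 'rate': int or None}})."""
    lines = [l.strip() for l in text.splitlines()]
    vlans, ifaces = set(), {}
    for i, line in enumerate(lines):
        header = line.lower().startswith("dhcp snooping is configured on")
        if header and i + 1 < len(lines):
            vlans = expand_vlans(lines[i + 1])  # VLAN list is on the next line
        m = ROW.match(line)
        if m:
            rate = int(m.group(3)) if m.group(3).isdigit() else None
            ifaces[m.group(1)] = {"trusted": m.group(2) == "yes", "rate": rate}
    return vlans, ifaces

def audit(text, expected_vlans, expected_trusted):
    """Compare switch state with the intended policy; return findings."""
    vlans, ifaces = parse_snooping(text)
    findings = [f"VLAN {v}: snooping not enabled"
                for v in sorted(set(expected_vlans) - vlans)]
    for name, info in sorted(ifaces.items()):
        if info["trusted"] and name not in expected_trusted:
            findings.append(f"{name}: trusted, but not a known DHCP server port")
        if not info["trusted"] and info["rate"] is None:
            findings.append(f"{name}: untrusted with no rate limit")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, {10, 100, 200}, {"FastEthernet2/1"})))
```

A trusted port that is not on the known-server list is the finding that matters most here, because a rogue DHCP server plugged into a trusted port is not filtered by snooping.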
