How to scan for infected web pages

April 25th, 2016

Here are some common patterns to look for when scanning web pages for compromised files.  All except the last one append the path of each matching file to a file named maybeinfected in the directory where the command is run.  You can then go through each listed file and find and remove the injected code.  It is typically a packed block of garbled text, because the injected code is usually obfuscated or encoded to avoid detection.

find . -name '*.php' | while read -r FILE; do if grep '$GLOBALS' "$FILE"; then echo "$FILE" >> maybeinfected; fi ; done

find . -name '*.php' | while read -r FILE; do if grep 'eval(base64_decode' "$FILE"; then echo "$FILE" >> maybeinfected; fi ; done

find . -name '*.php' | while read -r FILE; do if grep 'PCT4BA6ODSE_' "$FILE"; then echo "$FILE" >> maybeinfected; fi ; done

Automatically delete any that match a pattern:

find . -name '*.php' | while read -r FILE; do if grep 'PCT4BA6ODSE_' "$FILE"; then rm -f "$FILE"; fi ; done
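The one-liners above can be folded into a single pass that checks all three indicator strings at once and copes with paths containing spaces. The script below is an added example, not code from the original post: it writes a report of matching PHP files for manual review and deletes nothing. The indicator strings are the three from the post; the function names and the report file name are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a directory tree for
# PHP files containing any of the indicator strings listed above and record
# them in one report file, one path per line. Nothing is deleted; the report
# is meant for manual review.

# Indicator strings, one per line. They are matched as fixed strings (grep -F),
# so '$' and '(' are taken literally.
SUSPECT_PATTERNS='$GLOBALS
eval(base64_decode
PCT4BA6ODSE_'

# write_patterns
#   Writes the indicator list to a temporary file and prints its path, so
#   grep can read the list with -f.
write_patterns() {
    patterns=$(mktemp) || return 1
    printf '%s\n' "$SUSPECT_PATTERNS" > "$patterns"
    printf '%s\n' "$patterns"
}

# scan_php_tree DIR REPORT
#   Writes the path of every *.php file under DIR that contains at least one
#   indicator to REPORT (overwriting it) and prints the number of files found.
#   Paths with spaces are safe because find hands the names straight to grep.
scan_php_tree() {
    dir="$1"
    report="$2"
    patterns=$(write_patterns) || return 1
    # -l prints only file names; -F fixed strings; -f reads the pattern list
    find "$dir" -type f -name '*.php' -exec grep -lF -f "$patterns" {} + \
        | sort > "$report"
    rm -f "$patterns"
    wc -l < "$report" | tr -d ' '
}

# show_hits FILE
#   Prints each matching line of FILE with its line number, cut to 120
#   characters so a long obfuscated blob does not flood the terminal.
show_hits() {
    patterns=$(write_patterns) || return 1
    grep -nF -f "$patterns" "$1" | cut -c1-120
    rm -f "$patterns"
}

# Usage, assuming the current directory is the web root:
#   scan_php_tree . maybeinfected
#   while read -r f; do echo "== $f"; show_hits "$f"; done < maybeinfected
```

Expect false positives from the `$GLOBALS` string, which plenty of legitimate PHP uses; the report is a list of files to look at, not a verdict, which is why this version leaves deletion to a person reading the hits.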

Windows Update Fails to connect

October 16th, 2015
Delete references to the local server to force WSUS clients to use the Microsoft Update service:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

Remote Web Workplace SBS 2008 and Windows 10 RDP Clients

August 25th, 2015

Found a workaround for this on SBS 2008.  Navigate to "C:\Program Files\Windows Small Business Server\Bin\webapp\Remote" on the SBS server.  In that directory you will find a file named tsweb.aspx; right-click it and edit it.  Go about 1/4 to 1/3 of the way through the file and look for the section that looks like this:

sub window_onload()
Dim targetMachineName
Dim version 
On Error Resume Next
version = MsRdpClient.Version
if Err then
  msgbox ControlLoadFailed_ErrorMessage,0,RemoteDesktopCaption_ErrorMessage
  exit sub
end if  
On Error GoTo 0
if strcomp(version,"6.0.6000") < 0 then
   msgbox IncorrectClientVersion_ErrorMessage, 0, RemoteDesktopCaption_ErrorMessage
   window.close
   exit sub
end if

What I did was to comment out the second part of that statement so it looks like this:

'if strcomp(version,"6.0.6000") < 0 then
'   msgbox IncorrectClientVersion_ErrorMessage, 0, RemoteDesktopCaption_ErrorMessage
'   window.close
'   exit sub
'end if

Web Server Serving Pages Slowly?

April 28th, 2015

Linux Servers:

Check the nameservers listed in /etc/resolv.conf.
Make sure they are all valid and responding...especially the first one!
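A quick way to do that check is to pull every nameserver out of resolv.conf and time a lookup against each one, so a dead or slow first resolver stands out. The script below is an added example, not code from the original post; it assumes dig or nslookup is installed, and the query name example.com is only a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post: list the nameservers in a
# resolv.conf-style file and time a lookup against each one, so a dead or
# slow resolver (especially the first, which every lookup tries first) shows up.

# list_nameservers FILE
#   Prints the address of every 'nameserver' line in FILE, in order,
#   skipping comments (# or ;) and blank lines.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# check_nameservers FILE [NAME]
#   Queries NAME (default example.com, a placeholder) against each nameserver
#   in FILE with a 2-second timeout and prints one line per server: OK or
#   FAIL plus the seconds taken. Uses dig if present, otherwise nslookup.
#   Returns non-zero if any server failed to answer.
check_nameservers() {
    conf="$1"
    name="${2:-example.com}"
    rc=0
    for ns in $(list_nameservers "$conf"); do
        start=$(date +%s)
        if command -v dig >/dev/null 2>&1; then
            dig +time=2 +tries=1 "@$ns" "$name" A >/dev/null 2>&1 && status=0 || status=1
        else
            nslookup -timeout=2 "$name" "$ns" >/dev/null 2>&1 && status=0 || status=1
        fi
        elapsed=$(( $(date +%s) - start ))
        if [ "$status" -eq 0 ]; then
            printf 'OK   %-16s %ss\n' "$ns" "$elapsed"
        else
            printf 'FAIL %-16s %ss\n' "$ns" "$elapsed"
            rc=1
        fi
    done
    return $rc
}

# Usage on a live host:
#   check_nameservers /etc/resolv.conf
```

A server that answers but takes close to the timeout is as much of a problem as one that fails outright: the web server waits out that delay on every reverse lookup or outbound connection before falling through to the next entry.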

The remote computer disconnected the session because of an error in the licensing protocol

September 17th, 2014

Easy fix for this problem.  Using the registry editor, delete this key:

HKLM\Software\Microsoft\MSLicensing