This blog is a place used for notes and writing about various technical problems and projects worked on. Quite often the posts will be incomplete and some are likely to remain incomplete forever.

Hopefully some of it may be of passing interest, or maybe provide some assistance.


Dec 19

“dd” is the Linux command for taking byte-by-byte copies of files. Since Linux exposes a hard disk as a block device that behaves much like one big file, dd can be used to take a full copy, or image, of the disk.

If the image is a backup, it is worth zeroing the free space on the original disk first: runs of zeros compress far better than whatever old data the free space still contains. To do so, mount the original disk, cd onto it and fill the remaining space with a file of zeros (dd stops with “No space left on device”, which is expected), then delete the file. Do not do this to a disk you intend to examine forensically: it overwrites deleted files and slack space, which is exactly the evidence a forensic image is taken to preserve.

# dd if=/dev/zero of=delete.me bs=8M
# rm delete.me

Then to take the image of a disk detected as /dev/sda. conv=noerror makes dd carry on past read errors instead of aborting, and conv=sync pads each short read out to the full block with zeros so that every byte of the image stays at the same offset as on the disk; the price is that one unreadable sector costs the whole 64K block around it, and the final block is padded if the disk size is not a multiple of bs. Take the image with the disk unmounted, or mounted read-only, so that it is consistent.

# dd if=/dev/sda conv=sync,noerror bs=64K | gzip -c  > sda-dd-image.gz

Omit the gzip stage to create an uncompressed image; name it .dd rather than .gz so that it is not mistaken for a compressed one.

# dd if=/dev/sda conv=sync,noerror bs=64K of=sda-dd-image.dd

To check your progress, open another terminal and send the dd process a USR1 signal; dd prints its byte count and throughput to stderr (note that killall signals every dd process on the machine). coreutils 8.24 and later also accept status=progress on the dd command line.

# watch -n 10 killall -USR1 dd

To restore, use the following. Check the target device name first: dd overwrites whatever /dev/sda currently is without asking.

# gunzip -c sda-dd-image.gz | dd of=/dev/sda conv=sync,noerror bs=64K

Or if you are restoring from an uncompressed image

# dd if=image.dd of=/dev/sda conv=sync,noerror bs=64K

You can also mount an uncompressed image without restoring it to a drive (for a gzip’d image, decompress it first with gunzip). There is a little bit of arithmetic to find where the partition starts.

First run fdisk on your disk image

# fdisk -l -u -C 592 /media/sdb1/image.dd

Disk /media/sdb1/image.dd: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders, total 156301488 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0xb1579d08
Device                Boot Start End       Blocks    Id System
/media/sdb1/image.dd1 *    63    156280319 78140128+ 7  HPFS/NTFS/exFAT

This shows that the partition we are interested in starts at sector 63; at 512 bytes per sector that is byte 32256 (63 × 512).
Make a folder to mount the image on, and then mount it read-only at that offset. The ro option keeps the image unmodified; without it an NTFS volume will have its journal and timestamps updated just by being mounted.

# mkdir /media/loop
# mount -o ro,loop,offset=32256 -t ntfs /media/sdb1/image.dd /media/loop

Check all is present with

# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sda1             78140128   3895592  74244536   5% /media/sda1
/dev/sdb1            1442145212 1368096272    792140 100% /media/sdb1
/dev/loop2            78140128   5566440  72573688   8% /media/loop
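
The script below is an added example and is not part of the original post. It wraps the procedure above: it takes the gzip’d dd image, verifies it against the source by SHA-256 (allowing for the zero padding that conv=sync adds), and works out the mount offset by reading the MBR partition entry straight from the image instead of running fdisk. All function names are this example’s own. It assumes GNU coreutils and gzip, a little-endian host (od -t u4 decodes the LBA field in host byte order) and a classic MBR with 512-byte sectors; make_sample_disk builds a constructed 1 MiB image with one partition at sector 63 so it can be tried without a real disk.

```shell
#!/bin/sh
# Added example, not from the original post: image a disk the way the post
# does, verify the image against the source by SHA-256, and work out the
# loop-mount offset by reading the MBR partition table straight from the
# image. Assumptions: GNU coreutils (dd, od, head, sha256sum, wc) and gzip,
# a little-endian host (od -t u4 decodes the LBA field in host order), and a
# classic MBR with 512-byte sectors. Run as root against a real block device.
set -eu

# image_disk DEV OUT.gz : gzip-compressed dd image of DEV, as in the post.
image_disk() {
    dd if="$1" conv=sync,noerror bs=64K 2>/dev/null | gzip -c > "$2"
}

# verify_image DEV OUT.gz [SIZE] : compare the SHA-256 of DEV with the
# decompressed image. conv=sync pads the final short read out to 64K with
# zeros, so the image may be longer than the source; only the first SIZE
# bytes are compared. SIZE defaults to the file size of DEV; for a block
# device pass the value of blockdev --getsize64.
verify_image() {
    size=${3:-$(wc -c < "$1" | tr -d ' ')}
    src=$(sha256sum < "$1" | cut -d' ' -f1)
    img=$(gunzip -c "$2" | head -c "$size" | sha256sum | cut -d' ' -f1)
    [ "$src" = "$img" ]
}

# mbr_part_start IMG N : start LBA of primary partition N (1-4). The table
# begins at byte 446; each 16-byte entry holds the 32-bit little-endian
# start sector at offset 8 and the sector count at offset 12.
mbr_part_start() {
    entry=$((446 + 16 * ($2 - 1)))
    od -An -t u4 -j "$((entry + 8))" -N 4 "$1" | tr -d ' '
}

# mbr_part_offset IMG N : the byte offset to give mount -o loop,offset=...
mbr_part_offset() {
    echo $(( $(mbr_part_start "$1" "$2") * 512 ))
}

# make_sample_disk IMG : constructed 1 MiB "disk" with one NTFS (type 0x07)
# partition starting at sector 63, the layout fdisk showed above.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=1K count=1024 2>/dev/null
    # status 0x80, CHS start, type 0x07, CHS end, LBA start 63, 1985 sectors
    printf '\200\000\001\000\007\376\377\377\077\000\000\000\301\007\000\000' \
        | dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Usage:
#   make_sample_disk disk.img
#   image_disk disk.img disk.img.gz && verify_image disk.img disk.img.gz
#   mount -o ro,loop,offset=$(mbr_part_offset disk.img 1) -t ntfs disk.img /mnt
```

verify_image is the check worth keeping around: a hash taken of the source disk at imaging time, compared against the decompressed image, is what tells you later that the copy is still good, and the length argument is what stops the conv=sync padding from producing a false mismatch.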
Dec 14

To stop Microsoft Security Essentials from the command line or a batch file (from an elevated prompt, since stopping the service is an administrative action):

sc stop MsMpSvc

taskkill /f /im msseces.exe

Stopping the service pops up a warning message which is handled by “msseces.exe”, so we need to kill that process too. Note that this is exactly the sequence malware uses to blind the antivirus before doing anything else: a stop of MsMpSvc that you did not schedule (it shows up in the System event log as Service Control Manager event 7036, “entered the stopped state”) is worth investigating.

To start it again, run the following. This restarts the scanner service, but the tray icon may not reappear until you log in again or start msseces.exe yourself.

sc start MsMpSvc

Regards

Oct 18

One of my clients started having their emails to certain known recipients bounce with

"550 Recipient unknown"

After a bit of digging, it turned out that all the recipients were with 3 organisations who were using the same mail server and antispam system from a local ISP.

My client uses an in-house mail server with a fixed IP and a proper host name.

We contacted the local ISP and they finally informed us that the IP was listed with DroneBL.org.

DroneBL had us listed for the following reason:

Automatically determined botnet IPs (experimental)

I have no idea who, when or why this happened, or more importantly what happened. There was no facility to drill down for more details. But it was simple enough to de-list it. In fact it looks like it would be simple enough to sign up and blacklist anyone we had a grudge against.
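
If you want to check a server’s address yourself rather than wait for the ISP, the lookup is a plain DNS query. The script below is an added example, not from the original post: it builds the reversed-octet name a DNSBL expects, queries a few well-known lists with dig, and prints the TXT reason when the address is listed. The function names are this example’s own; it assumes dig (bind-utils) is installed, that outbound DNS works, and that the zone names used (dnsbl.dronebl.org, zen.spamhaus.org, bl.spamcop.net) are still those published by the list operators.

```shell
#!/bin/sh
# Added example, not from the original post: look up a mail server's address
# in DNS blocklists yourself. A listing is an A record for the reversed octets
# under the list's zone (192.0.2.10 on dnsbl.dronebl.org is looked up as
# 10.2.0.192.dnsbl.dronebl.org); most lists put the reason in a TXT record at
# the same name. Assumptions: dig (bind-utils) is installed and outbound DNS
# works; the zone names are the ones the list operators publish and may change.
set -eu

# dnsbl_name IP ZONE : the query name for IP on ZONE; fails on a bad address.
dnsbl_name() {
    ip=$1; zone=$2
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    [ $# -eq 4 ] || { echo "bad IPv4 address: $ip" >&2; return 2; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo "bad IPv4 address: $ip" >&2; return 2 ;; esac
        [ "$o" -le 255 ] || { echo "bad IPv4 address: $ip" >&2; return 2; }
    done
    echo "$4.$3.$2.$1.$zone"
}

# dnsbl_lookup IP ZONE : prints "listed <A record> <reason>" or "clean".
dnsbl_lookup() {
    name=$(dnsbl_name "$1" "$2") || return 2
    a=$(dig +short A "$name" | head -n1)
    if [ -z "$a" ]; then
        echo clean
        return 0
    fi
    txt=$(dig +short TXT "$name" | head -n1)
    echo "listed $a ${txt:-(no TXT reason)}"
}

# dnsbl_check IP : query a few widely used lists. Spamhaus answers
# 127.255.255.x when the query came through a public resolver or is over the
# free usage limit; that is a refused query, not a listing.
dnsbl_check() {
    for zone in dnsbl.dronebl.org zen.spamhaus.org bl.spamcop.net; do
        printf '%-20s %s\n' "$zone" "$(dnsbl_lookup "$1" "$zone")"
    done
}

# Usage: dnsbl_check 192.0.2.10
```

Run dnsbl_check against the mail server’s public address from a host that uses your own resolver; the TXT record, where the list provides one, is usually the closest you will get to the “why” that was missing here.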

But getting back to the original bounce message: what is the point of rejecting mail with the wrong reason? “550 Recipient unknown” sent us chasing address typos when the real cause was a DNSBL listing. An MTA that rejects on a blocklist hit can, and should, say so in the 5xx reply, naming the list and ideally a lookup URL, so that the legitimate sender’s admin can find and clear the listing. That costs nothing in the spam case: spammers do not give a s*** about error messages, they are more concerned about sending out the remaining 500,000 mails they have before dawn.

My Spam Policy

  • Do not bounce spam; only bounce proper errors. Where mail is refused, refuse it during the SMTP session so the sending server gets the error directly, rather than accepting it and generating a bounce afterwards, which with forged sender addresses just becomes backscatter to innocent third parties.
  • Anything you do bounce must carry a proper, meaningful reason. If you don’t give one, it makes absolutely no sense to bounce.
  • Let spam through but filter it into a separate folder, preferably on the intended user’s desktop so they can search it easily.
  • If messages are being put into spam erroneously, the recipient can then find them and bring them to the attention of some techie, who can examine the headers to determine exactly why they were marked as spam.

Oct 16

I was given a client’s laptop which, although it could connect to the internet (I could even remote access it), could not browse or collect email. I could not find anything wrong; I ran multiple scans with Norton, MS Security Essentials and Malwarebytes but found nothing. The only thing I noticed was that when trying to run PuTTY, it gave some kind of out of buffers or quota error.

This laptop was running Windows XP and it was time to upgrade to Windows 7 anyway, so I just wiped it and reinstalled.

A few weeks later my own desktop started showing the same problem. After running for a while, I could not browse or collect email, and PuTTY was showing this quota/buffer error again. (Should have written the damn thing down.)

I suspected that Firefox was causing the problem, so I disabled all add-ons etc., and even stopped using Firefox.

Later, I installed a new version of Malwarebytes to run its scan, and chose to install a trial of the Pro version. The scan found nothing, but the resident Malwarebytes started picking up attempts to connect to a suspect IP address: 199.80.55.13.

I googled malwarebytes 199.80.55.13, and found this:

http://forums.malwarebytes.org/index.php?showtopic=92872

In this discussion, TDSSKiller seemed to find the rootkit, but not clean it. TDSSKiller did not find anything wrong on my computer. At the end of that discussion, after running an ESET scan, a Java update and Adobe Reader are removed and all’s well again.

So I went straight to Add/Remove Programs, removed any Java updates and Adobe Reader. My computer seems to be behaving better now. No more pop ups from MWB about dodgy IP addresses.

I am now running the ESET scan. I’ll post back here when it’s done.

Some helpful cleanup tools:

http://download.bleepingcomputer.com/sUBs/dds.scr

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Oct 14

I just did my first CentOS 6 minimal install.

The first thing you notice is that the usual network configuration tools are not installed, so the interface has to be set up by hand until you can yum in the tools you want. For a static address, the following three commands (substituting your own address, nameserver and gateway) will get you going:

ifconfig eth0 192.168.1.2
echo "nameserver 192.168.1.254" >> /etc/resolv.conf
route add default gw 192.168.1.254 eth0

These settings are lost at the next boot, so make them permanent as described below once the tools are installed.
If you are on a DHCP network there is an even quicker way:

dhclient eth0

After getting connected, you can then install the text based network configurator.

yum install system-config-network-tui

The minimal install only includes vi as a text editor, so I installed nano.

yum install nano

Now you will need to edit the interface configuration file to make the interface come up on boot:

nano /etc/sysconfig/network-scripts/ifcfg-eth0

and set ONBOOT=yes (the installer writes ONBOOT=no for a minimal install). For a static address also set BOOTPROTO=none together with IPADDR, NETMASK, GATEWAY and DNS1; for DHCP, BOOTPROTO=dhcp is enough. NM_CONTROLLED=no keeps NetworkManager, should it be installed later, from overriding the file.

I’ve tried this on a VirtualBox VM with the network interface in bridge mode, and on a bare metal installation.
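
The script below is an added example, not from the original post. It writes the persistent form of the temporary settings above as a static ifcfg file and checks the result before the interface is restarted, which is the step that catches a forgotten ONBOOT or a static stanza with no address. The function names are this example’s own; it assumes the interface is eth0 with the post’s 192.168.1.0/24 addressing and that the files live in /etc/sysconfig/network-scripts (set SYSCONFIG to another directory to stage and inspect the file first).

```shell
#!/bin/sh
# Added example, not from the original post: write the persistent form of the
# temporary ifconfig/route/resolv.conf settings above and check it before the
# interface is restarted. Assumptions: the interface is eth0 with the post's
# 192.168.1.0/24 addressing, and the files go to /etc/sysconfig/network-scripts
# (set SYSCONFIG to another directory to stage and inspect the file first).
set -eu

SYSCONFIG=${SYSCONFIG:-/etc/sysconfig/network-scripts}

# write_ifcfg IFACE IP NETMASK GATEWAY DNS : static address, up at boot.
# NM_CONTROLLED=no keeps NetworkManager, if it is installed later, from
# overriding the file.
write_ifcfg() {
    cat > "$SYSCONFIG/ifcfg-$1" <<EOF
DEVICE=$1
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
NM_CONTROLLED=no
IPADDR=$2
NETMASK=$3
GATEWAY=$4
DNS1=$5
EOF
}

# ifcfg_get IFACE KEY : read KEY back, with or without surrounding quotes.
ifcfg_get() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}\$/\1/p" "$SYSCONFIG/ifcfg-$1"
}

# ifcfg_check IFACE : fail unless the interface comes up at boot with an address.
ifcfg_check() {
    onboot=$(ifcfg_get "$1" ONBOOT | tr 'A-Z' 'a-z')
    proto=$(ifcfg_get "$1" BOOTPROTO | tr 'A-Z' 'a-z')
    [ "$onboot" = yes ] || { echo "$1: ONBOOT is '$onboot', not yes" >&2; return 1; }
    case $proto in
        dhcp) ;;
        none|static)
            [ -n "$(ifcfg_get "$1" IPADDR)" ] || { echo "$1: static but no IPADDR" >&2; return 1; }
            ;;
        *) echo "$1: unknown BOOTPROTO '$proto'" >&2; return 1 ;;
    esac
}

# Usage (as root):
#   write_ifcfg eth0 192.168.1.2 255.255.255.0 192.168.1.254 192.168.1.254
#   ifcfg_check eth0 && service network restart
```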

Sep 22

This answer is taken almost verbatim from here

 

One possible cause is corrupt printer drivers.

Solution 1: Remove all printer drivers and reinstall them

1. Click the “Start” button, type PRINTER in the search box and press Enter.
2. Find the icons of installed printers, and delete them.
3. Right-click on the blank part of the window, and choose “Run as administrator”->”Server Properties”.
4. On the Drivers tab, select the listed printers and click the Remove button. Please then select Remove driver and driver package.
5. Open Start menu, input APPWIZ.CPL in the Search box and press ENTER to launch “Programs and Features”.
6. Try to remove all related printer software.

Solution 2: Clear the printing sub system.

Step 1
======
Stop the Print Spooler service first (net stop spooler from an elevated prompt) so that the driver files are not in use. Then start Windows Explorer and rename all files and folders in the following folder:

c:\windows\system32\spool\drivers\w32x86

On 64-bit Windows the native drivers live alongside it in c:\windows\system32\spool\drivers\x64, and the corresponding registry environment key in Step 2 is “Windows x64” rather than “Windows NT x86”; clean both on a 64-bit machine.

Step 2
======
1. Click Start, type REGEDIT in the Start Search Bar, and then press ENTER.
2. Navigate to and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environment\Windows NT x86

View the list of subkeys. There should be only the following subkeys:

Drivers
Print Processors

If there are any keys other than those listed above, follow these steps. Note what the unexpected entries point to before removing them: print processors and port monitors are DLLs the spooler loads as SYSTEM at boot, which makes these keys a known malware persistence location (MITRE ATT&CK T1547.012 and T1547.010), so a stray entry may be more than a driver leftover.

a. On the File menu, click Export.
b. In the File Name box, type a descriptive name for this key — for example, type WindowsNTx86regkey — and then click Save to save it to your local Desktop.

We can use this backup of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environment\Windows NT x86 registry key to restore the key if you experience any problems after you complete this procedure.

c. Delete all keys other than Drivers and Print Processors.

Step 3
======
Navigate to and click the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors registry key. View the list of subkeys. There should be only the following subkeys:

BJ Language Monitor
Local Port
Microsoft Document Imaging Writer Monitor
Microsoft Shared Fax Monitor
Standard TCP/IP Port
USB Monitor
WSD Port

If there are any keys other than those listed above, follow these steps to delete them:

a. On the File menu, click Export.
b. In the File Name box, type a descriptive name for this key, for example Monitorsregkey, and then click Save to save it to your local Desktop.

We can use this backup of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors registry key to restore the key if you experience any problems after you complete this procedure.

c. Delete all keys other than the seven listed above.

Step 4. Disconnect the printer cable from the computer, and then restart the computer.

Step 5. Reconnect the printer cable to the computer, install the printer according to the manufacturer’s installation instructions, and then check if the issue persists.

Jul 7

First let’s see whether the hardware itself is faulty. Each drive manufacturer publishes a diagnostic tool:

  • Quantum/Maxtor – PowerMax – http://www.maxtor.com/en/support/downloads/powermax.htm
  • Western Digital – Data LifeGuard Tools (DLGDiag) – http://support.wdc.com/download/
  • Hitachi/IBM – Drive Fitness Test (DFT) – http://www.hgst.com/hdd/support/download.htm
  • Seagate – SeaTools – http://www.seagate.com/support/seatools/
  • Fujitsu – Diagnostic Tool – http://www.fcpa.com/download/hard-drives/
  • Samsung – Disk manager – http://www.samsung.com/Products/Hard…ies/shdiag.htm

Every time Windows XP starts, the Session Manager (smss.exe) runs Autochk.exe (the “autocheck autochk *” entry in the BootExecute value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) to scan all volumes and check whether the volume dirty bit is set. If the dirty bit is set, autochk performs an immediate chkdsk /f on that volume. Chkdsk /f verifies file system integrity and attempts to fix any problems with the volume. If, while Windows is running, you attempt to run chkdsk /f on the boot volume or another volume that is in use, the dirty bit is set so that the check runs at the next reboot.

A command line utility, chkntfs, displays or modifies the checking of disks at boot time.

chkntfs /d

restores the machine to the default behaviour described above. (chkntfs /x followed by a drive letter excludes that volume from the boot-time check, which is the supported way of switching it off for a single volume.)

To check whether the dirty bit is set:

fsutil dirty query C:

or

chkntfs c:

Only chkdsk clears the dirty bit; fsutil dirty set can set it, but there is no fsutil command to clear it. So if a volume keeps coming up dirty, run chkdsk and read its output rather than suppressing the check.

When chkdsk runs at boot time it records its output to a file called Bootex.log in the root of the volume being checked. The Winlogon service then moves the contents of each Bootex.log file into the Application event log, as a Winlogon event with ID 1001, which is where to look for the results after the reboot.

If you really want to, you can disable the chkdsk at boot completely. The tweak below edits the same BootExecute value that launches autochk, so it affects every volume; bear in mind that a volume which comes up dirty on every boot is reporting a problem, and disabling the check hides it rather than fixing it.

Go to:  http://www.kellys-korner-xp.com/xp_tweaks.htm

Read the instructions at the top of the page. Scroll down to: 82. – Disable or Enable Check Disk Upon Boot

The problem can be caused by recently installed software. I’ve heard of a case of Yahoo Messenger causing it.

Jul 5

The best solution to crashing Outlook 2010 problems is Thunderbird, but if that’s not an option, here are some things you could try:

The most common crashing problem I have come across is where it crashes every time it tries to send an email.

 

Safe Mode

Try starting Outlook in safe mode, and see if the crashing stops.

Method 1: Hold down the Ctrl key while starting Outlook. It asks whether you want to start in safe mode.

Method 2: Go to the “Run” dialog or open a command prompt and type one of the following:

  1. outlook /safe – Starts Outlook without Microsoft Exchange Client Extensions (ECE), the Reading Pane, or toolbar customizations. Component Object Model (COM) add-ins are turned off.
  2. outlook /safe:1 – Starts Outlook with the Reading Pane off.
  3. outlook /safe:3 – Starts Outlook with Microsoft Exchange Client Extensions (ECE) turned off, but listed in the Add-In Manager. Component Object Model (COM) add-ins are turned off.
  4. outlook /safe:4 – Starts Outlook without loading outcmd.dat (customized toolbars).

If the crashing stops in safe mode, the culprit is almost certainly an add-in: re-enable them one at a time (File -> Options -> Add-Ins) to find which.

Repair PST files

The Microsoft PST repair tool is called SCANPST.EXE and lives in the Office program folder: C:\Program Files\Microsoft Office\Office14 (C:\Program Files (x86)\Microsoft Office\Office14 for 32-bit Office on 64-bit Windows). Close Outlook before running it, and take a copy of the PST first, since the repair rewrites the file.

Your PST files are probably in one or both of these locations (on Vista and later the equivalents are C:\Users\<username>\AppData\Local\Microsoft\Outlook and C:\Users\<username>\Documents\Outlook Files):

  • C:\Documents and Settings\promoters\Local Settings\Application Data\Microsoft\Outlook
  • C:\Documents and Settings\promoters\My Documents\Outlook Files

Jun 30

I still use Microsoft Photo editor for some simple tasks. It’s fast and fine for cropping screen captures.

The problem is that it normally only shows when the window is maximised. If you try to restore it to a normal window, it remains running, but disappears off the screen.

There are 3 methods I have found to solve this:

  1. Right-click on its taskbar icon and choose Move. The cursor should change shape to indicate you are in move mode. Press any one of the keyboard’s arrow keys and then move your mouse to position the window on your desktop.
  2. Alt-Tab to the window. Press Alt+Space, press M, press an arrow key, and then move your mouse.
  3. Right-click on empty space on the taskbar and click “Cascade Windows”.

Jun 15

Out of the box, CentOS 5 installs Sendmail with Procmail as the local delivery agent, and Dovecot for IMAP/POP3. The inbox is the mbox file /var/spool/mail/username and any user folders are stored in mbox format under ~/mail/.

If we access an email account over IMAP there are problems with folders and sub-folders: an mbox folder is a single file, so it cannot also contain sub-folders. The solution is to swap over to Maildir, where every folder is a directory.

To do so, we need to change both Dovecot and Procmail. Make the two changes together, after converting the existing mailboxes (see below), so that mail delivered in the meantime does not land in a mailbox Dovecot no longer reads.

Edit “/etc/procmailrc” and change:

ORGMAIL=$HOME/Maildir/
DEFAULT=$HOME/Maildir/

Edit “/etc/dovecot.conf” (the Dovecot 1.x configuration file shipped with CentOS 5) and change:

mail_location = maildir:~/Maildir
pop3_uidl_format = %08Xu%08Xv

Then restart Dovecot so the new mail_location takes effect.

If you prefer to use Webmin:

Servers -> Procmail Mail Filter -> Manually Edit Configuration.

Servers -> Dovecot IMAP/POP3 Server -> Mail Files

and set

Mail file location = "Inbox and folders in ~/Maildir"
UIDL format = "Other.. %08Xu%08Xv"

 

Transferring old Emails

The dovecot instructions are here.

I just downloaded the mb2md.pl script and did the rest by hand.

I logged in as root and ran the following commands for each user

First let’s import the old inbox into the Maildir format. This will also create the ~username/Maildir folder if it does not exist.

./mb2md.pl -s /var/spool/mail/linuxusername -d ~linuxusername/Maildir

Second, let’s import any other existing folders (-R recurses into sub-folders):

./mb2md.pl -s ~linuxusername/mail -R -d ~linuxusername/Maildir

Finally we fix the file ownership, since the conversion ran as root. One recursive chown on the Maildir is enough: -R descends into the dot-directories Maildir uses for folders by itself, and a Maildir/.* glob must be avoided because it also matches .., which would recursively chown the parent directory and every other home under it.

chown -R linuxusername:groupname /home/season/homes/linuxusername/Maildir
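
As an added example, not part of the original post, here is a per-user driver for the steps above that also handles the ownership step safely and makes the mailbox private. The function names are this example’s own; it assumes mb2md.pl is on the PATH, that each user’s mbox folders live in ~/mail as described, and that it runs as root. The check function verifies that cur/, new/ and tmp/ exist and that the Maildir is mode 700, which is all the access Dovecot (running as the user) and Procmail (delivering as the user) need.

```shell
#!/bin/sh
# Added example, not from the original post: run the mbox-to-Maildir move for
# each local user, then hand the files back to the user and make the mailbox
# private. It avoids "Maildir/.*": that glob also matches "..", so a
# recursive chown on it walks back up into the parent directory and every
# other home under it. Assumptions: mb2md.pl is on the PATH, each user's mbox
# folders live in ~/mail as in the post, and this runs as root.
set -eu

# maildir_fix_perms USER GROUP DIR : mail is private, so nothing for group/other.
maildir_fix_perms() {
    chown -R "$1:$2" "$3"      # -R already descends into the .Folder directories
    find "$3" -type d -exec chmod 700 {} +
    find "$3" -type f -exec chmod 600 {} +
}

# maildir_check DIR : a usable Maildir has cur/, new/ and tmp/ and mode 700.
maildir_check() {
    for d in cur new tmp; do
        [ -d "$1/$d" ] || { echo "$1: missing $d/" >&2; return 1; }
    done
    mode=$(stat -c %a "$1")    # GNU stat: octal permission bits
    [ "$mode" = 700 ] || { echo "$1: mode $mode, want 700" >&2; return 1; }
}

# convert_user USER : inbox first (this creates ~USER/Maildir), then ~/mail.
convert_user() {
    user=$1
    home=$(getent passwd "$user" | cut -d: -f6)
    [ -n "$home" ] || { echo "no such user: $user" >&2; return 1; }
    group=$(id -gn "$user")
    mb2md.pl -s "/var/spool/mail/$user" -d "$home/Maildir"
    if [ -d "$home/mail" ]; then
        mb2md.pl -s "$home/mail" -R -d "$home/Maildir"
    fi
    maildir_fix_perms "$user" "$group" "$home/Maildir"
    maildir_check "$home/Maildir"
}

# Usage (as root, with delivery stopped): for u in alice bob; do convert_user "$u"; done
```

Stop Sendmail (or at least local delivery) while the loop runs, and switch the Procmail and Dovecot settings over immediately afterwards, so that no message is delivered into an mbox that nothing will read again.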
