Tuesday, 6 March 2018

ieplaro.exe mining trojan spreading over SMB (EternalBlue) removal

Since I had to deal with this nasty monster over the weekend, and most (all) websites' versions of cleaning instructions are as informative as "Download our program to remove", I thought I'd post this.

Symptoms in our case were:
* Server CPU Usage High
* Slowdowns
* SMB shares working intermittently
* Microsoft Exchange services failing to start up (especially RPC)
* Outlook/OWA email connectivity issues

The first clue was a program called iexplaro.exe running and hammering the CPU. Terminating this program had little effect, as it respawned seconds later. It turns out this Trojan creates a Windows service and a few other programs spread out over the hard drive to protect this operation.

C:\windows\IDE had a hidden folder and applications; attrib -h -r -s in an admin command line unhides it. The Windows service was named Oracle Java (or some such; use msconfig with "Hide all Microsoft services" ticked, or regedit, to dig out the naughty services), c:\program files (x86)\ also had a hidden exe, and lastly c:\windows had a few exe's (variants of the svchost name).

An alternative to removing the executables by hand is Malwarebytes Anti-Malware, which found and removed the services and other exe's.

After cleanup, however, the Windows services still wouldn't start up cleanly. I was about to format and reload; however, reading the one batch file the Trojan uses to "install" itself gave a clue as to what was still hampering progress: IPSEC "firewall" rules.

This article describes a mining Trojan with a similar strategy, but again no cleaning instructions.

Key section of the Trojan's damage below:
netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y

Open a CMD prompt as administrator.
To confirm you have these ipsec rules messing you around, use the following command:

netsh ipsec static show all

If a huge list of text appears (on a clean server this command normally returns nothing of note), you likely have the ipsec rules preventing access.

To remove this junk use the following command; it removes everything in each of the above "sections" of ipsec: policy, filterlist, filteraction, filter, rule. Note that it also removes any legitimate IPsec policies you configured locally, so check the output of the show command first and note anything you need to recreate.

netsh ipsec static delete all

Restart the server and it should recover and start all services again.
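For triage of an install script recovered during a cleanup like this one, the following is an added example (not from the original post) that parses the netsh ipsec lines quoted above, follows the chain from rule to filterlist to filter and filteraction, and reports which ports end up blocked and whether the policy was assigned. The sample script is constructed from the lines in this post; the function and variable names are my own.

```python
import re

# Constructed sample: the netsh lines quoted from the trojan's install batch file.
SAMPLE_SCRIPT = """\
netsh ipsec static add policy name=netbc
netsh ipsec static add filterlist name=block
netsh ipsec static add filteraction name=block action=block
netsh ipsec static add filter filterlist=block any srcmask=32 srcport=0 dstaddr=me dstport=445 protocol=tcp description=445
netsh ipsec static add rule name=block policy=netbc filterlist=block filteraction=block
netsh ipsec static set policy name=netbc assign=y
"""

def parse_netsh_ipsec(script):
    """Return (verb, object, {key: value}) for every 'netsh ipsec static' line in the script."""
    entries = []
    for line in script.splitlines():
        parts = line.strip().split()
        if parts[:3] != ["netsh", "ipsec", "static"] or len(parts) < 5:
            continue  # not an ipsec static command (or too short to carry an object)
        verb, obj, kv = parts[3].lower(), parts[4].lower(), {}
        for tok in parts[5:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                kv[k.lower()] = v
            else:
                kv[tok.lower()] = True  # positional keywords such as 'any'
        entries.append((verb, obj, kv))
    return entries

def find_port_blocks(script):
    """List filters that reach a blocking filteraction via a rule, with the policy state."""
    entries = parse_netsh_ipsec(script)
    blocking_actions = {kv.get("name") for v, o, kv in entries
                        if v == "add" and o == "filteraction" and kv.get("action") == "block"}
    assigned = {kv.get("name") for v, o, kv in entries
                if v == "set" and o == "policy" and kv.get("assign", "").lower() in ("y", "yes")}
    findings = []
    for v, o, rule in entries:
        if v != "add" or o != "rule" or rule.get("filteraction") not in blocking_actions:
            continue
        for v2, o2, f in entries:  # every filter attached to this rule's filterlist
            if v2 == "add" and o2 == "filter" and f.get("filterlist") == rule.get("filterlist"):
                findings.append({"policy": rule.get("policy"), "filterlist": f["filterlist"],
                                 "dstport": f.get("dstport"), "protocol": f.get("protocol"),
                                 "assigned": rule.get("policy") in assigned})
    return findings

if __name__ == "__main__":
    for finding in find_port_blocks(SAMPLE_SCRIPT):
        print(finding)
```

On the sample this reports one finding: policy netbc, assigned, blocking tcp/445, which is exactly the SMB lockout the post describes.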

Wednesday, 24 January 2018

Pebble + NavMe Android issues

Good day blogfolk and persons of the reading variety

I know it's been a while since I added any nice technical blurbs but here's a pretty handy one

If you, like me, still use a Pebble Smartwatch and your NavMe integration refuses to pick up navigation from your Android, here are a few steps to try to PROPERLY resolve the issue:

1) Reset Pebble smartwatch to default
2) Connect the Pebble to your Pebble App on the Phone
3) Install NavMe app from the App Store
4) Install NavMe app to Pebble
5) Give your Pebble AND NavMe Notification Access
6) Give Pebble AND NavMe Autostart access (This is important and few sites/people mention it)
7) Restart phone

Your NavMe on Pebble should now pick up Google Navigation again.

Friday, 26 June 2015

How to recreate the Group Policy Settings for WSUS clients when it's missing


Wednesday, 3 September 2014

CRM2011 get_lookupStyle error onload for Phone Call activity

I've been experiencing a strange issue where an error message would pop up on the Phone Call activity of CRM2011. Some background: we have a phone call tracking system that triggers the Phone Call entity with a call reference and phone number whenever a call is ended. This has been working fine since CRM4.0, but I believe rollup 12+ either broke or changed the functionality slightly.

The culprit seems to be the SwapLookups function: SwapLookups( crmForm.all.from, crmForm.all.to )

To solve this I had to edit the OnLoad and OnChange events and rewrite SwapLookups using my own code; the code is below should you need to do the same.

function DirectionChange() {
    var tempwho = Xrm.Page.getAttribute("from").getValue(); // keep the Sender (from) party value
    Xrm.Page.getAttribute("from").setValue(null);           // blank the Sender field
    Xrm.Page.getAttribute("to").setValue(tempwho);          // set Recipient (to) to the stored value
}

This partially replicates the functionality of SwapLookups: it stores the Sender field value, blanks it, then changes the Recipient field value to the stored value (this is for incoming calls, as CRM defaults to Outgoing).

Wednesday, 23 July 2014

How to install Windows 8.1 without creating a Microsoft Account when upgrading from Windows 7/8

Click on the link Create a new account (near the bottom of the screen, below the "Don't have an account?" text).
When the sign-up form appears, click on Sign in without a Microsoft account (also at the bottom).
This will log you in using your existing account details.

Monday, 21 July 2014

Exchange 2003 SP1 DLLs

I was giving DigiScope from Lucid8 a try to see how it performs. My biggest gripe was that it didn't include the DLLs for accessing Exchange databases.

Here are direct download links to the Exchange 2003 SP1 DLLs should you need them:


Thursday, 17 July 2014

How to stop the SBCore service (SBS2003)

Found here: how to stop the SBCore service

Anyway, down to business...
- Tools you'll need: Process Explorer from www.sysinternals.com

As you probably know, you have a service called SBCore or "SBS Core Services", which executes the following process: C:\WINDOWS\system32\sbscrexe.exe

If you kill it, it just restarts, and if you try to stop it you are told Access Denied.

If you fire up Process Explorer, you can select the process and suspend it; now we can start to disable the thing.

Run RegEdit32.exe and expand the nodes until you reach the following hive / key:

Right-click this, hit Permissions and give the "Administrators" group on the local machine full access (don't forget to replace permissions on child nodes). Press F5 in regedit and you'll see all of the values and data under this key.

Select the "Start" DWORD and change it from 2 to 4; this sets the service to the "Disabled" state as far as the MMC services snap-in (and Windows, for that matter) is concerned.

Next, adjust the permissions on the file C:\WINDOWS\system32\sbscrexe.exe so that the EVERYONE account is denied any sort of access to this file.

Then go back to Process Explorer and kill the sbscrexe.exe process; if it doesn't restart, congratulations!

Load up the services MMC snap-in and you should find that "SBS Core Services" is stopped and marked as Disabled.