Anatomy of a hack: mail server

Today I’ve been fixing a problem with my mail server after someone “hacked” (cracked) it. I’m reconstructing the chain of events as best I can, but the causality wasn’t obvious at the time.

Background: this machine is running Windows Server 2003 SP1 with Exchange Server 2003 SP2.

A few weeks ago, someone gained unauthorised access to the server over the internet. I’m not sure how exactly, but I suspect that they used a buffer overflow in IIS (since the server runs OWA). The server is up to date with all the relevant security patches, so that shouldn’t be possible, but something obviously went wrong.


Firewall blacklist

One of my current projects is configuring ISA 2004 as a firewall. Without wanting to get sidetracked into advocacy debates, all I’ll say is that:
a) It’s a lot better than ISA 2000.
b) It’s annoying that it doesn’t support more than one internet connection, so hopefully they’ll fix that in ISA 2006.

Anyway, today I got hold of some blacklists (i.e. a long list of dodgy websites), and set up rules to block them. While I generally think that enumerating badness is a doomed endeavour, enumerating goodness is a bit tricky for websites, so this seems like a reasonable step (in conjunction with other rules). So, once I’d imported these lists, I then tested them, by trying to access the blocked websites on my PC. This is where typos can cause problems…

Me: “Let’s see, … aargh!”
Server: “Tum te tum, I’m blocking as ordered.”
Me: “Ok, let’s add this site to the list as well, then try that again…”

Similar problems occurred with the various permutations of “”. So, when the report gets run tonight, my traffic may look a bit dodgy tomorrow. In the sense of “My eyeballs are bleeding!”

Ah well, it’s a living.

(Just to state the obvious, I don’t recommend following those links, especially if you’re at work!)

HP printer drivers

Here’s an obscure problem that had me banging my head against the wall until I figured out the solution.

If you add a printer to Windows XP/2003 (and possibly other versions too), and choose to share it, there’s an option to install additional drivers. That way, someone running NT4 can connect to it, and automatically get the drivers from your machine. That’s the theory.

In practice, it goes like this:
1. Tick the box for “NT4 support”.
2. Get prompted for the necessary driver files.
3. Go to HP website, find/download relevant files.
4. Tell Windows where to find the files, by browsing to the relevant .inf file.
5. Get the error message “Windows cannot locate a suitable printer driver”.

The issue is that the device name inside the .inf file has to exactly match the device name in Windows XP.

Taking the HP 895Cxi as an example, the original line in the HPDJ.INF file says:
DEVICENAME="HP DeskJet 895C Series Printer"

I then had to modify this to say:
DEVICENAME="HP DeskJet 895Cxi"
at which point everything worked fine.

N.B. You can comment out a line in a .inf file by putting a semi-colon at the start, so that’s a useful approach in case you’re worried about breaking anything.
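The DEVICENAME edit above, as an added PowerShell example that is not part of the original post. It assumes the post's HPDJ.INF layout (a single DEVICENAME=... line), that the name Windows needs is the DriverName WMI reports for the printer, and it keeps the original line commented out with a leading semicolon so the change can be undone.

```powershell
# Patch DEVICENAME in a printer .inf so it exactly matches the name Windows uses.
# Added example; the file path and printer name below are assumptions.
function Set-InfDeviceName {
    param(
        [Parameter(Mandatory)] [string]$InfPath,
        [Parameter(Mandatory)] [string]$NewName
    )
    $lines = Get-Content -Path $InfPath
    $out = foreach ($line in $lines) {
        if ($line -match '^\s*DEVICENAME\s*=') {
            ';' + $line                   # keep the original line, commented out
            "DEVICENAME=`"$NewName`""      # exact name, in straight double quotes
        } else {
            $line
        }
    }
    # .inf files are plain ASCII; keep them that way so Setup can still parse them.
    Set-Content -Path $InfPath -Value $out -Encoding Ascii
}

# Ask Windows for the exact driver name of the shared printer (assumed printer name),
# then rewrite the downloaded NT4 driver's .inf (assumed path) to match it.
$printer = Get-WmiObject -Class Win32_Printer -Filter "Name = 'HP DeskJet 895Cxi'"
if (-not $printer) { throw 'Printer not found; check the name in Printers and Faxes.' }
Set-InfDeviceName -InfPath 'C:\drivers\nt4\HPDJ.INF' -NewName $printer.DriverName
```

Compare the patched file against the original afterwards; only the DEVICENAME line should differ.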

That’s the second time I’ve come across this problem, but there was enough of a time-lag in between that I only remembered “I have to hack around inside the .inf file”. So, now I have a permanent entry to remind me, and hopefully this is useful to someone else too.

Make-shift repairs

“The three most dangerous things in the world are a hardware engineer with a software patch, a computer programmer with a soldering iron, and an end user with an idea…”

Back in my undergrad days, there was one fine Sunday morning when I needed to swap a couple of hard drives around, i.e. the master would become the slave and vice-versa. This was specified with jumpers, but unfortunately I didn’t have enough to actually do the job (you only needed one for “master mode” vs two for “slave mode”, and the stingy manufacturer hadn’t given me a spare). Hmm. However, one of my friends from the CompSci course had come over to visit, and he came up with a solution to this problem. I had an old (broken) pair of headphones, so we cut a piece of cable off that and trimmed away the plastic to get some copper wire. This then got wrapped around the relevant pair of pins, and we stuck some blu-tack on top to hold it in place. Job done! After all, that’s all that a jumper really is, i.e. a conductive wire inside some insulation. Later on, one of my flatmates (an engineering student) woke up, and was horrified at this bodge-job. Meh, that’s what you get for having a lie-in 🙂 Anyway, this worked smoothly until I outgrew the drive.

Today I had a vaguely similar problem, where I couldn’t plug a keyboard into the back of a server (PS2 socket). On closer inspection, it turned out that the black plastic pin from a previous keyboard had broken off inside the socket, so it was stopping the new plug from actually going in far enough. I tried to fish it out with blu-tack, but sadly this trusty source failed me; the hole was too small to push my finger in, and a paper clip couldn’t push enough in. I did a Usenet search (on the grounds that I’m rarely the first person to encounter any specific problem), and someone had suggested putting a small amount of superglue on the end of a toothpick. In theory, this could work well – the glue will stick very strongly to the broken piece of plastic, and pull it out easily. In practice, I suspected that my hand would twitch at the wrong time, and I’d wind up with a toothpick welded into the socket, and protruding a couple of inches out of the back of the machine; not a great improvement. I didn’t have any tweezers that were small enough to fish it out, and trying to pry it out with a paper clip didn’t work; I was able to chip a couple of bits off it with a scalpel, but that was pretty haphazard.

Plan B: It turns out that the black plastic pin isn’t actually essential, i.e. it’s not metal, so it’s not carrying any current. Its only purpose is to help you get the cable positioned properly, since it will only go into the socket if it’s the right way around. So, all I needed to do was trim that pin down to a shorter size, and I’d be able to get the plug into the socket. (Fortunately, I have plenty of sacrificial keyboards lying around.) This is another case where health and safety guidelines don’t quite apply; I had to put my hand all around the plug, so even though I was cutting away from my body, I was still cutting towards my fingers. Anyway, I managed to trim it down without any bloodshed, which was a relief. And that did the trick – I was able to actually use the keyboard after that.

So, singalong at home! “Oh, I’ve been trimming at the cables…” (to the tune of “I’ve been working on the railroad…”)

Everything I need to know I learned from MacGyver 🙂

Digital certificates

I’ve been taking an interest in computer security recently, and as part of that I’ve been investigating digital certificates, primarily in the context of code signing (e.g. applications/macros/plugins).

There seem to be two main misconceptions here (at opposite ends of the scale), which are worth addressing:

1. “If something has been signed then it’s safe.”

2. “Just because something’s been signed, that’s no guarantee of safety, therefore signing is pointless, and it’s just a way for Microsoft to extort money from people while spreading FUD.” (FUD = Fear, Uncertainty, and Doubt.)


Event Viewer problems

I’m currently spending an exciting Friday night in the office. Specifically, I’ve been fixing a Windows 2000 PC that’s been running extremely slowly for the past few days. I’ve got that problem solved now (I’m just sticking around to do general maintenance on it), and I thought it was worth documenting here, in case anyone else encounters it.

Symptoms:
PC running Windows 2000 Pro with SP4 is extremely slow.
services.exe taking 99% or 100% of CPU time.
Can’t run Event Viewer.
In Admin Tools | Services, the “Event Log” service says “Starting”.

Cause:
One or more of the event viewer log files was corrupt, so the service couldn’t start, and therefore the application couldn’t run. But the service didn’t fail either, it just kept retrying, which meant that it was tying up the whole CPU.

Solution:
Change the startup type of that service to “Manual”, then reboot the computer. After rebooting, delete *.evt from
(or just move them to a spare folder), and start the service manually. If this works (which it did in this case), it will recreate the three files, and then you should change the service’s startup type back to “Automatic”.

Further info:
In this case, two of the three files had a size of 512kb. When the service had restarted, I ran Event Viewer, and looked at the properties for each of the logs. They all had a maximum size of 512kb, and they were also configured to overwrite events after 7 days. I’ve changed this setting to be “Overwrite events as needed”. My theory is that the files got corrupted because Windows tried to add new events, but it had run out of space, and it couldn’t delete the old entries because they were less than 7 days old. Normally this would just give an error message on the screen, but I think it’s best to avoid this configuration in general (I really don’t know why Microsoft made this the default). So, if you’re working on any other machines, take a minute to change this setting over.
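The repair steps and the retention change above, as an added PowerShell example that is not the post's own script. It assumes an elevated shell, that the .evt files sit in the usual system32\config folder (the post's own path did not survive), and uses the registry Retention value, where 0 means “Overwrite events as needed” and 604800 is the 7-day default.

```powershell
# Added example: repair a corrupt event log store and fix the retention setting.
$LogDir = Join-Path $env:SystemRoot 'system32\config'   # assumed .evt location
$Logs   = 'Application', 'Security', 'System'

# Phase 1, before the reboot: stop the service from retrying on the next boot.
function Disable-EventLogAutostart {
    Set-Service -Name EventLog -StartupType Manual
    Write-Host 'EventLog set to Manual; reboot, then run Repair-EventLogFiles.'
}

# Phase 2, after the reboot: move the .evt files aside instead of deleting them,
# so the old entries can still be examined offline, then start the service.
# A successful start recreates the three files; then restore automatic startup.
function Repair-EventLogFiles {
    $backup = Join-Path $LogDir ('evt-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $backup | Out-Null
    Get-ChildItem -Path $LogDir -Filter '*.evt' | Move-Item -Destination $backup
    Start-Service -Name EventLog
    Set-Service -Name EventLog -StartupType Automatic
    Get-ChildItem -Path $LogDir -Filter '*.evt' | Select-Object Name, Length
}

# Retention fix: report each log's current value and set it to overwrite as needed,
# so a full log no longer makes the service choke on entries it is not allowed to drop.
function Set-EventLogOverwriteAsNeeded {
    foreach ($log in $Logs) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$log"
        $cur = (Get-ItemProperty -Path $key -Name Retention -ErrorAction SilentlyContinue).Retention
        if ($cur -ne 0) {
            Write-Host "$log : Retention was $cur, setting to 0 (overwrite as needed)"
            Set-ItemProperty -Path $key -Name Retention -Value 0 -Type DWord
        }
    }
}
```

Keep the moved Security log with the backup; if the slowdown turns out to have another cause, it is the only record of what happened before the repair.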

LaTeX formatting

I’m currently doing an MSc; this includes a project, and there are regulations about how to write up the final report. In particular:

“The project report must also contain listings of all source code. The source code listings must be contained in an appendix, and do not count towards the 40 page limit for the project report. The code listings must be presented in a compact format (printed double-sided, and with two pages to a side).”
“It is strongly recommended that the document typesetting system TEX or LATEX is used.”


Configuring a Palm Vx for WAP access

I have a Palm Vx, and a Nokia 6310i mobile phone on an Orange account. A while back, I set up my account for WAP access and GPRS, and I was then able to view WAP pages on the mobile phone. I then wanted to be able to view these pages on my Palm Vx, using an infra-red connection between the two, and this proved to be quite a challenge.

I am documenting the process here, for anyone else who wants to achieve the same thing. If you are using different equipment, then this may still be of some use to you, but it probably won’t work in exactly the same way. In particular, I haven’t used BlueTooth, but I’d imagine that the configuration is quite similar.


70-165: Microsoft Visual Basic 5.0 Programming

I recently decided to become a Microsoft Certified Professional (MCP), starting with the VB 5 exam. I passed it with a score of 898/1000, which I’m pleased about. I can tell you what I did to prepare for this exam, although I can’t guarantee that the same thing will work for you. I should mention that I’ve been using VB since August 1994 (I taught myself version 3 by reading the supplied manuals), so I wasn’t starting from scratch here. Essentially, I already knew how to use VB (it’s what I do for a living), so I just wanted to know how to pass the exam.
