Dell DRAC racadm

Dell DRAC Default Password and How To Change DRAC Password Using RACADM

The default username and password for Dell Remote Access Controllers (DRAC) are “root” and “calvin”, respectively. As with any default credential, it is recommended for security reasons to change one or both.

There are always cases where you either forget the password or never knew it to begin with, such as when purchasing used equipment on eBay or elsewhere.

Resetting the DRAC password can be done using the command line tool, racadm. RACADM can be downloaded from Dell by searching for “racadm download.” Once installed, racadm.exe will be located, by default, in C:\Program Files (x86)\Dell\SysMgt\rac5 (for DRAC 5 on 64-bit Windows) or C:\Program Files\Dell\SysMgt\rac5 (for DRAC 5 on 32-bit Windows). Navigate to the appropriate directory to run the following commands.


  • On Windows 2008, Windows 7 or Windows Vista (or higher) you will have to open a command prompt as administrator for sufficient permissions to run the command. If not, you will get the message “ERROR: Insufficient privilege level – You do not have the required privileges to run this application locally”.
  • In DRAC 4 the first index slot is “root” by default.
  • In DRAC 5 index 1 is “Administrator” and index 2 is “root”. This is essential to know to correctly reset the password.

Examples using racadm to reset DRAC password from the Windows command line:

  • DRAC 4: racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 1 <NewPassword>
  • DRAC 5: racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 2 <NewPassword>

You can also display the info using the racadm command:

  • DRAC 4: racadm getconfig -g cfgUserAdmin -i 1
  • DRAC 5: racadm getconfig -g cfgUserAdmin -i 2
See “Using the RACADM Command Line Interface” for more information.

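Because the slot that holds “root” differs between DRAC 4 (index 1) and DRAC 5 (index 2), a script should look the slot up instead of hard-coding it. The following is an added example, not code from the original post or from Dell: it parses the output of racadm getconfig for each slot, finds the one whose cfgUserAdminUserName is root, and assembles the racadm config command shown above for that slot. The getconfig text embedded below is constructed to mirror racadm's key=value layout rather than captured from a controller, and the 16-slot default for a live query is an assumption.

```python
"""Reset only the DRAC user slot that actually holds "root".

Added example, not from the original post or from Dell. Reads each slot
with ``racadm getconfig -g cfgUserAdmin -i N``, matches the
cfgUserAdminUserName property, and builds the matching ``racadm config``
command instead of assuming index 1 (DRAC 4) or index 2 (DRAC 5).
"""
import subprocess
from typing import Dict, List, Optional

# Constructed sample of what two getconfig calls might print on a DRAC 5:
# slot 1 is "Administrator", slot 2 is "root", as the post describes.
# Not captured from a real controller.
SAMPLE_GETCONFIG: Dict[int, str] = {
    1: (
        "# cfgUserAdminIndex=1\n"
        "cfgUserAdminUserName=Administrator\n"
        "# cfgUserAdminPassword=******** (Write-Only)\n"
        "cfgUserAdminEnable=1\n"
        "cfgUserAdminPrivilege=0x000001ff\n"
    ),
    2: (
        "# cfgUserAdminIndex=2\n"
        "cfgUserAdminUserName=root\n"
        "# cfgUserAdminPassword=******** (Write-Only)\n"
        "cfgUserAdminEnable=1\n"
        "cfgUserAdminPrivilege=0x000001ff\n"
    ),
}


def parse_getconfig(text: str) -> Dict[str, str]:
    """Turn racadm's key=value lines into a dict.

    racadm prefixes read-only or write-only properties with '#'; the
    marker is stripped so cfgUserAdminIndex can still be read back.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        key, sep, value = line.partition("=")
        if sep:  # skip blank lines and anything that is not key=value
            props[key.strip()] = value.strip()
    return props


def find_user_index(slots: Dict[int, str], username: str) -> Optional[int]:
    """Return the slot whose cfgUserAdminUserName matches, or None."""
    for index in sorted(slots):
        props = parse_getconfig(slots[index])
        if props.get("cfgUserAdminUserName", "").lower() == username.lower():
            return index
    return None


def build_reset_command(index: int, new_password: str,
                        racadm: str = "racadm") -> List[str]:
    """Argument vector for the reset command from the post, for one slot."""
    return [racadm, "config", "-g", "cfgUserAdmin",
            "-o", "cfgUserAdminPassword", "-i", str(index), new_password]


def read_slots(racadm: str = "racadm", max_index: int = 16) -> Dict[int, str]:
    """Query a live controller slot by slot (needs racadm on PATH and an
    elevated prompt, as the post explains). The 16-slot ceiling is an
    assumption; slots that return an error are skipped."""
    slots: Dict[int, str] = {}
    for index in range(1, max_index + 1):
        result = subprocess.run(
            [racadm, "getconfig", "-g", "cfgUserAdmin", "-i", str(index)],
            capture_output=True, text=True, check=False)
        if result.returncode == 0:
            slots[index] = result.stdout
    return slots


if __name__ == "__main__":
    # Dry run against the constructed sample: prints the command, does not run it.
    idx = find_user_index(SAMPLE_GETCONFIG, "root")
    if idx is None:
        raise SystemExit("no slot holds 'root'; inspect the slots manually")
    print(f"'root' is in slot {idx}; reset it with:")
    print(" ".join(build_reset_command(idx, "<NewPassword>")))
```

To use it against a real controller, replace SAMPLE_GETCONFIG with read_slots() and pass the resulting command list to subprocess.run.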
Audacity FREE Linux SourceForge Utility

Free Audio editor

Audacity is free, open source software for recording and editing sounds. It is available for Mac OS X, Microsoft Windows, GNU/Linux, and other operating systems.


How to grant the Send As permissions to a user account

To explicitly grant another account permission to send as a mailbox owner, open the Active Directory Users and Computers management console and follow these steps:

  1. On the View menu, make sure that the Advanced Features option is selected. If this option is not selected, the Security page will not be visible for User account objects.
  2. Open the properties of the user account that owns the mailbox.
  3. Click the Security tab.
  4. If the account is not already in the list of group or user names, add the account that should have the Send As permission for this user.
  5. In the Permissions box, select Allow for the “Send As” permission for the appropriate account.
  6. Click OK.
  7. Restart the Microsoft Exchange Information Store service on the affected Exchange server.

Command Line utilities Windows 7

Windows 7 Command Line Utilities and Commands

The following is a (hopefully) comprehensive list of command line commands and utilities for Windows 7, each with a short description.


The arp command is used to display or change entries in the ARP cache.


The assoc command is used to display or change the file type associated with a particular file extension.


The at command is used to schedule commands and other programs to run at a specific date and time.


The attrib command is used to change the attributes of a single file or a directory.


The auditpol command is used to display or change audit policies.


The bcdedit command is used to view or make changes to Boot Configuration Data.


The bitsadmin command is used to create, manage, and monitor download and upload jobs.


The bootcfg command is used to build, modify, or view the contents of the boot.ini file, a hidden file that is used to identify in what folder, on which partition, and on which hard drive Windows is located.


The break command sets or clears extended CTRL+C checking on DOS systems.


The cacls command is used to display or change access control lists of files.


The call command is used to run a script or batch program from within another script or batch program.


The certreq command is used to perform various certification authority (CA) certificate functions.


The certutil command is used to dump and display certification authority (CA) configuration information in addition to other CA functions.


The change command changes various terminal server settings like install modes, COM port mappings, and logons.


The chcp command displays or configures the active code page number.


The chdir command is used to display the drive letter and folder that you are currently in. Chdir can also be used to change the drive and/or directory that you want to work in.


The chglogon command enables, disables, or drains terminal server session logins.


The chgport command can be used to display or change COM port mappings for DOS compatibility.


The chgusr command is used to change the install mode for the terminal server.


The chkdsk command, often referred to as check disk, is used to identify and correct certain hard drive errors.


The chkntfs command is used to configure or display the checking of the disk drive during the Windows boot process.


The choice command is used within a script or batch program to provide a list of choices and return of the value of that choice to the program.


The cipher command shows or changes the encryption status of files and folders on NTFS partitions.


The clip command is used to redirect the output from any command to the clipboard in Windows.


The cls command clears the screen of all previously entered commands and other text.


The cmd command starts a new instance of the command interpreter.


The cmdkey command is used to show, create, and remove stored user names and passwords.


The cmstp command installs or uninstalls a Connection Manager service profile.


The color command is used to change the colors of the text and background within the Command Prompt window.


The comp command is used to compare the contents of two files or sets of files.


The compact command is used to show or change the compression state of files and directories on NTFS partitions.


The convert command is used to convert FAT or FAT32 formatted volumes to the NTFS format.


The copy command does simply that – it copies one or more files from one location to another.


The date command is used to show or change the current date.


The debug command starts Debug, a command line application used to test and edit programs.


The defrag command is used to defragment a drive you specify. The defrag command is the command line version of Microsoft’s Disk Defragmenter.


The del command is used to delete one or more files. The del command is the same as the erase command.


The dir command is used to display a list of files and folders contained inside the folder that you are currently working in. The dir command also displays other important information like the hard drive’s serial number, the total number of files listed, their combined size, the total amount of free space left on the drive, and more.


The diskcomp command is used to compare the contents of two floppy disks.


The diskcopy command is used to copy the entire contents of one floppy disk to another.


The diskpart command is used to create, manage, and delete hard drive partitions.


The diskraid command starts the DiskRAID tool which is used to manage and configure RAID arrays.


The dism command starts the Deployment Image Servicing and Management tool (DISM). The DISM tool is used to manage features in Windows images.


The dispdiag command is used to output a log of information about the display system.


The doskey command is used to edit command lines, create macros, and recall previously entered commands.


The driverquery command is used to show a list of all installed drivers.


The echo command is used to show messages, most commonly from within script or batch files. The echo command can also be used to turn the echoing feature on or off.


The edit command starts the MS-DOS Editor tool which is used to create and modify text files.


The edlin command starts the Edlin tool which is used to create and modify text files from the command line.


The endlocal command is used to end the localization of environment changes inside a batch or script file.


The erase command is used to delete one or more files. The erase command is the same as the del command.


The eventcreate command is used to create a custom event in an event log.


The exe2bin command is used to convert a file of the EXE file type (executable file) to a binary file.


The exit command is used to end the Command Prompt session that you’re currently working in.


The expand command is used to extract a single file or a group of files from a compressed file.


The fastopen command is used to add a program’s hard drive location to a special list stored in memory, potentially improving the program’s launch time by removing the need for MS-DOS to locate the application on the drive.


The fc command is used to compare two individual or sets of files and then show the differences between them.


The find command is used to search for a specified text string in one or more files.


The findstr command is used to find text string patterns in one or more files.


The finger command is used to return information about one or more users on a remote computer that’s running the Finger service.


The for command is used to run a specified command for each file in a set of files. The for command is most often used within a batch or script file.


The forfiles command selects one or more files to execute a specified command on. The forfiles command is most often used within a batch or script file.


The format command is used to format a drive in the file system that you specify.


The fsutil command is used to perform various FAT and NTFS file system tasks like managing reparse points and sparse files, dismounting a volume, and extending a volume.


The ftp command can be used to transfer files to and from another computer. The remote computer must be operating as an FTP server.


The ftype command is used to define a default program to open a specified file type.


The getmac command is used to display the media access control (MAC) address of all the network controllers on a system.


The goto command is used in a batch or script file to direct the command process to a labeled line in the script.


The gpresult command is used to display Group Policy settings.


The gpupdate command is used to update Group Policy settings.


The graftabl command is used to enable the ability of Windows to display an extended character set in graphics mode.


The graphics command is used to load a program that can print graphics.


The help command provides more detailed information on any of the other Command Prompt commands.


The hostname command displays the name of the current host.


The icacls command is used to display or change access control lists of files. The icacls command is an updated version of the cacls command.


The if command is used to perform conditional functions in a batch file.


The ipconfig command is used to display detailed IP information for each network adapter utilizing TCP/IP. The ipconfig command can also be used to release and renew IP addresses on systems configured to receive them via a DHCP server.


The irftp command is used to transmit files over an infrared link.


The iscsicli command starts the Microsoft iSCSI Initiator, used to manage iSCSI.


The label command is used to manage the volume label of a disk.


The loadfix command is used to load the specified program into the first 64K of memory and then run it.


The lodctr command is used to update registry values related to performance counters.


The logman command is used to create and manage Event Trace Session and Performance logs. The logman command also supports many functions of Performance Monitor.


The logoff command is used to terminate a session.


The mem command shows information about used and free memory areas and programs that are currently loaded into memory in the MS-DOS subsystem.

mkdir (md)

The mkdir command is used to create a new folder.


The mklink command is used to create a symbolic link.


The mmc command can be used to open Microsoft Management Console in author mode or to a specific snap-in console, all from the Command Prompt.


The mode command is used to configure system devices, most often COM and LPT ports.


The more command is used to display the information contained in a text file. The more command can also be used to paginate the results of any other Command Prompt command.


The mountvol command is used to display, create, or remove volume mount points.


The move command is used to move one or more files from one folder to another. The move command is also used to rename directories.


The msg command is used to send a message to a user.


The msiexec command is used to start Windows Installer, a tool used to install and configure software.


The mstsc command starts the Remote Desktop Connection tool from the Command Prompt.


The muiunattend command starts the Multilanguage User Interface unattended setup process.


The nbtstat command is used to show TCP/IP information and other statistical information about a remote computer.


The net command is used to display, configure, and correct a wide variety of network settings.


The netcfg command is used to install the Windows Preinstallation Environment (WinPE), a lightweight version of Windows used to deploy workstations.


The netstat command is most commonly used to display all open network connections and listening ports.


The nlsfunc command is used to load information specific to a particular country or region.


The nltest command is used to test secure channels between Windows computers in a domain and between domain controllers that are trusting other domains.


The nslookup command is most commonly used to display the hostname of an entered IP address. The nslookup command queries your configured DNS server to discover the IP address.


The ocsetup command starts the Windows Optional Component Setup tool, used to install additional Windows features.


The openfiles command is used to display and disconnect open files and folders on a system.


The path command is used to display or set a specific path available to executable files.


The pathping command functions much like the tracert command but will also report information about network latency and loss at each hop.


The pause command is used within a batch or script file to pause the processing of the file. When the pause command is used, a Press any key to continue… message displays in the command window.


The ping command sends an Internet Control Message Protocol (ICMP) Echo Request message to a specified remote computer to verify IP-level connectivity.


The pkgmgr command is used to start the Windows Package Manager from the Command Prompt. Package Manager installs, uninstalls, configures, and updates features and packages for Windows.


The pnpunattend command is used to automate the installation of hardware device drivers.


The pnputil command is used to start the Microsoft PnP Utility, a tool used to install a Plug and Play device from the command line.


The popd command is used to change the current directory to the one most recently stored by the pushd command. The popd command is most often utilized from within a batch or script file.


The print command is used to print a specified text file to a specified printing device.


The prompt command is used to customize the appearance of the prompt text in Command Prompt.


The psr command starts Problem Steps Recorder, a screen capture and logging program for use in troubleshooting problems.


The pushd command is used to store a directory for use, most commonly from within a batch or script program.


The qappsrv command is used to display all Remote Desktop Session Host servers available on the network.


The qprocess command is used to display information about running processes.


The query command is used to display the status of a specified service.


The quser command is used to display information about users currently logged on to the system.


The qwinsta command is used to display information about open Remote Desktop Sessions.


The rasdial command is used to start or end a network connection for a Microsoft client.


The recover command is used to recover readable data from a bad or defective disk.


The reg command is used to manage the Windows Registry from the command line. The reg command can perform common registry functions like adding registry keys, exporting the registry, etc.


The regsvr32 command is used to register a DLL file as a command component in the Windows Registry.


The relog command is used to create new performance logs from data in existing performance logs.


The rem command is used to record comments or remarks in a batch or script file.

rename (ren)

The rename command is used to change the name of the individual file that you specify.


The replace command is used to replace one or more files with one or more other files.

reset session (rwinsta)

The reset session command is used to reset the session subsystem software and hardware to known initial values.

rmdir (rd)

The rmdir command is used to delete an existing and completely empty folder.


The robocopy command is used to copy files and directories from one location to another. The robocopy command is superior to the more simple copy command because robocopy supports many more options. This command is also called Robust File Copy.


The route command is used to manipulate network routing tables.


The rpcping command is used to ping a server using RPC.


The runas command is used to execute a program using another user’s credentials.


The sc command is used to configure information about services. The sc command communicates with the Service Control Manager.


The schtasks command is used to schedule specified programs or commands to run at certain times. The schtasks command can be used to create, delete, query, change, run, and end scheduled tasks.


The secedit command is used to configure and analyze system security by comparing the current security configuration to a template.


The set command is used to enable or disable certain options in Command Prompt.


The setlocal command is used to start the localization of environment changes inside a batch or script file.


The setver command is used to set the MS-DOS version number that MS-DOS reports to a program.


The setx command is used to create or change environment variables in the user environment or the system environment.


The sfc command is used to verify and replace important Windows system files. The sfc command is also referred to as System File Checker and Windows Resource Checker.


The shadow command is used to monitor another Remote Desktop Services session.


The share command is used to install file locking and file sharing functions in MS-DOS.


The shift command is used to change the position of replaceable parameters in a batch or script file.


The shutdown command can be used to shut down, restart, or log off the current system or a remote computer.


The sort command is used to read data from a specified input, sort that data, and return the results of that sort to the Command Prompt screen, a file, or another output device.


The start command is used to open a new command line window to run a specified program or command. The start command can also be used to start an application without creating a new window.


The subst command is used to associate a local path with a drive letter. The subst command is a lot like the net use command except a local path is used instead of a shared network path.


The sxstrace command is used to start the WinSxs Tracing Utility, a programming diagnostic tool.


The systeminfo command is used to display basic Windows configuration information for the local or a remote computer.


The takeown command is used to regain access to a file that an administrator was denied access to, by reassigning ownership of the file.


The taskkill command is used to terminate a running task. The taskkill command is the command line equivalent of ending a process in Task Manager in Windows.


The tasklist command displays a list of applications, services, and the Process ID (PID) currently running on either a local or a remote computer.


The tcmsetup command is used to setup or disable the Telephony Application Programming Interface (TAPI) client.


The time command is used to show or change the current time.


The timeout command is typically used in a batch or script file to provide a specified timeout value during a procedure. The timeout command can also be used to ignore keypresses.


The title command is used to set the Command Prompt window title.


The tracerpt command is used to process event trace logs or real-time data from instrumented event trace providers.


The tracert command sends Internet Control Message Protocol (ICMP) Echo Request messages to a specified remote computer with increasing Time to Live (TTL) field values and displays the IP address and hostname, if available, of the router interfaces between the source and destination.


The tree command is used to graphically display the folder structure of a specified drive or path.


The tsdiscon command is used to disconnect a Remote Desktop session.


The tskill command is used to end the specified process.


The type command is used to display the information contained in a text file.


The typeperf command displays performance data in the Command Prompt window or writes the data to a specified log file.


The tzutil command is used to display or configure the current system’s time zone. The tzutil command can also be used to enable or disable automatic Daylight Saving Time adjustments.


The unlodctr command removes Explain text and Performance counter names for a service or device driver from the Windows Registry.


The ver command is used to display the current Windows version.


The verify command is used to enable or disable the ability of Command Prompt to verify that files are written correctly to a disk.


The vol command shows the volume label and serial number of a specified disk, assuming this information exists.


The vssadmin command starts the Volume Shadow Copy Service administrative command line tool which displays current volume shadow copy backups and all installed shadow copy writers and providers.


The w32tm command is used to diagnose issues with Windows Time.


The waitfor command is used to send or wait for a signal on a system.


The wbadmin command is used to start and stop backup jobs, display details about a previous backup, list the items within a backup, and report on the status of a currently running backup.


The wevtutil command starts the Windows Events Command Line Utility which is used to manage event logs and publishers.


The where command is used to search for files that match a specified pattern.


The whoami command is used to retrieve user name and group information on a network.


The winrm command is used to start the command line version of Windows Remote Management, used to manage secure communications with local and remote computers using web services.


The winrs command is used to open a secure command window with a remote host.


The winsat command starts the Windows System Assessment Tool, a program that assesses various features, attributes, and capabilities of a computer running Windows.


The wmic command starts the Windows Management Instrumentation Command line (WMIC), a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed via WMI.


The xcopy command can copy one or more files or directory trees from one location to another.

Apple Linux SSL

What is FLV

FLV is a “Flash Live Video” file. It is a format designed for web playback, offering high rates of compression. Several products output in FLV format, including Sorenson Squeeze. (The term “movie” often refers to common Flash source files (.FLA) and deployed files (.SWF) and is not synonymous with “video”.)

The Flash Player browser plugin can play an FLV, but that FLV must be either embedded in or linked to a SWF. That is, you can’t just put the actual FLV on an HTML page. You can, however, reference the FLV file using ActionScript and a SWF.

Flash Media Server and RTMP Streaming — It has been around for about 9 years now. In this system, a Flash application communicates through the RTMP server. Usually these applications enable person-to-person communication (one-to-many, or many-to-many). Flash may also be used for machine-to-human communication, such as real-time data transmission and notification.
Even though the browser can play the file while connected to the server, there is no operating system player for the Flash FLV file format, so the file cannot be played locally. The connection to the MX server, however, lets the user play the movie directly in their chosen browser. Flash MX Media Server can also administer time spent and pending usage as previously purchased by the user.

Highlights of the Flash MX Server include the ability to give your end users the best possible experience via a seamlessly integrated client that lets you brand your broadcast the way you want to; any device containing the Flash Player can deliver movies when connected to the MX Communications Server or Media Server.
Real Time Collaboration is a powerful programming model that will allow many multiple connected users to share data and user interfaces in real time, coupled with client and server data storage capabilities. Support for off-line usage in addition to on-line usage allows the creation of robust applications that can be used offline, and then synchronized automatically when the user goes back online.

The Flash Communication Server has functions for server-side scripts that may disconnect users, authenticate, and control. Applications can be developed for moderators or administrators to perform custom maintenance and monitoring.

The Macromedia Flash Communication Server works with multiple network adapters on the server machine. This allows the server to be built for maximum network throughput. In addition, “virtual hosts” may be configured on each adapter. Virtual hosts can be used to isolate different server users, allowing each server user to add applications freely while keeping their programs separate from others.

A Fantastic File Format
The file format used in this process is Flash FLV or Flash Live Video, and it plays in a Flash Player. While traditional methods of media delivery include some kind of download to the user’s computer, either in a pre-loader or through temporary Internet files, Flash MX Communications Server and a Flash FLV Player connect in a completely different manner. Simply put, it’s a new connection to the file each time the user uses the controls in the player. This means that in the background it’s a “start here” → “stop here” → “start again here” style of play, with no downloads or caching.

The Top Ten Reasons to Stream Video Using Flash

  1. FLV format file sizes after conversion are up to 60% smaller, saving server storage costs.
  2. FLV’s start – stop connection style saves on bandwidth (which is as much as 60% less per month).
  3. FLV format has no local player in operating systems, so file sharing is virtually nullified.
  4. FLV format plays directly in more browsers than Windows Media, Real Player or QuickTime.
  5. FLV server can authenticate clients, and control users as you wish.
  6. FLV players can be completely customized for logos, branding and embedded links.
  7. FLV players can play files from a programmable database, and simple administration area.
  8. FLV players can be programmed to integrate with databases for free previews, time, users.
  9. FLV encoding can include user information for content tracking, misuse, or DRM.
  10. Flash Communications servers are easier to maintain than others, and less prone to security hacks.


  • Bandwidth: The total amount of data a network connection is capable of sending through its system per second. This determines the length of time it will take to transmit data.

Example: a file that takes 10 minutes to transmit across a modem with a speed of 28,800 bits per second (bps) might take only one minute to transmit over a DSL line because the DSL line has a larger bandwidth capability, which can pass more bits through per second.

  • Buffering: Media players assimilate the incoming data and present it to the viewer, as audio and/or video. During network congestion, this data is not sufficient for the media player to continue playback and therefore, the player must pause to receive more data before resuming playback. This process is called “rebuffering”. To help avoid “rebuffering,” the media players buffer a certain amount of data on reserve in the beginning before playing the clip. Flash Communication (Media 2) Server eliminates this “buffer” time.
  • Caching / Cache: Data that is frequently accessed is often stored in the computer’s memory so that it may be re-accessed at a quicker rate than if this data was stored on the computer’s hard disk drive. The process of storing this data is called caching. The type of memory that stores this data is called the cache.
  • Digital Rights Management: Refers to qualifying the end-user prior to allowing the end-user to view or listen to the media file. It is a term usually referring to the software that enables Internet ‘Pay-Per-View’.
  • Digitizing and Encoding: Digitizing refers to the process of capturing original media (film, video, sound recordings, etc.) into a digital format onto your computer. Encoding refers to the process of converting this digitized file into a streaming format.
  • ISP: Internet Service Provider. Companies that offer access to the Internet to subscribers.
  • Latency: This is the delay of transmission of data. Refers to the time it takes for a router, upon receiving the data, to determine which router to forward the data to next.
  • Load-Balanced: A single computer is only able to transmit a fixed amount of data. If the server receives too many requests for data at the same time, a bottleneck forms, causing a delay in transmission of data. Load balancing refers to the process of grouping multiple servers together to act as one single system. This minimizes the risk of this type of delay.
  • MP3: Digital format specifically designed for music.
  • Network Congestion: Situation that occurs when the amount of data being transmitted exceeds the capacity of the network. This results in data transmission delays and possibly lost data. If a router becomes overloaded, it will discard data as a last resort to manage the volume of data transmission.
  • Peering: An agreement between Internet backbone carriers to exchange equal amounts of data at specified points along the Internet. Peering agreements enable competing companies to utilize cable laid by one another, thus reducing costs and duplication of cable routes. As the data is exchanged freely between the carriers, there is no economic incentive for one carrier to manage the incoming data of another carrier. Should one carrier submit data in excess of the “peering” agreement, the other carrier will usually discard the excess data. Peering connections on the Internet have often been associated with bottlenecks of Internet data transmission.
  • QuickTime: Digital media software created by Apple Computers.
  • RealPlayer: Streaming media software created by RealNetworks for the Internet.
  • Redundancy: Systematic approach to eliminating single points-of-failure in a network or data storage system.
  • Router: A Router is a hardware device used throughout a network that receives incoming data and determines the route for that data to travel in order to reach its intended destination. A router is a switch with built-in capabilities that enhance its functions and performance.
  • Scalability: The ability to expand capacity of an existing data storage system or network without requiring replacement.
  • Streaming Media: Like television and radio for the computer, streaming media technology converts other mediums (audio and video) to digital formats that can be played back instantly by computers. It is comparable to the process that enables one to turn on a TV set and instantly see a program, or turn on a radio and instantly receive sound. The general term Streaming Media incorporates all the formats created specifically for transmitting audio, video and multimedia over the Internet.
  • Webcast: media file distributed over the Internet using streaming media technology. A webcast may either be distributed live or on demand.
  • Windows Media: Streaming media software created by Microsoft. We do not offer Windows server space at the current time.
  • Macromedia Flash Websites: Video support in Macromedia Flash has continued to evolve since its introduction in Flash MX and Flash Player 6. Flash Player 7 greatly improves video quality, supports higher frame rates, and provides additional opportunities for loading dynamic media at runtime.

At the core of Flash video is the Flash for Video (FLV) file format. FLV files contain encoded audio and video data that is highly optimized (through the use of Sorenson’s Spark codec) for delivery through the Flash Player. This keeps the Flash Player footprint as small as possible by using a single video rendering format.

Edited video content is encoded into the FLV format as it is imported into the Flash authoring environment (or encoded into FLV format from third party applications via the Flash Video Exporter plugin). Once imported into the Flash authoring environment, FLV files can be converted to movie clips and can benefit from all of the programmatic manipulations ActionScript has to offer, or exported back out as standalone FLV files that can be invoked and streamed by the Flash player.

On the delivery side, developers can choose from a variety of options for embedding video into Flash movies or options for streaming external video files at runtime, or options for exporting Flash video to other formats. Developers need to carefully consider the types of video content, bandwidth, length, and the level of user interaction needed before choosing a suitable delivery mechanism.

Video capabilities in Flash MX

With the introduction of the Flash MX platform, support for video has improved with the addition of many new capabilities to the authoring and runtime environment, giving developers more options for delivering embedded video and progressive and streaming files. In short, developers have many new choices to tailor the delivery method to best match the nature of differing video content and ultimately to deliver the best possible user experience.

  • Video Import Wizard
    The wizard adds many new choices for encoding imported audio and video as well as providing basic clip scaling, cropping functions and contrast and brightness controls.
  • Media Components
    A set of authoring components that enable connections to external video files and connections to Macromedia’s Flash Communication Server (available separately), and a new set of Behavior actions that work with Slides to accelerate and simplify the creation of advanced interactive video presentations.
  • Flash Video Exporter
    A new plug-in for use with third party applications that enables users to export Flash encoded audio and video directly from a third party authoring environment.

Flash Websites

There are several alternative approaches to using video with a Macromedia Flash-based website. The overriding factor in choosing the optimum method for delivery is performance, which developers can best address by matching the appropriate delivery mechanism with the actual content. For example, approaches that work for short video clips embedded into a Flash movie will not work with large video files that require external streaming. Likewise it is not efficient to architect, code, deploy, and maintain an elaborate client-server delivery mechanism when presenting short, highly-compressed and optimized clips.

Embedded SWF

Embedded SWF video is a straightforward method of delivering short video clips and has been around since Flash Player 6. It is an easy to use, timeline based technique and gives quick results. Video clips can be imported and encoded into the Flash authoring environment. Playback is limited to simple play and stop commands, and the video framerate must match that of the host movie, an important consideration that will require authoring for the lowest-common-denominator download speed.

For web delivery, content must be completely downloaded and must fit into available memory on the user’s machine before playback can begin. The biggest limitations to embedded video are movies having a maximum of 16,000 frames and audio sync cannot be maintained beyond about two minutes. The entire video clip must be published each time the movie is tested or previewed, which can lead to lengthy authoring sessions.

Progressive FLV

Flash Player 7 introduced progressive download, a technique where external FLV files are cached on the user’s local hard drive and played through the host SWF at runtime with no limitation to the file’s size or duration. Audio and video stays in sync and the frame rate is completely independent from that of the movie host, enabling developers to create several versions of content optimized for different download speeds. Since an external FLV is published separately from the host FLA, authoring time is more efficient. For lengthy audio/video content that requires fairly straightforward delivery, external progressive FLVs can be a good choice.
The Flash MX Professional 2004 authoring environment contains Media Components that can be used to quickly add FLV or audio MP3 playback control to a Flash project. Media Components provide support for both progressive and streaming FLV files.

Streaming FLV

Streaming FLV files have many of the same properties of Progressive FLV files but are remotely served from Macromedia’s Flash Communication Server (available as a separate product). This approach provides the most efficient delivery of FLV and audio MP3 files by streaming data to the host SWF file and requires the least hard disk and memory resources on the client end. Since data is not cached locally on a user’s hard disk, this technique also provides the most secure method of delivering media.

Macromedia’s Flash Communication (Media 2) Server has the ability to deliver multiple simultaneous real-time communications, provides smarter delivery of content by adjusting to the client’s connection speed, and has advanced monitoring of traffic and throughput. For media projects that require the greatest flexibility in efficiently handling the most complex data streams, this is the best choice for delivery.

Exported FLV & QuickTime Flash Tracks

Flash can export movies to other formats such as Apple’s QuickTime or Microsoft AVI. Flash can also export image sequences to a variety of formats, such as GIF, PNG, JPG, AI and EPS.

Note: AVI export is only available in Flash for Windows.

QuickTime video can be imported into Flash where Flash tracks can be added and exported back out as QuickTime and played with the QuickTime player or plugin. This provides much of the Flash feature set, especially navigational overlays and sprites, directly into a separate track within a QuickTime movie. Another use is to use Flash to “translate” graphics formats not supported by QuickTime into QuickTime movies.

Note: QuickTime support for Flash is usually based on the next-to-latest version of Flash. The current version of the QuickTime Player supports playback of Flash Player 5 SWF files. This is because Apple’s development of QuickTime is not synchronous with Macromedia’s latest Flash Player development. Also, it is up to the software developer to decide how much of the Flash player feature set to include in its own players, so it is likely that not all of the Flash player functionality will be present in all software titles. This can limit the scope of ActionScript that can be carried out on these titles. For details see Apple’s Developer Center article on QuickTime 6 support for Flash.

The Flash Media Handler inside the QuickTime player supports an optimized case for the alpha channel graphics mode, allowing a Flash track to be cleanly composited over other tracks. QuickTime allows the SWF file format to execute any of the standard Flash movieclip actions.


Passwords Are Like Underwear. . .

. . . you shouldn’t leave them out where people can see them.  You should change them regularly.  And you shouldn’t loan them out to strangers.


Install Backtrack 3 in OSX Parallels

Create a new virtual machine

Select an operating system installation mode: Typical > Next
OS Type: Linux
OS Version: Other Linux kernel 2.6 > Next
Specify a name for the virtual machine: BackTrack 3 > Next
Optimize for better performance of: Virtual machine > Next
More Options > ISO image > Choose > bt3-final.iso > Open > Finish
Machine will start to boot.
BT3 Graphics mode (VESA KDE) > enter

Create partitions

bt ~ # fdisk /dev/hda

Command (m for help): n [enter]
Command action
e extended
p primary partition (1-4)
p [enter]
Partition number (1-4): 1 [enter]
First cylinder (1-4079, default 1): [enter]
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-4079, default 4079): +50M [enter]

Command (m for help): n [enter]
Command action
e extended
p primary partition (1-4)
p [enter]
Partition number (1-4): 2 [enter]
First cylinder (8-4079, default 8): [enter]
Using default value 8
Last cylinder or +size or +sizeM or +sizeK (8-4079, default 4079): +256M [enter]

Command (m for help): n [enter]
Command action
e extended
p primary partition (1-4)
p [enter]
Partition number (1-4): 3 [enter]
First cylinder (40-4079, default 40): [enter]
Using default value 40
Last cylinder or +size or +sizeM or +sizeK (40-4079, default 4079): [enter]
Using default value 4079

Command (m for help): a [enter]
Partition number (1-4): 1 [enter]
Command (m for help): t [enter]
Partition number (1-4): 2 [enter]
Hex code (type L to list codes): 82 [enter]
Changed system type of partition 2 to 82 (Linux swap)

Command (m for help): p [enter]
Disk /dev/hda: 33.5 GB, 33554497536 bytes
255 heads, 63 sectors/track, 4079 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 7 56196 83 Linux
/dev/hda2 8 39 257040 82 Linux swap
/dev/hda3 40 4079 32451300 83 Linux

Command (m for help): w [enter]
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

Format partitions

bt ~ # mkfs.ext3 /dev/hda1
bt ~ # mkfs.ext3 /dev/hda3
bt ~ # mkswap /dev/hda2
bt ~ # swapon /dev/hda2

Copy files

bt ~ # mkdir /mnt/backtrack
bt ~ # mount /dev/hda3 /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/boot/
bt ~ # mount /dev/hda1 /mnt/backtrack/boot/
bt ~ # cp --preserve -R /{bin,dev,home,pentest,root,usr,etc,lib,opt,sbin,var} /mnt/backtrack/
bt ~ # mkdir /mnt/backtrack/{mnt,proc,sys,tmp}
bt ~ # mount --bind /dev/ /mnt/backtrack/dev/
bt ~ # mount -t proc proc /mnt/backtrack/proc/
bt ~ # cp /boot/vmlinuz /mnt/backtrack/boot/


bt ~ # chroot /mnt/backtrack/ /bin/bash
bt ~ # nano /etc/lilo.conf
boot = /dev/hda
timeout = 60
vga = 791
image = /boot/vmlinuz
root = /dev/hda3
label = BackTrack
Press ctrl+x to exit.
Press y to save.
Press Enter to overwrite the file.
bt ~ # lilo -v
bt / # exit


K menu > Log Out > Turn Off Computer
When you see "Please reboot your computer with Ctrl+Alt+Delete" > Stop > Yes
Edit > Virtual Machine
CD/DVD-ROM > Emulation: Use CD/DVD-ROM

That’s it.  Enjoy.


Forensic Log Parsing with Microsoft’s LogParser

Investigating a web-based intrusion can be a daunting task, especially when you have no information other than knowing it was web-based. It is easy to waste precious time digging through megabytes, perhaps even gigabytes, of log files trying to locate suspicious activity. Often this search turns up little useful evidence.

Consider this scenario: an e-commerce site receives several reports from customers about unauthorized orders on their accounts. They suspect that someone has compromised their web-based ordering system so they gather the log files from several different IIS web servers. They have the dates and times of the orders, but the corresponding IP addresses in the log files turn out to be anonymous proxies used by the suspect. Searching for activity from those IP addresses in the log files turns up nothing. Browsing through the raw log files for those dates also turns up nothing. Somehow, someone found a flaw in the ordering system but he or she could have discovered the flaw months before exploiting it. Tracking down the flaw and IP addresses used by the suspect seems impossible. But there are techniques that can facilitate log file forensics. The purpose of this article is to demonstrate log file forensics of IIS logs using SQL queries with Microsoft’s LogParser tool.

IIS Log Fields
The first step is to prepare for security incidents by logging as much information as possible. IIS can log a significant amount of information about each web request, but many of the available log fields are not enabled by default. To enable full logging, open the Internet Services Manager and edit the Extended Logging Properties to include all available log fields. Much of this information has some forensics value as shown in Table 1.

Table 1: IIS Log Fields
Field Name Description Uses
Date (date) The date of the request. Event correlation.
Time (time) The UTC time of the request. Event correlation, determine time zone, identify scanning scripts.
Client IP Address (c-ip) The IP address of the client or proxy that sent the request. Identify user or proxy server.
User Name (cs-username) The user name used to authenticate to the resource. Identify compromised user passwords.
Service Name (s-sitename) The W3SVC instance number of the site accessed. Can verify the site accessed if the log files are later moved from the system.
Server Name (s-computername) The Windows host name assigned to the system that generated the log entry. Can verify the server accessed if the log files are later moved from the system.
Server IP Address (s-ip) The IP address that received the request. Can verify the IP address accessed if the log files are later moved from the system or if the server is moved to a new location.
Server Port (s-port) The TCP port that received the request. To verify the port when correlating with other types of log files.
Method (cs-method) The HTTP method used by the client. Can help track down abuse of scripts or executables.
URI Stem (cs-uri-stem) The resource accessed on the server. Can identify attack vectors.
URI Query (cs-uri-query) The contents of the query string portion of the URI. Can identify injection of malicious data.
Protocol Status (sc-status) The result code sent to the client. Can identify CGI scans, SQL injection and other intrusions.
Win32 Status (sc-win32-status) The Win32 error code produced by the request. Can help identify script abuse.
Bytes Sent (sc-bytes) The number of bytes sent to the client. Can help identify unusual traffic from a single script.
Bytes Received (cs-bytes) The number of bytes received from the client. Can help identify unusual traffic to a single script.
Time Taken (time-taken) The amount of server time, in milliseconds, taken to process the request. Can identify unusual activity from a single script.
Protocol Version (cs-version) The HTTP protocol version supplied by the client. Can help identify older scripts or browsers.
Host (cs-host) The contents of the HTTP Host header sent by the client. Can determine if the user browsed to the site by IP address or host name.
User Agent (cs(User-Agent)) The contents of the HTTP User-Agent header sent by the client. Can help uniquely identify users or attack scripts.
Cookie (cs(Cookie)) The contents of the HTTP Cookie header sent by the client. Can help uniquely identify users.
Referer (cs(Referer)) The contents of the HTTP Referer header sent by the client. Can help identify the source of an attack or see if an attacker is using search engines to find vulnerable sites.
While I normally recommend logging all fields, the actual fields you choose to log should be based on a balance between forensics capabilities and disk space.

Custom Logging
IIS does provide many log fields, but there may be other fields you wish to record. For example, if the request comes from a proxy server, you may want to see if the proxy server sends the client’s real IP address through other HTTP headers. For example, some proxy servers add the “X-Forwarded-For” header containing the client’s real IP address.
IIS has a limited capability to log custom fields through the Response.AppendToLog method. The limitation, however, is that a new field is not created in the log files, but this data is appended to the URI Query field. To distinguish the two values, you can separate them with a character such as the pipe (“|”). Below is example ASP code to log additional proxy headers:

Note that other common proxy headers are Forwarded, Client_IP, Remote_Addr, Remote_Host, Forwarded, VIA, HTTP_From, Remote_Host_Wp, Xonnection, Xroxy_Connection, and X_Locking.
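The ASP snippet the article refers to did not survive on this page, but the log-side effect it describes can still be worked through: whatever Response.AppendToLog writes ends up in cs-uri-query after a pipe, alongside the “|line|code|description” triples IIS itself appends for ASP errors. The parser below, an added example rather than the article’s code, reads W3C Extended log lines by their #Fields directive and splits those appended fields back out. The sample log is constructed, and the “xff=<ip>” token is an assumed convention for a logged X-Forwarded-For value, not something IIS or the article defines.

```python
"""Parse IIS W3C Extended log lines and split fields appended via
Response.AppendToLog out of cs-uri-query.

Added example, not code from the original article.  The sample log at the
bottom is constructed, and the "xff=<ip>" token after the pipe is an assumed
convention for a proxy header logged by a custom ASP page."""


def parse_w3c_log(text):
    """Return one dict per request line, keyed by the names in #Fields.

    IIS writes '-' for an empty field and '+' for spaces inside a value
    (the User-Agent is the usual case); both are normalised here."""
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
        row = {}
        for name, value in zip(fields, values):
            if value == "-":
                row[name] = None
            elif name == "cs(User-Agent)":
                row[name] = value.replace("+", " ")
            else:
                row[name] = value
        rows.append(row)
    return rows


def split_appended_query(query):
    """Separate the real query string from data appended with
    Response.AppendToLog, which IIS glues onto cs-uri-query after a '|'.

    Returns (query, [appended tokens]).  IIS uses the same mechanism for ASP
    error details such as '|55|8000ffff|Catastrophic_failure__', so those
    come back as the token list with an empty (None) query."""
    if query is None:
        return None, []
    real, sep, rest = query.partition("|")
    if not sep:
        return real, []
    return (real or None), rest.split("|")


def forwarded_for(row):
    """Pull the 'xff=<ip>' token (assumed convention, see module docstring)
    out of the appended fields of a row, or None when absent."""
    _, extra = split_appended_query(row.get("cs-uri-query"))
    for token in extra:
        if token.startswith("xff="):
            return token[len("xff="):]
    return None


# Constructed sample: a proxied request carrying an appended header, a plain
# request with no query, and an ASP error entry written by IIS itself.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2007-06-22 21:58:01
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2007-06-22 22:00:01 198.51.100.7 - GET /Products.asp id=42|xff=192.0.2.10 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-06-22 22:00:05 198.51.100.7 - GET /main.css - 200 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-06-22 22:01:17 198.51.100.7 - GET /Products.asp |55|8000ffff|Catastrophic_failure__ 500 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

if __name__ == "__main__":
    for row in parse_w3c_log(SAMPLE_LOG):
        query, extra = split_appended_query(row["cs-uri-query"])
        print(row["cs-uri-stem"], row["sc-status"], query, extra, forwarded_for(row))
```

Splitting on the first pipe only is deliberate: the real query string may itself contain a pipe, so anything after the first one is treated as appended data and the query part is kept verbatim.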

Microsoft’s LogParser Tool
Digging through logs requires that you have some common interface to perform queries across hundreds of individual log files. One method is to dump all the logs into an SQL database. Another solution is Microsoft’s LogParser tool. This robust tool provides an SQL interface to a variety of log file formats and is fast enough for log file analysis of most web sites. I won’t go into detail here about how to use LogParser, but the document included with the package is very helpful to get started. Because LogParser is a command-line tool, I have found it useful either to copy the file to the C:\Windows directory or to add the LogParser directory to your PATH variable.

You can download Microsoft’s LogParser 2.0 here, but the IIS 6 Resource Kit includes LogParser 2.1, which has some new features. Although LogParser 2.1 runs fine on a Win2k system, you cannot install the IIS 6 resource kit on Win2k. However, you can manually extract the resource kit files using the command: iis60rkt.exe /V/a.
It is important to note that when doing any log file processing, be sure to work on copies of the logs to help preserve the integrity of the original files (see Maintaining Credible Logfiles). I also find it helpful to only copy those logs for the time period I want to analyze to reduce the size of the query results.

This article will demonstrate many of the forensic capabilities of LogParser. Keep in mind that I wrote each of these example queries for a typical configuration, therefore you may need to adjust them for your particular site. Not all queries listed here will be effective for you, depending on your site configuration and traffic level.

Finding the Intrusion
If you do not know anything about the intruder or the nature of the intrusion, you must first do some high-level queries to know where to start your hunt. Most attacks leave some kind of trail or have some side-effect on your server. The trick is finding them.

Trojan Files
Before we dig in to the actual log files, it may be useful to do a quick check of the newest files on the web site. If the intruder was able to create or modify files within the web content directories, he or she may have uploaded Trojan ASP scripts or executables. You might just get lucky and find these files. The following query lists the 20 newest files on the web site:

C:\>logparser -i:FS "SELECT TOP 20 Path, CreationTime from c:\inetpub\wwwroot\*.* ORDER BY CreationTime DESC" -rtp:-1

Path CreationTime
----------------------------------------------------------- ------------------
c:\inetpub\wwwroot\Default.asp 6/22/2007 6:00:01
c:\inetpub\wwwroot\About.asp 6/22/2007 6:00:00
c:\inetpub\wwwroot\global.asa 6/22/2007 6:00:00
c:\inetpub\wwwroot\Products.asp 6/22/2007 6:00:00

And this query lists the 20 most recently modified files:

C:\>logparser -i:FS "SELECT TOP 20 Path, LastWriteTime from c:\inetpub\wwwroot\*.* ORDER BY LastWriteTime DESC" -rtp:-1

Path LastWriteTime
----------------------------------------------------------- ------------------
c:\inetpub\wwwroot\Default.asp 6/22/2007 14:00:01
c:\inetpub\wwwroot\About.asp 6/22/2007 14:00:00
c:\inetpub\wwwroot\global.asa 6/22/2007 6:00:00
c:\inetpub\wwwroot\Products.asp 6/22/2007 6:00:00

But suppose the attacker was careful and deleted all Trojan files when finished. In that case, the files will no longer exist, but there will be log entries showing successful requests for those files. To identify these log entries you must make a list of all files on your site that have resulted in 200 HTTP status codes. From your log files directory, execute the following query:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT TO_LOWERCASE(cs-uri-stem) AS URL, Count(*) AS Hits FROM ex*.log WHERE sc-status=200 GROUP BY URL ORDER BY URL" -rtp:-1

URL Hits
---------------------------------------- -----
/About.asp 122
/Default.asp 9823
/downloads/setup.exe 701
/ 1
/Products.asp 8341
/robots.txt 2830

Carefully review this list and make sure that each item listed is part of your web application. In particular, watch for files such as nc.exe, tini.exe, root.exe, cmd.exe, upload.asp, aspexec.asp, etc.

Script Abuse
If searching for new or modified files turns up nothing, it is time to check out your scripts and executables. Any script or executable that accepts user input is a potential attack vector. Before starting, you should identify which executable file extensions you use in your web content areas. The following query will give you a report of all file extensions that exist within your web content (adjust the path names as necessary):

C:\>logparser -i:fs "SELECT TO_LOWERCASE(SUBSTR(Name, LAST_INDEX_OF(Name,'.'), STRLEN(Name))) AS Extension, Count(*) as Files from c:\inetpub\wwwroot\*.*, c:\inetpub\scripts\*.* WHERE Attributes NOT LIKE 'D%' GROUP BY Extension ORDER BY Files DESC" -rtp:-1

Extension Files
--------- -----
.gif 704
.asp 180
.jpg 44
.css 43
.htm 28
.txt 21
.html 6
.dll 5
.zip 4

According to this list, the site contains several file extensions that may be of concern to us: .asp and .dll. Therefore, all the example queries from this point on will specifically look for ASP and DLL files. You will likely need to adjust this depending on which executable extensions you use on your web site.

One way to detect script abuse is to see if any one script has an unusually high number of hits. Since web-based attacks often require some trial and error, you should expect to see noticeable statistical variances, unless of course your web site gets millions of hits a day. Nevertheless, it is sometimes useful to see if any single day produced unusually high traffic.
The following query will show the number of hits for each day for each ASP and DLL file. From your log files directory, type the following:

C:\Windows\System32\LogFiles\W3SVC1>LogParser "SELECT TO_STRING(TO_TIMESTAMP(date, time), 'yyyy-MM-dd') AS Day, cs-uri-stem, COUNT(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' OR TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY Day, cs-uri-stem ORDER BY cs-uri-stem, Day" -rtp:-1

Day cs-uri-stem Total
---------- ------------------- -----
2007-04-01 /Default.asp 127
2007-04-02 /Default.asp 121
2007-04-03 /Default.asp 132
2007-04-04 /Default.asp 116
2007-04-05 /Default.asp 107
2007-04-06 /Default.asp 144
2007-04-07 /Default.asp 466
2007-04-08 /Default.asp 174
2007-04-09 /Default.asp 118

In the sample results above the number of hits on 2007-04-07 is suspiciously high and should be investigated further.

Another good attack indicator is the number of errors per hour. The following script returns the dates and hours that had more than 25 error codes returned. This value will likely need adjusting depending on how much traffic your site receives:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT date, QUANTIZE(time, 3600) AS hour, sc-status, Count(*) AS Errors FROM ex07*.log WHERE sc-status>=400 GROUP BY date, hour, sc-status HAVING Errors>25 ORDER BY Errors DESC" -rtp:-1

date hour sc-status Errors
---------- -------- --------- ------
2007-06-22 22:00:00 404 110
2007-04-21 13:00:00 404 36
2007-04-19 23:00:00 404 36
2007-04-19 13:00:00 404 27

Further investigation of the dates listed above may show that the high number of 404 errors are CGI scans looking for vulnerable scripts on your site. The 404 errors themselves are not as much of a concern as the 200 results during that same time, which may indicate a successful attack. This query will return all valid requests from any IP address that also had a 404 error on 2007-06-22:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT c-ip, cs-uri-stem, Count(*) as Hits FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) NOT LIKE '%.gif' AND TO_LOWERCASE(cs-uri-stem) NOT LIKE '%.jpg%' AND c-ip IN (SELECT c-ip FROM ex070622.log WHERE sc-status=404) AND sc-status=200 GROUP BY c-ip, cs-uri-stem" -rtp:-1

c-ip cs-uri-stem Hits
--------------- ------------------- -----
                /Default.asp 3
                /main.css 3
                /Products.asp 7
                /About.asp 1
                /Products.asp 18
                /main.css 1
                /Default.asp 1

Looking at these results, you can see two IP addresses that had an unusual number of hits on Products.asp. It could be that these were two different attackers or the same attacker who used two different proxies to conceal his or her IP address. One way to find out if they are likely the same person is to check the User-Agent header for the two different IP addresses:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT c-ip, cs(User-Agent) FROM ex070622.log WHERE c-ip='' or c-ip=''" -rtp:-1

c-ip cs(User-Agent)
---------------- -------------------------------------------------------------
                 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312461;+.NET+CLR+1.0.3705
                 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Q312461;+.NET+CLR+1.0.3705)
This proves that those two IP addresses are either the same user or two different users with the exact same OS, browser, service pack level, installed hotfixes, and .NET installation. It is not a perfect indicator but it is significant. To support this evidence, you could go through your logs and discover when each of the IP addresses first hit your web site. When a user visits a web site for the first time, the browser downloads the page and any graphics and stores it all in the browser’s temporary cache. This is so that subsequent visits to the page will not require downloading all the graphics again. However, the browser does check to see if the graphics have been modified before using the cached versions. If the graphic has not been modified, the server will return a 304 HTTP status code. Therefore, if you create a query for a specific IP address with a status code of 200 for any particular graphic, that log entry will be the user’s first visit, providing they have not cleared their cache. So if a user switches to a different proxy server, the file will still be cached and therefore there will never be a first visit from one of the IP addresses. If one of the two IP addresses mentioned above turns up not having a first visit, chances are that they first visited the site from the other IP address. If neither IP address shows a 200 result, then there are more IP addresses left to discover.

SQL Injection
If you read this paper (PDF) from NGSSoftware you will see that attacks such as SQL injection are based on sending faulty requests to a server and interpreting the error messages. Some of the indicators of this type of attack are:
  • Numerous sequential hits from the same IP address to the same URL;
  • High numbers of 500 HTTP status codes or other errors;
  • GET requests to ASP pages that normally only receive POST requests; and
  • Other clusters of anomalous web site activity.
It may also be useful to see an unusually high number of hits on a single page from a single IP address. The following query shows any IP address that hit the same page more than 50 times in a single day:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT date, cs-uri-stem, c-ip, Count(*) AS Hits FROM ex*.log GROUP BY date, c-ip, cs-uri-stem HAVING Hits>50 ORDER BY Hits Desc" -rtp:-1

date cs-uri-stem c-ip Hits
---------- ----------------------------------- --------------- ----
2007-05-19 /Products.asp 281
2007-06-22 /Products.asp 98
2007-06-05 /Products.asp 91
2007-05-07 /Default.asp 74

Looking at these results, it is immediately obvious that one IP address hit the same page 281 times one day and 91 times another day, which is obviously suspicious.

Another useful technique is to view exactly what ASP errors IIS encountered while serving requests. Most attempts at breaking into a web site will inevitably result in some kind of error. The following query will return a list of every ASP error recorded in the log files:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-query, Count(*) AS Total FROM ex*.log WHERE sc-status>=500 GROUP BY cs-uri-query ORDER BY Total DESC" -rtp:-1

cs-uri-query Total
------------------------------------------------------------------------- ----------
Out-of-process+ISAPI+extension+request+failed. 18
|55|8000ffff|Catastrophic_failure__ 8
|49|8000ffff|Catastrophic_failure__ 6
|74|800a01c2|Wrong_number_of_arguments_or_invalid_property_assignment 1

If you find any errors that are interesting, you could write another query to drill down to the specific error. In particular, you want to watch for ODBC and ADO errors, indicating a possible attempt at SQL injection.
Another way to identify errors is to look at the status codes returned by the server. If you want to see a detail of what status codes IIS returned for each page, try the following query:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, sc-status, Count(*) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem, sc-status ORDER BY cs-uri-stem, sc-status" -rtp:-1

cs-uri-stem sc-status Total
--------------------------------------------- --------- -----
/Default.asp 200 9258
/Default.asp 500 3
/MSOffice/cltreq.asp 404 12
/MailResult.asp 404 1
/asp/aspmail.asp 302 86
/asp/aspmail.asp 500 28
/autocomplete.asp 404 2
/awards.asp 404 4

Also of interest are the Win32 Status codes, which may be attack indicators:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, WIN32_ERROR_DESCRIPTION(sc-win32-status) as Error, Count(*) AS Total FROM ex*.log WHERE sc-win32-status>0 and (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, Error ORDER BY cs-uri-stem, Error" -rtp:-1

cs-uri-stem Error Total
------------------------ ------------------------------------ -----
/Default.asp The RPC server is unavailable. 2
/Default.asp The remote procedure call failed 1
/asp/aspmail.asp The RPC server is unavailable. 12
/download/Default.asp The RPC server is unavailable. 3

Some ASP pages should only accept form input from previous pages. If, for example, you have a page such as checkout1.asp that sends a POST request to checkout2.asp, then anything other than a POST request to checkout2.asp may be suspicious. This query will show what HTTP methods were sent to each page:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, cs-method, Count(*) AS Total FROM ex*.log WHERE (sc-status<400 or sc-status>=500) AND (TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%') GROUP BY cs-uri-stem, cs-method ORDER BY cs-uri-stem, cs-method" -rtp:-1

cs-uri-stem cs-method Total
------------------------------------ --------- -----
/Default.asp GET 9136
/Default.asp HEAD 125
/asp/aspmail.asp GET 3
/asp/aspmail.asp POST 111
/awards/Default.asp GET 269
/compare/Default.asp GET 437
/compare/Default.asp HEAD 3
/download/Default.asp GET 5018
/download/Default.asp HEAD 436
/download/default.asp GET 727
/download/default.asp HEAD 1
/orders/Default.asp GET 1420
/orders/Default.asp POST 3

You may also want to write a query that checks the HTTP Referer header to make sure the traffic is coming from where you expect it to.

Digging Deeper
At this point, you should begin to see patterns emerge. You should be able to narrow down the attack to specific dates and URLs. If you still have not found any apparent patterns, you may need to dig deeper. Sometimes an attack will involve sending a large amount of information back to the attacker. The following query will report some statistics for the number of bytes sent to the client:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(sc-bytes) AS Avg, Max(sc-bytes) AS Max, Min(sc-bytes) AS Min, Sum(sc-bytes) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1

cs-uri-stem Hits Avg Max Min Total
------------------------ ----- ------ ------- ---- --------
/Default.asp 9261 18321 19920 145 16967359
/MSOffice/cltreq.asp 12 227 269 221 2724
/MailResult.asp 1 221 221 221 221
/asp/aspmail.asp 114 545 704 218 62232
/complete.asp 2 230 240 221 461
/orders/Default.asp 269 6998 7625 6692 1882463

And this one will report on bytes sent from the client:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(cs-bytes) AS Avg, Max(cs-bytes) AS Max, Min(cs-bytes) AS Min, Sum(cs-bytes) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1

cs-uri-stem Hits Avg Max Min Total
--------------------------- ----- ---- ---- --- -------
/Default.asp 9261 435 1544 49 4037788
/MSOffice/cltreq.asp 12 369 482 276 4430
/MailResult.asp 1 313 313 313 313
/asp/aspmail.asp 114 1418 2383 153 161685
/complete.asp 2 172 191 154 345
/orders/Default.asp 269 441 1062 118 118766

Another indicator may be how much time the server spent processing the request. It is not uncommon for exploits to take an unusually large amount of time or even to time out completely. The following query reports on time taken:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-uri-stem, Count(*) as Hits, AVG(time-taken) AS Avg, Max(time-taken) AS Max, Min(time-taken) AS Min, Sum(time-taken) AS Total FROM ex*.log WHERE TO_LOWERCASE(cs-uri-stem) LIKE '%.asp%' or TO_LOWERCASE(cs-uri-stem) LIKE '%.exe%' GROUP BY cs-uri-stem ORDER BY cs-uri-stem" -rtp:-1

cs-uri-stem Hits Avg Max Min Total
------------------------- ----- ------ ------- --- ---------
/Default.asp 9261 8 312 0 75228
/MSOffice/cltreq.asp 12 4 16 0 48
/MailResult.asp 1 0 0 0 0
/asp/aspmail.asp 114 699 31719 0 79765
/complete.asp 2 7 15 0 15
/orders/Default.asp 269 4 32 0 1206

User Logins
If your site is mostly unauthenticated anonymous access, then any user login may be suspicious. To see what users have authenticated to the site, try the following query:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT cs-username, Count(*) AS Hits from ex*.log WHERE cs-username IS NOT NULL GROUP BY cs-username ORDER BY Hits Desc" -rtp:-1

Sometimes it is possible to identify an attack script by looking at the HTTP User-Agent header sent by the client. You can get a list of non-standard User-Agent strings with this query:

C:\Windows\System32\LogFiles\W3SVC1>logparser "SELECT DISTINCT cs(User-Agent) FROM ex*.log WHERE TO_LOWERCASE(cs(User-Agent)) NOT LIKE '%mozilla%' AND TO_LOWERCASE(cs(User-Agent)) NOT LIKE '%opera%' ORDER BY cs(User-Agent)" -rtp:-1
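The same checks the queries above express (HTTP method per page with 4xx excluded, per-page Hits/Avg/Max/Min/Total for sc-bytes, cs-bytes or time-taken, and User-Agents naming neither Mozilla nor Opera), as an added Python example that is not from the article and does not use LogParser; it reads a constructed W3C extended log sample, taking its column names from the IIS #Fields: directive, so it works offline and on any ex*.log with the same fields:

```python
from collections import defaultdict
# Constructed IIS W3C extended log sample; these are not the article's logs.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status sc-bytes cs-bytes time-taken cs(User-Agent)
2007-01-05 10:00:01 10.0.0.5 - GET /Default.asp 200 0 18321 435 8 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-01-05 10:00:02 10.0.0.5 - POST /asp/aspmail.asp 302 0 545 1418 12 Mozilla/4.0+(compatible;+MSIE+6.0)
2007-01-05 10:00:03 10.0.0.9 - GET /asp/aspmail.asp 500 1722 704 2383 31719 Python-urllib/2.4
2007-01-05 10:00:04 10.0.0.9 - GET /awards.asp 404 0 221 276 0 Python-urllib/2.4
2007-01-05 10:00:05 10.0.0.7 admin GET /orders/Default.asp 200 0 6998 441 4 Opera/9.02
"""
INT_FIELDS = ("sc-status", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken")

def parse_w3c(text):
    """Yield one dict per request; the #Fields: directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # IIS may re-emit this mid-file
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rec = dict(zip(fields, line.split()))   # IIS writes spaces as '+'
            rec.update({k: int(rec[k]) for k in INT_FIELDS if rec.get(k, "-") != "-"})
            yield rec

# Mirror the queries' WHERE clause: the URI contains '.asp' or '.exe'.
def is_dynamic(rec): return any(x in rec["cs-uri-stem"].lower() for x in (".asp", ".exe"))

def methods_per_page(recs):
    """Like the cs-method query (4xx excluded): a GET to a POST-only page stands out."""
    out = defaultdict(lambda: defaultdict(int))
    for r in recs:
        if is_dynamic(r) and not 400 <= r["sc-status"] < 500:
            out[r["cs-uri-stem"]][r["cs-method"]] += 1
    return {u: dict(m) for u, m in out.items()}

def field_stats(recs, field):
    """Hits/Avg/Max/Min/Total per page for sc-bytes, cs-bytes or time-taken."""
    vals = defaultdict(list)
    for r in recs:
        if is_dynamic(r):
            vals[r["cs-uri-stem"]].append(r[field])
    return {u: {"Hits": len(v), "Avg": sum(v) // len(v), "Max": max(v),
                "Min": min(v), "Total": sum(v)} for u, v in vals.items()}

def nonstandard_agents(recs):
    """Distinct User-Agent strings naming neither Mozilla nor Opera."""
    return sorted({r["cs(User-Agent)"] for r in recs
                   if not any(b in r["cs(User-Agent)"].lower() for b in ("mozilla", "opera"))})
```

In the sample, the 31719 ms time-taken on /asp/aspmail.asp from a non-browser agent is the kind of outlier the time-taken query surfaces.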

Closing In

Following these same patterns, you will eventually close in on the source of the intrusion or identify unknown intrusions. With each query, try to add more criteria and more detail to pin down the specific log evidence that identifies the attacker or the type of attack. LogParser is a very powerful tool, but the real power comes when you learn how to use these and other queries to quickly bring information to your fingertips.