To find account lockout events on multiple domain controllers, download Log Parser 2.2 and run the following command in a domain admin context (e.g. runas /user:domain\administrator logparser.exe), with the query shown below the command saved in "lockouts.sql". The account lockout event is 644; if you need to find others, read Microsoft's KB174074. Also, this script reads each domain controller's security event log sequentially, so if you're in a hurry, run a separate logparser process for each domain controller.

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid

------stick this part in lockouts.sql
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName,
message as Message
FROM \\domaincontroller1\security, \\domaincontroller2\security, \\domaincontroller3\security
WHERE EventID = 644
-----end here

If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:SQL -server:myDBservername -driver:"SQL Server" -database:myDBname -createtable:ON

Table name will end up matching your dbname. Set -createtable to off after you run it once.

Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.

If you're going to be doing anything with windows logs, buy the book. It's more useful than several log management software packages I've demo'ed.

Download Log Parser here.

Now that I have added "User-agent: BDFetch" and "Disallow: /" to my robots.txt, all the BDFetch bot gets is robots.txt. However, some people at Brand Dimensions are now browsing my blog:

72.14.164.134 - - [08/Jun/2009:13:58:26 -0400] "GET /blog HTTP/1.1" 301 314 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.133 - - [08/Jun/2009:13:58:26 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.196 - - [08/Jun/2009:13:58:42 -0400] "GET /blog/2009/06/comcast-is-collecting-data-on.html HTTP/1.1" 200 16335 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"

A little research reveals that they have a class C block of IPs:
CustName: Brandimensions Inc.
Address: 5090 Explorer Drive
Address: Suite 203
City: Mississauga
StateProv: ON
PostalCode: L4W-4T9
Country: CA
RegDate: 2008-06-25
Updated: 2008-06-25
NetRange: 72.14.164.0 - 72.14.164.255
CIDR: 72.14.164.0/24

Thus blocking 72.14.164.0/24 at the firewall will prevent them from seeing anything.

The information below is what the FCC has for the Washington DMA. If you ask most television stations what their frequency is, they don't have a clue. The FCC also says I should receive all of these stations at my house. These stations are VHF and UHF, so your standard TV antenna should work fine (see study). I contend there is no such thing as a "high-def" antenna. Radio waves are radio waves. The frequency is the same. If you're experiencing multi-path errors, then try using a directional antenna. (How do you determine if your reception problems are multi-path errors? Well, in the analog days, multi-path was ghosting. Generally, you should be getting good reception because you're close, but you can't lock on.)

If you're wondering why you can't receive a station, here's a study by the FCC on DTV reception in Washington, DC. If you have a hundred thousand dollars in equipment you'll be able to replicate their results: You're less likely to receive DTV signals than you were analog signals. You can improve your chances with a thirty-foot mast.

For the tripod-mounted, indoor-type antennas, SPI was 86% for WUSA and 84% for WRC when the better of either the bowtie antenna or the Silver Sensor directional antenna was used. These SPIs for the combined indoor antenna types exceed the above values for mast-mounted antenna reception computed in the 1998 study.


| Station | Network | Analog Channel | Digital Channel Pre Transition | Digital Channel Post Transition | Virtual Channel | Transition Date |
|---|---|---|---|---|---|---|
| WRC | NBC | 4 | 48 | 48 | 4-1 | 6/12/2009 |
| WTTG | FOX | 5 | 36 | 36 | 5-1 | 6/12/2009 |
| WJLA | ABC | 7 | 39 | 7 | 7-1 | 6/12/2009 |
| WUSA | CBS | 9 | 34 | 9 | 9-1 | 6/12/2009 |
| WFDC | UNIVISION | 14 | 15 | 15 | 14-1 | 6/12/2009 |
| WDCA | | 20 | 35 | 35 | 20-1 | 6/12/2009 |
| WHAG | NBC | 25 | 55 | 26 | 25-1 | 6/12/2009 |
| WETA | PBS | 26 | 27 | 27 | 26-1 | 6/12/2009 |
| WWPB | PBS | 31 | 44 | 44 | 31-1 | 6/12/2009 |
| WHUT | PBS | 32 | 33 | 33 | 32-1 | 6/12/2009 |
| WVPY | PBS | 42 | 21 | 21 | 42-1 | 6/12/2009 |
| WDCW | CW | 50 | 51 | 50 | 50-1 | 6/12/2009 |
| WWPX | ION | 60 | 12 | 12 | 60-1 | 6/12/2009 |
| WFPT | PBS | 62 | 28 | 28 | 62-1 | 4/16/2009 |
| WPXW | ION | 66 | 43 | 34 | 66-1 | 6/12/2009 |

I just noticed some interesting entries in my logs from a new bot: BDFetch. Brand Dimensions is a company that collects information from the Internet, looking for bad things people say about Comcast's poor service. Apparently, they're conducting private investigations for U.S. clients from Canada by collecting files on everyone that says something about Comcast online. Personally, I'd rather not be investigated by a Canadian company in a state that requires licensing for such activities.

Here are the entries from my web server's access log. Clearly, they're looking only at content that mentions Comcast. I mention other brand names, but they're not interested in them.

72.14.164.176 - - [05/Jun/2009:16:49:17 -0400] "GET /robots.txt HTTP/1.1" 200 289 "www.brandimensions.com" "BDFetch"
72.14.164.150 - - [05/Jun/2009:16:49:39 -0400] "GET /blog/2008/11/comcast-strikes-back.html HTTP/1.1" 200 17006 "www.brandimensions.com" "BDFetch"

Since then, I have two new lines in my robots.txt file:

User-agent: BDFetch
Disallow: /

If that doesn't work, I'm going to cut off the 72.14.164.0/24 network at my firewall.

Wondering if Brand Dimensions is watching you? Here's the grep command to find them:
grep BDFetch access_log
You'll need access to your web log. Also, remember that grep and unix are case-sensitive.
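
The grep above matches only requests that announce themselves as BDFetch, while the later visits from the same netblock carry a browser user agent. The following is an added example, not part of the original posts: it filters access-log lines by source address against 72.14.164.0/24 and groups the hits by user agent. The function names and the 203.0.113.7 line are constructed for illustration; the other sample lines are the ones quoted on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Netblock from the whois record quoted on this page.
WATCHED_NET = ipaddress.ip_network("72.14.164.0/24")
# Apache combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Sample input: five lines quoted on this page plus one constructed line (203.0.113.7).
SAMPLE_LOG = """\
72.14.164.176 - - [05/Jun/2009:16:49:17 -0400] "GET /robots.txt HTTP/1.1" 200 289 "www.brandimensions.com" "BDFetch"
72.14.164.150 - - [05/Jun/2009:16:49:39 -0400] "GET /blog/2008/11/comcast-strikes-back.html HTTP/1.1" 200 17006 "www.brandimensions.com" "BDFetch"
72.14.164.134 - - [08/Jun/2009:13:58:26 -0400] "GET /blog HTTP/1.1" 301 314 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.133 - - [08/Jun/2009:13:58:26 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.196 - - [08/Jun/2009:13:58:42 -0400] "GET /blog/2009/06/comcast-is-collecting-data-on.html HTTP/1.1" 200 16335 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
203.0.113.7 - - [08/Jun/2009:14:02:10 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "ExampleBrowser/1.0"
"""

def hits_from_network(lines, network=WATCHED_NET):
    """Return {user_agent: [(ip, path), ...]} for requests whose source IP is inside network."""
    by_agent = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # log was written with hostnames instead of addresses
        if ip in network:
            by_agent[m["agent"]].append((m["ip"], m["path"]))
    return dict(by_agent)

def paths_outside_bot_rule(hits, bot_agent="BDFetch"):
    """Paths fetched from the netblock under any user agent other than the one robots.txt names."""
    return sorted({path for agent, reqs in hits.items() if agent != bot_agent
                   for _, path in reqs if path != "/robots.txt"})

if __name__ == "__main__":
    hits = hits_from_network(SAMPLE_LOG.splitlines())
    print({agent: len(reqs) for agent, reqs in hits.items()})
    print(paths_outside_bot_rule(hits))
```

A robots.txt rule keyed on a user agent only binds clients that send that user agent, which is why the address-based view finds the three browser-style requests that a search for BDFetch misses.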

Many cable companies have a government-mandated monopoly. In exchange, they offer "basic cable" which was supposed to be a modestly priced service that includes little more than you could receive over the air. With the advent of DTV, does basic cable grow to include high-definition television? Of course not! Cable companies now charge more for you to receive lower-quality signals than you can receive over the airwaves. They also require you to rent an HD set-top box. If you have an HDTV manufactured in recent years, you can get it free over the air. Also, most of the local stations in DC offer more than one programming feed over the air. Cable companies charge extra for those same free signals.

WUSA and WRC are changing their frequencies on June 12, so be sure to scan through on your HDTV/receiver. Others may be changing, but information is not easy to find on their sites.
| Station/Affiliation | Old Analog Number | Digital Channel | Programming, Format | Online Listings | Response to questions? |
|---|---|---|---|---|---|
| WRC/NBC | 4 | 48 (674-680 MHz UHF) | 4.1 HD 1080i 16:9; 4.2 Weather 480i 4:3; 4.3 Sports 480i 4:3 (mostly skiing this winter) | No | no response |
| WTTG/FOX | 5 | 36 (602-608 MHz UHF) | Single DTV channel 720p 16:9 | No | Fullest, fastest response to email inquiry. |
| WJLA/ABC | 7 | 39 (620-626 MHz UHF) | 7.1 HD 720p 16:9; 7.2 Weather 480i 4:3; 7.3 Classic TV 480i 4:3 | No | no response |
| WUSA/CBS | 9 | 34 (590-596 MHz UHF) | 9.1 HD 1080i 16:9; 9.2 Weather 480i 4:3. Transitioning back to VHF channel 9 on June 12th. | No | no response |
| WFDC | 14 | | 14.1 480i 4:3 | ? | |
| WDCA | 20 | 35 (596-602 MHz) | 20.1 HD 720p 16:9 | Yes | |
| WETA/PBS | 26 (analog goodnight 6/12/2009) | 27 (548-554 MHz) | 26.1 HD; 26.2 Create; 26.3 Kids; 26.4 WETA | Yes | Responded, but without frequency information. |
| WHUT | 32 | 33 (584-590 MHz) | 32.1 480i 4:3 | Yes | |
| WDCW | 50 | 51 | ? | | unreceivable |

June 16, 2009 update: Fox News has a story on the auto-warranty scammers.

With the implementation of the National Do-Not-Call registry, you'd think that telemarketing activity would decrease. Instead, telemarketing activity is increasing. Of course, it's impossible to measure, because there are no reliable statistics for illegitimate telemarketing activity. By illegitimate, I mean not just that they're not supposed to call you, but they're trying to scam you with a bogus auto warranty, fake sweepstakes winnings, or fake identity-theft protection services.

The cost of calling has dropped dramatically. With SIP trunking and the G.729 codec, I can squeeze a hundred calls across a T1. The SIP trunk will cost me $.01 per call-minute. An open-source PBX will cost a few hundred dollars for server hardware. Robocalling and autodialing scripts are free. Add in a kilobuck hardware codec card, and I can start calling every number there is. A thousand sixty-second robocalls cost me $10.00 and take only ten minutes to complete at a hundred concurrent calls a minute. My caller ID is whatever I enter into the caller ID field. Faking caller ID is trivial and legal. Even if only one in a thousand calls hooks me up to a sucker, I'm making money.

If I'm a telescammer, I'm not really concerned with the do not call list. If I'm faking my ID, what are you going to do -- report a number? A company that doesn't exist? I'm practically untraceable. If you *69 me, all you get is the faked caller ID number. You'd need a trap-and-trace from your phone company, and you can't do that without a threat. Even if you do get one, I've already called. I'm not going to call again, and if I do, it'll be from a different number. In Canada, the do-not-call list is a service for scammers to get Canadian phone numbers.

The economics make it almost as cheap as spam, and spam is a LOT easier to block than roboscammers. Blacklisting phone numbers, or even faked caller ID numbers, is not easy. There are several free web services tracking this type of information, like whocalled.us and 800notes.com. However, there's no update service to add this to phone blocklists, which don't exist. Vonage won't let you blacklist numbers unless you get their Wi-Fi hardware phone. Even Verizon's anonymous call blocking permits obviously bad 000-000-0000 numbers through.

FreePBX has a great blacklist, but it blacklists only known bad numbers. What we really need is a shared database of bad originating numbers.

Here's another simple script that will simply write out your AD group memberships to a csv file with the name of a group. Input is a simple text file with one group name per line. This script is adapted from the original at WiseSoft.

' VBScript source code
' Takes a list of groups in a text file and writes one CSV file per group with that group's membership.
Const ForReading = 1
q = """"   ' double-quote character used to wrap each CSV field

Set objFSO = CreateObject("Scripting.FileSystemObject")
' Change this line to wherever you want to read the input from.
Set objTextFile = objFSO.OpenTextFile("c:\scripts\groups\groups.txt", ForReading)

Do Until objTextFile.AtEndOfStream

    groupName = objTextFile.ReadLine
    ' A blank line ends the list.
    If groupName = "" Then
        Exit Do
    End If

    groupPath = getGroupPath(groupName)
    If groupPath = "" Then
        WScript.Echo "Unable to find the specified group in the domain"
        WScript.Quit
    End If

    Set objGroup = GetObject(groupPath)
    ' Change the path to where you want the output files to go.
    ' objFile and q are script-level variables, so getPrimaryGroupMembers can use them.
    Set objFile = objFSO.CreateTextFile("c:\scripts\groups\" & groupName & ".csv")

    objFile.WriteLine q & "sAMAccountName" & q & "," & q & "Surname" & q & "," & q & "FirstName" & q
    For Each objMember In objGroup.Members
        objFile.WriteLine q & objMember.sAMAccountName & q & "," & q & objMember.sn & _
            q & "," & q & objMember.givenName & q
    Next

    '***** Users whose primary group is set to the given group need to be enumerated separately. *****
    ' This has to run for each group, while that group's output file is still open.
    getPrimaryGroupMembers groupName

    objFile.Close
    Set objFile = Nothing

Loop
objTextFile.Close

WScript.Echo "Completed"

' Returns the ADsPath of the group with the given sAMAccountName, or "" if it is not found.
Function getGroupPath(ByVal GroupName)
    Set cmd = CreateObject("ADODB.Command")
    Set cn = CreateObject("ADODB.Connection")
    Set rs = CreateObject("ADODB.Recordset")

    cn.Open "Provider=ADsDSOObject;"

    cmd.CommandText = "SELECT adspath from 'LDAP://" & getNC & _
        "' WHERE objectCategory = 'Group' and sAMAccountName = '" & GroupName & "'"
    cmd.ActiveConnection = cn

    Set rs = cmd.Execute

    If rs.BOF <> True And rs.EOF <> True Then
        getGroupPath = rs(0)
    Else
        getGroupPath = ""
    End If
    cn.Close

End Function

' Returns the default naming context (the domain DN) from RootDSE.
Function getNC
    Set objRoot = GetObject("LDAP://RootDSE")
    getNC = objRoot.Get("defaultNamingContext")
End Function

' Appends the users whose primary group is GroupName to the currently open output file.
Function getPrimaryGroupMembers(ByVal GroupName)
    Set cn = CreateObject("ADODB.Connection")
    Set cmd = CreateObject("ADODB.Command")
    Set rs = CreateObject("ADODB.Recordset")

    cn.Open "Provider=ADsDSOObject;"
    cmd.ActiveConnection = cn

    '***** Change the Page Size to overcome the 1000 record limitation *****
    ' Any non-zero page size turns on paged results; a larger value means fewer round trips.
    cmd.Properties("page size") = 1
    cmd.CommandText = "SELECT PrimaryGroupToken FROM 'LDAP://" & getNC & _
        "' WHERE sAMAccountName = '" & GroupName & "'"
    Set rs = cmd.Execute

    If rs.EOF <> True And rs.BOF <> True Then
        PrimaryGroupID = rs(0)
    Else
        Err.Raise 5000, "getPrimaryGroupMembers", "Unable to find PrimaryGroupToken property"
    End If

    cmd.CommandText = "SELECT samaccountname, sn, givenName FROM 'LDAP://" & getNC & _
        "' WHERE PrimaryGroupID = '" & PrimaryGroupID & "'"

    Set rs = cmd.Execute

    ' Write the same three quoted columns as the header row.
    While rs.EOF <> True And rs.BOF <> True
        objFile.WriteLine q & rs("samaccountname") & q & "," & q & rs("sn") & q & _
            "," & q & rs("givenName") & q
        rs.MoveNext
    Wend
    cn.Close

End Function