June 2009 Archives

To find account lockout events on multiple domain controllers, download Log Parser 2.2 and run the following command in a domain admin context (e.g. runas /user:domain\administrator logparser.exe), with the query below the command saved as "lockouts.sql". The account lockout event ID is 644; if you need to find others, read Microsoft's KB174074. Note that this script reads each domain controller's security event log sequentially, so if you're in a hurry, run a separate logparser process for each domain controller.

logparser.exe file:c:\scripts\logparser\lockouts.sql -i:EVT -o:datagrid

------stick this part in lockouts.sql
SELECT
timegenerated AS LogonTime,
extract_token(strings, 0, '|') AS UserName,
message AS Message
FROM \\domaincontroller1\security, \\domaincontroller2\security, \\domaincontroller3\security
WHERE EventID = 644
-----end here

If you want the output to go into a database instead of a datagrid (Excel-type) table, make the logparser command look like this:

logparser.exe file:c:\scripts\logparser\lockouts.sql -o:SQL -server:myDBservername -driver:"SQL Server" -database:myDBname -createtable:ON

Table name will end up matching your dbname. Set -createtable to off after you run it once.

Props to: Microsoft's Log Parser Toolkit, by Gabriele Giuseppini and Mark Burnett.

If you're going to be doing anything with Windows logs, buy the book. It's more useful than several log management software packages I've demo'ed.

Download Log Parser here.

Now that I added "User-agent: BDFetch" and "Disallow: /" to my robots.txt, all the BDFetch bot gets is robots.txt. However, some people at Brand Dimensions are now browsing my blog:

72.14.164.134 - - [08/Jun/2009:13:58:26 -0400] "GET /blog HTTP/1.1" 301 314 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.133 - - [08/Jun/2009:13:58:26 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.196 - - [08/Jun/2009:13:58:42 -0400] "GET /blog/2009/06/comcast-is-collecting-data-on.html HTTP/1.1" 200 16335 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"

A little research reveals that they have a class C block of IPs:
CustName: Brandimensions Inc.
Address: 5090 Explorer Drive
Address: Suite 203
City: Mississauga
StateProv: ON
PostalCode: L4W-4T9
Country: CA
RegDate: 2008-06-25
Updated: 2008-06-25
NetRange: 72.14.164.0 - 72.14.164.255
CIDR: 72.14.164.0/24

Thus blocking 72.14.164.0/24 at the firewall will prevent them from seeing anything.

The information below is what the FCC has for the Washington DMA. If you ask most television stations what their frequency is, they don't have a clue. The FCC also says I should receive all of these stations at my house. These stations are VHF and UHF, so your standard TV antenna should work fine (see study). I contend there is no such thing as a "high-def" antenna. Radio waves are radio waves. The frequency is the same. If you're experiencing multi-path errors, then try using a directional antenna. (How do you determine if your reception problems are multi-path errors? Well, in the analog days, multi-path was ghosting. Generally, you should be getting good reception because you're close, but you can't lock on.)

If you're wondering why you can't receive a station, here's a study by the FCC on DTV reception in Washington, DC. If you have a hundred thousand dollars in equipment you'll be able to replicate their results: You're less likely to receive DTV signals than you were analog signals. You can improve your chances with a thirty-foot mast.

For the tripod-mounted, indoor-type antennas, SPI was 86% for WUSA and 84% for WRC when the better of either the bowtie antenna or the Silver Sensor directional antenna was used. These SPIs for the combined indoor antenna types exceed the above values for mast-mounted antenna reception computed in the 1998 study.


| Station | Network | Analog Channel | Digital Channel Pre Transition | Digital Channel Post Transition | Virtual Channel | Transition Date |
|---|---|---|---|---|---|---|
| WRC | NBC | 4 | 48 | 48 | 4-1 | 6/12/2009 |
| WTTG | FOX | 5 | 36 | 36 | 5-1 | 6/12/2009 |
| WJLA | ABC | 7 | 39 | 7 | 7-1 | 6/12/2009 |
| WUSA | CBS | 9 | 34 | 9 | 9-1 | 6/12/2009 |
| WFDC | UNIVISION | 14 | 15 | 15 | 14-1 | 6/12/2009 |
| WDCA | | 20 | 35 | 35 | 20-1 | 6/12/2009 |
| WHAG | NBC | 25 | 55 | 26 | 25-1 | 6/12/2009 |
| WETA | PBS | 26 | 27 | 27 | 26-1 | 6/12/2009 |
| WWPB | PBS | 31 | 44 | 44 | 31-1 | 6/12/2009 |
| WHUT | PBS | 32 | 33 | 33 | 32-1 | 6/12/2009 |
| WVPY | PBS | 42 | 21 | 21 | 42-1 | 6/12/2009 |
| WDCW | CW | 50 | 51 | 50 | 50-1 | 6/12/2009 |
| WWPX | ION | 60 | 12 | 12 | 60-1 | 6/12/2009 |
| WFPT | PBS | 62 | 28 | 28 | 62-1 | 4/16/2009 |
| WPXW | ION | 66 | 43 | 34 | 66-1 | 6/12/2009 |

I just noticed some interesting entries in my logs from a new bot: BDFetch. Brand Dimensions is a company that collects information from the Internet, looking for bad things people say about Comcast's poor service. Apparently, they're conducting private investigations for U.S. clients from Canada by collecting files on everyone that says something about Comcast online. Personally, I'd rather not be investigated by a Canadian company in a state that requires licensing for such activities.

Here are the entries from my web server's access log. Clearly, they're looking only at content that mentions Comcast. I mention other brand names, but they're not interested in them.

72.14.164.176 - - [05/Jun/2009:16:49:17 -0400] "GET /robots.txt HTTP/1.1" 200 289 "www.brandimensions.com" "BDFetch"
72.14.164.150 - - [05/Jun/2009:16:49:39 -0400] "GET /blog/2008/11/comcast-strikes-back.html HTTP/1.1" 200 17006 "www.brandimensions.com" "BDFetch"

Since then, I have two new lines in my robots.txt file:

User-agent: BDFetch
Disallow: /

If that doesn't work, I'm going to cut off the 72.14.164.0/24 network at my firewall.

Wondering if Brand Dimensions is watching you? Here's the grep command to find them:
grep BDFetch access_log
You'll need access to your web log. Also, remember that grep and Unix are case-sensitive.
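The grep above matches only the crawler's user-agent string, while the later post shows visits from the same 72.14.164.0/24 block with a generic MSIE user agent. As an added example (not from the original posts), this Python script flags combined-format log entries by either signal, matching the agent case-insensitively; the sample input reuses four log lines quoted on this page plus one constructed unrelated visitor, and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

WATCHED_NET = ipaddress.ip_network("72.14.164.0/24")  # block named in the posts
WATCHED_AGENT = "bdfetch"  # crawler name from the posts, compared in lowercase

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"')

# Four entries quoted on this page, then one constructed unrelated visitor
# (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
72.14.164.176 - - [05/Jun/2009:16:49:17 -0400] "GET /robots.txt HTTP/1.1" 200 289 "www.brandimensions.com" "BDFetch"
72.14.164.150 - - [05/Jun/2009:16:49:39 -0400] "GET /blog/2008/11/comcast-strikes-back.html HTTP/1.1" 200 17006 "www.brandimensions.com" "BDFetch"
72.14.164.133 - - [08/Jun/2009:13:58:26 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
72.14.164.196 - - [08/Jun/2009:13:58:42 -0400] "GET /blog/2009/06/comcast-is-collecting-data-on.html HTTP/1.1" 200 16335 "-" "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)"
203.0.113.9 - - [08/Jun/2009:14:02:11 -0400] "GET /blog/ HTTP/1.1" 200 57901 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def classify(line):
    """Return ("agent" or "network-only", match) for a watched request, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    if WATCHED_AGENT in m["agent"].lower():
        return "agent", m
    try:
        if ipaddress.ip_address(m["ip"]) in WATCHED_NET:
            return "network-only", m  # same block, but no crawler user agent
    except ValueError:  # first field was a hostname, not an address
        pass
    return None

def summarize(log_text):
    """Group (ip, path) pairs by the reason each request was flagged."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            reason, m = result
            parts = m["request"].split()
            hits[reason].append((m["ip"], parts[1] if len(parts) > 1 else m["request"]))
    return dict(hits)

if __name__ == "__main__":
    for reason, rows in summarize(SAMPLE_LOG).items():
        print(reason, rows)
```

The "network-only" group holds the requests a user-agent grep would miss, which robots.txt also does not govern since a browser does not consult it.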
