Internet Information (IIS) / Log Parser – Queries – String Pattern Matching

Background

Looking for File I/O Exceptions in the Event Viewer.

 

Query

Sample

Sample 001

Code


SELECT TOP 100
         TimeGenerated
       , ComputerName
       , EventCategoryName
       , EventTypeName
       , EventID
       , SourceName
       , Message AS Mesg
       , Strings AS Strings
       , EXTRACT_TOKEN(Strings, 1, '|') AS AppName
       , EXTRACT_TOKEN(Strings, 2, '|') AS AppVersion
       , EXTRACT_TOKEN(Strings, 3, '|') AS S3
       , EXTRACT_TOKEN(Strings, 4, '|') AS Module
       , INDEX_OF(Message, 'System.IO.IOException') AS indexOf
       , CASE INDEX_OF(Message, 'System.IO.IOException')
            WHEN 0    THEN 'N'
            WHEN NULL THEN 'N'
            ELSE 'Y'
         END AS IOE
       , CASE STRCNT(Message, 'System.IO.IOException')
            WHEN 0 THEN 'No'
            ELSE 'Yes'
         END AS IOException

FROM '[LOGFILEPATH]'

WHERE ( EventType = 1 OR EventType = 2 )

ORDER BY TimeGenerated DESC



Output

 

Explanation

  1. INDEX_OF
    • We use INDEX_OF to find the position of the sought string in the Message column
      • When the column contains System.IO.IOException, the query returns the starting position of the match
      • When it is not found, NULL is returned
  2. STRCNT
    • We invoke STRCNT to count the number of matches
      • When the string is not found, 0 is returned
      • When matched, the number of matches is returned
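The same classification carried out in Python over a few constructed event rows (an added example, not code from the original post): extract_token, index_of and strcnt mirror the three Log Parser functions, and find_io_exceptions applies the query's EventType filter, the IOException test and the descending sort. The layout of the Strings column and every sample value here are made up.

```python
from dataclasses import dataclass
from typing import List, Optional
IOE = "System.IO.IOException"

@dataclass
class EventRow:
    time_generated: str
    event_type: int       # 1 = Error, 2 = Warning, 4 = Information
    source_name: str
    message: str
    strings: str          # the pipe-delimited Strings column

def extract_token(text: str, index: int, sep: str) -> Optional[str]:
    """Like EXTRACT_TOKEN: 0-based token index, None when out of range."""
    parts = text.split(sep)
    return parts[index] if 0 <= index < len(parts) else None

def index_of(text: str, pattern: str) -> Optional[int]:
    """Like INDEX_OF: 0-based offset of the first match, None when absent."""
    pos = text.find(pattern)
    return None if pos < 0 else pos

def strcnt(text: str, pattern: str) -> int:
    """Like STRCNT: number of matches, 0 when absent."""
    return text.count(pattern)

def classify(row: EventRow) -> dict:
    """Derived columns of the query; STRCNT is the robust test, a match at offset 0 still counts."""
    return {
        "TimeGenerated": row.time_generated,
        "AppName": extract_token(row.strings, 1, "|"),
        "Module": extract_token(row.strings, 4, "|"),
        "indexOf": index_of(row.message, IOE),
        "IOException": "Yes" if strcnt(row.message, IOE) else "No",
    }

def find_io_exceptions(rows: List[EventRow]) -> List[dict]:
    """WHERE EventType IN (1, 2), keep IOException = 'Yes', ORDER BY time DESC."""
    out = [classify(r) for r in rows if r.event_type in (1, 2)]
    out = [c for c in out if c["IOException"] == "Yes"]
    return sorted(out, key=lambda c: c["TimeGenerated"], reverse=True)

# Constructed sample rows, not real event-log data.
SAMPLE_ROWS = [
    EventRow("2017-05-18 10:15:01", 1, ".NET Runtime",
             "Exception Info: System.IO.IOException at System.IO.FileStream.Read",
             "hdr|Loader.exe|1.0.0.0|abc123|mscorlib|4.0.30319"),
    EventRow("2017-05-18 10:30:00", 1, "Application Error",
             "Unhandled exception: System.NullReferenceException", "hdr|Loader.exe|1.0.0.0|abc123|Loader"),
    EventRow("2017-05-18 11:02:44", 2, "ASP.NET 4.0.30319.0",
             "System.IO.IOException: cannot access file. Inner: System.IO.IOException",
             "hdr|w3wp.exe|4.0.30319.0|def456|System.Web"),
    EventRow("2017-05-18 12:00:00", 4, ".NET Runtime",
             "System.IO.IOException mentioned at information level", "hdr|x|y|z|w"),
]
```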

 

References

  1. StackOverflow
    • Log Parser Case Statement
      Link

 

Internet Information Server (IIS) – Application Pool – Tracking

Background

We have a website that has been going offline.

TroubleShooting

MS Windows

Event Viewer

We started looking at the Event Viewer.

Windows Logs – System

Events

Here is what we see in the Event Viewer:

 

Source – WAS, Event ID = 5011

General
Image

 

Textual

A process serving application pool ‘DefaultAppPool’ suffered a fatal communication error with the Windows Process Activation Service.
The process id was ‘1720’. The data field contains the error number.

Details
Image

 

References

  1. IIS Windows Process Activation Service (WAS) > IIS Application Pool > IIS Application Pool Availability
    • Event ID 5011 — IIS Application Pool Availability
      Link

Summary

It looks like something is knocking our Application\Application Pool down.

 

 

Abacus Federal Savings in Chinatown, New York : SMALL ENOUGH TO JAIL

 

MarketWatch

The story behind the only bank prosecuted after the 2008 financial crisis

Link

After the 2008 financial crisis took millions of investment dollars from Americans, shell shocked financial advisers and briefly turned the country upside down, only one bank was indicted: Abacus Federal Savings in Chinatown, New York — the 2,531st largest bank in the U.S.

Founded by Chinese-American immigrant Thomas Sung in the 1980s, the bank has six branches in three states and primarily serves the Chinese community. Federal prosecutors indicted it in 2009 for mortgage fraud, securities fraud, and conspiracy after it reported to regulators it had discovered a loan officer was laundering money there.

Rather than plead guilty, the Sungs went to court. A new documentary from Oscar-nominated “Hoop Dreams” director Steve James follows the subsequent legal battle, which plays out in the film as a David and Goliath tale of a small bank taking the fall for the financial crisis over an isolated incident with a corrupt loan officer.

“Too big to fail turns into small enough to jail, and Abacus is small enough to jail,” journalist Matt Taibbi says in the film, calling the bank “as easy a target as you could possibly pick.”

With an intimate view of the fight for innocence from a stoic Thomas Sung, his razor sharp daughters (all lawyers), and his fiery wife, it’s clear the film has a sympathetic eye for Abacus as it goes up against the U.S. government, frequently comparing Thomas Sung to George Bailey in his wife’s favorite film, “It’s a Wonderful Life.”

“It seemed clear to us as filmmakers that this bank was the mirror opposite of the big banks,” director Steve James told MarketWatch in a recent interview, noting that the Sungs reported the fraud discovered at the bank themselves. “Yet they were the ones singled out, and it kind of leads one to the conclusion that this was about planting a flag and getting a trophy to be the one prosecutor, since the feds didn’t prosecute any big banks.”

Manhattan District Attorney Cyrus R. Vance Jr. argued that there was fraud widespread enough to warrant an investigation. In May 2012, he announced charges against the bank, two supervisors, and nine former employees — 184 counts including residential mortgage fraud, security fraud, conspiracy, and falsification of business records.

As the film expresses, the indictment put on trial not just the bank itself, but the reputation of Chinese immigrants and the cash culture of Chinatown. As Jill Sung, one of the daughters, notes at one point in the film, many of their members had never used a bank before. Now, with the movie’s premiere in New York on May 19 and the trial two years behind them, her focus has turned back on the bank.

“That is the hardest part, and what I focus on most, to ensure the bank can regain itself and be profitable,” Jill Sung told MarketWatch. “We are a community bank, a minority depository institution, which means we are mission-based to help our community. Any capital we get back we put back into the bank to help our community, so profitability to us is not just about dividends and shareholders — it’s about continuing to be able to do our mission and start being profitable again.”

The film is a celebration of the American dream — as well as a kind of eulogy for the community bank. Since the financial crisis, Jill Sung said not much has changed, though big banks continue to get bigger and community banks are consolidating. With scenes from George Bailey’s ‘Bailey Building and Loan’ woven among modern-day lines of neighbors and family outside Abacus throughout, the film shows something she says is central to their practice and is being lost: community.

“There are a lot of new banks that are creating digital communities, and I think it’s great — you can have a George Bailey of digital banks,” she said. “What’s more concerning is when you have big banks where there is no community, there’s no access, there is no feeling you can talk to anybody if you have a problem. The consumer suffers in the end because they get taken advantage of and have no other choices.”

Abacus was found “not guilty” on all 240 counts after months of deliberation and a hung jury.

 

Videos

Videos – Movies

  1. Abacus: Small Enough to Jail Trailer #1 (2017) | Movieclips Indie
    Link
  2. SinoVision English Channel Archives
    • Abacus: small enough to jail
      Abacus Federal Savings Bank is a family-run bank that has served New York’s Chinatown for over three decades. Its services include helping Chinese immigrants obtain loans for homes and small businesses, and despite its steady growth, the bank was still only the 2651st largest bank in the country. When the bank became the only U.S. bank indicted for mortgage fraud related to the 2008 financial crisis, most of the big banks were deemed too big to jail and bailed out by the government. Facing charges brought by Manhattan District Attorney Cyrus Vance Jr., Abacus Federal Savings Bank founder Thomas Sung and his four daughters decided to fight for justice. The legal battle was drawn out over five years and recorded by acclaimed filmmaker Steve James and made into the documentary “Abacus: Small Enough to Jail”. During the film’s press conference at MOCA, Director Steve James and the Sung family shared more details on how the Sung family defended themselves and their bank during the five-year legal battle.
      Published On :- 2017-May-18th
      Link
  3. Director Steve James on ABACUS: SMALL ENOUGH TO JAIL (2017) – Celluloid Dreams
    Link

 

Videos – Law Case

  1. Bloomberg Law
    • Abacus Bank’s Lawyer: Fannie Mae Earned $120M Profit From Us
      Link

 

 

Scott Galloway

Introduction

Scott Galloway, a clinical professor of Business and Marketing, discusses brand building, computer algorithms, and new interfaces such as voice.

 

Wikipedia

Link
Scott Galloway is a clinical professor of marketing at the New York University Stern School of Business, public speaker, and entrepreneur.

He’s the founder of digital intelligence firm L2 and Firebrand Partners (founded in 2005), an activist hedge fund that has invested over $1 billion in U.S. consumer and media companies.
In 1992, Galloway founded Prophet, a brand and marketing consultancy firm that employs over 350 professionals in the United States, Europe, and Asia.
He has served on the board of directors of Eddie Bauer, The New York Times Company, Gateway Computer and Berkeley’s Haas School of Business. Galloway is also known for his public presentations and TED-style talks, in which he presents L2’s Digital IQ Index results, ranking over 700 global brands across dimensions including e-commerce, social media, and digital marketing.

Videos

  1. Business Insider
    Published On :- 2017-April-23rd
    Link
  2. Scott Galloway – How Amazon is Dismantling Retail
    Scott Galloway speaks at L2’s Amazon Clinic about how Amazon is disrupting retail. Not only has Amazon changed consumer shopping habits, it has changed the relationship between shareholders and investors. Investors are no longer satisfied with steadily growing profits; instead they seek fast growth and strong vision – even at the expense of profitability. See video for insights on the future of brand, Alexa’s effect on households.
    Published On :- 2017-April-17th
    Link

WannaCry  – RansomWare – Patching MS Windows 2003 / Windows XP

Background

I have some Windows XP and Windows 2003 boxes in my lab.

And, since they are very vulnerable to the SMB vulnerability exploited by WannaCry, let us go patch them.

 

KB4012598

The fix for Windows XP and Windows 2003 is packaged as KB4012598.

 

Download URL

The patch is available @

  1. Windows 2003
    • Security Update for Windows Server 2003 ( KB 4012598)
      Link

Download Patch

Browser Choice

Internet Explorer

On the Windows 2003 box, I launched IE and tried downloading the patch for Windows 2003.

Again, here is the URL attempted.

Chrome

Chrome shows the page contents, offers a download button, and the download succeeded.

 

Apply Patch

Outline

  1. Access Saved Folder
  2. Launch downloaded file
    • As this is a downloaded file, you are prompted as to whether it is OK to run it
    • On the Welcome screen, click the Next button
    • On the “License Agreement” screen, choose the “I Agree” button
    • Keep an eye on the “Updating Your System” screen

Images

Images – Open File – Security Warning

Images – Welcome

Images – License Agreement

Images – Updating Your System

 

Review Applied Patches

Let us review Applied patches.

Outline

  1. Launch Control Panel
  2. Access the Add and Remove Programs applet
  3. Select the “Change or remove Programs” group box
    • Choose “Show updates”
    • In the “Sort By” drop-down, choose Name
    • Review the entries listed under “Windows Server 2003 – Software Updates”
    • Before applying the patch
      • The last update was on Sept 7th, 2015
    • After applying the patch
      • Last applied patch: KB4012598
      • Patch applied on May 19th, 2017

Images

Image – Before

Image – Before – Top

Image – Before – Bottom

 

 

Image – After

 

Additional Reading

As always there is an awful lot of commentary out there:

  1. Talos
    • Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams
      • Player 3 Has Entered the Game: Say Hello to ‘WannaCry’
        Link
  2. Lawrence Abrams
    • Bleeping.com
      • How to remove the WannaCry & Wana Decryptor Ransomware
        Link
  3. Comae.io
    • Matt Suiche, Hacker, Microsoft MVP, Founder of @comaeio — Co-Founder of @CloudVolumes (now @VMWare)
      • WannaCry — The largest ransom-ware infection in History
        Link
  4. United States Computer Emergency Readiness Team ( US-CERT )
    • Indicators Associated With WannaCry Ransomware – Alert (TA17-132A)
      Link

 

SQL Server – Analysis Services – Cannot Connect ( Microsoft.AnalysisServices.AdomdClient )

Background

Users are having problems connecting to the Analysis Services Server.

 

Error Message

Image

Text


TITLE: Connect to Server
------------------------------

Cannot connect to ....sql01.

------------------------------
ADDITIONAL INFORMATION:

A connection cannot be made. Ensure that the server is running. (Microsoft.AnalysisServices.AdomdClient)

------------------------------

A connection attempt failed because the connected party did not properly respond after a period of time, 
or established connection failed because connected host has failed to respond z.y.76.188:2383 (System)


Text


===================================

Cannot connect to d-isql01.

===================================

A connection cannot be made. Ensure that the server is running. (Microsoft.AnalysisServices.AdomdClient)

------------------------------
Program Location:

at Microsoft.AnalysisServices.AdomdClient.XmlaClient.GetTcpClient(ConnectionInfo connectionInfo)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.OpenTcpConnection(ConnectionInfo connectionInfo)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.OpenConnection(ConnectionInfo connectionInfo, Boolean& isSessionTokenNeeded)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.Connect(ConnectionInfo connectionInfo, Boolean beginSession)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.XmlaClientProvider.Connect(Boolean toIXMLA)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.XmlaClientProvider.Microsoft.AnalysisServices.AdomdClient.AdomdConnection.IXmlaClientProviderEx.ConnectXmla()
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.ConnectToXMLA(Boolean createSession, Boolean isHTTP)
at Microsoft.AnalysisServices.AdomdClient.AdomdConnection.Open()
at Microsoft.SqlServer.Management.SqlStudio.Explorer.ObjectExplorerService.ValidateConnection(UIConnectionInfo ci, IServerType server)
at Microsoft.SqlServer.Management.UI.ConnectionDlg.Connector.ConnectionThreadUser()

===================================

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xx.xx.xx:2383 (System)

------------------------------
Program Location:

at System.Net.Sockets.TcpClient..ctor(String hostname, Int32 port)
at Microsoft.AnalysisServices.AdomdClient.XmlaClient.GetTcpClient(ConnectionInfo connectionInfo)


TroubleShooting

Server

Resource Monitor

If the server has Microsoft’s Resource Monitor built in, let us use it to review the network ports.

Image

Explanation

  1. Listening Ports
    • Image :-
      • msmdsrv.exe
    • Address :-
      • IPV4 unspecified
      • IPV6 unspecified
    • Port :-
      • 2383
    • Protocol
      • TCP
    • Firewall Status
      • Allowed, not restricted

 

Client

netstat

Script


netstat -an | find "SYN_SENT"

Sample Output

Explanation

  1. The request was sent to port 2383
  2. The status is SYN_SENT
    • SYN_SENT means the client has sent its SYN and is still waiting for the server’s SYN-ACK; when the state never progresses, the packets are being dropped somewhere between the client and port 2383 (typically by a firewall)
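An added client-side check for this symptom (example code, not from the original post): parse_syn_sent picks the half-open connections to port 2383 out of netstat -an text, and probe_port tells a silently dropped SYN (timeout, the SYN_SENT case) from a service that is simply not listening (refused). The netstat sample and the 192.0.2.x addresses are constructed.

```python
import socket
from typing import List, Tuple

SSAS_PORT = 2383

# Constructed sample of "netstat -an" output on a client (not real data).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.25:49712       192.0.2.10:2383        SYN_SENT
  TCP    192.0.2.25:49713       192.0.2.10:2383        SYN_SENT
  TCP    192.0.2.25:49800       192.0.2.11:1433        ESTABLISHED
"""

def parse_syn_sent(netstat_text: str, port: int = SSAS_PORT) -> List[Tuple[str, str]]:
    """Return (local, foreign) pairs stuck in SYN_SENT towards the given port."""
    hits = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) != 4 or cols[0] != "TCP" or cols[3] != "SYN_SENT":
            continue
        local, foreign = cols[1], cols[2]
        if foreign.rsplit(":", 1)[-1] == str(port):
            hits.append((local, foreign))
    return hits

def probe_port(host: str, port: int, timeout: float = 3.0) -> str:
    """'open': handshake completed. 'refused': host sent RST, nothing listens.
    'timeout': no reply at all, i.e. the SYN_SENT symptom, which usually means
    a firewall silently drops the SYN. Anything else: 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    finally:
        s.close()

def probe_loopback_demo() -> Tuple[str, str]:
    """Show the open/refused distinction offline: probe an ephemeral loopback
    listener, close it, then probe the same port again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, 1.0)
    srv.close()
    return while_listening, probe_port("127.0.0.1", port, 1.0)
```

Against the real server, probe_port("ssas-host", 2383) returning "timeout" matches the SYN_SENT picture above, while "refused" points at the service itself rather than the network path.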

Remediation

Open up TCP Port 2383.

 

Review

Once the Network Port, 2383, is opened up retry access with SSMS.

 

Network Flow

Also, it makes sense to review the Network Traffic to get a full list of ports to be opened.

WireShark

Output

 

Explanation

It seems Analysis Services relies exclusively on port 2383.

Windows – Event Viewer Parsing Through Log Parser Studio

Background

Need to parse MS Windows Event Logs.

One of the ways to do so is to use Log Parser Studio.

 

Event Viewer

Let us save the events onto the file system.

Outline

  1. Launch Event Viewer
  2. Select the Logs you want ( Application / System / Security )
  3. Right-click on the log and, from the drop-down menu, choose “Save All Events As …”
  4. Choose the folder and filename
  5. The file is saved with the extension “Event Files (*.evtx)”

 

Images

Launch Save Event As

Choose Filename

 

Log Parser Studio

Outline

  1. Launch Log Parser Studio
  2. Choose Log Type: EVTLOG
  3. Enter Query
  4. Execute Query

 

Choose Log Type : EVTLOG

Sample Queries


/*  Find top 1000 warnings and errors in the Application Log 
    Levels: 1=Error, 2=Warning                                
*/
SELECT TOP 1000 
             TimeGenerated
           , ComputerName
           , EventCategoryName
           , EventTypeName
           , EventID
           , SourceName
           , Message
FROM 'C:\Temp\04_WindowsLogs_Applications_20170518_0403PM.evtx'
WHERE ( EventType = 1 OR EventType = 2 )
AND   (
               (SourceName like 'ASP%' )
            or (SourceName = '.NET Runtime' )
            or (SourceName = 'Application Error' )
      )
ORDER BY TimeGenerated DESC


Click Execute Button

Click on the Execute button – the red icon with the exclamation mark!

 

Sample Output

 

Export

Outline

  1. In Log Parser Studio, use menu File \ Export \ Output as .CSV
  2. In the “Choose Location to save CSV File” window, please specify folder and file name

 

Images

File \ Export \ “Output as .CSV”

 

Choose Location to save CSV File

Excel File