Sunday, September 20, 2009

ISP blocking ports

Unless you are a customer of the Norwegian ISPs Get or Telenor, this post will only be a general guide to what your ISP might or might not do to your connection. It should be a part of your consideration when troubleshooting an internet link that does not seem to do what you think it should.

After transferring from Telenor to Get as my internet service provider, I noticed that some of my mail accounts would not let any mail through anymore. As I discovered, there was no response from any SMTP mail server but one, namely Get's own SMTP server. Telenor also blocks communication to servers other than their own over TCP port 25 (SMTP), but at least there is a choice to switch this extra filtering off via your user webpages. When contacting Get about the same feature, after a long wait, they responded that they are blocking all of the following ports to their customers:

Port      Protocol   Service       Direction
21        TCP        FTP           In
25 *      TCP        SMTP          In and out (except Get)
69        UDP        TFTP          In and out
80        TCP        WEB/http      In
137-139   TCP/UDP    NetBios       In and out
161       UDP        SNMP          Out
548       TCP        AFPoverTCP    In
12345     ICMP/TCP   Netbus        In and out
27374 *   TCP        ASP           In and out

ASP above means Address Search Protocol, not Active Server Pages, in this list.

It is an annoying fact that the ISPs running such a practice do not all make this info available on their webpages (e.g. under FAQ or a technical info section) - you have to beg for it. If you have higher requirements than mainstream web browsing and mail via your ISP's own servers, it is better to check with your potential new ISP before moving your business there than to find out later that you have not gotten the connection you need.
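
When the ISP does not publish its filter list, the symptom described above (no response from any SMTP server except the ISP's own) can be checked from your own connection. The following is an added example, not code from the original post: it probes the same TCP port on several hosts you name on the command line and tells a silent drop apart from a normal refusal. The function names and result strings are choices made for this example.

```python
import socket
import sys


def probe_tcp(host, port, timeout=3.0):
    """Classify one outbound TCP connection attempt from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed
    except ConnectionRefusedError:
        return "refused"         # far end answered with a reset: path is open
    except (socket.timeout, TimeoutError):
        return "filtered"        # no answer at all, as when packets are dropped
    except OSError:
        return "error"           # DNS failure, no route, or other local problem


def diagnose(results, isp_host):
    """Interpret probe_tcp results (host -> status) collected for one port."""
    others = [status for host, status in results.items() if host != isp_host]
    if not others or not all(status == "filtered" for status in others):
        return "no sign of port filtering"
    if results.get(isp_host) == "open":
        return "filtered except towards the ISP's own server"
    return "filtered towards every tested host"


if __name__ == "__main__":
    # Usage: script.py PORT ISP_HOST OTHER_HOST [OTHER_HOST ...]
    if len(sys.argv) < 4:
        sys.exit("usage: PORT ISP_HOST OTHER_HOST [OTHER_HOST ...]")
    port, isp_host = int(sys.argv[1]), sys.argv[2]
    results = {host: probe_tcp(host, port) for host in sys.argv[2:]}
    for host, status in results.items():
        print(f"{host}:{port} {status}")
    print(diagnose(results, isp_host))
```

A "filtered" result only shows that packets are dropped somewhere on the path; repeating the probe from a different network tells you whether the drop happens at your ISP.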

If you need to run your own web, SMTP or FTP service over standard ports (running them on non-standard ports is of course no problem), and you have an internet provider that does not think that your internet connection should be fully open and your own responsibility, you could use services like the free DynDNS to get traffic in and out.

References:
Telenor's info on blocking/opening SMTP port 25 (Norwegian)
Get's only info on the subject - not much (Norwegian)

Tuesday, May 12, 2009

XP Firewall option "My network (subnet) only" blocks traffic from local subnet

Problem: The weirdest problem occurred on a Windows XP Service Pack 3 computer: I changed a firewall rule scope from "Any computer" to "Local subnet only," only to find that the service did not accept traffic from my local subnet anymore. I started investigating, and ended up testing several different services and ports. The same thing happened: Once the port or service had been restrained to the scope "My network only", no traffic from computers on the local subnet was allowed through.

Symptoms: I noticed first because I tried to ping the computer. The name was not resolved, because the UDP 137 port (part of the File and Printer sharing entity) for NetBios name resolving was blocked when set to "my network only" scope. The same thing happened to the VNC server service - once the 5900 port or the VNC server service was set to "my network only", it was no longer possible to connect to the computer from another local host.

Resolution: Sifting through probably a few dozen webpages left me empty-handed. In the end, I decided to rebuild the firewall settings from scratch by clicking the "Restore default settings" button on the Advanced tab in Windows Firewall. When I now selected a "Local subnet only" scope, it worked like a charm. My firewall configuration was obviously messed up and needed a reset.

Reason:
Who knows?

Apart from understanding what went wrong, the hardest thing in such a situation is to know when you should stop wasting time searching for the reason and resort to a tedious rebuild of firewall rules. Most boring: I still do not know what had gone wrong, only what solved it. :(

Tuesday, April 7, 2009

WPF DatePicker: Replace/remove the "Show Calendar" string

Scenario: I am programming in VB.NET using WPF (Windows Presentation Foundation) as the visual platform. The program will among other things also ask the user to select a date. I found and installed the WPF Toolkit from the Microsoft CodePlex website, which includes the DatePicker tool in question.

Problem: This post will probably be obsolete in a few months, but for those of us who need to use the WPF Toolkit DatePicker tool in its current (April 2009) state in their applications, there's no straightforward way to remove the "Show Calendar" text that shows up on the DatePicker text field when no date is selected. I needed to start out with a blank date - selecting one would be optional for the user.

Solution: On the CodePlex website, they will tell you how to modify the xaml template to achieve just that, but I came up with an (imho) ingenious - or should we say quick and dirty - solution to avoid fiddling with all that. Basically this method consists of two steps:
  1. Put a blank Textbox on top of the DatePicker control so that only the date icon shows
  2. Add a couple of code lines to control the transfer of the date between the text box and the date picker.
To achieve no. 1, I had a grid control in my XAML where both the DatePicker and the TextBox are aligned in the same position, e.g. Margins 0 of the grid cell in question.

I found 85 to be just the right length to cover the DatePicker's text field, without hiding its icon. I removed tabstop from the DatePicker to avoid ever landing at the DatePicker's text field that is hidden behind the TextBox, when using the keyboard to navigate in the app. The xaml looks like this:

<my:DatePicker Grid.Row="0" Grid.Column="1" Margin="0" Name="DatePicker1" Height="24" VerticalAlignment="Top" HorizontalAlignment="Left" IsTabStop="False" Width="85" />

<TextBox Grid.Row="0" Grid.Column="1" Margin="0" Name="TextBox1" HorizontalAlignment="Left" Width="85" />

Now, the only thing needed is a couple of event handlers to transfer the dates back and forth:


' Keep the hidden DatePicker in sync with whatever the user types.
Private Sub TextBox1_TextChanged(ByVal sender As System.Object, ByVal e As System.Windows.Controls.TextChangedEventArgs) Handles TextBox1.TextChanged
    DatePicker1.Text = NormalizeDateString(TextBox1.Text)
End Sub

' When the user leaves the TextBox, show the date as the DatePicker holds it.
Private Sub TextBox1_LostFocus(ByVal sender As System.Object, ByVal e As System.Windows.RoutedEventArgs) Handles TextBox1.LostFocus
    TextBox1.Text = DatePicker1.Text
End Sub

' After a date is picked from the calendar, move focus to the TextBox so that
' the LostFocus handler above copies the selected date into it.
Private Sub DatePicker1_SelectedDateChanged(ByVal sender As System.Object, ByVal e As System.Windows.Controls.SelectionChangedEventArgs) Handles DatePicker1.SelectedDateChanged
    TextBox1.Focus()
End Sub

Oh, and finally, the NormalizeDateString function referenced above:

Protected Function NormalizeDateString(ByVal DateIn As String) As String
    ' Nothing typed yet: keep the date blank.
    If String.IsNullOrEmpty(DateIn) Then Return ""
    ' Drop a trailing period before parsing.
    If DateIn.EndsWith(".") Then DateIn = DateIn.Substring(0, DateIn.Length - 1)
    Dim ConvertedDato As DateTime
    ' Anything that does not parse as a date is returned as an empty string.
    If Not DateTime.TryParse(DateIn, ConvertedDato) Then Return ""
    Return ConvertedDato.ToShortDateString()
End Function

And voilà! You have a WPF DatePicker that does not display any text if the date is left blank, and that at any time will hold the date the user selected, regardless of whether the user types the date (in the overlaying TextBox) or selects it by clicking the DatePicker calendar icon visible to the right of the TextBox.

Tuesday, March 10, 2009

Conficker/Downadup removal - safe mode gives bluescreen

This is the most useless way to make money that I know of: Fighting viruses. As if there aren't enough real technical challenges to play with.

A customer was hard hit by the Conficker/Downadup virus the other day. The B variant didn't take too long to figure out how to remove, but a couple of the affected computers would not boot to safe mode, yielding the bluescreen of death (BSOD). No virus removal software I tried was able to detect the junk process causing this, so I had to research a little on my own.

Update 14.3.09:
BitDefender now has a removal tool that they claim will also remove the .C variant. I haven't tested it though.

The Downadup.B and .C variants are well described at Symantec's and others' websites, so I won't repeat that. I'll just give a practical short work list that worked for me and left my customer's computers virus free:

Determining if you are infected by Downadup.B:
There are a couple of simple checks that give you a good indication of whether you are affected by Downadup.B. One or more of these bullets indicates that you are infected:
  • You are not able to browse to sites like www.symantec.com or www.microsoft.com. Other non-antivirus websites, like your local newspaper's webpage, work fine.
  • You have several entries in Scheduled Tasks - like "at", possibly with a number behind
  • The obvious one: Check your antivirus software logs to see if the virus has been identified
Quick cleaning of Downadup and securing from reinfection
Here's how I cleaned each computer and managed to keep it from being reinfected by other infected computers on the network (although they should all have been physically disconnected from the network):
  • Physically disconnect each computer on your LAN
  • Boot to safe mode without network support (if you get a bluescreen - see below)
  • Change passwords of all local users that have "guessable" passwords - see list on Symantec's virus description page. Gotcha: The virus also guesses existing usernames on the system, even backwards or repeated two times, as possible passwords.
  • Make sure Windows Firewall (or equivalent) is on
  • Make sure you do not allow autorun from USB sticks etc. (see below)
  • Run the removal tool from Symantec (or other tool of your choice)
If you want to remove the virus manually or check that all traces are gone, I found this description from Microsoft to be one of the most helpful.

With all the above steps done, you are ready to connect to the LAN again and try to reboot into normal mode.

Booting to safe mode results in bluescreen
This means that things get a little tougher. Symantec did not have a removal tool for the Downadup.C virus when I needed it (Update: BitDefender has - see note above). In addition, the Downadup.B removal tool was killed the same instant you tried to start it. The same goes for many antivirus packages etc.

To solve this, you need to find a clean donor computer with the same OS and probably as identical hardware as possible. Export the following regkey to a memory stick (that you have verified is clean before plugging it into your clean donor computer) or similar and run it on the infected computer:

HKLM\System\CurrentControlSet\Control\SafeBoot

Then quickly reboot into safe mode (F8 upon reboot), in the hope that the virus will not redelete the key before you manage to take down your system for reboot.

Removing the Downadup.C
You have now managed to boot into safe mode (F8 during boot). The virus is still there; you will need to look for it manually, unless there's a removal tool by the time you read this. On my two infected computers where I got a bluescreen upon safe mode boot, I opened Windows Explorer in c:\windows\system32, sorted the files by date and looked for the most recent DLLs or EXE files I could find. There was only one DLL file created within the last week, and in both cases it was named a random set of characters. Going to properties, I verified that there was no Microsoft version information - hence, this file would most probably not be to my benefit. Just to make sure, I renamed the file extension to VIRUSSUSPECT and rebooted. The virus was gone, and I had the proof I needed to delete the file I first renamed.
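
The manual hunt described above (recent DLL or EXE files in system32 that carry no Microsoft version information) can be scripted for triage. This is an added example, not the author's code. As assumptions, it uses the file modification time as a portable stand-in for the creation date sorted on in Explorer, and a raw byte search for the version-resource key instead of a full PE parse, so every hit is only a candidate for the rename-and-reboot test.

```python
import os
import time

# UTF-16LE key that starts every Win32 version resource (VS_VERSIONINFO.szKey).
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")
VENDOR = "Microsoft".encode("utf-16-le")


def triage_recent_binaries(directory, days=7, now=None):
    """Return names of recent .dll/.exe files without Microsoft version info.

    Heuristic only: the raw bytes are searched for the version-resource key
    instead of walking the PE resource tree, and st_mtime is used because it
    behaves the same on every platform.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    suspects = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        if os.path.splitext(entry.name)[1].lower() not in (".dll", ".exe"):
            continue
        if entry.stat(follow_symlinks=False).st_mtime < cutoff:
            continue  # older than the window: not part of this triage
        try:
            with open(entry.path, "rb") as fh:
                data = fh.read()
        except OSError:
            # A recent binary that cannot be read deserves a manual look too.
            suspects.append(entry.name)
            continue
        if not (VERSION_KEY in data and VENDOR in data):
            suspects.append(entry.name)
    return sorted(suspects)


if __name__ == "__main__":
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    if os.path.isdir(system32):
        for name in triage_recent_binaries(system32):
            print("review manually:", name)
```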

Beware that Downadup.C also weakens security settings, and these are NOT restored just by removing the virus DLL. Again, review the Symantec (or other) descriptions of the virus and take action accordingly.

Good luck, and good hunting!

Sunday, February 1, 2009

ICS (Internet Connection Sharing) disturbed by VPN client software

Setup: [Computer]---[ICS Computer]---[Internet router]---Internet
The ICS Computer runs Vista, Computer runs Windows XP, Windows Server 2000 or any other.
The ICS Computer also has one or more VPN client software packages installed. In my case, the Checkpoint SecuRemote VPN client and AnchorFree HotSpot Shield were installed, but not running at the time when this problem occurred.

Problem: Computer can not browse websites, Skype will not log on, FTP to internet FTP servers will not work. Computer can however ping all destinations, local as well as internet addresses using DNS names or IP addresses.

Obviously, some (ICMP/ping and DNS requests), but not all of the network traffic is correctly passed through the ICS Computer. After having played around with disabling any firewall on Computer and ICS Computer without any improvement, I tried the following:

Solution: I removed the two software pieces known to create virtual network interfaces on the ICS Computer, hence the CheckPoint SecuRemote and AnchorFree HotSpot Shield had to go. Reboot, and voilà, it worked!

Prime suspect: Since the AnchorFree HotSpot Shield was still wanted on the system, I reinstalled it. ICS still works, bringing me to the strong assumption that the CheckPoint SecuRemote was the one that messed things up.

The Nerd's little blowout: I have been working with a variety of VPN software client solutions, like Cisco, CheckPoint, RSA etc. In my experience, they all have in common that they in various forms deprive you of unrestricted simultaneous access to other network segments that are normally accessible from your computer. Try connecting a VPN client and at the same time access your local LAN server. You are lucky if it works. Try reaching two different remote sites over two different VPN clients at the same time, and you may even see the good old bluescreen of death. Try running ICS to let another computer connect to the internet on a computer where VPN client software is installed - you get ping and DNS and nothing else. Now THAT's why I'd rather have any VPN link over site-to-site VPN on dedicated VPN routers.