Sign in with
Sign up | Sign in
Your question

FTP server was hacked and can no longer get out to interne..

Last response: in Windows 2000/NT
Share
July 20, 2004 1:30:05 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

My ftp server was hacked. I managed to clean it up and get it back online, but now the DNS won't resove any names. Actually it can't even resolve IP addresses either. I checked the hosts file to make sure nothing was listed there. Everything is set like usual in the TCP/IP properties, with correct DNS servers. Where else can I look to see if someone listed my IP address somwhere in my server that blocks outgoing traffic. Incomming traffic is fine. This is hindering my anti-virus updates, pls. help.

A
Anonymous
July 20, 2004 3:46:57 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

"AC" <AC@discussions.microsoft.com> wrote in message
news:377C9290-AC70-45B0-8538-702768F622F7@microsoft.com...
> My ftp server was hacked. I managed to clean it up and get it back online,
but now the DNS won't resove any names. Actually it can't even resolve IP
addresses either. I checked the hosts file to make sure nothing was listed
there. Everything is set like usual in the TCP/IP properties, with correct
DNS servers. Where else can I look to see if someone listed my IP address
somwhere in my server that blocks outgoing traffic. Incomming traffic is
fine. This is hindering my anti-virus updates, pls. help.

Check these:
(If one Internet) Can you ping? www.yahoo.com
(If one Internet) Can you ping? 66.94.230.50
If not, what does tracert show?

What does NSLookup for various locations?
What if you specify a different (than the default) DNS
server?

nslookup www.yahoo.com 161.58.177.171

(that's mine)

--
Herb Martin


>
> A
July 21, 2004 11:22:02 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

Herb,
Thanks for the suggestions. I tried, but with failed results.

I cannot ping by domain name
I cannot ping by IP address
Tracecrt fails with 'request timed out'

nslookup fails with 'dns request timed out' 'can't find server name for address'
I tried other DNS servers from our ISP but still nothing...
The only thing I can ping is the ftp IP address

After I discovered that someone hacked the site, they listed my IP address as a 'blocked user'. No one from this location (physical) was able get to the site until I unblocked the IP address. People were able to upload after this point. I put the ftp server on another network (internal) to test and DNS resolved fine through our internal DNS servers. So the ftp server responds fine (upload/download) but DNS is hosed when it trys any other Name servers (externally). I'm assuming the hacker listed or created a blocking mechanism that won't allow me to resolve outbound names or IP's. Any more suggestions?

AC

"Herb Martin" wrote:

> "AC" <AC@discussions.microsoft.com> wrote in message
> news:377C9290-AC70-45B0-8538-702768F622F7@microsoft.com...
> > My ftp server was hacked. I managed to clean it up and get it back online,
> but now the DNS won't resove any names. Actually it can't even resolve IP
> addresses either. I checked the hosts file to make sure nothing was listed
> there. Everything is set like usual in the TCP/IP properties, with correct
> DNS servers. Where else can I look to see if someone listed my IP address
> somwhere in my server that blocks outgoing traffic. Incomming traffic is
> fine. This is hindering my anti-virus updates, pls. help.
>
> Check these:
> (If one Internet) Can you ping? www.yahoo.com
> (If one Internet) Can you ping? 66.94.230.50
> If not, what does tracert show?
>
> What does NSLookup for various locations?
> What if you specify a different (than the default) DNS
> server?
>
> nslookup www.yahoo.com 161.58.177.171
>
> (that's mine)
>
> --
> Herb Martin
>
>
> >
> > A
>
>
>
Related resources
Can't find your answer ? Ask !
Anonymous
July 22, 2004 4:31:09 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:007EA0B7-CDA5-44D9-8EE5-E0EE756E15A6@microsoft.com,
AC <AC@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Herb,
> Thanks for the suggestions. I tried, but with failed results.
>
> I cannot ping by domain name
> I cannot ping by IP address
> Tracecrt fails with 'request timed out'
>
> nslookup fails with 'dns request timed out' 'can't find server name
> for address'
> I tried other DNS servers from our ISP but still nothing...
> The only thing I can ping is the ftp IP address
>
> After I discovered that someone hacked the site, they listed my IP
> address as a 'blocked user'. No one from this location (physical) was
> able get to the site until I unblocked the IP address. People were
> able to upload after this point. I put the ftp server on another
> network (internal) to test and DNS resolved fine through our internal
> DNS servers. So the ftp server responds fine (upload/download) but
> DNS is hosed when it trys any other Name servers (externally). I'm
> assuming the hacker listed or created a blocking mechanism that won't
> allow me to resolve outbound names or IP's. Any more suggestions?
>
> AC
>

Do you have some sort of intelligent firewall mechanism that 'learned' of an
attack and squelched it?

Who exactly listed your IP as a 'blocked user'? Your ISP? How exactly did
you 'unblock' your IP? Do you have some sort of web based admin utility thru
the ISP? Maybe I'm not understanding this part. Is there one IP coming in
and you have NAT and its being port remapped or is your whole IP block
public IPs? If you can elaborate, that would be great.

What I'm seeing so far with the info provided, that if it works internally
and not externally, that IP seems to be blocked, unless the Root zone exists
and its not resolving outside due to that or some services were stopped
(DHCP client service is required).

Curious, how was your FTP server 'hacked'? What exactly did they do, did
they 'pub' your machine? How did you clean it up? If it was 'pubbed', did
you find a copy of ServU or WarFTP on it somewhere? Were there any folders
that you couldn't delete? Were there any services entered or reg entries
created in the Run key to startup at boot time? Did they by chance also kill
your admin shares?

Please do elaborate...

Thanks


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
July 22, 2004 11:29:02 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

Ace,
I'll try to answer your questions, bare with me...

There isn't any firewall loaded on the box.

I'm not sure who listed the IP as being blocked but it showed up on our FTP servers 'deny access from this IP' list. We have 2 admins in our IT dept. and neither one of us put it there. I thought it was odd so I checked the virus scanner log and also found a detection of Win32.Spybot. It seemed to have dropped some files in our /ftproot location that said "hacked by..." I forgot the name but I ended up having to get the server in safe mode to get rid of those extra folders and files. Safe mode was the only way I could do it (with my limited knowledge).

Our ftp server sits on our DMZ and has a public accessible IP (static, from our ISP).

What does 'pub' my machine mean? I cleaned it up by getting rid of the virus on it. I checked the services and did notice that there is a 'Serv-U- FTP server' service which is set to automatic (startup type). We use BulletProof so this seems odd to me now. I've used Serv-U, but only testing it, and on a different box. There were folders that I couldn't delete (placed under the /ftproot), which led me to removing them through safe mode. I didn't find any Run/RunOnce/ or RunOnceEX keys listed under Local Machine... The admin shares were still intact.

So were I stand now. The server functions fine. Users hitting the public IP can upload/download fine. Users in our internal network can upload/download fine. Before, the internal users were blocked b/c the IP for our SonicWall was listed there, which is different from our Router's IP. When they connect, they were coming in with the Sonicwall's IP address.

Does this help any?
AC

"Ace Fekay [MVP]" wrote:

> In news:007EA0B7-CDA5-44D9-8EE5-E0EE756E15A6@microsoft.com,
> AC <AC@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > Herb,
> > Thanks for the suggestions. I tried, but with failed results.
> >
> > I cannot ping by domain name
> > I cannot ping by IP address
> > Tracecrt fails with 'request timed out'
> >
> > nslookup fails with 'dns request timed out' 'can't find server name
> > for address'
> > I tried other DNS servers from our ISP but still nothing...
> > The only thing I can ping is the ftp IP address
> >
> > After I discovered that someone hacked the site, they listed my IP
> > address as a 'blocked user'. No one from this location (physical) was
> > able get to the site until I unblocked the IP address. People were
> > able to upload after this point. I put the ftp server on another
> > network (internal) to test and DNS resolved fine through our internal
> > DNS servers. So the ftp server responds fine (upload/download) but
> > DNS is hosed when it trys any other Name servers (externally). I'm
> > assuming the hacker listed or created a blocking mechanism that won't
> > allow me to resolve outbound names or IP's. Any more suggestions?
> >
> > AC
> >
>
> Do you have some sort of intelligent firewall mechanism that 'learned' of an
> attack and squelched it?
>
> Who exactly listed your IP as a 'blocked user'? Your ISP? How exactly did
> you 'unblock' your IP? Do you have some sort of web based admin utility thru
> the ISP? Maybe I'm not understanding this part. Is there one IP coming in
> and you have NAT and its being port remapped or is your whole IP block
> public IPs? If you can elaborate, that would be great.
>
> What I'm seeing so far with the info provided, that if it works internally
> and not externally, that IP seems to be blocked, unless the Root zone exists
> and its not resolving outside due to that or some services were stopped
> (DHCP client service is required).
>
> Curious, how was your FTP server 'hacked'? What exactly did they do, did
> they 'pub' your machine? How did you clean it up? If it was 'pubbed', did
> you find a copy of ServU or WarFTP on it somewhere? Were there any folders
> that you couldn't delete? Were there any services entered or reg entries
> created in the Run key to startup at boot time? Did they by chance also kill
> your admin shares?
>
> Please do elaborate...
>
> Thanks
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 23, 2004 12:34:07 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:13A027B1-1525-4B8C-97A0-5D5CEDFEC00A@microsoft.com,
AC <AC@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Ace,
> I'll try to answer your questions, bare with me...
>
> There isn't any firewall loaded on the box.
>
> I'm not sure who listed the IP as being blocked but it showed up on
> our FTP servers 'deny access from this IP' list. We have 2 admins in
> our IT dept. and neither one of us put it there. I thought it was odd
> so I checked the virus scanner log and also found a detection of
> Win32.Spybot. It seemed to have dropped some files in our /ftproot
> location that said "hacked by..." I forgot the name but I ended up
> having to get the server in safe mode to get rid of those extra
> folders and files. Safe mode was the only way I could do it (with my
> limited knowledge).
>
> Our ftp server sits on our DMZ and has a public accessible IP
> (static, from our ISP).
>
> What does 'pub' my machine mean? I cleaned it up by getting rid of
> the virus on it. I checked the services and did notice that there is
> a 'Serv-U- FTP server' service which is set to automatic (startup
> type). We use BulletProof so this seems odd to me now. I've used
> Serv-U, but only testing it, and on a different box. There were
> folders that I couldn't delete (placed under the /ftproot), which led
> me to removing them through safe mode. I didn't find any Run/RunOnce/
> or RunOnceEX keys listed under Local Machine... The admin shares were
> still intact.
>
> So were I stand now. The server functions fine. Users hitting the
> public IP can upload/download fine. Users in our internal network can
> upload/download fine. Before, the internal users were blocked b/c the
> IP for our SonicWall was listed there, which is different from our
> Router's IP. When they connect, they were coming in with the
> Sonicwall's IP address.
>
> Does this help any?
> AC
>

Yes, it does help. Your machine was pubbed. Bet there were apps, movies,
games, etc in those folders you couldn't delete. If you can;t see them, then
you need to have a direct link to the subfolder's path to get to them. I
learned a long time ago how to do this, its called folder locking using a
placeholder such as:

/ /. /. folder name saying hacked by some bogus nut

(those are not spaces, they are unprintable ASCII characters so other
pubsters can't delete the files. Software pirates do this to offer their
"warez" to others and they post the hacked FTP server to a 'pub' board for
others to get them and so they have access to get others, its a sharing
method among them, hence the term 'pubbed'. You got pubbed. But glad you
found it. Disable that ServU service, they put it there. Find the path to
the servu exe (in properties of that service) and delete it.

You actually didn't have to go into safe mode to delete the files, but that
may have been the easiest for you. There is another method, but don't worry
about it now.

But glad you got it working ok now. But I am still unclear what this means:

> I'm not sure who listed the IP as being blocked but it showed up on
> our FTP servers 'deny access from this IP' list.

How did it show up? When you connected to it thru an FTP client?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
July 23, 2004 9:49:02 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

"Ace Fekay [MVP]" wrote:

> In news:13A027B1-1525-4B8C-97A0-5D5CEDFEC00A@microsoft.com,
> AC <AC@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > Ace,
> > I'll try to answer your questions, bare with me...
> >
> > There isn't any firewall loaded on the box.
> >
> > I'm not sure who listed the IP as being blocked but it showed up on
> > our FTP servers 'deny access from this IP' list. We have 2 admins in
> > our IT dept. and neither one of us put it there. I thought it was odd
> > so I checked the virus scanner log and also found a detection of
> > Win32.Spybot. It seemed to have dropped some files in our /ftproot
> > location that said "hacked by..." I forgot the name but I ended up
> > having to get the server in safe mode to get rid of those extra
> > folders and files. Safe mode was the only way I could do it (with my
> > limited knowledge).
> >
> > Our ftp server sits on our DMZ and has a public accessible IP
> > (static, from our ISP).
> >
> > What does 'pub' my machine mean? I cleaned it up by getting rid of
> > the virus on it. I checked the services and did notice that there is
> > a 'Serv-U- FTP server' service which is set to automatic (startup
> > type). We use BulletProof so this seems odd to me now. I've used
> > Serv-U, but only testing it, and on a different box. There were
> > folders that I couldn't delete (placed under the /ftproot), which led
> > me to removing them through safe mode. I didn't find any Run/RunOnce/
> > or RunOnceEX keys listed under Local Machine... The admin shares were
> > still intact.
> >
> > So were I stand now. The server functions fine. Users hitting the
> > public IP can upload/download fine. Users in our internal network can
> > upload/download fine. Before, the internal users were blocked b/c the
> > IP for our SonicWall was listed there, which is different from our
> > Router's IP. When they connect, they were coming in with the
> > Sonicwall's IP address.
> >
> > Does this help any?
> > AC
> >
>
> Yes, it does help. Your machine was pubbed. Bet there were apps, movies,
> games, etc in those folders you couldn't delete. If you can;t see them, then
> you need to have a direct link to the subfolder's path to get to them. I
> learned a long time ago how to do this, its called folder locking using a
> placeholder such as:
>
> / /. /. folder name saying hacked by some bogus nut
>
> (those are not spaces, they are unprintable ASCII characters so other
> pubsters can't delete the files. Software pirates do this to offer their
> "warez" to others and they post the hacked FTP server to a 'pub' board for
> others to get them and so they have access to get others, its a sharing
> method among them, hence the term 'pubbed'. You got pubbed. But glad you
> found it. Disable that ServU service, they put it there. Find the path to
> the servu exe (in properties of that service) and delete it.
>
> You actually didn't have to go into safe mode to delete the files, but that
> may have been the easiest for you. There is another method, but don't worry
> about it now.
>
> But glad you got it working ok now. But I am still unclear what this means:
>
> > I'm not sure who listed the IP as being blocked but it showed up on
> > our FTP servers 'deny access from this IP' list.
>
> How did it show up? When you connected to it thru an FTP client?
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
It's a learning experience...
My "I'm not sure who listed the IP as being blocked but it showed up on
our FTP servers 'deny access from this IP' list" meant that when someone in our office tried to connect to the ftp site, they were denied access. They leave then internal network and come back in through the router. A few people complained they couldn't get into the site. When I checked the running log it said that the IP address (of my router) was blocked. Sure enough, Bulletproof had it listed as a blocked IP address. So I just unblocked it.
So I'm still not sure on the DNS issue though. Ever heard of this when a site gets pubbed?

AC
>
Anonymous
July 24, 2004 4:41:35 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:E675C35A-39E2-4F50-950A-3E7BC1E5A648@microsoft.com,
AC <AC@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> It's a learning experience...
> My "I'm not sure who listed the IP as being blocked but it showed up
> on
> our FTP servers 'deny access from this IP' list" meant that when
> someone in our office tried to connect to the ftp site, they were
> denied access. They leave then internal network and come back in
> through the router. A few people complained they couldn't get into
> the site. When I checked the running log it said that the IP address
> (of my router) was blocked. Sure enough, Bulletproof had it listed as
> a blocked IP address. So I just unblocked it. So I'm still not sure
> on the DNS issue though. Ever heard of this when a site gets pubbed?
>
> AC

Yes it is a learning experience!

Not sure about DNS, unless those ports or the server's IP was blocked as
well somehow? Did you have a port remap?



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
July 28, 2004 2:51:01 PM

Archived from groups: microsoft.public.win2000.dns (More info?)

Nope, no port remapping. I'm assuming I should probably look at alternative methods into securing the FTP system now... Any suggestions? It's been running for over 2 years without any major attacks like this.

AC

"Ace Fekay [MVP]" wrote:

> In news:E675C35A-39E2-4F50-950A-3E7BC1E5A648@microsoft.com,
> AC <AC@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > It's a learning experience...
> > My "I'm not sure who listed the IP as being blocked but it showed up
> > on
> > our FTP servers 'deny access from this IP' list" meant that when
> > someone in our office tried to connect to the ftp site, they were
> > denied access. They leave then internal network and come back in
> > through the router. A few people complained they couldn't get into
> > the site. When I checked the running log it said that the IP address
> > (of my router) was blocked. Sure enough, Bulletproof had it listed as
> > a blocked IP address. So I just unblocked it. So I'm still not sure
> > on the DNS issue though. Ever heard of this when a site gets pubbed?
> >
> > AC
>
> Yes it is a learning experience!
>
> Not sure about DNS, unless those ports or the server's IP was blocked as
> well somehow? Did you have a port remap?
>
>
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 29, 2004 2:43:48 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:A9545FCA-D1D9-41C5-BCCF-530900B7636A@microsoft.com,
AC <AC@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Nope, no port remapping. I'm assuming I should probably look at
> alternative methods into securing the FTP system now... Any
> suggestions? It's been running for over 2 years without any major
> attacks like this.
>
> AC
>

If you have a public FTP, that;s a tough one. But if the users do not need
upload capability, then you can deny write to the folder. If they need
uploading, then suggest to give user/pwd. If it is private only, then you
can use SSH2 with an SSH2 capable client with user/pass. See www.vandyke.com
for their VShell server.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
July 29, 2004 10:10:41 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

Thanks for all the help, much appreciated!!! :-)

"Ace Fekay [MVP]" wrote:

> In news:A9545FCA-D1D9-41C5-BCCF-530900B7636A@microsoft.com,
> AC <AC@discussions.microsoft.com> asked for help and I offered my
> suggestions below:
> > Nope, no port remapping. I'm assuming I should probably look at
> > alternative methods into securing the FTP system now... Any
> > suggestions? It's been running for over 2 years without any major
> > attacks like this.
> >
> > AC
> >
>
> If you have a public FTP, that;s a tough one. But if the users do not need
> upload capability, then you can deny write to the folder. If they need
> uploading, then suggest to give user/pwd. If it is private only, then you
> can use SSH2 with an SSH2 capable client with user/pass. See www.vandyke.com
> for their VShell server.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
>
> Security Is Like An Onion, It Has Layers
> HAM AND EGGS: A day's work for a chicken;
> A lifetime commitment for a pig.
> --
> =================================
>
>
>
Anonymous
July 30, 2004 1:17:51 AM

Archived from groups: microsoft.public.win2000.dns (More info?)

In news:C90EC1B7-E75D-4831-995E-4080339BB810@microsoft.com,
AC <AC@discussions.microsoft.com> asked for help and I offered my
suggestions below:
> Thanks for all the help, much appreciated!!! :-)
>


No prob! Just remember, important not to allow anonymous writes (uploads),
which is why it probably happened!!
:-)

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
!