Skip to content

MiniHOWTO Fix Windows Server 2016 unlicensed self-shutdown every hour

Windows Server just self-shutdowns when all trial periods expired.
You can power it on without any problem but it will shutdowns again after 1 hour.
So , there is a workaround not-a-soution you can make: extend 180 days trial period for 6 times per bare-metal installation + 3 times rearm.. not sure exactly how much days this will works. ūüôā

PowerShell Commands to check and extend your trial and rearm:

slmgr -dli  # Check License State Рuse for after-fix confirmation
slmgr -dli          # Can be done 6 times at all per hardware installation
slmgr -rearm ¬† ¬†# reloads 180 days license .. but I dont know yet what’s happen next ūüôā

That’s all.

Then, after something about 3 to 9 years you will be forced to pay your license if you want your windows server up again :)…


HACKED: find evil code in php files , find StealRat, find hacked php files

Finding StealRat or any other file self-injecting CMS rat:

Step 1: find+grep

Finding Stealrat can be as simple as running the following command on UNIX-like systems:

   find . -print | xargs -d'\n' grep -r 'die(PHP_OS.chr(49).chr(48).chr(43).md5(0987654321'

Other things to try:

   find . -type f -name '*.php' -print | xargs grep -i x29
   find . -type f -name '*.php' -print | xargs grep -E '[0-9a-zA-Z/]{80}'

Both of the above commands find .php files with high-UTF-8 characters or base64 encoding which is usually suspicious.

Here is a perl search script originally provided by , and a mirror link to pelr findbot script on our website can be found here:

Step 2: lsof+grep

You may see a number of lines, such as ( takes the place of your machine’s name):

   lsof -i | grep smtp

The first line, for example, is your sendmail mail software “LISTEN”ing (as userid root) for inbound email connections – this is normal… You may see similar lines with “exim” or “postfix” or “smtpd” or “qmail” instead of sendmail – all depending on what mail server you run – example – the third line is an Exim listener. The important thing that indicates that it’s normal is that the userid is “mail” or “mailman” or something like that – NOT an ordinary user.
¬†The fourth line is a program called “find”, running under userid “foo” making a connection to an AOL server.
And the fourth line you’re looking for – it tells you the userid of the infected user. In this case it also indicates that the infection is masquerading as the program “find”. There will often be more than one of these.

Step 3: file

“ELF 32-bit and “corrupted section header size” from the example below means that you’ve probably found the right file:

   file sshd
   sshd:  ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically
   linked, corrupted section header size

The above test can be used in bulk, using either of the following two commands:

   file /path/to/directory/* | grep 'corrupted section'
   find /path1 /path2 -print | xargs -d'\n' file | grep 'corrupted section'

Be Aware!!!!
If you find such a file, you are 100% hacked and trojaned ( a.k.a. OWNED! ).


All Detailed Info for this post  can be found on TrendMicro Blog!
 The Research Paper here:
and the blog Post here:

REMOTE-ADMINS can help removing Rats or Trojans from your server! To contact us, please use the form below:

Thank you.


There is More disinfection Info: Read more…

No Title Post – just found it in drafts.. do not trust this post!

The Problem:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: jessie InRelease: The following signatures were invalid: KEYEXPIRED 1487236823 KEYEXPIRED 1487236823 KEYEXPIRED 1487236823

W: Failed to fetch

The Solution:

# apt-key adv --keyserver --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5

Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/tmp.dIIJX65rZC --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg --keyring /etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg --keyserver --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
gpg: requesting key 5072E1F5 from hkp server
gpg: key 5072E1F5: "MySQL Release Engineering <>" 72 new signatures
gpg: Total number processed: 1
gpg: new signatures: 72


Thats all.

Original bug at:

MiniHOWTO: Windows Server 2016 Networking in VM running in Nested Virtualization a.k.a. VM in Hyper-V(VM) in Hyper-V

So, if you run a hyper-v in hyper-v hypervisor, and then run a VM into the virtualized Hyper-V, you have to do something about the networking, it’s not like in usual scenario.

On the First Hyper-V, not the virtualized one, you have to make MAC Address spoof=on so the virtualized Hyper-v will be able to spoof it. Put this in PowerShell terminal window:

This is when you want to config vSwitch as a bridge with the external network.

Get-VMNetworkAdapter -VMName <VMName> | Set-VMNetworkAdapter -MacAddressSpoofing On

On the original Microsoft’s documentation page you can see how-to config the other types of vSwitch networking.


That’s all.

Original Document is here: ttps://

miniHOWTO: Howto to create Windows Server 2016 Recovery Disk on USB ( Installation Disk )

  1. After successfull installation of the server, put the ISO file on it.
  2. Mount the ISO file and open Terminal (cmd) and goto your mounted ISO’s letter ( example g:\ )
  3. Put your USB Flash Drive and take attention on the dedicated device letter that windows selects for the USB Flash Drive.
  4. Now , inside the mounted ISO folder do the next commands:
    list disk # see the listing of all disk drives windows can see
    select disk # here select the letter of your usb flash drive
    clean # clean the selected disk on previous step
    create partition primary #create primary partition for booting
    select partition=1  # select first partition of the usb drive
    active # activate your selected partition , means choose it
    format fs=ntfs quick label="YOUR_DISK_LABEL" # formats disk partition
    exit   # exits diskpart


Now your USB Flash Drive is ready to be populated with Windows Server boot code and the windows server installation disk files.

5. Create the Boot sector and fill it with info: ( assumes you are still in the mounted ISO folder)

cd boot  # enter into boot directory of the mounted ISO structure
bootsect.exe /nt60 e:/ ( assuming your USB FLASH DRIVE windows letter is e:/ )

That’s enough for BOOTMGR to copy the bootcode to be able to boot your windows server 2016

6. Now you copy all the rest files from the mounted ISO into the Usb Flash Drive, now we assuming that the USB Flash Driver windows letter is still e:\ , and the ISO Mounted drive is g:\

xcopy  G:\*.*  E:\ /E /H /F  # this will use xcopy command to copy all the files from g:\ to e:\ ( the mounted iso files to usb flash drive )

This is long process and ones its over, you are ready with your windows server 2016 recovery and installation usb flash drive.


That’s all.


HOWTO: Linux iproute2 vlan configuration a.k.a. Using ip command for managing vlans on linux

  • Create new VLAN with id 100 and interface name eth0.100 ,¬†configure it over eth0 physical link and add INET settings on it:
# ip link add link eth0 name eth0.100 type vlan id 100
# ip link set dev eth0.100 up
# ip addr add a.b.c.1/24 brd 1.b.c.255 dev eth0.100
  • Bringing Down the vlan interface (device) and permanently remove vlan tag (vlan interface)
# ip link set dev eth0.100 down
# ip link delete eth0.100


  • Some Informational commands:
# ip -d link show eth0.100
# ip -d addr show




QUICK HowTo: Linux Policy Routing by ip-src

Show and/or Listing the routing tables:

 # ip rule show
 # ip rule list
 # ip route list table local
 # cat /etc/iproute2/rt_tables

Add (append) route table with index number 100 to match before table: main and table: default

# echo 100 AS207172 >> /etc/iproute2/rt_tables
 # cat /etc/iproute2/rt_tables
 # ip rule add from A.B.C.0/25 table AS207172
 # ip rule list
 # ip route add default via A.B.C.2 dev eth1.100 table AS207172
 # ip rooute flush cache
 # ip route flush cache

Ping with src IP thru the new default gateway to confirm the ip-src routing:

# ping -I A.B.C.7


Use parameters:

  • Our new source network: A.B.C.0/25
  • Our new routing table name: AS207172