Solved – WordPress / Gravity Forms and Office 365 Not Receiving Emails

We had a customer move their email to Office 365. They realized they weren’t getting emails from the website anymore. Three people in the company with the same domain name in their email (i.e., @somecompany.com) who were included in the contact us form weren’t getting the emails anymore.

The site was WordPress and they were using Gravity Forms for the contact us form. I added my personal email and I could get the email, but the customer didn’t. I eventually discovered the email was going into the “Junk” box of their Office 365 account. I needed to “whitelist” the email that was used in the Gravity Forms form. That was “recruiting@somecompany.com”.

What eventually solved everything was “whitelisting” their domain in Office 365. I had to go into their Office 365 account as the Admin. Go to the Exchange area.

[Image: office_365_admin_center]

Select Spam Filter in the Protection menu.

[Image: office_365_exchange_center]

Edit the default spam filter.

[Image: office_365_filter]

Lastly, add the domain to the allow lists.

[Image: allow_screen_domain_only]

 

I hope this helps someone else out there…

 

Phoca PDF now showing content

I installed the plug-in into a Joomla 3.5.1 site. The plug-in wouldn’t run at all at first till I found a fix for that. I will try to list that one as well later.

The header and header line would print but nothing else. I found the following article that fixed this for me.

http://www.phoca.cz/forum/viewtopic.php?f=37&t=12662

It was this code I needed:

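// Fragment from the PDF view; $this, $item and $params come from the surrounding method.
// Plain assignment: "= &" on a function result raises a PHP notice and is not needed for objects.
$document = JFactory::getDocument();
$document->setHeader($this->getHeaderText($item, $params));

// Build the full article body from the intro text and the main text.
$item->article_text = $item->introtext;
$item->article_text .= $item->fulltext;

echo $item->text;
// Pass the combined text to the PDF document.
$document->setArticleText($item->article_text);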

I hope this helps someone else out there…

 

Joomla 3.5 site attack – PayPal.zip, pl, php, vu.txt files found in Images directory.

I had to upload a file to a customer’s GoDaddy hosted account and discovered a bunch of unusual files.

Below is an example of a directory in the images folder. On the right there was a folder called “login”. In that folder was a complete site for accepting credit cards. I haven’t spent any time figuring out exactly what is going on.

[Image: joomla_3_5_attack]

The files were also right in the root directory of the site.

When I navigate to the login folder within WAMP it is a fake PayPal login page.

[Image: joomla_attack_paypal]

Inside the “vu.txt” file was the following.

178.153.89.221  –  2016-4-01 @ 23:20:04
178.153.89.221  –  2016-4-01 @ 23:25:50

I hope this helps someone else out there….

 

Unable to open PDF – Acrobat won’t reinstall or uninstall.

Had a customer call in because she was unable to open PDFs since a Windows 10 Roll Back.

Here are the steps I tried but I would always get the same error around 90% of the reinstall.

  • Uninstalling and Reinstalling Acrobat
  • Running CCleaner to clean up registry and rebooting

[Image: acrobat]

The link below is how I got this fixed.

https://support.microsoft.com/en-us/kb/971187

I hope this helps someone else out there…

 

False Positive – Vipre threat ID 5230363

We have a fair number of clients running Vipre anti-virus and we received a bunch of warnings this morning that over 6 of our clients were infected with a “Trojan Downloader”. Vipre found it and quarantined it, but we wanted to make sure.

It shows up as “Trojan-Downloader.JS.Nemucod.dc (v)”. We contacted Vipre and they confirmed it was a false positive. They said a new definition will be out later today (3.22.2016).

[Image: vipre_threat_5230363]

Microsoft says their software can handle this attack. Here is their write-up on this issue.

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:JS/Nemucod.J

I hope this helps someone else out there….

 

Locky Virus – Blew Past Vipre – Malwarebytes Ransomware Detected it.

One of our clients got hit with the Locky trojan virus. It came in an email with a .zip file attached. A couple of employees opened the zip and within an hour their systems were unresponsive. Below is what the email looked like.

[Image: locky_virus_screenshot] (this was a .zip)
[Image: suspicious_email_2] (this was a .rtf)

There is Vipre premium antivirus on all the machines, but it didn’t detect anything. We submitted the .zip file to Vipre to improve their definitions. Vipre’s website to submit viruses:

http://www.vipreantivirus.com/support/submissions/missed-threat.aspx

The virus encrypted the files and left a ransom text file with instructions on who to pay to unlock the files. The following page has good info on what to look for.

http://howtoremove.guide/locky-virus-file-encryption-removal/

We found Malwarebytes Ransomware was able to detect it, but not stop it. Here are some things we learned.

  1. When a user opened the .zip file and the virus started, any file or directory that user had permission to got its contents encrypted.
  2. They had an intranet and the root directory’s permissions were set to “Everyone” so the applications worked, and that root directory got all of its contents infected/encrypted.
  3. OneDrive for Business – The files infected the shared local folder, jumped to the cloud storage and encrypted those files. Plus went to the person’s home machine that also synced with that OneDrive and infected their home machine.
  4. Malwarebytes Ransomware detected but did not stop it.

What saved them was a few things:

  1. In Active Directory put users into groups and give those groups permissions to the directory.
  2. Backups that ran twice a day. When the virus hit at 12:05pm we were able to recover the files from 7:00am.

I hope this helps someone else out there…