We've been hacked, PDF's have a new modified date and asking to save after opened when no changes have been made

Melden · Jun 26, 2018

Hi, I'm looking to figure out if the subject is a persistent problem that we should worry about. New PDF's created do not ask us to after opening. Only PDFs that were in the file storage that were attacked ask us to save when we close without making changes. Also, on newly created PDFs when you run a report it shows two plug ins. When you run a report on the hacked PDFs it shows no plug ins.

Thanks in advance for your help!

Rob

Melden · Jun 26, 2018

Second things first. Simply modifying a PDF file's modification date by itself would not cause Acrobat to attempt to repair a PDF file. Whatever hacking tool modified the file's modification date must have also modified some internal aspect of the PDF file. If such files were previously known to open without any issues (i.e., attempting repair and then prompting to save when closing), then regrettably, you much assume that the hacking tool may have compromised your PDF file in some manner that might not be immediately obvious. Did you try running any virus scan against the compromised file server volume? In any case, I would do whatever I could to restore the server's volume from a backup. What you/we don't know about whatever changes were made to your files could really come back to haunt you later. There could be time bombs in there.

In terms of the report generated by Generate System Report, that is effectively a system configuration report, nothing more and nothing less. Depending upon when it is run, the list of plug-ins could range from a few to many. Acrobat doesn't load all its plug-ins at start-up; some are only loaded on demand. It is somewhat suspicious that no plug-ins show when the hacked PDFs are opened. That having been said, what shows in the dialog box isn't the entire report. Have the report sent to your own e-mail address and examine the results. If you want, we can take a look at it if you post the file somewhere.

- Dov

- Dov Isaacs, former Adobe Principal Scientist (April 30, 1990 - May 30, 2021)

Lösung in ursprünglichem Beitrag anzeigen

Melden · Jun 26, 2018

Acrobat prompts for saving if it detects a problem in a PDF file that it has opened and has silently corrected what was minimally necessary to display the content. The fact that files that previously didn't exhibit this issue now do is indicative that some process modified the internal structure or contents of the PDF file in some manner.

You mention that you “run a report” that “shows two plug-ins.” Exactly what “report” are you referring to? That would help us respond to that aspect of your question.

And when you indicate that you've “been hacked” exactly what do you mean? Unauthorized access to your system? Changes to files? Exactly what? Depending on what this “hacking” consisted of, it might be prudent to restore your files (or maybe your entire disk partition) from a previous system backup.

- Dov

- Dov Isaacs, former Adobe Principal Scientist (April 30, 1990 - May 30, 2021)

Melden · Jun 26, 2018

Thanks Dov.

The report I'm running is under "help" then "Generate System Report".

When I say we've been hacked, exactly what happened was that an unknown person gained access to our file server. He or she converted many of our files to BIP files, but left accessible copies on the server for pretty much everything. For the accessible PDFs only, the modified date is changed to the date of the hack, other files such as .csv or .pub or .indd have the original modified date.

Thank You!

Melden · Jun 26, 2018

Second things first. Simply modifying a PDF file's modification date by itself would not cause Acrobat to attempt to repair a PDF file. Whatever hacking tool modified the file's modification date must have also modified some internal aspect of the PDF file. If such files were previously known to open without any issues (i.e., attempting repair and then prompting to save when closing), then regrettably, you much assume that the hacking tool may have compromised your PDF file in some manner that might not be immediately obvious. Did you try running any virus scan against the compromised file server volume? In any case, I would do whatever I could to restore the server's volume from a backup. What you/we don't know about whatever changes were made to your files could really come back to haunt you later. There could be time bombs in there.

In terms of the report generated by Generate System Report, that is effectively a system configuration report, nothing more and nothing less. Depending upon when it is run, the list of plug-ins could range from a few to many. Acrobat doesn't load all its plug-ins at start-up; some are only loaded on demand. It is somewhat suspicious that no plug-ins show when the hacked PDFs are opened. That having been said, what shows in the dialog box isn't the entire report. Have the report sent to your own e-mail address and examine the results. If you want, we can take a look at it if you post the file somewhere.

- Dov

- Dov Isaacs, former Adobe Principal Scientist (April 30, 1990 - May 30, 2021)

Melden · Jun 26, 2018

Thanks a lot Dov. Points taken.

Melden · Jun 26, 2018

I would get back one of these files from an old backup and compare the length. If the lengths are different you know it has changed. If the lengths are the same, get an MD5 hash for each and compare that.

Melden · Jun 26, 2018

It might be faster to simply restore the files!

- Dov Isaacs, former Adobe Principal Scientist (April 30, 1990 - May 30, 2021)