The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode.

slyman
#1 Posted : Tuesday, July 10, 2018 5:13:37 PM(UTC)
Rank: Guest | Joined: 7/10/2018(UTC) | Posts: 2 | Canada

This started happening yesterday: random computers appear in my "Access" window, where my client appears to have been added to some remote PC somewhere. I've examined the last 12 months of auth logs and can confirm that my IP address and username are the only ones that appear on logins. There doesn't appear to be any breach of the server running ScreenConnect. All SSH access has been from my own IP address, and fail2ban bans invalid logins for 1 week after 3 failed attempts. I've disallowed root access to the server. I've set up alerts to warn me when a new client is added, and I've had 2FA enabled for months. Currently running v6.2.12963.6312 on Ubuntu 16.04. The installation is serving up secure connections using LetsEncrypt certs. It happened just a few minutes ago, and I immediately ended the session and uninstalled the client via the panel. I've temporarily shut down the server's internet access until I get this resolved. I can't find any evidence of unauthorized access to either the OS or ScreenConnect, so the only thing I can think of is that my access installer got into the wild somehow and is getting installed.

How do I disassociate the installer program from my server? Should I just permanently shut down this server and stand up a new one? I realize that setting up a new server is probably the most immediate solution but since I don't see any evidence of a breach, I'd rather disassociate the installer if that's possible.

The server is currently installed on Azure.

SoCo_Systems
#2 Posted : Tuesday, July 10, 2018 7:33:54 PM(UTC)
Rank: Advanced Member | Medals: Level 1: Random Act of Kindness! Received One Thanks!
Joined: 1/29/2014(UTC) | Posts: 130 | Man | United States | Location: Indianapolis, IN
Thanks: 2 times | Was thanked: 21 time(s) in 21 post(s)

I've had this happen a few times, and I can usually track it down to one of my installers somehow getting submitted to an antivirus company. They run a dozen or so installs over a couple of days, all of which end up disconnecting after a minute or two and never reconnecting. Then it stops as fast as it started.

I'm not sure how to ban an old installer, but I'd like to have that option.
slyman
#3 Posted : Tuesday, July 10, 2018 8:10:18 PM(UTC)
Rank: Guest | Joined: 7/10/2018(UTC) | Posts: 2 | Canada

Thanks, that helps. These looked like legit installs with IP addresses all over the world. I upgraded my install to the most current and revoked all host and session privileges and so far, no new installs. I'll keep an eye out and see what happens.
shawnkhall
#4 Posted : Wednesday, July 11, 2018 5:38:23 AM(UTC)
Rank: Advanced Member | Medals: Level 1: Random Act of Kindness! Received One Thanks!
Joined: 2/6/2014(UTC) | Posts: 316 | Man | United States
Thanks: 6 times | Was thanked: 33 time(s) in 29 post(s)

I would suggest further research into the specific IP addresses. You'll find they're most likely related to antivirus companies that are testing applications discovered on their customers' computers: on one or more of them your installer was found, so it was uploaded from those machines, or the download URL was captured in their browser extension. You'll see that they only connect once, usually for just under 12 minutes, while they test for malicious behavior. Even if you were to change the server, installer, and certificates, it would only be a very short matter of time once you reinstalled on one of these client devices before you went through the process again.
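As an added example (not code from this thread, from ConnectWise, or from any poster), the pattern shawnkhall and SoCo_Systems describe can be turned into a triage check over an exported session list: a client that connects exactly once, from a network you don't own, for under about 12 minutes, and never returns, is a candidate for review rather than a machine you support. The session records, the client names, the IP ranges and the 12-minute threshold below are all constructed assumptions; adapt the parsing to whatever export format your server produces.

```python
# Triage access-client sessions for the "one short visit, never again" pattern
# (added example; session data and expected networks are constructed).
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed session export: (client_name, source_ip, connected_at, disconnected_at)
SESSIONS = [
    ("DESKTOP-7Q2K1", "203.0.113.45", "2018-07-10 14:02:11", "2018-07-10 14:13:50"),
    ("WIN-SANDBOX01", "198.51.100.9", "2018-07-10 15:40:00", "2018-07-10 15:41:30"),
    ("OFFICE-PC-03", "192.0.2.10", "2018-07-09 09:00:00", "2018-07-09 17:30:00"),
    ("OFFICE-PC-03", "192.0.2.10", "2018-07-10 09:05:00", "2018-07-10 17:10:00"),
    ("BRANCH-PC-11", "203.0.113.200", "2018-07-10 08:00:00", "2018-07-10 16:45:00"),
]

# Networks your own endpoints are expected to come from (constructed, documentation range).
EXPECTED_NETS = [ip_network("192.0.2.0/24")]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def flag_suspect_clients(sessions, expected_nets, max_minutes=12):
    """Return {client_name: source_ip} for clients seen exactly once, from an
    address outside expected_nets, with a session shorter than max_minutes."""
    by_client = defaultdict(list)
    for name, ip, start, end in sessions:
        by_client[name].append((ip, _parse(end) - _parse(start)))

    suspects = {}
    for name, visits in by_client.items():
        if len(visits) != 1:
            continue  # a machine you actually support reconnects over time
        ip, duration = visits[0]
        addr = ip_address(ip)
        on_known_network = any(addr in net for net in expected_nets)
        if not on_known_network and duration < timedelta(minutes=max_minutes):
            suspects[name] = ip
    return suspects


if __name__ == "__main__":
    for name, ip in flag_suspect_clients(SESSIONS, EXPECTED_NETS).items():
        print(f"review and remove: {name} from {ip} (single short session, unknown network)")
```

Flagged clients should be confirmed against the source IP's ownership before removal; a long single session from an unknown address (BRANCH-PC-11 above) is deliberately not flagged, since it does not match the sandbox pattern.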
Scott
#5 Posted : Thursday, July 12, 2018 12:51:37 PM(UTC)
Rank: Administration | Medals: Level 4: Wise Old Owl! Received 100 Thanks!
Joined: 3/28/2014(UTC) | Posts: 2,862 | United States
Thanks: 3 times | Was thanked: 351 time(s) in 303 post(s)

In case anyone else comes across this thread, we've had additional discussion on the topic here and here.

Edited by user Thursday, July 12, 2018 1:35:33 PM(UTC)  | Reason: used correct links

ScreenConnect Team
SoCo_Systems
#6 Posted : Thursday, July 12, 2018 1:24:19 PM(UTC)
Rank: Advanced Member | Medals: Level 1: Random Act of Kindness! Received One Thanks!
Joined: 1/29/2014(UTC) | Posts: 130 | Man | United States | Location: Indianapolis, IN
Thanks: 2 times | Was thanked: 21 time(s) in 21 post(s)

Scott, I think you might have the wrong link. That thread discusses user consent for connection and disabling SC connections from the client side.
Scott
#7 Posted : Thursday, July 12, 2018 1:35:51 PM(UTC)
Rank: Administration | Medals: Level 4: Wise Old Owl! Received 100 Thanks!
Joined: 3/28/2014(UTC) | Posts: 2,862 | United States
Thanks: 3 times | Was thanked: 351 time(s) in 303 post(s)

@SoCo_Systems thanks for the catch, I've updated the post.
ScreenConnect Team