 Rank: Guest Joined: 7/10/2018(UTC) Posts: 2 
This started happening yesterday where I have random computers appearing in my "Access" window where my client appears to have been added to some remote PC somewhere. I've examined the last 12 months of auth logs and can confirm that my IP address and username are the only ones that appear on logins. There doesn't appear to be any breach of the server running Screenconnect. All SSH access has been from my own IP address and fail2ban bans invalid logins for 1 week after 3 failed attempts. I've disallowed root access to the server. I've set up alerts to warn me when a new client is added and I've had 2FA enabled for months. Currently running v6.2.12963.6312 on Ubuntu 16.04. Installation is serving up secure connections using LetsEncrypt certs. It happened just a few minutes ago and I immediately ended the session and uninstalled the client via the panel. I've temporarily shut down the server's internet access until I get this resolved. I can't find any evidence of unauthorized access to either the OS or Screenconnect, so the only thing I can think of is that my access installer got into the wild somehow and is getting installed.
How do I disassociate the installer program from my server? Should I just permanently shut down this server and stand up a new one? I realize that setting up a new server is probably the most immediate solution but since I don't see any evidence of a breach, I'd rather disassociate the installer if that's possible.
The server is currently installed on Azure.
 Rank: Advanced Member Medals:  Joined: 1/29/2014(UTC) Posts: 130   Location: Indianapolis, IN Thanks: 2 times Was thanked: 21 time(s) in 21 post(s)
I've had this happen a few times, and I can usually track it down to one of my installers somehow getting submitted to an antivirus company. They run a dozen or so installs over a couple of days, all of which end up disconnecting after a minute or two and never reconnecting. Then it stops as fast as it started.
I'm not sure how to ban an old installer, but I'd like to have that option.
 Rank: Guest Joined: 7/10/2018(UTC) Posts: 2 
Thanks, that helps. These looked like legit installs with IP addresses all over the world. I upgraded my install to the most current and revoked all host and session privileges and so far, no new installs. I'll keep an eye out and see what happens.
 Rank: Advanced Member Medals:  Joined: 2/6/2014(UTC) Posts: 316   Thanks: 6 times Was thanked: 33 time(s) in 29 post(s)
I would suggest further research into the specific IP addresses. You'll find they're most likely related to antivirus companies that are testing applications discovered on their customer computers, and on one or more of them your installer was found, so it was uploaded from those machines, or the download URL was captured in their browser extension. You'll see that they only connect the once, usually for just under 12 minutes while they test for malicious behavior. Even if you were to change the server, installer, and certificates, it would only be a very short matter of time once you reinstalled on one of these client devices before you went through the process again.
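The "connects once, for under 12 minutes, never reconnects, from an address you don't own" pattern described above is something the original poster's new-client alert could score automatically. The following is an added example, not code from the thread or from ScreenConnect; it parses a constructed, simplified session record format (not ScreenConnect's own log format) and a hypothetical allow-list of operator source addresses, and sorts each newly seen machine into expected, likely-sandbox, or investigate.

```python
"""Triage newly connected access clients against the AV-sandbox pattern.

Constructed record format (NOT ScreenConnect's own): machine,ip,connected_at,disconnected_at
Timestamps are ISO-8601; "-" means the session is still connected.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records for this example (documentation-range addresses).
SAMPLE_LOG = """\
WS-LAB-01,203.0.113.10,2018-07-10T09:00:00,2018-07-10T09:45:00
WS-LAB-01,203.0.113.10,2018-07-11T14:02:00,2018-07-11T14:30:00
DESKTOP-7F3A,198.51.100.77,2018-07-11T03:15:00,2018-07-11T03:24:00
SRV-BRANCH,192.0.2.44,2018-07-11T08:00:00,2018-07-11T08:05:00
SRV-BRANCH,192.0.2.44,2018-07-11T16:00:00,-
"""

# Hypothetical allow-list: addresses the operator connects from (assumption).
KNOWN_IPS = {"203.0.113.10"}


def parse_records(text):
    """Parse the constructed CSV-style format into dicts with datetime fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        machine, ip, start, end = line.split(",")
        records.append({"machine": machine, "ip": ip,
                        "start": datetime.fromisoformat(start),
                        "end": None if end == "-" else datetime.fromisoformat(end)})
    return records


def triage(records, known_ips, probe_max_minutes=12):
    """Return {machine: verdict}. A machine seen exactly once, from an unknown
    address, with a closed session shorter than probe_max_minutes matches the
    sandbox-probe pattern; other unknown-address machines need a human look."""
    by_machine = defaultdict(list)
    for r in records:
        by_machine[r["machine"]].append(r)
    verdicts = {}
    for machine, recs in by_machine.items():
        unknown = {r["ip"] for r in recs} - known_ips
        if not unknown:
            verdicts[machine] = "expected"
            continue
        if len(recs) == 1 and recs[0]["end"] is not None:
            minutes = (recs[0]["end"] - recs[0]["start"]).total_seconds() / 60
            if minutes <= probe_max_minutes:
                verdicts[machine] = "likely-sandbox"
                continue
        verdicts[machine] = "investigate"
    return verdicts
```

A "likely-sandbox" verdict is a hint to check the source address's ownership, not proof; a still-open or repeated session from an unknown address is the case that deserves the immediate session kill and uninstall the original poster performed.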
 Rank: Administration Medals:  Joined: 3/28/2014(UTC) Posts: 2,862  Thanks: 3 times Was thanked: 351 time(s) in 303 post(s)
In case anyone else comes across this thread, we've had additional discussion on the topic here and here.
Edited by user Thursday, July 12, 2018 1:35:33 PM(UTC)
Reason: used correct links
ScreenConnect Team
 Rank: Advanced Member Medals:  Joined: 1/29/2014(UTC) Posts: 130   Location: Indianapolis, IN Thanks: 2 times Was thanked: 21 time(s) in 21 post(s)
Scott, I think you might have the wrong link. That thread discusses user consent for connection and disabling SC connections from the client side.
 Rank: Administration Medals:  Joined: 3/28/2014(UTC) Posts: 2,862  Thanks: 3 times Was thanked: 351 time(s) in 303 post(s)
@SoCo_Systems thanks for the catch, I've updated the post.
ScreenConnect Team