Last Active: Jan 10, 2025 | Threads: 2 | Posts: 293 | Reputation: 11
Feb 21, 2024, 07:31 am
(This post was last modified: Feb 21, 2024, 09:34 am by Arlecho. Edited 6 times in total.)
***** ALERT *****
The latest version is still being exploited!
Immediately remove SetupWizard.aspx AND block 91.92.255.0/24, 192.210.232.0/24, 144.172.118.0/24, 146.70.86.0/24, 67.22.32.0/24, 91.92.254.0/24, 195.80.148.0/24
IP Ranges will continue to be updated, keep an eye on this and future posts!
Last Active: Feb 26, 2024 | Threads: 0 | Posts: 1 | Reputation: 0
(Feb 21, 2024, 05:28 am)Sinauth Wrote:
(Feb 21, 2024, 04:28 am)Arlecho Wrote: Everyone running an internet accessible installation is highly recommended to stay up to date, they have had some other bad CVEs in the past.
Just take a good backup (with the services stopped) and try to upgrade whenever an upgrade is available.
Also keep the plugins up to date if you are running any.
I'm having a problem this morning where I'm getting "Invalid credentials. Please try again." we have 2fa on all accounts.
Is anyone else having this issue? Can't log in whatsoever.
I had this problem.
Stopped the services.
Replaced the file C:\Program Files (x86)\ScreenConnect\App_Data\User.xml from the backup.
Started services.
Last Active: Jan 10, 2025 | Threads: 2 | Posts: 293 | Reputation: 11
If you cannot log in anymore you have been hacked, restore a backup and follow the above instructions.
Last Active: Jan 04, 2025 | Threads: 0 | Posts: 89 | Reputation: 0
Feb 21, 2024, 07:43 am
(This post was last modified: Feb 21, 2024, 07:48 am by Sinauth. Edited 2 times in total.)
Yes, did this. After restoring all users, we proceeded to change all passwords and reset all 2FA.
For good measure, deleted ALL extensions for now.
Also, now removed SetupWizard.aspx based on Arlecho's advice.
Not sure how best to block 91.92.255.0/24.
The username in my User.xml after the hack is 'CoHIH2rVxt' with email 'CoHIH2rVxt@poc.com' everyone else the same?
Edit: A bit of additional info, we were running ScreenConnect_23.9.7.8804_Release now updated to ScreenConnect_23.9.8.8811_Release.
Last Active: Jan 10, 2025 | Threads: 2 | Posts: 293 | Reputation: 11
If you need help blocking stuff google iptables or nftables (nftables would be preferred) or use the Windows firewall if you are Windows based (also enough tutorials available).
Have added some more IP ranges in the previous post.
Last Active: Jan 04, 2025 | Threads: 0 | Posts: 89 | Reputation: 0
Feb 21, 2024, 08:00 am
(This post was last modified: Feb 21, 2024, 08:00 am by Sinauth.)
Windows users: I used the guide below to block the IP ranges in Arlecho's post above.
https://www.thesagenext.com/support/bloc...s-firewall
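The steps discussed in this thread (block the listed ranges, remove SetupWizard.aspx, check User.xml for the rogue account) can be done from one elevated PowerShell session. The script below is an added example and is not from any poster or from ConnectWise; it assumes the default install directory and that SetupWizard.aspx sits in the web root of that directory, so adjust $InstallDir if your layout differs. It only reports the two file indicators rather than deleting anything, so a backup can be taken first as Arlecho recommended.

```powershell
# Added example, not from the thread. Run elevated on the ScreenConnect host.
# Assumption: default install location; SetupWizard.aspx lives in the web root.
$InstallDir = 'C:\Program Files (x86)\ScreenConnect'

# Ranges exactly as listed in Arlecho's alert post.
$Ranges = @(
    '91.92.255.0/24', '192.210.232.0/24', '144.172.118.0/24', '146.70.86.0/24',
    '67.22.32.0/24',  '91.92.254.0/24',   '195.80.148.0/24'
)

# 1. One inbound block rule per range, named so they can be audited or removed later.
foreach ($range in $Ranges) {
    $name = "Block ScreenConnect attacker range $range"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -RemoteAddress $range -Profile Any | Out-Null
        Write-Host "Added block rule for $range"
    } else {
        Write-Host "Block rule for $range already present"
    }
}

# 2. A configured server should not still have the setup wizard page.
$wizard = Join-Path $InstallDir 'SetupWizard.aspx'
if (Test-Path $wizard) {
    Write-Warning "SetupWizard.aspx is still present at $wizard; back it up, then remove it."
} else {
    Write-Host "SetupWizard.aspx not found (good)."
}

# 3. Look for the account name Sinauth reported seeing in User.xml after the compromise.
$userXml = Join-Path $InstallDir 'App_Data\User.xml'
if (Test-Path $userXml) {
    $hits = Select-String -Path $userXml -Pattern 'CoHIH2rVxt' -SimpleMatch
    if ($hits) {
        Write-Warning "Account 'CoHIH2rVxt' found in User.xml; restore User.xml from a pre-incident backup with services stopped."
    } else {
        Write-Host "No 'CoHIH2rVxt' entry in User.xml."
    }
} else {
    Write-Warning "User.xml not found at $userXml; check your install path."
}
```

The string match on the user name is deliberately simple: it flags the one indicator this thread names without depending on the User.xml layout. Any other account you do not recognise in that file should be treated the same way, and the IP list will need extending as Arlecho posts further ranges.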
Last Active: Jan 10, 2025 | Threads: 2 | Posts: 293 | Reputation: 11
(Feb 21, 2024, 07:43 am)Sinauth Wrote: The username in my User.xml after the hack is 'CoHIH2rVxt' with email 'CoHIH2rVxt@poc.com' everyone else the same?
Simply restored my instance with a backup of yesterday, are all old users removed?
Last Active: Jun 11, 2024 | Threads: 0 | Posts: 1 | Reputation: 0
Today my server got hacked twice. They removed all users. I just shut down the server and may stop exposing the server to the internet, just use it locally and over VPN.
Last Active: Jan 04, 2025 | Threads: 0 | Posts: 89 | Reputation: 0
(Feb 21, 2024, 08:08 am)Arlecho Wrote:
(Feb 21, 2024, 07:43 am)Sinauth Wrote: The username in my User.xml after the hack is 'CoHIH2rVxt' with email 'CoHIH2rVxt@poc.com' everyone else the same?
Simply restored my instance with a backup of yesterday, are all old users removed?
I'm up and running. CoHIH2rVxt was the hackers admin account.
Last Active: Mar 25, 2024 | Threads: 0 | Posts: 11 | Reputation: 0
Use Cloudflare, restrict access to your IPs and block all countries other than your home country.