(Feb 21, 2024, 18:19 pm)Tosa_Puppy Wrote: Today Both my ScreenConnect Servers:
v. 21.10
v. 21.4.2
Would not let any of us log in. It kept saying invalid credentials. I thought that someone had hacked our servers, but the servers are in completely different IP domains and totally unrelated to each other (one in AWS, the other in Azure).
I reloaded from backup and they worked fine. 2 hours later the exact same thing happened!?
I'm thinking ConnectWise has a backend to disable rogue servers? I do have plugins installed.
Do we have any listing of ConnectWise IP's that I can ACL deny to my servers?
Any idea of what might this be? I'm afraid that in a couple of hours it will happen again.
It WILL happen again and probably much quicker. Learn to read the previous posts as they might be useful, especially when the last 20+ are all within the last 14 hours.
(Feb 21, 2024, 19:03 pm)whitewidow Wrote: @Arlecho
23.9.10.8817 Released just now
https://screenconnect.connectwise.com/download/archive
Mayfield 13 minutes ago
Build: 23.9.10
Issue Type | Components | Summary
Feature | Access Management, Action Center, Host Client, Performance, Session Manager Service, UIUX | Access Management: Unacknowledged events aren't cleared when someone addresses an event from the host client
Feature | Installer, Licensing, On-prem | Allow for on-premises server upgrade regardless of license status
Bug | Action Center, Host Page, UIUX | Clicking on action center icon does not work if data hasn't yet loaded
Bug | Action Center, Performance | Limit the number of items in Action Center
Bug | Host Page, UIUX | Adding /Join to the end of a guest URL on Host page no longer launches sessions
(Feb 21, 2024, 07:31 am)Arlecho Wrote: ***** ALERT ******
The latest version is still being exploited!
Immediately remove SetupWizard.aspx AND block 91.92.255.0/24, 192.210.232.0/24, 144.172.118.0/24, 146.70.86.0/24, 67.22.32.0/24, 91.92.254.0/24, 195.80.148.0/24
IP Ranges will continue to be updated, keep an eye on this and future posts!
Arlecho, can you confirm what you mean here when you say "The latest version is still being exploited"?
Does this mean that the latest version is vulnerable unless you remove SetupWizard.aspx?
Feb 21, 2024, 19:32 pm
(This post was last modified: Feb 21, 2024, 19:36 pm by Sinauth. Edited 2 times in total.)
(Feb 21, 2024, 19:29 pm)Ophiuchus Wrote: (Feb 21, 2024, 07:31 am)Arlecho Wrote: ***** ALERT ******
The latest version is still being exploited!
Immediately remove SetupWizard.aspx AND block 91.92.255.0/24, 192.210.232.0/24, 144.172.118.0/24, 146.70.86.0/24, 67.22.32.0/24, 91.92.254.0/24, 195.80.148.0/24
IP Ranges will continue to be updated, keep an eye on this and future posts!
Arlecho, can you confirm what you mean here when you say "The latest version is still being exploited"?
Does this mean that the latest version is vulnerable unless you remove SetupWizard.aspx?
The last two releases are now fine. Upgrade to the latest one which is ScreenConnect_23.9.10.8817_Release.
I just upgraded again with Arlecho's latest patcher. All working OK.
One final thing, make sure to run an Audit for LoginAttempt and block all IP addresses on your firewall. They keep spam trying to log in otherwise every couple of seconds.
(Feb 21, 2024, 19:32 pm)Sinauth Wrote: (Feb 21, 2024, 19:29 pm)Ophiuchus Wrote: (Feb 21, 2024, 07:31 am)Arlecho Wrote: ***** ALERT ******
The latest version is still being exploited!
Immediately remove SetupWizard.aspx AND block 91.92.255.0/24, 192.210.232.0/24, 144.172.118.0/24, 146.70.86.0/24, 67.22.32.0/24, 91.92.254.0/24, 195.80.148.0/24
IP Ranges will continue to be updated, keep an eye on this and future posts!
Arlecho, can you confirm what you mean here when you say "The latest version is still being exploited"?
Does this mean that the latest version is vulnerable unless you remove SetupWizard.aspx?
The last two releases are now fine. Upgrade to the latest one which is ScreenConnect_23.9.10.8817_Release.
I just upgraded again with Arlecho's latest patcher. All working OK.
One final thing, make sure to run an Audit for LoginAttempt and block all IP addresses on your firewall. They keep spam trying to log in otherwise every couple of seconds.
Thanks for confirming. My major concern is that I have 4 confirmed login attempts after I was compromised. I locked everything down this morning and doing cleanup now.
Reviewing connection attempts, queued/processed commands, file transfers, etc, I'm not seeing anything, thankfully.
About 80% of computers are offline. Any help to get them back online?
Feb 21, 2024, 19:50 pm
(This post was last modified: Feb 21, 2024, 19:54 pm by Sinauth. Edited 1 time in total.)
(Feb 21, 2024, 19:41 pm)Ophiuchus Wrote: (Feb 21, 2024, 19:32 pm)Sinauth Wrote: (Feb 21, 2024, 19:29 pm)Ophiuchus Wrote: (Feb 21, 2024, 07:31 am)Arlecho Wrote: ***** ALERT ******
The latest version is still being exploited!
Immediately remove SetupWizard.aspx AND block 91.92.255.0/24, 192.210.232.0/24, 144.172.118.0/24, 146.70.86.0/24, 67.22.32.0/24, 91.92.254.0/24, 195.80.148.0/24
IP Ranges will continue to be updated, keep an eye on this and future posts!
Arlecho, can you confirm what you mean here when you say "The latest version is still being exploited"?
Does this mean that the latest version is vulnerable unless you remove SetupWizard.aspx?
The last two releases are now fine. Upgrade to the latest one which is ScreenConnect_23.9.10.8817_Release.
I just upgraded again with Arlecho's latest patcher. All working OK.
One final thing, make sure to run an Audit for LoginAttempt and block all IP addresses on your firewall. They keep spam trying to log in otherwise every couple of seconds.
Thanks for confirming. My major concern is that I have 4 confirmed login attempts after I was compromised. I locked everything down this morning and doing cleanup now.
Reviewing connection attempts, queued/processed commands, file transfers, etc, I'm not seeing anything, thankfully.
After restoring all users, we proceeded to change all passwords for admins and non-admins + reset all 2FA.
For good measure, delete ALL extensions for now.
Also, now removed SetupWizard.aspx based on Arlecho's advice.
Block LoginAttempts. I was having about 14 different IP attackers spam my instance. All blocked, nothing for the last 12 hours.
EDIT: I will shut down my instances whilst I sleep for the next week or so. I can keep an eye on things while I'm awake.
(Feb 21, 2024, 15:50 pm)whitewidow Wrote: (Feb 21, 2024, 15:29 pm)creatoris1 Wrote:
Quote: Clean installation without patch - all services start. As soon as I apply the patch, the ScreenConnect Security Manager service won't start at all.
Similar issue but was an upgrade from 21.5.3025.7772.
After the hack I stopped all services and blocked SC in my pfSense firewall. I then restored from yesterday's backup and upgraded to 22.8.10013.8329 with your latest patch. Services started and I was able to log in. Upgraded to 23.9.8.8811 using the latest patch and services are failing to start.
Did you follow upgrade pathway?
If you are running a much older version, you may need to upgrade incrementally due to changes in the architecture of the product. The upgrade path is as follows:
Quote:2.1 → 2.5 → 3.1 → 4.4 → 5.4 →19.2→22.8→23.3→ Latest stable release
additionally in web.config replace SessionDatabase line with following:
<add name="SessionDatabase" providerName="SQLite" connectionString="Data Source=|DataDirectory|/Session.db; DateTimeKind=Utc; Foreign Keys=true; Page Size=4096; Journal Mode=WAL; BaseSchemaName=; Cache Size=1000; Memory Mapped Size=10000000000; DateTimeFormat=Ticks" />
and rename/delete license.xml from App_Data
worked for me like a charm
Went from 21.5.3025.7772 → 22.8.10013.8329 → 23.9.8.8811
Previously I got a warning trying to go from 21.5.3025.7772 → 23.9.8.8811 that I need to go to 22.8 first. 21.5.3025.7772 → 22.8.10013.8329 → 23.9.8.8811 went fine with no warnings.
Just tried to go from 21.5.3025.7772 → 22.8.10013.8329 → 23.3.19.8811. Services started fine and logged in at 22.8.10013.8329. 23.3.19.8811 services failed to start.
I still can't get services started after the 21.5.3025.7772 → 22.8.10013.8329 → 23.3.19.8811 upgrade. I disabled all extensions and tried again, same issue. Anyone have any ideas?
Feb 21, 2024, 22:24 pm
(This post was last modified: Feb 21, 2024, 22:25 pm by leungda. Edited 2 times in total.)
Thanks for the information - Arlecho.
I followed your advice to delete the file and block those IPs. I checked my pfSense firewall log. The listed IPs keep trying to access the server. Should I change the port instead of using 8040?
Also, I need someone to help me upgrade my SC 22.9.10221.8343 to the latest. I am happy to pay for your time. PM me if you want to take the job.
Feb 21 18:00:34 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:34 WAN 91.92.255.119:47554 192.168.1.8:8040 TCP:S
Feb 21 18:00:35 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:36 WAN 91.92.255.164:47594 192.168.1.8:8040 TCP:S
Feb 21 18:00:37 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:41 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:45 WAN 91.92.255.164:47594 192.168.1.8:8040 TCP:S
Feb 21 18:00:48 WAN 91.92.255.116:55794 192.168.1.8:8040 TCP:S
Feb 21 18:00:49 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:54 WAN 91.92.255.135:43476 192.168.1.8:8040 TCP:S
Feb 21 18:01:02 WAN 91.92.255.164:47594 192.168.1.8:8040 TCP:S
Feb 21 18:01:03 WAN 91.92.255.117:37888 192.168.1.8:8040 TCP:S
Feb 21 18:01:04 WAN 91.92.255.117:37888 192.168.1.8:8040 TCP:S
Feb 21 18:01:06 WAN 91.92.255.117:37888 192.168.1.8:8040 TCP:S
Feb 21 18:01:06 WAN 91.92.255.164:42770 192.168.1.8:8040 TCP:S
Feb 21 18:01:06 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:02:50 WAN 91.92.255.157:55724 192.168.1.8:8040 TCP:S
Feb 21 18:02:51 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:02:53 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:02:55 WAN 91.92.255.163:34558 192.168.1.8:8040 TCP:S
Feb 21 18:02:57 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:02:58 WAN 91.92.255.163:56724 192.168.1.8:8040 TCP:S
Feb 21 18:03:05 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:03:21 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:03:22 WAN 91.92.254.205:56924 192.168.1.8:8040 TCP:S
Feb 21 18:03:23 WAN 91.92.254.205:56924 192.168.1.8:8040 TCP:S
Feb 21 18:03:25 WAN 91.92.254.205:56924 192.168.1.8:8040 TCP:S
Feb 21 18:03:29 WAN 91.92.254.205:56924 192.168.1.8:8040 TCP:S
Feb 21 18:03:30 WAN 91.92.255.163:56724 192.168.1.8:8040 TCP:S
Feb 21 18:03:37 WAN 91.92.254.205:56924 192.168.1.8:8040 TCP:S
Feb 21 18:03:52 WAN 91.92.255.153:46442 192.168.1.8:8040 TCP:S
Feb 21 18:03:53 WAN 91.92.255.153:46442 192.168.1.8:8040 TCP:S
Feb 21 18:03:54 WAN 91.92.254.205:56924 192.168.1.8:8040 TCP:S
Feb 21 18:03:54 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:03:55 WAN 91.92.255.153:46442 192.168.1.8:8040 TCP:S
Feb 21 18:03:59 WAN 91.92.255.153:46442 192.168.1.8:8040 TCP:S
Feb 21 18:04:07 WAN 91.92.255.119:59474 192.168.1.8:8040 TCP:S
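A firewall-side version of the "audit LoginAttempt, then block the sources" advice given earlier in the thread, as an added example that is not code from any poster, from ConnectWise, or from pfSense: it parses filter-log lines in the format shown in the post above (the sample lines are constructed for the example, not real traffic), counts SYNs per source aimed at the ScreenConnect port, checks each source against the /24s posted in the thread, and proposes further /24s only where more than one distinct host in that range was seen, so a single stray scanner does not get a whole network blocked on no evidence. The rendered pf table/rule text, the table name `sc_attackers` and the `$wan_if` macro are assumptions; on pfSense you would load the same CIDR list into an Alias and reference it from a WAN block rule instead.

```python
import ipaddress
import re
from collections import Counter

# /24 ranges posted in the thread as attacker sources (Feb 21, 2024).
POSTED_BLOCKLIST = [
    "91.92.255.0/24", "192.210.232.0/24", "144.172.118.0/24",
    "146.70.86.0/24", "67.22.32.0/24", "91.92.254.0/24", "195.80.148.0/24",
]

# Filter-log line shape as posted in the thread:
# "Feb 21 18:00:34 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<iface>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<proto>\S+)$"
)

# Constructed sample modelled on the posted format (not real traffic).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for "new" attacker sources not yet on the posted list.
SAMPLE_LOG = """\
Feb 21 18:00:34 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:35 WAN 91.92.255.137:40926 192.168.1.8:8040 TCP:S
Feb 21 18:00:36 WAN 91.92.255.164:47594 192.168.1.8:8040 TCP:S
Feb 21 18:02:51 WAN 91.92.254.205:51826 192.168.1.8:8040 TCP:S
Feb 21 18:03:10 WAN 203.0.113.77:51000 192.168.1.8:8040 TCP:S
Feb 21 18:03:11 WAN 203.0.113.78:51001 192.168.1.8:8040 TCP:S
Feb 21 18:03:12 WAN 203.0.113.79:51002 192.168.1.8:8040 TCP:S
Feb 21 18:04:00 WAN 198.51.100.5:44000 192.168.1.8:8040 TCP:S
this line is not a filter log entry and is skipped
"""


def parse_log(text, dport=8040):
    """Yield (src_ip, timestamp) for each well-formed TCP SYN line to the ScreenConnect port."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or int(m.group("dport")) != dport or m.group("proto") != "TCP:S":
            continue
        yield m.group("src"), m.group("ts")


def hits_per_source(text, dport=8040):
    """Count SYN attempts per source IP: the firewall-side view of the LoginAttempt audit."""
    return Counter(src for src, _ in parse_log(text, dport))


def covered_by(src, blocklist):
    """Return the first blocklist CIDR containing src, or None if it is not yet blocked."""
    addr = ipaddress.ip_address(src)
    for cidr in blocklist:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def new_blocks(text, blocklist, min_distinct_hosts=2, dport=8040):
    """Propose extra /24s: uncovered sources grouped by /24, kept only when at least
    min_distinct_hosts different hosts in that /24 hit us (avoids blocking a whole
    network on the strength of one scanner)."""
    nets = {}
    for src in hits_per_source(text, dport):
        if covered_by(src, blocklist):
            continue
        net = ipaddress.ip_network(f"{src}/24", strict=False)
        nets.setdefault(net, set()).add(src)
    return sorted(str(n) for n, hosts in nets.items() if len(hosts) >= min_distinct_hosts)


def pf_rules(cidrs, table="sc_attackers", dport=8040):
    """Render pf table + block rule text for the CIDRs ($wan_if macro is an assumption)."""
    return "\n".join([
        f"table <{table}> persist {{ {' '.join(cidrs)} }}",
        f"block in quick on $wan_if proto tcp from <{table}> to any port {dport}",
    ])


if __name__ == "__main__":
    counts = hits_per_source(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{str(src):<16} {n:>3} SYNs  covocked_by={covered_by(src, POSTED_BLOCKLIST)}".replace("covocked_by", "covered_by"))
    extra = new_blocks(SAMPLE_LOG, POSTED_BLOCKLIST)
    print(pf_rules(POSTED_BLOCKLIST + extra))
```

Blocking source ranges this way is a stopgap against the login spam, not a fix: the thread's own advice is to get onto a release that no longer exposes SetupWizard.aspx, and to treat every login attempt recorded after the exposure window as a reason to rotate credentials and 2FA.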