Not a bug

connectwise connects to non authorized computers around the world.

adam 1 year ago, updated by Miguel Jose Leeuwe 9 months ago

I am an end user of ConnectWise. A software developer uses it to support our company remotely. Essentially I am sent a URL to connect to their PC, enter a session code and run the one-time application. My side sits and waits. The support provider that is running the software sees me connect; then, when trying to join the session, he connects to other computers that are running ConnectWise. These computers are not even computers he has supported. This has happened at least two times. He says he just lands on their desktop.

I am sure you see my concern. How is this happening?


ConnectWise Control Version:
6.5
Server Affected:
Host Client Affected:
Guest Client Affected:

Answer
Not a bug

In the case of unknown guests on Access sessions, see this article: https://docs.connectwise.com/ConnectWise_Control_Documentation/Technical_support_bulletins/Unknown_machines_appearing_in_list_of_access_sessions_on_Host_page

Support sessions links can also be intercepted (by email scanners, for example), which can result in an unknown machine appearing as a guest. This is not an issue with Control, but rather with the security of the Guest.

PS. These are not even in my network.

Waiting for information

I can't say that I've heard other reports of this happening but it's probably best to contact our Support team so someone can take a direct look.  Ideally we would want to see some of the links he's clicking and connecting to other sessions.

This morning, under "Access" I've found several connections which have not been created by myself:

These are the funny entries:

Name:WIN-U9ELNVPPAD0
Organization:
Hosts Connected:
Guests Connected:
Guest Last Connected:2h 48m
Logged On User: WIN-U9ELNVPPAD0
Idle Time:2h 54m
Machine:WORKGROUP\WIN-U9ELNVPPAD0
Operating System:Windows 7 Professional (6.1.7601)
Processor(s):Intel(R) Xeon(R) CPU X5550 @ 2.67GHz (1 virtual)
Available Memory:1635 MB / 2047 MB
Network Address:80.130.94.223
Client Version:6.6.18120.6697
Now
12-12 08:07:19
12-12 05:24:43
12-12 05:21:22
12-12 05:21:22
Guest

Name:ODOMTDWGTKC
Organization:
Hosts Connected:
Guests Connected:
Guest Last Connected:2h 52m
Logged On User:ODOMTDWGTKC\Administrator
Idle Time:2h 54m
Machine:WORKGROUP\ODOMTDWGTKC
Operating System:Windows 7 Professional (6.1.7601)
Processor(s):Intel(R) Xeon(R) CPU E5-2690 0 @ 2.90GHz (2 virtual)
Available Memory:1035 MB / 2047 MB
Network Address:80.130.94.223
Client Version:6.6.18120.6697
Now
12-12 08:07:28
12-12 05:24:09
12-12 05:21:40
12-12 05:21:40
Guest

Name:
Organization:
Hosts Connected:
Guests Connected:
Guest Last Connected:4h 4m
Logged On User:
Idle Time:
Machine:
Operating System:
Processor(s):
Available Memory:
Network Address:71.138.129.33
Client Version:6.6.18120.6697
Now
12-12 08:07:10
12-12 04:11:36
12-12 04:08:22
Guest

I'll report it as a bug


I don't know that go-to article is a safe assumption anymore.

The third example Miguel provided above is clearly coming from an end-user location, not a sandboxing service.  And if the sandboxing is - unusually - happening on the guest itself, Miguel should be able to confirm that by looking at its IP and finding legitimate guests there.

Our install hasn't experienced this, but someone I know has, and the guests that connected to their instance had every sign of being real machines, not sandboxed anything.  They were a mixture of operating systems from XP up, and the screen snapshots showed what looked like production computers, with icons for programs that their enterprise doesn't use.  As in... someone else's computers connected to his instance.  Unfortunately, they ended those sessions before we discussed matters, so we couldn't do any tracing to confirm... they just found the above article and accepted its wisdom, which I'm starting to doubt due to the details of some of these newer reports.

If you're absolutely certain that any "mystery guests" you might have can't be explained by another machine intercepting the session link, join code or installer, please follow Scott's advice above and contact support so we can look into it.

(I'm 99% sure that these reports are addressed by the linked article, but just in case...)

Hi "On site services" and Eric Davis.

Unfortunately, I've also "ended" all of these weird sessions, but tonight I'll log in and leave the webpage open for a few hours. Then tomorrow I'll post the information. The IPs definitely did not seem related to anything, and some would show the desktop of those connections with few icons and 2 GB machine configurations.


Thanks for your input.

I am glad someone else has noticed this issue as well. To the developers if you send me a PM I will ask the developer who experienced this issue to share with you if he agrees. Until further notice we cannot feel comfortable using this product.

Miguel I will keep an eye on this thread as well. As a side note our mail system does not send links etc to a cloud service to be scanned.

I was going to prove my point by leaving my ConnectWise account simply logged in tonight, not even connecting remotely to any computer. That's what filled my account with unknown clients yesterday. The problem is that yesterday a new longer list (with computer names with Polish names and other non-sandbox like machines) showed up. You could even see their desktop on the right side of the screen. It gave me such an insecure feeling, that I immediately ended them and changed my URL and I changed my password to a longer more complex one. Now I don't seem to have this problem at all any more.

I will post back here if the problem re-occurs, but to be honest, I've worked for about 3 months without any problem, so it could take a while. I'm using the free client, but I convinced the company I work for to buy a licence, so I'll be checking that one too.

I'm running a paid version of Malwarebytes which seems to do quite a good job, but I did get to do some cleaning up after having downloaded "Lightscribe", which is not very recommendable (I had to turn off Malwarebytes to be able to try and install it, thinking I would use it once, re-activate Malwarebytes and no problemo...). Lightscribe used to be a good product, but the only available versions now are full of malware. Who knows, that's what compromised my PC. It kinda coincides with the time my problems started on ConnectWise.

So my advice is to do a thorough scan with AdwCleaner, then Malwarebytes and ending by running HitManPro. There's a free version of Hitmanpro which does a very good job. It won't clean your pc but will tell you which files you should delete manually.

Cheers,

Miguel

Okay, I promised to be back, but it's sooner than I would have expected.

There's a new non-sandbox connection, a certain user "John Doe".

(I haven't even logged in lately with my account, but still it has happened again.)

What do I have to do to get this investigated?

My own connection is the "WIN8DEV"; John Doe is the intruder.

Name:BEA-CHI-T-7PR01
Organization:
Hosts Connected:
Guests Connected:
Guest Last Connected:12h 36m
Logged On User:bea-chi-t-7pr01\John Doe
Idle Time:12h 40m
Machine:WORKGROUP\BEA-CHI-T-7PR01
Operating System:Windows 7 Professional (6.1.7601)
Processor(s):Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz (1 virtual)
Available Memory:1497 MB / 2047 MB
Network Address:67.137.36.66
Client Version:6.6.18120.6697

This time I have NOT ended the connection so it's available for investigation.

Hi Miguel,

What you are seeing is a sandbox machine running the client installer file to see what it does. This is typical behavior of AV scanners, both at the software and hardware levels, and can happen both with the Support and Access clients. If you use any kind of advanced network equipment that does HTTPS scanning, it is possible for the file to be picked up and sent out for analysis, in addition to the possibility of software AV or threat detection programs doing this.

You'd see the same behavior occur if you took the installer file and uploaded it to a site like virustotal.com - you'd have a bunch of random machines appear with generic names for the machine name, logged in username, and even a desktop on the right, that come online just for a short time (typically a minute or two, but sometimes longer) before they go offline and never return.

What I would recommend that could help with this scenario is to upvote this feature request here which is asking for a configurable expiration be added to the installer file:

https://control.product.connectwise.com/communities/1/topics/305-add-configurable-automatic-expiration-for-unattended-installer

It may also be a good idea for you to add a request to add a password onto the unattended installer file, which would prevent AV scanners from running the file since they don't have the pre-shared code/password.
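A small triage helper, added here as an example (it is not part of this thread and not ConnectWise's own tooling), that parses guest entries in the "Key:Value" layout pasted earlier and scores each against the sandbox profile Michael describes: WORKGROUP machine, default WIN- hostname, about 2 GB of RAM, one or two virtual CPUs, a placeholder user. The two sample entries, their names and their addresses (RFC 5737 ranges) are constructed.

```python
import re

# Constructed sample in the "Key:Value" layout the session details are pasted in
# earlier in this thread; names, users and addresses (RFC 5737 ranges) are made up.
SAMPLE_ACCESS_LIST = """\
Name:WIN-AB12CD34EF5
Logged On User: WIN-AB12CD34EF5
Machine:WORKGROUP\\WIN-AB12CD34EF5
Processor(s):Intel(R) Xeon(R) CPU X5550 @ 2.67GHz (1 virtual)
Available Memory:1635 MB / 2047 MB
Network Address:192.0.2.10

Name:ACCT-LAPTOP-07
Logged On User:CORP\\jsmith
Machine:CORP\\ACCT-LAPTOP-07
Processor(s):Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz (8 logical)
Available Memory:9812 MB / 16302 MB
Network Address:198.51.100.23
"""

def parse_records(text):
    """One dict per guest; guests are separated by a blank line."""
    return [dict((k.strip(), v.strip()) for k, _, v in
                 (ln.partition(":") for ln in block.splitlines()))
            for block in re.split(r"\n\s*\n", text.strip())]

def sandbox_signals(rec):
    """Traits matching the AV-sandbox profile described in this thread."""
    name, user = rec.get("Name", ""), rec.get("Logged On User", "")
    mem = re.search(r"/\s*(\d+)\s*MB", rec.get("Available Memory", ""))
    cpu = re.search(r"\((\d+) virtual\)", rec.get("Processor(s)", ""))
    checks = [  # (label, hit): each is one heuristic, not proof on its own
        ("not domain-joined", rec.get("Machine", "").upper().startswith("WORKGROUP\\")),
        ("generic or default hostname", bool(re.match(r"WIN-[A-Z0-9]{11}$", name)) or name == user),
        ("2 GB or less RAM", bool(mem) and int(mem.group(1)) <= 2048),
        ("1-2 virtual CPUs", bool(cpu) and int(cpu.group(1)) <= 2),
        ("placeholder user name", user.endswith("John Doe")),
    ]
    return [label for label, hit in checks if hit]

def triage(text, threshold=3):
    """Verdict per guest: enough sandbox traits -> 'likely-sandbox', otherwise 'escalate'."""
    out = []
    for rec in parse_records(text):
        sig = sandbox_signals(rec)
        verdict = "likely-sandbox" if len(sig) >= threshold else "escalate"
        out.append((rec.get("Name", "?"), rec.get("Network Address", "?"), verdict, sig))
    return out
```

Entries that come back as "escalate" are the ones worth leaving open and handing to support, as Eric suggested above, rather than ending straight away.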

Hi Michael,

I've done what you suggested: when connecting to ConnectWise, I once again was prompted to install the client. I did and then uploaded the file to virustotal.com, while still being connected.

No funny entries at all and I've added the report as a PDF. There are 4 "positives", should I be worried?

kind regards,

Miguel

virustotal.com report

Hi Michael, then why haven't I seen this happening during the first 3 months of using ConnectWise? 

My AV is exactly the same. Also the name of the machine is not Sandbox as I've seen in an example. John Doe? Anyway, I won't worry about it if you assure me it's a normal thing.

Hi Miguel,

Yes, it is something that we see occasionally, and more often happens after we have a version update (AV tends to pay more attention to updated versions of software, so at least you know it is doing its job). It's definitely a nuisance to see machines populate the list, but the client itself cannot compromise the private data from within the server - it only allows you to connect to the remote machine when it's online.


'John Doe' is a fictitious name that gets commonly used whenever someone doesn't know the identity of the person they're discussing - for example, police might use John Doe as a placeholder name for an unidentified crime victim until they can find out the actual name of the person.

Also, when I say it's a sandbox machine, I mean that it's most likely a virtual machine running on a server somewhere for the express purpose of running/analyzing files that the scanners pick up. When it's done running the file, the machine is likely reset to a prior snapshot so it can work on running/analyzing other files, so it would go offline and not come back online again.

67.137.36.66 belongs to Integra Telecom, and (potentially unreliable) geolocation puts that machine in Portland, Oregon.


It is interesting that these have all reported as 6.6.18120.6697, which does support the idea that there's an installer being tested.

A question in this case would be, Miguel, do you have remotes that should be anywhere in that subnet?  Just something to think about.


My concern is that the associate I mentioned who reported this to me, he indicated the screen snapshots were reflective of production machines (not his).  As in, they had desktop icons for productivity software, with KeePass jumping out at him as surprising.  I wouldn't expect AV sandboxing to be testing executables on VMs with actual software, but it's not impossible.

Hi, 

Thanks for your reaction: no, I don't have remote services in that area or at any of the other IPs I previously found.

I do use the "TunnelBear" VPN to be able to watch Spanish television from the UK. Could that maybe explain these IPs?

The thing is, that I specify a Geo location in Spain, when I use Tunnelbear, so that still doesn't make a lot of sense. 

I've done some digging and somehow the IPs seem to be related to ISPs or IP management companies, but also sometimes to SSH brute force attacks.

80.130.94.223
-> Jonathan Gist _ Virgin Media - IPManager?
http://ip-www.net/80.130.94.223
https://twitter.com/JonathanGist
http://ip-www.net/86.7.85.249

Banned brute force attack:
http://banned.biker.ie/2018/12/fail2ban-ssh-banned-1881167165-from_15.html -> 82.211.44.200
-> Again: "Jonathan Gist"

http://www.whatmyip.co/view/ip_owners/80466/Virgin_Media_Limited.html

79.253.230.180
-> Rome - Telecom Italy - BBBEASYIP STAFF
https://www.facebook.com/pages/Telecom-Italia-Val-Cannuta-186/123806444339196
http://bruteforcers.net/582109, leads to http://ip-www.net/87.5.0.244 -> BBBEasyIP Staff
Searching for their telephone number: +39 06 36881 -> brute force attack from:
http://banned.biker.ie/2018/12/fail2ban-ssh-banned-1881167165-from_15.html -> 82.211.44.200
-> Again: "Jonathan Gist"

71.138.129.33
-> Embarq Corporation, Address: 500 N New York Ave
City: Winter Park
StateProv: FL
PostalCode: 32789
Country: US

Apart from running TunnelBear, I also do a daily backup from the office that I work for to a hard disk connected to my MX-9 TV box (previously used for Kodi).

I'm using SSH-Droid to set that up at home and "psftp" (putty) from my work computer, pointing to a dynamic ddns hosted by no-ip.com

I use a quite long password (more than 20 characters), but maybe it's time to change it.

My pc is daily scanned by Malwarebytes Premium and doesn't find anything.

About what you say on "It is interesting that these have all reported as 6.6.18120.6697":

Lately I've noticed that sometimes, even if I have the latest version installed, when connecting with ConnectWise I'm still being prompted to download the installer. I normally don't, blame it on some network problem, and then get right in.

Well, I've deleted my instance on my free account. I was using this one alongside a paid one to connect to the office. Today I was working at the office, my home laptop was off, I was not logged in, and still now and then I saw ConnectWise notifications of connections happening. When logging in, there was nothing abnormal, but I can't take any risks with my work. I only hope I'll never have these problems with our paid account of ConnectWise. We're about to expand the licence to have 25 accesses available, so there's no more need anyway to use my flaky free account :)

Thanks all, I hope I never have to come back.

Miguel