Today I noticed a new user on my server called SCPortal. (not SCPPortal)
They had acquired Administrator rights to my server, and installed VMWare Horizon Client. (downloaded the installation package to the desktop and ran it)
The remote desktop session was active but disconnected.
I pulled a RDP report and this user logged in from 126.96.36.199. (USA)
My server is in South Africa.
Can anyone explain what this is?
My server is pretty secure, so it would have had to be something internally which created this.
Please note that this is not to be confused with the SCPPortal user.
**Note the double P.
SCPortal is the hacked user account.
The default user (do note this is adjustable per install) is SCPPortal.
Please note that the SolidCP Portal is also harmless, (it’s litterally just the front end, can not execute or pull any data from db without auth).
a portal is therefor known as a “client front end” which should have absolutely no rights. (besides reading portal files).
When it comes to intrusion issues the first thing i tend to ask is this: on C:/ –> security tab, did you remove the “Users” group, aswell as allowed admins and some default system groups with custom permissions? As without it any auth user has full read + execute rights on your entire C drive, this includes any cmd command, etc. (and any user means litteraly any user, even app pools, etc).
I just explained the default (so you got the info).
I do understand you mentioned 2 users one with P and one with PP.
However please read the rest of my answer.
Portal should have absolutely no rights besides reading portal files.
so my first question is if you hardened the default flaw of Windows (users group)
If so i would move on to a group who does got more rights: thats SolidCP Server.
Portal and enterprise have no rights to create anything (or should have no rights if hardened properly) the only group which should have such permissions would be SolidCP Server, and if it’s local to your Portal / Enterprise it should be locked down to 127.0.0.1 (so no external user can triger SolidCP Server, not even if they know ur pass).
- Views136 times
- Answers2 answers