Today I noticed a new user on my server called SCPortal. (not SCPPortal)
They had acquired Administrator rights to my server, and installed VMWare Horizon Client. (downloaded the installation package to the desktop and ran it)
The remote desktop session was active but disconnected.
I pulled a RDP report and this user logged in from 22.214.171.124. (USA)
My server is in South Africa.
Can anyone explain what this is?
My server is pretty secure, so it would have had to be something internally which created this.
Please note that this is not to be confused with the SCPPortal user.
**Note the double P.
SCPortal is the hacked user account.
The default user (do note this is adjustable per install) is SCPPortal.
Please note that the SolidCP Portal is also harmless, (it’s litterally just the front end, can not execute or pull any data from db without auth).
a portal is therefor known as a “client front end” which should have absolutely no rights. (besides reading portal files).
When it comes to intrusion issues the first thing i tend to ask is this: on C:/ –> security tab, did you remove the “Users” group, aswell as allowed admins and some default system groups with custom permissions? As without it any auth user has full read + execute rights on your entire C drive, this includes any cmd command, etc. (and any user means litteraly any user, even app pools, etc).
- Views135 times
- Answers2 answers