Unexpected ScreenConnect Installation Detected
I noticed that an instance of ScreenConnect was installed without any action on my part. Example from the logs:
Jul 23 01:58:11 hostname pkexec[3837851]: root: Executing command [USER=root] [TTY=unknown] [CWD=/] [COMMAND=/usr/bin/dpkg -i /tmp/screenconnectInstallerPackage.deb]
This resulted in the following files being installed:
/opt/connectwisecontrol-e1... $ ll
total 3.1M
-rw-r--r-- 1 root root 581 Jul 23 09:17 ClientLaunchParameters.txt
-rw-r--r-- 1 root root 440K Jul 23 01:57 libscnative_libwebp_x64.so
-rw-r--r-- 1 root root 428K Jul 23 01:57 libscnative_libwebp_x86.so
-rw-r--r-- 1 root root 696K Jul 23 01:57 libscnative_libzstd_x64.so
-rw-r--r-- 1 root root 562K Jul 23 01:57 libscnative_libzstd_x86.so
-rw-r--r-- 1 root root 8.0K Jul 23 01:57 libscnative_x64.so
-rw-r--r-- 1 root root 6.8K Jul 23 01:57 libscnative_x86.so
-rw-r--r-- 1 root root 472K Jul 23 09:15 ScreenConnect.Client.jar
-rw-r--r-- 1 root root 464K Jul 23 01:57 ScreenConnect.Core.jar
-rw------- 1 root root 57 Jul 23 09:16 .Xauthority
I cannot find any reference to the file screenconnectInstallerPackage.deb. Is this some sort of automatic update? The official ScreenConnect installation files do not use this name. Has anyone else observed similar activity in /var/log/auth*?
"screenconnectInstallerPackage.deb" is a file name used by the .sh agent installer, which is also used for updating agents, so if you already had an agent installed on that machine, it could very well be an automatic update.
You can check the timeline of that session on the Host page to see if there's a RanAutoReinstall event… or I guess if it was a couple months ago, you'll probably need to query the audit log instead. (That also has the advantage of being able to filter to just RanAutoReinstall events.)
You can also look at the contents of that ClientLaunchParameters.txt file; there should be an "h=" followed by a hostname, which is the relay server that it'll call back to. If it's a cloud instance, that should be "instance-[instance ID]-relay.screenconnect.com"; you can see the Instance ID of your cloud instances in the cloud account portal at cloud.screenconnect.com.
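The two checks suggested in the reply (find the dpkg install event in auth.log, then read the "h=" relay from ClientLaunchParameters.txt and compare it with the cloud relay naming pattern) can be scripted for triage. The following is an added example written for this thread, not code from ScreenConnect or ConnectWise. The pkexec log line is the one from the question; the ClientLaunchParameters.txt sample, its ampersand-separated key=value layout, and the instance ID "abc123" are constructed assumptions, and only the "h=" key and the "instance-[ID]-relay.screenconnect.com" pattern come from the thread.

```python
"""Triage helpers for an unexpected ScreenConnect agent install on Linux (example code)."""
import re
from typing import Optional

# Constructed sample auth.log: the pkexec line quoted in the question plus one unrelated line.
SAMPLE_AUTH_LOG = """\
Jul 23 01:58:11 hostname pkexec[3837851]: root: Executing command [USER=root] [TTY=unknown] [CWD=/] [COMMAND=/usr/bin/dpkg -i /tmp/screenconnectInstallerPackage.deb]
Jul 23 02:00:00 hostname sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
"""

# Constructed sample of ClientLaunchParameters.txt. The '&'-separated key=value layout and
# every key other than "h=" are assumptions made for this example; "abc123" is a placeholder ID.
SAMPLE_LAUNCH_PARAMS = (
    "e=Access&y=Guest&h=instance-abc123-relay.screenconnect.com&p=443"
    "&s=00000000-0000-0000-0000-000000000000"
)

# pkexec "Executing command" lines, capturing the syslog timestamp, host, user and command.
PKEXEC_CMD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\s+pkexec\[\d+\]:\s"
    r"(?P<user>\w+): Executing command .*\[COMMAND=(?P<cmd>[^\]]+)\]"
)
# Cloud relay naming pattern as described in the reply.
CLOUD_RELAY = re.compile(r"^instance-(?P<id>[A-Za-z0-9]+)-relay\.screenconnect\.com$")


def find_screenconnect_installs(auth_log: str) -> list[dict]:
    """Return pkexec events whose command runs dpkg on screenconnectInstallerPackage.deb."""
    hits = []
    for line in auth_log.splitlines():
        m = PKEXEC_CMD.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if "dpkg" in cmd and "screenconnectInstallerPackage.deb" in cmd:
            hits.append({
                "timestamp": m.group("ts"),
                "host": m.group("host"),
                "user": m.group("user"),
                "command": cmd,
            })
    return hits


def relay_host(launch_params: str) -> Optional[str]:
    """Extract the value of the h= parameter: the relay server the agent calls back to."""
    m = re.search(r"(?:^|[&\s])h=([^&\s]+)", launch_params)
    return m.group(1) if m else None


def classify_relay(host: Optional[str], expected_instance_id: Optional[str] = None) -> str:
    """Compare the relay host with the cloud naming pattern and, optionally, your own instance ID.

    Returns one of: "none", "cloud-expected", "cloud-other", "self-hosted-or-unknown".
    A "cloud-other" or unknown relay means the agent reports to a server you did not set up
    and the install deserves a closer look.
    """
    if host is None:
        return "none"
    m = CLOUD_RELAY.match(host)
    if not m:
        return "self-hosted-or-unknown"
    if expected_instance_id is not None and m.group("id") != expected_instance_id:
        return "cloud-other"
    return "cloud-expected"


if __name__ == "__main__":
    for event in find_screenconnect_installs(SAMPLE_AUTH_LOG):
        print(f"{event['timestamp']} {event['host']}: {event['user']} ran {event['command']}")
    host = relay_host(SAMPLE_LAUNCH_PARAMS)
    # Replace "abc123" with the Instance ID shown in cloud.screenconnect.com for your account.
    print(f"relay={host} verdict={classify_relay(host, expected_instance_id='abc123')}")
```

On a real host, feed `find_screenconnect_installs` the concatenated contents of /var/log/auth* and `relay_host` the contents of ClientLaunchParameters.txt from the agent directory; a "cloud-expected" verdict matching the instance ID from your cloud portal is consistent with the automatic update the reply describes, while any other verdict is worth cross-checking against the audit log's RanAutoReinstall events.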