Kaseya Community

hack attempt??

  • This morning, an unknown machine checked into my K-Server from IP 209.235.13.188. An initial audit was run automatically, and I can see that it was a VM with Ethereal and Python25 installed. I attempted to initiate a view only remote session to determine what was going on, but the machine went offline before I could connect.

    It is strange, and a little troublesome.

    Any ideas??

    Legacy Forum Name: hack attempt??,
    Legacy Posted By Username: Alan M
  • I had one machine do the same thing about a week ago. I did not think too much of it at the time.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: gdoubinin
  • This is a bit odd. Perhaps someone kept a copy of the agent installer and accidentally installed it, wondering what the file was?

    I wouldn't worry too much about it though, an unexpected computer connecting to your network gives you access to them. They get access to your ticketing portal, if that's enabled.

    I think that IP belongs to Shaw Cable, so it could easily be one of your customers taking the agent home by accident.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwujcik
  • dwujcik
    I think that IP belongs to Shaw Cable, so it could easily be one of your customers taking the agent home by accident.


    I hope I don't get in trouble for this:

    209.235.13.188 resolves to
    "188-209.235.13.appsitehosting.com"
    Top Level Domain: "appsitehosting.com"

    I ran the whois too, not much info there... but the registrant POBox is in Drums, PA...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • thirteentwenty
    I hope I don't get in trouble for this:

    209.235.13.188 resolves to
    "188-209.235.13.appsitehosting.com"
    Top Level Domain: "appsitehosting.com"

    I ran the whois too, not much info there... but the registrant POBox is in Drums, PA...


    In trouble from who? This is all public information. I ran a WHOIS about 15 seconds after the PC checked in, but "appsitehosting.com" does not explain much. As one can tell from the name, they provide server and application hosting, so I'm sure the hit originated from a client of theirs, and not from appsitehosting itself.

    I posted the actual IP so as to provide a record in the forum in case anyone else should come across a similar event.

    I would be hard pressed to believe that any client of mine accidentally installed my agent into a VM with a sniffer, so I am curious and interested in hearing alternative explanations...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Alan M
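
    A defender-side way to handle the situation Alan M describes, as an added example that is not part of this thread and not Kaseya code: when a machine checks in for the first time, compare its source IP against the netblocks you expect customers to come from and look at the installed-software list from the initial audit for packet-capture tooling, so that a check-in like the one above is flagged for review instead of being noticed by chance. The netblocks and machine records below are constructed placeholders (the 209.235.13.188 address is the one from the original post); the `triage` and `triage_all` function names are this example's own.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed placeholder netblocks standing in for the ranges your customers
# actually connect from; 198.51.100.0/24 is a documentation range (TEST-NET-2).
KNOWN_NETBLOCKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Software names that, on a first-time check-in, warrant a closer look.
SNIFFER_KEYWORDS = ("ethereal", "wireshark", "tcpdump")


@dataclass
class CheckIn:
    """One agent check-in as recorded by the initial audit (hypothetical shape)."""
    machine_id: str
    source_ip: str
    installed_apps: tuple


def ip_is_known(ip: str) -> bool:
    """True when the address falls inside one of the expected netblocks.

    Raises ValueError for a string that is not a valid IPv4/IPv6 address.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETBLOCKS)


def triage(checkin: CheckIn) -> list[str]:
    """Return the reasons a check-in deserves review; an empty list means none."""
    reasons: list[str] = []
    try:
        known = ip_is_known(checkin.source_ip)
    except ValueError:
        # A malformed source address is itself worth a look rather than a crash.
        return ["unparseable source IP"]
    if not known:
        reasons.append(f"source {checkin.source_ip} outside known customer netblocks")
    apps_lower = [a.lower() for a in checkin.installed_apps]
    hits = [a for a in apps_lower if any(k in a for k in SNIFFER_KEYWORDS)]
    if hits:
        reasons.append("packet capture tooling present: " + ", ".join(hits))
    return reasons


def triage_all(checkins: list[CheckIn]) -> dict[str, list[str]]:
    """Triage a batch of check-ins, keyed by machine id."""
    return {c.machine_id: triage(c) for c in checkins}


# Constructed sample check-ins: the first mirrors the event described in the thread.
SAMPLE_CHECKINS = [
    CheckIn("vm-unknown-01", "209.235.13.188", ("Ethereal", "Python25")),
    CheckIn("ws-acme-17", "10.20.4.9", ("Microsoft Office",)),
    CheckIn("lt-home-03", "198.51.100.77", ("Wireshark",)),
]

if __name__ == "__main__":
    for machine_id, reasons in triage_all(SAMPLE_CHECKINS).items():
        status = "REVIEW" if reasons else "ok"
        print(f"{machine_id}: {status} {'; '.join(reasons)}")
```

    Run as a script it prints one line per machine. In practice the netblock list would be fed from your customer records and the audit data pulled from the K-Server, and a machine that trips either check is a good candidate for the view-only session the original poster tried to open.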
  • Maybe they downloaded the agent off your website and installed it?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Joshua Lehman
  • Joshua Lehman
    Maybe they downloaded the agent off your website and installed it?


    Probably so. I've never had anyone do it randomly though, and it seems odd that a VM with Ethereal installed (and little else) would be the first. People that use a VM to run Ethereal are generally doing something purposeful in my experience.

    Kind of creepy...

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Alan M
  • Not to hijack this thread, but Josh's post raises an interesting question...

    Are most people using the dl.asp page to store their agent packages for download by their own techs? If so, is there a way to secure this with a login but still give K full rights to make changes?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: CCDave
  • thirteentwenty
    I hope I don't get in trouble for this:

    209.235.13.188 resolves to
    "188-209.235.13.appsitehosting.com"
    Top Level Domain: "appsitehosting.com"

    I ran the whois too, not much info there... but the registrant POBox is in Drums, PA...


    Yea the lookup is a bit of a blank. I just suggested Shaw because they're using a lot of 209.x.x.x right now and they tend to buy big blocks... They use a different registrar though so probably not them after all. Who knows?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwujcik
  • dwujcik
    Yea the lookup is a bit of a blank. I just suggested Shaw because they're using a lot of 209.x.x.x right now and they tend to buy big blocks... They use a different registrar though so probably not them after all. Who knows?


    In my last business we "bought" (was more of a lease) a partial class C so it could very well be part of the Shaw network.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • CCDave
    Not to hijack this thread, but Josh's post raises an interesting question...

    Are most people using the dl.asp page to store their agent packages for download by their own techs? If so, is there a way to secure this with a login but still give K full rights to make changes?


    I thought about this in the past, as most of the time you have the credentials bound to the agent and the agent is available to be downloaded from the dl.asp website. Would someone be able to decompile the agent and obtain the credentials etc?

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Joshua Lehman