My server was hacked!

I run my SimpleHelp server on a local subnet and just bring it up when a client calls in for help. I have a link on my website for the client download. Occasionally I may leave the server up by mistake for a day or two. Currently, when the client downloads and runs the client from my site, an Internet Explorer window opens on his machine and displays a message saying my call is a hoax and a scam and to call their 1-888 number for help. (I would post a screenie here but I don’t see the option.) I’m trying to figure out how this breach was done and how to recover. I’m a bit horrified by this…

Just a user of SH here, but my first thought is that the client OS has the issue. Examples would be hosts file or DNS manipulation, or more simply an IE home page takeover.

Do you have another client or test system to prove this is installation-wide? What version of SH are you running?

If you can convey more of the details the Community may be able to help, but I would be sure to contact SH support if you feel the server is truly hacked.

1 Like
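For anyone doing the "is it the client OS?" check suggested above, here is a small triage helper. It is an added example, not code from the original post or from SimpleHelp: it parses hosts-file text for entries that redirect a watched hostname, and on Windows reads the IE Start Page value from HKCU. The hostname `support.example.com`, the IP addresses and the hosts-file content are constructed for the example.

```python
"""Triage helpers for a suspected client-side hijack of a remote-support session:
hosts-file overrides of the support server's name, and the IE start page."""
import ipaddress
import platform
from typing import Dict, Iterable, List, Optional, Tuple


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text.

    Comments and blank lines are ignored; a line whose first field is not a
    valid IPv4/IPv6 address is skipped rather than trusted.
    """
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def find_overrides(text: str, watched_hosts: Iterable[str],
                   allowed_ips: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map each watched hostname to the addresses the hosts file pins it to,
    excluding addresses the caller says are legitimate."""
    watched = {h.lower() for h in watched_hosts}
    allowed = set(allowed_ips)
    hits: Dict[str, List[str]] = {}
    for ip, name in parse_hosts(text):
        if name in watched and ip not in allowed:
            hits.setdefault(name, []).append(ip)
    return hits


def ie_start_page() -> Optional[str]:
    """Read HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Start Page.

    Returns None when not on Windows or when the value is absent, so the
    caller can compare it against the page they expect.
    """
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, hence the local import
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Internet Explorer\Main")
    try:
        value, _ = winreg.QueryValueEx(key, "Start Page")
        return value
    except FileNotFoundError:
        return None
    finally:
        winreg.CloseKey(key)


# Constructed hosts-file content for the example (not a real capture).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         support.example.com        # pins the support server to nowhere
203.0.113.7     SUPPORT.EXAMPLE.COM www.example.com
notanip         foo.example.com
"""

if __name__ == "__main__":
    # On a real machine read C:\Windows\System32\drivers\etc\hosts instead.
    print(find_overrides(SAMPLE_HOSTS, ["support.example.com"]))
    print(ie_start_page())
```

Run it against the real hosts file (`C:\Windows\System32\drivers\etc\hosts` on the client) with your server's hostname in `watched_hosts`; an empty result plus an unchanged start page rules out the two cheapest client-side hijacks and points you back at DNS or at something running on the machine.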

My SimpleHelp version is several years old (can’t remember where to look for the version number). Good point, let me go try it on another machine, as this is a client’s machine going from Win8 to Win10 with unknown history.

@add - Thanks for the sanity check. All appears good when accessing my server from other machines. It appears this client had let a disreputable remote service access their computer, which has left something behind to spy on remote activities. Time to nuke and pave that machine…

Thanks for the help - if an admin comes along, please change the title so it’s not so alarmist.

1 Like

Just a comment here - I may have to stop using Simple Help for my main client as they are undertaking a security review and “unknown” (sorry!) remote control systems are really worrying the auditors :frowning:

Not helped by my SH server running on my home server in the cellar, not using SSL and no MFA.

I could fix the home server by hosting it but to be honest, I suspect the risk of hacking of a cloud based service is higher than somebody bothering my home server… but the ports are open…

SSL I know I can fix, and I keep meaning to, but I’m always put off by the complexity of configuring SSL with SH. So that needs to be easier IMO.

MFA - what does SH do here?

This is serious stuff guys - BTW, the reason remote access is top of mind is that two known companies were held to ransom by RDP vulnerabilities…

@Rob_Nicholson supply chain security is important and getting strong (warranted in most cases) scrutiny.

SSL is actually pretty simple as long as the customer(s) accepts Let’s Encrypt - see https://simple-help.com/configuring-ssl-in-simplehelp

For MFA, look at the Multi-tier authentication for the Technician Groups here https://simple-help.com/authentication-guide - you can use Google-style OTP application codes.

I am 99% sure these are in all licensing levels.

Everyone should upgrade to the latest SH version (and keep “everything” updated). No one writes patches for “fun”, and it is the best defense against exploits. Being hit with a zero-day vulnerability is defensible in the court of public opinion, and aggressive patching shows diligence in real courts. Being exploited by an old known vulnerability with a published fix is NOT.

2 Likes

Thanks for the reply. Yes, I keep looking at SSL on SH and keep getting distracted :wink: I’m building a new server so perfect time.

Great re MFA via Google OTP - that’s perfect.

1 Like

@Diggs_Ut Would it be possible for you to email support@simple-help.com so we can begin to look into this please? If you could include all server logs and any other information you have that would be greatly appreciated. The more information, screenshots and other details the better!

I panicked and the issue was not with SimpleHelp. I discussed with my customer and they had allowed a remote connection from an unknown PC support company and ended up buying anti-virus at 10 times the market rate from them (scammed). That disreputable support scammer had placed a script or app on her computer that watched for other remote support sessions and ran an Internet Explorer pop-up whenever another remote connection was detected. I nuked and paved the machine and left my SimpleHelp calling card on it (and on other computers since then) with no further problems.

1 Like

Finally got around to hardening my SimpleHelp - works a treat using Microsoft authenticator. Thx!

Hey @Diggs_Ut - glad to hear that the server wasn’t at issue. If you get a chance (and if it’s possible) you may want to change the title of this post, as it’s the first post listed, and may be quite scary looking for someone investigating the product.