• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers

Suspicious connection attempts

New Here ,
Dec 16, 2021 Dec 16, 2021

Copy link to clipboard

Copied

We have recently discovered that several end user devices within our network have been attempting (successfully blocked by firewalls) to establish an outbound connection to an external IP Address (49.236.204.101) based in Malaysia. This is activity that we have not seen before so our cyber security team have investigated as we have deemed this activity as suspicious. Although this IP is considered not malicious on popular IP scanning sites like VirusTotal and AlienVault OTX, we have come to the conclusion that this IP is malicious due to having open ports used for Remote Access Tools on port 32754.

 

All of the devices attempting to establish this outbound communication are performing similar activity:

 

InitiatingProcessCommandLine: 1) "node.exe" "C:\Program Files\Adobe\Adobe Creative Cloud Experience\js\main.js" or 2) "node.exe" "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\js\server.js"

InitiatingProcessParentFileName: 1) CCXProcess.exe (SHA1: d94828ea51500a104222a54b238bd445b6e3b310) or 2) CCLibrary.exe (SHA1: 8da4fddf04de3501c1a609e43d907f0a15d049a8)

RemoteIP: 49.236.204.101

Adobe CC Versions: 5.4.5.550, 5.5.0.614, 5.5.0.617, 5.6.0.788

 

Please could you advise if this is expected/legitimate behaviour for your software? Do the supplied hashes match the hashes of your software? Has Adobe been contacted by other companies with similar events? If so, when will a patch be released to mitigate this activity?

Views

573

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines

correct answers 1 Correct answer

Adobe Employee , Dec 21, 2022 Dec 21, 2022

This behaviour should no longer be occurring after updating to CCX Process 4.13.1.4, released a few days ago. The update should be automatic.

Likes

Translate

Translate
New Here ,
Jan 11, 2022 Jan 11, 2022

Copy link to clipboard

Copied

I am seeing the same thing. Serveral workstations attempting to establish LDAP sessions with various remote IPs. Would like an explination as well.

 

InitiatingProcessCommandLine: 1) "node.exe" "C:\Program Files\Adobe\Adobe Creative Cloud Experience\js\main.js" or 2) "node.exe" "C:\Program Files\Common Files\Adobe\Creative Cloud Libraries\js\server.js"

InitiatingProcessParentFileName: 1) CCXProcess.exe (SHA1: d94828ea51500a104222a54b238bd445b6e3b310) or 2) CCLibrary.exe (SHA1: 8da4fddf04de3501c1a609e43d907f0a15d049a8)

RemoteIP: 49.236.204.101

Adobe CC Versions: 5.4.5.550, 5.5.0.614, 5.5.0.617, 5.6.0.788

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Adobe Employee ,
Dec 21, 2022 Dec 21, 2022

Copy link to clipboard

Copied

LATEST

This behaviour should no longer be occurring after updating to CCX Process 4.13.1.4, released a few days ago. The update should be automatic.

Likes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines