Integrate "ScriptTask" plugin into MeshCentral core

[theoneandonly-vector]

"This is a full computer management web site."

to make this statement true, I think this plugin should be integrated / supported in the main software: https://github.com/ryanblenis/MeshCentral-ScriptTask

[PathfinderNetworks]

That would certainly be a nice feature. Me, I don't run any plugins as I don't want to have to troubleshoot any issues they may cause (especially seeing as how I keep my MeshCentral install always updated with the most current version).

[Ylianst]

Fixed poor (low quality) title. I am certainly not going to be doing anything because a statement is true or not.

I have done some early work to integrate that plugin into MeshCentral, but I need to do a lot more work before releasing it.

[silversword411]

If you want scripting maybe you should look at an rmm?

https://github.com/wh1te909/tacticalrmm

[theoneandonly-vector]

If you want scripting maybe you should look at an rmm?

https://github.com/wh1te909/tacticalrmm

this look svery nice, but I would like to keep a central setup for all types of clients. also SSO is needed.

[cgb]

Just a heads up about tacticalrmm. I'd been monitoring it for a while but this event put me off: https://www.reddit.com/r/sysadmin/comments/rq5g9h/a_few_concerns_with_tacticalrmm_am_i_being/

There is an explanation here: https://www.reddit.com/r/msp/comments/rqm0go/a_statement_from_the_founder_of_tacticalrmm/

But it's a major red flag. They have the rmmagent on github but are only making binary releases while the last published code is from Apr 2021.

Tread carefully.

[Ylianst]

Oh wow! I have not been following TacticalRMM much, apart from knowing they use MeshCentral. This is all news to me.

Getting a crypto minor in a release is really bad (!!!). Also, I am not sure how you can make releases without having the source on GitHub first unless your doing it on purpose. MeshCentral, MeshAgent and all related projects are always checked into GitHub before release. We have only one repo and it's the public one, everything we do, typo's and all are public.

MeshCentral is sponsored by Intel. Both Bryan and I both work there and would get in big trouble for doing anything like this.

[silversword411]

There was never a crypto miner in any Tactical RMM release.

[silversword411]

@Ylianst

TLDR

• main dev had a ftp site at tacticalrmm.io (was an old personal ftp server that got renamed for tacticalrmm use) for downloading python install files for windows agent installs as a backup if github was down at time of agent installation (because that seems to be a sporadic bi-monthly occurrence).
• On that same ftp site there were other personal agent installers that he used himself. Found (I think it was) golangs ability to bundle other apps and was playing with it for his own use and putting a personal monero miner in his personal custom agent builds/installers.
• Because it was at tacticalrmm.io everyone assumed TRMM was installing those agents. Never did.
• People that didn't read his reddit looong response and didn't pay attention to details see monero and trmm and #HairOnFire

There was NEVER a monero miner in any part of Tactical RMM's official repo, any of it's linked resources, or install processes.

[petervanv]

He says it self in the statemetn, there was an miner !!

[silversword411]

He says it self in the statemetn, there was an miner !!

OMG. Read....the...ACTUAL...words...of...the...statement...in....it's...entirety. You just screenshot it and posted it for gods sake! Details really do matter.

The monero miner was in the file winagent-v1.98.61.exe

That file, it's contents, AND it's naming format as NOTHING, ZERO, ZIP, NADDA to do with the installation/updating of TacticalRMM, it's sources, update process or ANY part of the installation and distribution used by all Tactical RMM users.

---

That file and it's naming format is only created by an already installed Tactical RMM server and personally creating an agent installation .exe for your personal workstation deployment process. It is not part of any source used by anyone installing Tactical RMM.

1) He installed Tactical on his own private server. 2) He then used the agent source, and built a custom agent installer on his own machine in vscode and put his personal monero agent into an agent installer that will only connect to HIS TRMM server and will not even run unless he approves that monero miner to activate itself.

His mistake...was taking that personal and private agent installer...and uploaded it to the ftp server located at files.tacticalrmm.io....where noone would ever have found it unless you:

• Looked at github source for the agent
• saw the backup url for downloading the py38-x32.zip and py38-x64.zip
• Opened https://files.tacticalrmm.io/ and started looking at what OTHER files might be there.
• Found his personal agent installer
• Manually downloaded it and ran that .exe not knowing what it was.

---

A meshcentral issue chain is not the place to be rehashing this discussion. Look me up on the Tactical discord if you still can't understand something.

[PathfinderNetworks]

For me at least, having something like this (a mining app, etc) even remotely related to/near something like an RMM tool is enough for me to steer clear of it. Just no. The integrity of my company and my customers security is FAR too important to even take a tiny, remote chance of something like this finding its way on to my server/their systems.

[silversword411]

@PathfinderNetworks That's perfectly fine, and I can understand not liking the optics of what happened. I didn't like it either, but stuff happens in the early lifecycle of things.

Just don't spread lies about a crypto miner being embedded in Tactical RMM because there never was. I stick to my original statement:

There was never a crypto miner in any Tactical RMM release.

Ylianst was confused. I clarified as succinctly as possible

[cgb]

Hey @Ylianst apologies for bringing the tacticalrmm controversy into this issue, I intentionally didn't pass judgement in my earlier comment and just linked to the public discourse to let others form a view. I just got concerned when there is a recommendation for a related "open source" RMM and your users weren't aware of the incident..