Community


Stolen OneClick Installer

Links used in this discussion
BartB, User (Posts: 41)
Dec 10, 2019 1:11:45 pm EST
I think someone has downloaded an old OneClick installer and has been installing it on random machines. I keep getting notification emails about installs, pointing to my self-hosted server and a new Internet-ID generated. I also see the new machines show up in my server.

What should I do to protect myself here? What should I change? Can they abuse my server somehow?
Pauline, Support (Posts: 2886)
Dec 10, 2019 3:12:13 pm EST
Hello Bart,

Thank you for your message.

Could you please clarify if I'm right in assuming that you have created a custom OneClick installer using the MSI Configurator tool and specified the email address where to receive Host access credentials on Step 3 of the configuration process and then the package was made publicly available (for example, the package was uploaded to a website where everyone could download it)?

If this is the case, then there is nothing you need to do as someone installing the Host without your consent poses no threat to your computer or network because the Host is a one-way module which can accept incoming connections, but cannot be used to connect to other remote computers.

Please let us know if you have other questions.
BartB, User (Posts: 41)
Dec 10, 2019 4:12:16 pm EST
You are correct, that's exactly what happened. It was an installer created in Jan 2018 and due to a security issue on a website, it was exposed to the public. The issue has been since fixed, but the cat is out of the proverbial bag.
That's what I thought, that installing the host is useless to anyone that doesn't have access to my server. So why do they keep installing it, I wonder? There have been 15 instances since Dec 3rd. Is there any way to trace where the host was installed at all?
Conrad Sallian, Support (Posts: 3074)
Dec 11, 2019 4:20:06 am EST
Hello Bart,

So why do they keep installing it, I wonder?

This is not necessarily people who do that. It could be bots/spiders and even legitimate bots. For example, when you run a check on a file on VirusTotal the file is run/executed in a virtual environment.

Is there any way to trace where the host was installed at all?

If the Host points at your server, the server should keep information about the Host's IP address.

What should I do to protect myself here?

There is one way to protect your server from these "annoying" Hosts - enabling the PIN code feature that was introduced relatively recently. However, the downside is that if you enable PIN on your server your existing Hosts won't connect to it anymore unless you update their settings with that PIN.

Hope that helps.

* Website time zone: America/New_York (UTC -5)