
Unexpected user found - computerguyiptv



pleaseremove

A bit like this topic https://emby.media/community/index.php?/topic/73224-emby-shows-unknown-users/ and this topic https://emby.media/community/index.php?/topic/71982-server-security-compromised/ I have also found my emby setup to have been compromised.

 

In my case like some of these users I found a user called "computerguyiptv" on my system (showing as a cloud user).

 

Having just spent the better part of a couple of hours digging into this I am pretty happy to say that while you guys are clearly working on the security, it sounds like long standing defaults are making a right mess of this. In my case I did not have an admin password set and remote access was turned on. As far as I can tell those two were both defaults when I installed Emby as a package on my Synology NAS a couple of years ago.

 

I actually wasn't aware Emby was using uPnP to add a port forward and it turns out my router kindly does not show uPnP added entries alongside user added ones, so from my point of view there was no remote access, hence my lack of caring about an admin password.

 

It sounds like you guys have changed some defaults now and also changed it to not allow remote access without a password. That sounds great, but can I check that these are retrospective changes applying to running systems, not just newly installed ones? My guess is not as I was up to date and I still got caught.

 

Having since pulled my activity log from the database I actually feel a little sick going through finding events that were not me. I can see remote users accessing my content and have been for the last month. People even connecting their smart TVs to it.

 

This has left me feeling really uneasy about my emby install, which at this point I am considering deleting to be certain they have not placed a malicious file in the system for a later date. That said I am not seeing a sane/easy way to backup current settings, so that may be slightly more annoying.

What scares me the most about all of this is I work in the IT industry, I am a developer by trade and I had not noticed this nor prevented it. That tells me your average user is really going to struggle with this. I had not gone hunting through all the advanced settings looking for defaults like remote access.

 

Feeling really unimpressed, especially since I pay for the premium service.

 

Would appreciate your thoughts and some reassurance that this is being taken seriously as an issue.

 

Thanks

Craig


denz

I too didn't have a password until these issues started popping up, and I have probably been using emby for at least 4 years I think, so I was probably lucky that nothing was lost.

 

So probably on an update there should be some kind of check whether there is a password, or a notification on the home screen to check for a password, leaving it to the devs to answer.


Hi there, I apologize for the disruption. The recent 4.1 server release has changed many of the default behaviors such as requiring a password when setting up the server, hiding users from login screens when remote, and others.

 

What you should do now is make sure you've updated to 4.1, and then go through all of your users and make sure they all have passwords. In fact just changing the password will sign out all existing sessions, so you may choose to do that if you don't mind logging in again.

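The advice above amounts to a user audit: every account should have a password, and any account you did not create yourself (the "cloud user" in the first post) should be treated as a compromise. The script below is an added example, not Emby's own code or anything posted in this thread. It checks a user list shaped like the JSON Emby's `/Users` endpoint returns; the field names `HasPassword`, `Policy.IsAdministrator`, `Policy.EnableRemoteAccess` and `ConnectUserName`, the `X-Emby-Token` header, and the sample records are all assumptions or constructed data for the demo.

```python
"""Added example (not Emby's own code): audit an Emby user list for the two
problems reported in this thread, accounts with no password and an account
nobody in the household created. Records are shaped like the JSON the
/Users endpoint returns; the field names used here are assumed from that
API, and SAMPLE_USERS_JSON is constructed for the demo."""
import json
import urllib.request

# Constructed sample: an admin without a password, a restricted local user,
# and a linked cloud account the owner never created.
SAMPLE_USERS_JSON = """
[
  {"Name": "craig", "Id": "u1", "HasPassword": false,
   "Policy": {"IsAdministrator": true, "EnableRemoteAccess": true}},
  {"Name": "kids", "Id": "u2", "HasPassword": true,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": false}},
  {"Name": "computerguyiptv", "Id": "u3", "HasPassword": false,
   "ConnectUserName": "computerguyiptv",
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": true}}
]
"""

# The accounts you created yourself; anything else is suspect.
KNOWN_USERS = {"craig", "kids"}


def fetch_users(base_url, api_key):
    """Pull the live user list from a server. Assumes the /Users endpoint
    and the X-Emby-Token header; the offline demo below does not call it."""
    req = urllib.request.Request(base_url.rstrip("/") + "/Users",
                                 headers={"X-Emby-Token": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_users(users, known_users):
    """Return (user name, finding code) pairs; an empty list means clean."""
    findings = []
    for user in users:
        name = user.get("Name", "<unnamed>")
        policy = user.get("Policy") or {}
        if name not in known_users:
            findings.append((name, "unknown_account"))
            if user.get("ConnectUserName"):
                # A linked account shows as a "cloud user" in the dashboard
                findings.append((name, "unexpected_cloud_link"))
        if not user.get("HasPassword", False):
            if policy.get("IsAdministrator"):
                findings.append((name, "admin_no_password"))
            elif policy.get("EnableRemoteAccess", True):
                # Treat a missing flag as "remote allowed", the older default
                findings.append((name, "remote_no_password"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample."""
    return audit_users(json.loads(SAMPLE_USERS_JSON), KNOWN_USERS)


if __name__ == "__main__":
    for name, code in audit_sample():
        print(f"{name}: {code}")
```

Run against a live server with `audit_users(fetch_users("http://nas:8096", "<your api key>"), KNOWN_USERS)`; every `unknown_account` is a user to delete, and every `*_no_password` is a user whose password must be set (which, as noted above, also signs out that user's existing sessions).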

rbjtech

From a cyber perspective, the true enemy here is actually uPnP on your router. Any piece of software you have on your internal network has the ability to create a 'hole' in your network gateway/firewall and allow whatever and whoever in without your knowledge.

 

My strong advice is to turn OFF uPnP in your router - and setup the port forwards manually as you need them.

 

I don't mean to scare you - but the fact that these 'intruders' left an obvious trail in emby is probably a good thing - they just want free access to your movies - nothing else. To add, there has been no proof that Emby has been compromised to allow 'deeper' access onto your network - these are simply script kiddies making full use of the lack of Admin passwords on your system (and uPnP..) but I would still change all important passwords, run a full virus scan etc.

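Since the first post notes that the router's own UI hid the uPnP-created forward, the reliable way to see what has actually been opened is to ask the router's UPnP IGD service directly and compare the answer with the forwards you set up by hand. The script below is an added example, not from this thread, Emby or any router vendor. It assumes the mapping list is in the layout printed by miniupnpc's `upnpc -l` (index, protocol, external port, internal host:port, quoted description); `SAMPLE_UPNPC_OUTPUT` and `APPROVED` are constructed for the demo.

```python
"""Added example (not from this thread or any vendor): parse the port
mappings a router's UPnP IGD service reports and flag any forward you did
not create yourself. Input layout assumed to match miniupnpc's `upnpc -l`;
SAMPLE_UPNPC_OUTPUT is constructed for the demo."""
import re
from collections import namedtuple

Mapping = namedtuple("Mapping", "proto ext_port host int_port description")

# Constructed sample in the `upnpc -l` layout: one forward added by a media
# server, one by a torrent client, one created manually by the owner.
SAMPLE_UPNPC_OUTPUT = """\
List of UPNP devices found on the network :
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8096->192.168.1.20:8096  'Emby Server' '' 0
 1 UDP 51413->192.168.1.30:51413 'Transmission' '' 0
 2 TCP   443->192.168.1.50:443   'HTTPS' '' 0
"""

# index, protocol, extPort->host:intPort, 'description'
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

# Forwards you configured by hand: (protocol, external port, host, internal port)
APPROVED = {("TCP", 443, "192.168.1.50", 443)}


def parse_mappings(text):
    """Extract Mapping records from the tool's output; other lines are ignored."""
    mappings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            proto, ext, host, internal, desc = m.groups()
            mappings.append(Mapping(proto, int(ext), host, int(internal), desc))
    return mappings


def unexpected_mappings(mappings, approved):
    """Return every mapping whose (proto, ext_port, host, int_port) is not approved."""
    return [m for m in mappings
            if (m.proto, m.ext_port, m.host, m.int_port) not in approved]


def audit_sample():
    """Run the check over the constructed sample."""
    return unexpected_mappings(parse_mappings(SAMPLE_UPNPC_OUTPUT), APPROVED)


if __name__ == "__main__":
    for m in audit_sample():
        print(f"unexpected: {m.proto} {m.ext_port} -> {m.host}:{m.int_port} ({m.description})")
```

Feed it the real output with `parse_mappings(subprocess.run(["upnpc", "-l"], capture_output=True, text=True).stdout)`; any mapping it lists is one a program on your LAN opened for you, which is exactly the behaviour disabling uPnP on the router removes.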
