
210 Comments


Recommended Comments



jackthejerk

Posted

Was I one of them? Servers failed about half an hour ago and I can't get it back. Rebooted the whole server; the process looks to be running, but I get nothing from the server when accessing through the app, browser, or anything.

softworkz

Posted

Please shut down again instantly. Didn't you look into the logs?

Did you see the red banner in the forums here?

jackthejerk

Posted

13 minutes ago, softworkz said:

Please shut down again instantly. Didn't you look into the logs?

Did you see the red banner in the forums here?

Apparently not! BUT instead of asking rhetorical questions, you may want to apologize for your failures and help me fix your mistakes instead of acting like I'm the A-hole here.

  • Like 3
Luke

Posted

10 minutes ago, jackthejerk said:

Apparently not! BUT instead of asking rhetorical questions, you may want to apologize for your failures and help me fix your mistakes instead of acting like I'm the A-hole here.

Hi, apologies for the disruption. Please see the attention banner at the top of the community for more info on how to get back up and running. Thanks.

softworkz

Posted

18 minutes ago, jackthejerk said:

Apparently not! BUT instead of asking rhetorical questions, you may want to apologize for your failures and help me fix your mistakes instead of acting like I'm the A-hole here.

Please apologize. I've been working more than two days non-stop on that matter, and I guess it's time for a rest.

  • Like 2
  • Agree 1
jackthejerk

Posted

Alright, sorry, I'm on edge as well, as I see I'm going to have to overhaul our security to clear this up. My first hiccup here is: when I download the installer from your site it reinstalls 4.7.11.0 automatically, where do I get 4.7.12.0?

jackthejerk

Posted

Never mind, I see your help guide is changing every few minutes. .12 is not out yet, but I'll be awaiting it; I have my side covered for now.

stephen_hill

Posted

Do you have an ETA on when .12 will be released?

heffeque

Posted

I have shutdown my server.

I'm assuming that, if none of the symptoms are present, no action is needed (other than updating to .12 when it comes out), correct?

Or do we have to go through the "remove helper.dll", "change passwords", etc. part too?

Thanks in advance

rbjtech

Posted

26 minutes ago, heffeque said:

I have shutdown my server.

I'm assuming that, if none of the symptoms are present, no action is needed (other than updating to .12 when it comes out), correct?

Correct.

Personally, it is worth a small investment of your time just to give your system a 'once over', but only a compromised system needs those actions.

  • Like 1
  • Thanks 1

If my system is affected, will it be necessary to perform the file changes, or will the update clear the problem?

If it is necessary to perform the fix outlined in the service advisory, could a more detailed how-to be posted for those of us unfamiliar with Linux? I could probably muddle through, but help would be appreciated.

CBers

Posted

1 hour ago, heffeque said:

I have shutdown my server.

I'm assuming that, if none of the symptoms are present, no action is needed (other than updating to .12 when it comes out), correct?

If you have none of the symptoms, and already have the recommendations in place, you should be good to restart Emby Server.

  • Thanks 1
stephen_hill

Posted

I've noticed the .12 release on Github. When will the debian .deb files be available?

aptalca

Posted

Seeing how the beta releases tend to miss certain packages/artifacts like rpms for several days after release, I hope that won't be the case here.

thunderclap

Posted

I for one am appreciative of how quickly you acted regarding this hack. I run Emby in Docker (on Unraid) and it doesn't appear anything has been compromised, and I didn't see any unusual activity in Emby, but as your blog suggested I changed everyone's passwords as a precaution.

Thank you for being diligent.

  • Like 3
  • Agree 2
  • Thanks 1

I was affected. Made the changes and changed everyone's password. I noticed one of my family members was logging in just a day ago. I thought it was a little strange. Now I know it was.

Once you all get the full details, I'd really like you all to post as much information about what was occurring as possible.


I am on a QNAP NAS and have only limited knowledge. I am totally relying on you to guide me through this.

From the comments I take it that version .12 will fix this, but do I still have to remove any files? I have no idea where to find them on Linux, and do they have different names?

Please assist.

BrianJFox

Posted

Went through my Asustor configuration and only had the 'EmbyHelper.dll' and not the 'helper.dll'. Curious if that makes any difference. Out of an abundance of caution I've deleted my Emby install (which, when uninstalled from the Asustor app store, DOES NOT remove the hidden Emby data), deleted the Emby directory via SSH, and am awaiting the .12 release before rebuilding.

I would like clarification on this from the explanation "Analysis of the plug-in has revealed that it is forwarding the login credentials including the password for every successful login to an external server under control of the hackers." Was this a compromise of JUST Emby credentials, or ALL user (Linux) accounts?

Also makes me wonder how Emby Connect syncs passwords between the end user and the Emby configuration - it's just linked via the email address, correct? Because I never give out 'passwords' to end users; they just set up on Emby Connect, and I link them. I'd suggest making some user setup changes to not allow blank passwords as well.

Love the product and I know this sucks - thanks for working as hard as you all are to make this right. It's the rapidness of the response that I'm judging you on, and kudos. You all need a nap and a beer after this.

  • Like 1

I also found on my QNAP just the EmbyHelper.dll and nothing in the cache or data directory.

I noticed on May 13th attempts to install a plugin on my server with a User ID that was unique to Emby Connect and this forum.

@BrianJFox Did you do the changes in the hosts file, and if yes, what did you enter?

Thanks

roaddog1088

Posted

Well, this explains how my PayPal, Amazon and eBay were hacked and used a few days ago -_-

  • Sad 1
rbjtech

Posted

4 minutes ago, roaddog1088 said:

Well, this explains how my PayPal, Amazon and eBay were hacked and used a few days ago -_-

This suggests the exploit payload has potential further repercussions - may I suggest reaching out to luke and/or ebr via PM to get further details. 


I thought that this was a joke, unless he is using the same credentials for PayPal, Amazon & eBay, which is not wise in the first place.

BrianJFox

Posted

36 minutes ago, One2Go said:

I thought that this was a joke, unless he is using the same credentials for PayPal, Amazon & eBay, which is not wise in the first place.

My thought exactly.   Don't re-use credentials.

BrianJFox

Posted

59 minutes ago, One2Go said:

I also found on my QNAP just the EmbyHelper.dll and nothing in the cache or data directory.

I noticed on May 13th attempts to install a plugin on my server with a User ID that was unique to Emby Connect and this forum.

@BrianJFox Did you do the changes in the hosts file, and if yes, what did you enter?

Thanks

I added a router-based block to that domain, and then did a DNS lookup to add the IPs to the block list in ADM Defender. Not a Linux wunderkind, so that was my approach. Wish Asustor made it a little easier to add that via the GUI.

  • Like 1

Please pardon any ignorance or user error in my posts, as this is something very foreign to me and someone else set up my Emby server. I'm running Emby on a Raspberry Pi connected to my network, and my home PC is running Windows 11. I used PuTTY for the SSH and ran the commands to search for and delete the .dll files; however, the command returned "no files found", so I assume I was not compromised. However, I'm not savvy enough to know how to check the logs. I also shut down my Emby server via Portainer while doing the checks. Once I saw the dll search returned no files, I turned Emby back on in Portainer; however, when I try to access Emby via the web I still get the page saying "Emby is loading, please try later." How can I get back into my server so I can change all the passwords if I can't get past this page? I'm happy to provide whatever information is necessary to help, but please be patient, as I am very, very new to all of this.

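Several posts above describe the same manual checks: searching the Emby data directory for the plug-in files named in the thread (helper.dll and EmbyHelper.dll), removing them, and adding a hosts-file or router block for the attackers' domain. The script below is an added example, not Emby's code and not the advisory's own commands. It assumes a POSIX sh (as on a QNAP or Asustor NAS, a Raspberry Pi, or inside a Docker container), takes the Emby data directory as an argument, and uses `attacker.example` as a stand-in for the real domain, which this page does not name. It quarantines instead of deleting, so the file is kept for later inspection, and it is meant to be run with the server stopped, as the thread recommends.

```shell
#!/bin/sh
# Added example for this thread, not Emby project code and not the advisory.
# Assumptions: the Emby data directory is passed as an argument; the indicator
# file names are the two the thread mentions; the domain checked in the hosts
# file is a placeholder (attacker.example), not the real one.

# Plug-in file names the thread names as indicators of compromise.
SUSPECT_NAMES="helper.dll EmbyHelper.dll"

# scan_plugins DIR
#   Print the path of every file under DIR whose name is in SUSPECT_NAMES.
#   Read-only: it never deletes, so it is safe to run before deciding anything.
scan_plugins() {
    dir=$1
    for name in $SUSPECT_NAMES; do
        find "$dir" -type f -name "$name" 2>/dev/null
    done
}

# quarantine_plugins DIR QDIR
#   Move every suspect file under DIR into QDIR (outside DIR), keeping its
#   relative path, and print the new location. Quarantining rather than
#   deleting keeps the file for later analysis (timestamps, hashes) while
#   removing it from the plug-in directory. Stop the Emby server first so the
#   plug-in is not still loaded.
quarantine_plugins() {
    dir=$1
    qdir=$2
    scan_plugins "$dir" | while IFS= read -r f; do
        rel=${f#"$dir"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf '%s\n' "$qdir/$rel"
    done
}

# hosts_entries FILE DOMAIN
#   Print the lines of a hosts file that map DOMAIN as a whole host name.
#   Comments are stripped first and the match is on a whole field, so
#   "notattacker.example" does not match "attacker.example".
hosts_entries() {
    file=$1
    domain=$2
    awk -v d="$domain" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == d) { print; next } }
    ' "$file"
}

# Usage, once the server is stopped (paths are assumptions):
#   . ./emby_check.sh
#   scan_plugins /var/lib/emby
#   quarantine_plugins /var/lib/emby /root/emby-quarantine
#   hosts_entries /etc/hosts attacker.example
```

Run scan_plugins first; it only lists. If it reports anything, stop the server, quarantine, and then confirm the hosts-file entry is present. An empty scan result on its own does not prove the server was untouched, which is why the thread also recommends reviewing the logs and rotating passwords.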
