210 Comments


Recommended Comments



For those who might be struggling a bit with Putty, I'd suggest WinSCP, which has a graphical UI similar to File Explorer. It makes folder navigation and host file editing a lot simpler.

Link to comment
katbyte

Posted

@Luke from the banner:

Quote

and had an insecure configuration for administrative user accounts

What does this mean? Is it that the hack only worked on instances that didn't have a secure password on an admin account?

I.e., what precisely was the attack vector?

 

Link to comment
8 minutes ago, obo78 said:

For those who might be struggling a bit with Putty, I'd suggest WinSCP, which has a graphical UI similar to File Explorer. It makes folder navigation and host file editing a lot simpler.

Fantastic suggestion! So I just used WinSCP and I did not find helper.dll, but I did find embyhelper.dll. Now my secondary issue is that when I click delete, WinSCP says I do not have permission to delete. Any thoughts on why?

Link to comment
10 minutes ago, AP123 said:

Thank you for your reply. This does not work: "no such directory", and cd does not launch anything in Putty for me. Again, I appreciate the help, but there does not seem to be one blanket solution for everyone.

Type cd (space) .. (two periods) (Enter). Do that twice and you are at the top of the tree.

Type ls and it will display all the directories.

Type cd share

Type ls and you will see all the directories; the one you want is CACHEDEV1_DATA.

Type cd CACHEDEV1_DATA

Now type ls and again you have listed all the directories under this one. Just follow the rest of the directories one at a time until you get to the plugin one. This is very rudimentary, and if it doesn't work, either your operating system has a different directory structure or you need to get someone to look at your device.

 

Link to comment

Folks,

It's not clear which server systems are impacted by the hack (windows, Linux, macOS, etc).

I do not enable public access to my NAS; it's local LAN only.

Bottom line: my NAS is OpenMediaVault and I am running Emby Server (installed via the .deb package), so am I affected?

Having said that, I did notice today (25th May) when I powered ON the NAS after a long time and tried to go to the Emby home page locally on the LAN, that I could not log in.

The password was not accepted.

I clicked on the forgot password and was told to read the file at /var/lib/emby/passwordreset.txt

I followed the instructions in that file which essentially cleared the password and allowed me to setup a new one.

So... was that a symptom of a hack?

 

Link to comment
Luke

Posted

1 minute ago, macnb said:

Folks,

It's not clear which server systems are impacted by the hack (windows, Linux, macOS, etc).

I do not enable public access to my NAS; it's local LAN only.

Bottom line: my NAS is OpenMediaVault and I am running Emby Server (installed via the .deb package), so am I affected?

Having said that, I did notice today (25th May) when I powered ON the NAS after a long time and tried to go to the Emby home page locally on the LAN, that I could not log in.

The password was not accepted.

I clicked on the forgot password and was told to read the file at /var/lib/emby/passwordreset.txt

I followed the instructions in that file which essentially cleared the password and allowed me to setup a new one.

So... was that a symptom of a hack?

 

Hi, no, if you were impacted your Emby Server would have been stopped from running at all.

Link to comment
6 minutes ago, AP123 said:

Fantastic suggestion! So I just used WinSCP and I did not find helper.dll, but I did find embyhelper.dll. Now my secondary issue is that when I click delete, WinSCP says I do not have permission to delete. Any thoughts on why?

You must be logged in as admin since admin "owns" the files.  Logging in with another user name, even if it has admin privileges, won't work.  (Ask me how I know :)  )

Link to comment
Q-Droid

Posted

A suggestion.

Would it be more efficient for people needing help to start or post to a thread in the sub-forums for their OS/platform? Perhaps creating threads with the subject/title "Security Advisory Help: <OS/platform>" in those sub-forums could bring help from others familiar with those systems.

It's getting a bit crowded in here with multiple reports and requests for help across the wide variety of Emby installations. Hard to keep track and contribute.

  • Agree 6
Link to comment
1 minute ago, obo78 said:

You must be logged in as admin since admin "owns" the files.  Logging in with another user name, even if it has admin privileges, won't work.  (Ask me how I know :)  )

Logged in to what? My Ras Pi? I only have one user name and password, so I can't imagine how I'm not an admin.

Link to comment
roaddog1088

Posted

4 hours ago, One2Go said:

I thought that this was a joke unless he is using the same credential for paypal, amazon & ebay which is not wise in the first place

 

3 hours ago, BrianJFox said:

My thought exactly.   Don't re-use credentials.

Nope, the only credentials that were the same were the email address; the passwords were all different. This occurred on May 18th, by the way.

Link to comment
10 minutes ago, One2Go said:

Type cd (space) .. (two periods) (Enter). Do that twice and you are at the top of the tree.

Type ls and it will display all the directories.

Type cd share

Type ls and you will see all the directories; the one you want is CACHEDEV1_DATA.

Type cd CACHEDEV1_DATA

Now type ls and again you have listed all the directories under this one. Just follow the rest of the directories one at a time until you get to the plugin one. This is very rudimentary, and if it doesn't work, either your operating system has a different directory structure or you need to get someone to look at your device.

 

I can get as far as cd share and it says "no such file directory". Clearly I just need another method. Thank you anyway.

Link to comment
3 minutes ago, Q-Droid said:

A suggestion.

Would it be more efficient for people needing help to start or post to a thread in the sub-forums for their OS/platform? Perhaps creating threads with the subject/title "Security Advisory Help: <OS/platform>" in those sub-forums could bring help from others familiar with those systems.

It's getting a bit crowded in here with multiple reports and requests for help across the wide variety of Emby installations. Hard to keep track and contribute.

Yes, it would. It's crowded here because this https://emby.media/support/articles/advisory-23-05.html is not specific enough to spell out what's affected and what is not.

Link to comment
2 minutes ago, AP123 said:

logged in to what? my ras pi? I only have one user name and password so I can't imagine how I'm not an admin

I can't help you on RasPi but if you're being denied permission then you are not logged in via WinSCP with the proper admin privileges.  On my QNAP NAS that is the case.

Link to comment

Just to ask a simple question: if I delete my Emby from Portainer and Yacht and completely set it up again from scratch, will this solve the issue?

Link to comment
seanbuff

Posted

4 minutes ago, AP123 said:

Just to ask a simple question: if I delete my Emby from Portainer and Yacht and completely set it up again from scratch, will this solve the issue?

Yes, if it's easier to do so and you don't mind re-building.

Just ensure you follow these guidelines when setting back up again:

Quote
  • Assign new passwords to all of your Emby Server users
  • Don't allow local login without password
  • Ensure no user has an empty password

 

Link to comment
8 minutes ago, seanbuff said:

Yes, if it's easier to do so and you don't mind re-building.

Just ensure you follow these guidelines when setting back up again:

 

Thank you. At this point I can't figure out how to delete the dll files and do all the other stuff, so rebuilding might just be easier, if not more tedious.

Link to comment
seanbuff

Posted

49 minutes ago, macnb said:

Yes, it would. It's crowded here because this https://emby.media/support/articles/advisory-23-05.html is not specific enough to spell out what's affected and what is not.

@macnb the vulnerability is not specific to any particular system, OS, etc. The article clearly spells out in the opening section "Applicability" the symptoms of those affected. It is not tied to just Windows, NAS or any particular flavor of Linux; they can all be affected equally under the right circumstances.

If you did not experience any of the opening symptoms listed, then it's likely you weren't affected. However, it is advisable to follow the guide to ensure your system is properly secured moving forward.

Link to comment
Racerprose

Posted

Was anyone on a Synology system affected? Mine seems fine....

Link to comment
Racerprose

Posted

1 hour ago, Luke said:

Hi, no, if you were impacted your Emby Server would have been stopped from running at all.

So about 1200 systems were affected by this before you were able to put the block in place?

On my Synology system with Emby my server never went down. I have since updated to .12 of the new update. So I should be fine?

Link to comment
seanbuff

Posted

37 minutes ago, Racerprose said:

Was anyone on a Synology system affected? Mine seems fine....

Yes, there were reports of Synology systems being affected.

If you had the right things in place, i.e. no blank passwords and a required password for local access, then you should be okay.

Recommended you check the advisory for the presence of any of the affected files and remove them anyway, just for peace of mind.

 

16 minutes ago, Racerprose said:

I have since updated to .12 of the new update. So I should be fine?

Yes

Link to comment
Racerprose

Posted

Just now, seanbuff said:

Yes, there were reports of Synology systems being affected.

If you had the right things in place, i.e. no blank passwords and a required password for local access, then you should be okay.

Recommended you check the advisory for the presence of any of the affected files and remove them anyway, just for peace of mind.

 

Yes

Yes, I was using local passwords.

  • Like 1
Link to comment
Racerprose

Posted

Are there any easy instructions for Synology users to check for the potentially affected files? There is no easy way within DSM.

Link to comment
jackthejerk

Posted

I just wanted to share what our firewall had caught since the 11th (when this all began) from what I can tell.

 

I'm guessing they published at least my server info somewhere, as I have since been getting multiple attempts to find more ways in, shown in the attached log.

These are attempts that were blocked; I do not know what may have gotten through. If anyone sees these or similar addresses and attacks, they may be able to narrow down the source and targets.

2008R210Today.txt

  • Thanks 1
Link to comment
Racerprose

Posted

Synology Users: You can use WinSCP to check if the malicious files are present. I looked on mine and they were not.

Hope anyone affected is able to clean things up and get back to normal again.

  • Thanks 1
Link to comment
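The directory-walking steps earlier in the thread, the "no permission to delete" problem, and the Synology question about how to check for the affected files all come down to inspecting the Emby plugins directory. The script below is an added example, not code from Emby, the advisory or anyone in this thread: it only reads, deletes nothing, and its plugins path and SUSPECT_NAMES list are assumptions (the thread itself names only helper.dll; fill the list from the advisory).

```shell
#!/bin/sh
# Added example (not Emby's code): read-only inventory of an Emby plugins
# directory, showing each DLL's owner and whether the current login could
# remove it, so the user knows what they are looking at before deleting.
# SUSPECT_NAMES is an assumption: the thread mentions helper.dll only.
SUSPECT_NAMES="helper.dll"

# Print one tab-separated line per DLL in DIR (two levels deep):
# path, size in bytes, owner, writable-by-me flag, sha256.
inventory_plugin_dlls() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -maxdepth 2 -type f -name '*.dll' | sort | while IFS= read -r f; do
        # -w answers the WinSCP "permission denied" question for this login
        if [ -w "$f" ]; then w="writable"; else w="READ-ONLY"; fi
        owner=$(ls -ld "$f" | awk '{print $3}')
        size=$(wc -c < "$f" | tr -d ' ')
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$f" "$size" "$owner" "$w" "$sum"
    done
}

# Count files anywhere under DIR whose name is in SUSPECT_NAMES; matching
# paths go to stderr, the count alone to stdout.
count_suspect_names() {
    dir="$1"
    n=0
    for name in $SUSPECT_NAMES; do
        hits=$(find "$dir" -type f -name "$name")
        if [ -n "$hits" ]; then
            printf 'suspect file present:\n%s\n' "$hits" >&2
            n=$((n + $(printf '%s\n' "$hits" | wc -l)))
        fi
    done
    echo "$n"
}

# Assumed path: on the QNAP in this thread it lives under
# /share/CACHEDEV1_DATA; pass your own plugins directory as the argument.
PLUGINS="${1:-/path/to/emby/plugins}"
if [ -d "$PLUGINS" ]; then
    inventory_plugin_dlls "$PLUGINS"
    echo "suspect files found: $(count_suspect_names "$PLUGINS")"
fi
```

Run it as the account that owns the Emby files (admin on the QNAP case above); a READ-ONLY flag means that login cannot delete the file, which is the same thing WinSCP was reporting.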
