HELP I HAVE BEEN HACKED


Cyberbob2021

Cyberbob2021

Help, I have been hacked. My emby machine has been destroyed, I can't get into it, and my whole NAS, everything, has been encrypted and has a warning saying to pay in bitcoins. It's my NAS and emby that have been got at, to the makop extension.

Have I lost everything?

Cyberbob2021

I have this warning over my whole NAS, readme files everywhere.

I can't log into my emby server at all.

So they have trashed my emby and everything on my NAS.

ember1205

What is it that you expect to get for help here? Odds are, your primary device/machine is what was hacked, and the use of a drive mapped onto the NAS is what allowed that machine to encrypt the filesystem.

Back up, and back up often.


9 minutes ago, ember1205 said:

What is it that you expect to get for help here? Odds are, your primary device/machine is what was hacked, and the use of a drive mapped onto the NAS is what allowed that machine to encrypt the filesystem.

Back up, and back up often.

That's a bit unsympathetic!!! But sadly, yes, it's very unlikely that anyone here can help. By the way, many NASes are potentially directly hackable; it doesn't have to be via a drive map.

Gilgamesh_48

My suggestions are:

1. Pay the ransom. Thieves like the ones you encountered usually are true to their words in that they provide the needed key once the ransom is paid.

2. Reformat everything and start from scratch. This is the most reliable option and, usually, the least expensive.

3. There really is no three. But, sometimes but rarely, you can recover by hacking your own system. But that is so rare as to be virtually unknown.

When you get it fixed I recommend a strong firewall and that you do not surf questionable sites. Also your server should be only a server and not be used for surfing the web at all.

Also I recommend a good VPN. I use ExpressVPN and, so far, my firewall plus my VPN has prevented me from being attacked.

Remember to always use protection when performing risky acts. ;)

Cyberbob2021

It's the emby PC that's been hacked, and the NAS attached to it.

No other PC was targeted, just emby, and now I can't get into it, and all my NAS files are encrypted with this makop thing. A readme file in every single file folder. Is it the ports open to emby or something? I had someone on here log in for me the other day, now this.

I'm not performing any risky tasks; it seems emby was targeted.

maegibbons

So what do you expect the emby community to do about it?  Have a whip round?

Emby is almost certainly NOT the attack vector.

How is your machine firewalled? What ports do you have mapped on your router to this machine?

What else is running on the machine?

Krs

Mark


Cyberbob2021
21 minutes ago, maegibbons said:

So what do you expect the emby community to do about it?  Have a whip round?

Emby is almost certainly NOT the attack vector.

How is your machine firewalled? What ports do you have mapped on your router to this machine?

What else is running on the machine?

Krs

Mark

The only one thing I have done is got some help off emby tech here, and then a few days later this happens. I don't even think it's his fault, as maybe he is compromised. I have my answers: get on with it on ya own & wipe and start again.

I just don't see how, after all these months, my NAS could well be shit. I'd accept it was the NAS's fault if just the NAS was done in, but it's not: my log-on details for emby have been changed as well, which suggests it's that machine that was targeted.

I'll delete the thread, as I guess I'm on my own here.

1 hour ago, ember1205 said:

What is it that you expect to get for help here? Odds are, your primary device/machine is what was hacked, and the use of a drive mapped onto the NAS is what allowed that machine to encrypt the filesystem.

Back up, and back up often.


maegibbons

I would suggest grabbing the emby logs from the machine directly.

You or perhaps someone with more experience can look through for suspicious login activity.

Krs

Mark

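The log review suggested above, as an added PowerShell example (this is not code from the thread or from Emby): it groups failed authentication lines by source IP, reports any IP that fails repeatedly, and notes whether the same IP later logged in successfully. The line format it parses is an assumption modelled on an "<date> <time> <Level> <Source>: <message>" layout, the sample lines are constructed, and the log path in the last comment is a placeholder; compare the two regexes with a real embyserver.txt before trusting the output.

```powershell
# Added example (not from the thread or from Emby): summarise failed logins in an
# Emby-style server log. ASSUMED line format, modelled on "<date> <time> <Level> <Source>: <message>":
#   2021-03-01 22:14:02.101 Info UserManager: Authentication request for user admin has been denied (IP: 203.0.113.10).
# Check both regexes against a real log before trusting the output.

function Get-FailedLoginSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,
        [int]$Threshold = 3   # report an IP once it has this many denied attempts
    )
    $failRe = '^(?<ts>\S+ \S+)\s+\w+\s+UserManager: Authentication request for user (?<user>\S+) has been denied \(IP: (?<ip>[^)]+)\)'
    $okRe   = '^(?<ts>\S+ \S+)\s+\w+\s+UserManager: User (?<user>\S+) authenticated successfully \(IP: (?<ip>[^)]+)\)'

    # Turn each authentication line into a small event record; every other line is ignored.
    $events = @(foreach ($line in $Lines) {
        if ($line -match $failRe) {
            [pscustomobject]@{ Time = $Matches.ts; User = $Matches.user; IP = $Matches.ip; Outcome = 'denied' }
        }
        elseif ($line -match $okRe) {
            [pscustomobject]@{ Time = $Matches.ts; User = $Matches.user; IP = $Matches.ip; Outcome = 'ok' }
        }
    })

    # Group the denials by source IP and report the noisy ones. A run of denials followed
    # by a success from the same IP is the pattern that deserves a closer look.
    $events | Where-Object { $_.Outcome -eq 'denied' } | Group-Object IP |
        Where-Object { $_.Count -ge $Threshold } | Sort-Object Count -Descending |
        ForEach-Object {
            $ip      = $_.Name
            $success = @($events | Where-Object { $_.IP -eq $ip -and $_.Outcome -eq 'ok' })
            $later   = if ($success.Count) { "$($success[0].User) at $($success[0].Time)" } else { 'none' }
            [pscustomobject]@{
                IP           = $ip
                Denied       = $_.Count
                UsersTried   = (@($_.Group | Select-Object -ExpandProperty User -Unique) -join ', ')
                FirstDenied  = $_.Group[0].Time
                LaterSuccess = $later
            }
        }
}

# Constructed sample lines (not real log data) so the function can be tried offline.
$raw = @'
2021-03-01 22:14:02.101 Info UserManager: Authentication request for user admin has been denied (IP: 203.0.113.10).
2021-03-01 22:14:05.377 Info UserManager: Authentication request for user admin has been denied (IP: 203.0.113.10).
2021-03-01 22:14:09.812 Info UserManager: Authentication request for user bob has been denied (IP: 203.0.113.10).
2021-03-01 22:15:40.004 Info HttpServer: HTTP GET /emby/System/Info/Public UserAgent: Emby/4.5
2021-03-01 22:16:12.230 Info UserManager: User admin authenticated successfully (IP: 203.0.113.10).
2021-03-02 08:01:55.644 Info UserManager: Authentication request for user bob has been denied (IP: 192.168.1.20).
2021-03-02 08:02:10.120 Info UserManager: User bob authenticated successfully (IP: 192.168.1.20).
'@
Get-FailedLoginSummary -Lines ($raw -split "`r?`n") -Threshold 3 | Format-Table -AutoSize

# Against the real log (the path is a placeholder; use wherever your server writes embyserver.txt):
# Get-FailedLoginSummary -Lines (Get-Content -LiteralPath 'C:\path\to\embyserver.txt') | Format-Table -AutoSize
```

With the constructed lines, only 203.0.113.10 is reported: three denials against admin and bob, followed by a successful login as admin. The 192.168.1.20 entry has a single denial and stays under the threshold, which is the point of grouping by IP rather than reading the denials one by one.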

Cyberbob2021
25 minutes ago, maegibbons said:

I would suggest grabbing the emby logs from the machine directly.

You or perhaps someone with more experience can look through for suspicious login activity.

Krs

Mark

I can't log on to the machine, I can't even hack the password, my whole NAS is encrypted, and I've lost everything emby. It's my emby PC and NAS that were attacked; my other NAS is not attached to the emby machine and is fine.

Maybe it's best not to use emby connect and just use internal, as the firewall is on and I'm only a small user.

Gilgamesh_48
52 minutes ago, Cyberbob2021 said:

maybe best not to use emby connect and just use internal, as firewall is on and im only a small user 

I do not see how using Emby connect or any other Emby feature could produce the problem you are seeing. Nor can I see how anything Emby does could allow malware onto your computer. I believe that something was done on your computer that allowed some bad actor to install malware on it.

I do not use Emby connect and, unless you have remote users, I do not see any reason why anyone would use Emby connect.

However I am quite sure that it is/was not Emby causing your problems. I just do not see how Emby could allow the kind of access that installing malware requires.

But, from what you have said, there is no recovery possible, so you just need to re-rip your media, reformat your computer and NAS, and re-install Emby if you want to continue using it.

I will say that I have never seen anything that Emby does that would have any relationship to what has happened to you.


rbjtech
2 hours ago, Cyberbob2021 said:

The only 1 thing i have done, is got some help of emby tech here, and then a few days later this happens, I don't even think its his fault as he maybe he is compromised. 

Don't name names, but can you elaborate on this? Was anything installed on your machine to assist?

It won't save your situation I'm afraid, but it may stop future attacks.


Cyberbob2021
1 minute ago, rbjtech said:

Don't name names, but can you elaborate on this? Was anything installed on your machine to assist?

It won't save your situation I'm afraid, but it may stop future attacks.

Yes, some sort of software, but I really don't think it's anything to do with the guy helping from here. I did get a warning about it being insecure and had issues getting Windows to accept it.

Cyberbob2021
5 minutes ago, Gilgamesh_48 said:

I do not see how using Emby connect or any other Emby feature could produce the problem you are seeing. Nor can I see how anything Emby does could allow malware onto your computer. I believe that something was done on your computer that allowed some bad actor to install malware on it.

I do not use Emby connect and, unless you have remote users, I do not see any reason why anyone would use Emby connect.

However I am quite sure that it is/was not Emby causing your problems. I just do not see how Emby could allow the kind of access that installing malware requires.

But, from what you have said, there is no recovery possible, so you just need to re-rip your media, reformat your computer and NAS, and re-install Emby if you want to continue using it.

I will say that I have never seen anything that Emby does that would have any relationship to what has happened to you.

I love emby, and I'm a premium lifetime member. I'm not suggesting it's anything to do with emby; something went up with my connect, then this.

rbjtech
2 minutes ago, Cyberbob2021 said:

Yes, some sort of software, but I really don't think it's anything to do with the guy helping from here. I did get a warning about it being insecure and had issues getting Windows to accept it.

What makes you think these two things are unrelated?

I would ping the circumstances/details/names to @Luke - he will confirm if this was an official support person.

I highly suspect that is how the Ransomware attack got into your system.


Cyberbob2021
1 minute ago, rbjtech said:

What makes you think these two things are unrelated?

I would ping the circumstances/details/names to @Luke - he will confirm if this was an official support person.

I highly suspect that is how the Ransomware attack got into your system.

Luke was on my post, he has a badge. OMG, no.

Gilgamesh_48
2 minutes ago, rbjtech said:

Don't name names, but can you elaborate on this? Was anything installed on your machine to assist?

It won't save your situation I'm afraid, but it may stop future attacks.

There is a good reason I never allow anyone to remotely access my computers but, if the "help" was from a user on this forum that is among the "moderators" or "Tech support" or on "Emby staff" then I very much doubt it is anything they did or installed. However the software that allows remote access does open things up and if it is not completely turned off after it is used then there could easily be a "door" left open and that "door" could then be walked through by anyone with a bit of effort.

I believe that it is a very bad idea to allow others to remotely access and control your computer. There are just too many ways crap can happen if you allow others to access your computer. It is like allowing a stranger into your house unsupervised. The damage can be done during initial access or it can show up a long time later or it can allow others to get in through the same door.

In the modern computer world people should trust no one. It seems paranoid but the question becomes:
"Yes, I'm paranoid — but am I paranoid enough?" ― David Foster Wallace
or
"Just because I'm paranoid does not mean they're not out to get me."


Cyberbob2021
5 minutes ago, Gilgamesh_48 said:

There is a good reason I never allow anyone to remotely access my computers but, if the "help" was from a user on this forum that is among the "moderators" or "Tech support" or on "Emby staff" then I very much doubt it is anything they did or installed. However the software that allows remote access does open things up and if it is not completely turned off after it is used then there could easily be a "door" left open and that "door" could then be walked through by anyone with a bit of effort.

I believe that it is a very bad idea to allow others to remotely access and control your computer. There are just too many ways crap can happen if you allow others to access your computer. It is like allowing a stranger into your house unsupervised. The damage can be done during initial access or it can show up a long time later or it can allow others to get in through the same door.

In the modern computer world people should trust no one. It seems paranoid but the question becomes:
"Yes, I'm paranoid — but am I paranoid enough?" ― David Foster Wallace
or
"Just because I'm paranoid does not mean they're not out to get me."

Fair points. I would not normally allow it, and I'm still testing, having lots of issues to be fair, connect being the biggest. Maybe my connect is compromised; I am still looking, scanning. All I know is my NAS and my emby are dead. How, when, why, I have no idea. Yes, maybe the thing I ran left something open; I had a hell of a job getting the file in the first place. I just don't know. I was having issues, hence the log-in; I was having issues with emby connect, and still am to this day. I have changed the password, and yet it still takes an age to get to the connect part. Maybe that's my problem, I just don't know. I use the PC for emby and nothing else.

Cyberbob2021
21 minutes ago, rbjtech said:

What makes you think these two things are unrelated?

I would ping the circumstances/details/names to @Luke - he will confirm if this was an official support person.

I highly suspect that is how the Ransomware attack got into your system.

[redacted]

Install this and it should be obvious what to do. This is what I installed; it was a nightmare, as Win 10 kept blocking it. I'm worried now what else is compromised. I thought it was all down to my internet provider changing over, tbh, as that's when it all started.

Cyberbob2021

Message with said program, and I had to allow it for it to run. Maybe that was a mistake and I never un-allowed it after, I just don't know. Thought maybe I had security too high on it, as I don't use the machine for anything.

[attachment: Untitled.jpg]

rbjtech

Please remove the attachment - it may be compromised!

This should be a private conversation with whoever you installed this software for.


1 minute ago, Cyberbob2021 said:

Message with said program, and I had to allow it for it to run. Maybe that was a mistake and I never un-allowed it after, I just don't know. Thought maybe I had security too high on it, as I don't use the machine for anything.

[attachment: Untitled.jpg]

That message in and of itself is no big deal.  It just means the EXE isn't signed by a known entity.  It doesn't mean it is nefarious.

I assume your support session was with @cayars?


2 hours ago, Cyberbob2021 said:

The only 1 thing i have done, is got some help of emby tech here, and then a few days later this happens, I don't even think its his fault as he maybe he is compromised.  i have my answers, get on with it on ya own & wipe and start again. 

That would be me, and I can assure you this did not come from me or anything we did. The reason I say that is twofold. First, I actually use a VM machine to do remote work that does not have access to my network. I do this because I isolate myself from my network when doing this and take a "clean room" approach, as I don't want to get anything from somebody else. Plus I've got inline Intrusion Detection, ad and malware blocking running in real time on my router and other security measures in place, as well as 2 different virus/malware checkers that run network wide.

But besides that I never actually touched your files or system with any files of mine as we did a screen share so anything done is from your PC itself.
Make sense? The only exception to that is the tiny agent you installed to run on the desktop (no admin privs). You still have that in the PM I sent you, so feel free to scan that file with any program you can find. It will turn up clean. It's very tiny on its own:
[attachment: image.png.4604e4a5fb0b51705b430ff6bb365b68.png]

Now about your current problem.
Do you have snapshots of your Synology or your Windows PC?  Both support this out of the box and it's one of the best ways of turning back the clock on these types of things.
Is it both your Windows machine and your NAS that is now encrypted?

Do programs still run but content, text, office files, media files are encrypted?
If programs still run look at the list of things installed in control panel to see what has recently been installed.
Check browsers as well for plugins.
Try running Malwarebytes to see if it finds the source and what exactly it is.

How much are they asking for in USD?
Can you take a picture of what you see to give us a better idea.

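Two of the steps above, the list of recently installed programs and working out how far the encryption reached and when it started so that a snapshot from before that time can be chosen, as an added PowerShell script. This is not code from the thread, from Emby or from Synology; ".makop" and the readme notes come from the thread, while the note filename pattern, the day window and the paths are assumptions, and the demo folder it scans is constructed.

```powershell
# Added example (not from the thread, Emby or Synology). Two triage steps from the post above:
#   1. programs whose uninstall entry was written in the last N days;
#   2. how far the encryption reached on a folder or mapped share, and the time bracket
#      in which the encrypted files were written, which is the date to pick a snapshot from.
# ".makop" and "readme" are taken from the thread; the note name pattern, the day window,
# the paths and the demo data below are assumptions / constructed.

function Get-RecentInstalls {
    param([int]$Days = 30)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $cutoff = (Get-Date).AddDays(-$Days)
    # InstallDate is normally "yyyyMMdd"; entries without one are skipped here, so also
    # check folder timestamps under Program Files and the user's AppData by hand.
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
        ForEach-Object {
            [pscustomobject]@{
                InstallDate = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                RegistryKey = $_.PSPath -replace '^.*::', ''
            }
        } |
        Where-Object { $_.InstallDate -ge $cutoff } |
        Sort-Object InstallDate -Descending
}

function Get-EncryptionScope {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Extension   = '.makop',       # from the thread
        [string]$NotePattern = 'readme*.txt'   # assumed note name; adjust to what you see
    )
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue)
    $enc   = @($files | Where-Object { $_.Extension -eq $Extension } | Sort-Object LastWriteTime)
    $notes = @($files | Where-Object { $_.Name -like $NotePattern })
    $first = if ($enc.Count) { $enc[0].LastWriteTime }  else { $null }
    $last  = if ($enc.Count) { $enc[-1].LastWriteTime } else { $null }
    [pscustomobject]@{
        TotalFiles     = $files.Count
        EncryptedFiles = $enc.Count
        RansomNotes    = $notes.Count
        FirstWrite     = $first
        LastWrite      = $last
        PerFolder      = @($enc | Group-Object DirectoryName | Sort-Object Count -Descending |
                           Select-Object @{ n = 'Folder'; e = { $_.Name } }, Count)
    }
}

# Demo on a constructed temp folder (no real data) so the scoping function runs anywhere.
$demo   = Join-Path ([IO.Path]::GetTempPath()) 'makop-triage-demo'
$layout = @{
    Movies = 'film.mkv.makop', 'film2.mkv.makop', 'readme-warning.txt'
    Photos = 'holiday.jpg.makop', 'readme-warning.txt', 'untouched.png'
}
foreach ($dir in $layout.Keys) {
    $d = Join-Path $demo $dir
    New-Item -ItemType Directory -Force -Path $d | Out-Null
    foreach ($name in $layout[$dir]) {
        Set-Content -LiteralPath (Join-Path $d $name) -Value 'constructed sample content'
    }
}
$scope = Get-EncryptionScope -Path $demo
$scope | Select-Object TotalFiles, EncryptedFiles, RansomNotes, FirstWrite, LastWrite | Format-List
$scope.PerFolder | Format-Table -AutoSize

# On the affected Windows PC (from an admin shell) and against the NAS share (UNC path assumed):
Get-RecentInstalls -Days 30 | Format-Table -AutoSize
# Get-EncryptionScope -Path '\\nas\share' | Format-List
```

On the constructed folder the scope comes back as 6 files, 3 encrypted and 2 notes, with Movies ahead of Photos in the per-folder table. The FirstWrite/LastWrite bracket is what matters on a real share: a snapshot taken before FirstWrite is the one to restore from, and the last install entry that predates it is the one to look at first. Run the script from a clean machine or a fresh admin shell on the affected PC, and read the NAS share over the network rather than executing anything found on it.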

rbjtech

Nobody is accusing guys - we are just trying to get to the bottom of it.

If the remote session has the ability to remote control and has been left 'open', then simply put - it is an attack surface which may have been used.

If the user deleted the agent and rebooted immediately after the session, then it's reasonable to rule it out.


Cyberbob2021
30 minutes ago, cayars said:

That would be me, and I can assure you this did not come from me or anything we did. The reason I say that is twofold. First, I actually use a VM machine to do remote work that does not have access to my network. I do this because I isolate myself from my network when doing this and take a "clean room" approach, as I don't want to get anything from somebody else. Plus I've got inline Intrusion Detection, ad and malware blocking running in real time on my router and other security measures in place, as well as 2 different virus/malware checkers that run network wide.

But besides that I never actually touched your files or system with any files of mine as we did a screen share so anything done is from your PC itself.
Make sense? The only exception to that is the tiny agent you installed to run on the desktop (no admin privs). You still have that in the PM I sent you, so feel free to scan that file with any program you can find. It will turn up clean. It's very tiny on its own:
[attachment: image.png.4604e4a5fb0b51705b430ff6bb365b68.png]

Now about your current problem.
Do you have snapshots of your Synology or your Windows PC?  Both support this out of the box and it's one of the best ways of turning back the clock on these types of things.
Is it both your Windows machine and your NAS that is now encrypted?

Do programs still run but content, text, office files, media files are encrypted?
If programs still run look at the list of things installed in control panel to see what has recently been installed.
Check browsers as well for plugins.
Try running Malwarebytes to see if it finds the source and what exactly it is.

How much are they asking for in USD?
Can you take a picture of what you see to give us a better idea.

I don't think it's you guys; I think something is up with my emby connect account.

Every file on the NAS was encrypted, with a readme file that's basically a virus too, and the PC was locked out completely. It had an email address and wanted bitcoin. I have had no choice but to wipe the lot. Every file on the NAS was renamed too.
