Cyberbob2021 posted December 1, 2021:
Help, I have been hacked. My Emby machine has been destroyed, I can't get into it, and my whole NAS, everything, has been encrypted and has a warning saying to pay in bitcoins. It's my NAS and Emby that have been got at, to the makop extension. Have I lost everything?
Cyberbob2021 (author) posted December 1, 2021 (edited):
I have this warning over my whole NAS, readme files everywhere. I can't log into my Emby server at all, so they have trashed my Emby and everything on my NAS.
Edited December 1, 2021 by Cyberbob2021
ember1205 posted December 1, 2021:
What is it that you expect to get for help here? Odds are, your primary device/machine is what was hacked, and the use of a drive mapped onto the NAS is what allowed that machine to encrypt the filesystem. Back up, and back up often.
scb99 posted December 1, 2021:
9 minutes ago, ember1205 said: What is it that you expect to get for help here? Odds are, your primary device/machine is what was hacked, and the use of a drive mapped onto the NAS is what allowed that machine to encrypt the filesystem. Back up, and back up often.
That's a bit unsympathetic!!! But sadly, yes, it's very unlikely that anyone here can help. By the way, many NASs are potentially directly hackable; it doesn't have to be via a drive map.
Gilgamesh_48 posted December 1, 2021:
My suggestions are:
1. Pay the ransom. Thieves like the ones you encountered usually are true to their word in that they provide the needed key once the ransom is paid.
2. Reformat everything and start from scratch. This is the most reliable option and, usually, the least expensive.
3. There really is no three. But sometimes, rarely, you can recover by hacking your own system. But that is so rare as to be virtually unknown.
When you get it fixed, I recommend a strong firewall and that you do not surf questionable sites. Also, your server should be only a server and not be used for surfing the web at all. Also, I recommend a good VPN. I use ExpressVPN and, so far, my firewall plus my VPN has prevented me from being attacked. Remember to always use protection when performing risky acts.
Cyberbob2021 (author) posted December 1, 2021:
It's the Emby PC that's been hacked and the NAS attached to it. No other PC was targeted, just Emby, and now I can't get into it, and all my NAS files are encrypted with this makop thing, a readme file in every single file folder. Is it the ports open to Emby or something? I had someone on here log in for me the other day, now this. I'm not performing any risky tasks; it seems Emby was targeted.
maegibbons posted December 1, 2021:
So what do you expect the Emby community to do about it? Have a whip-round? Emby is almost certainly NOT the attack vector. How is your machine firewalled? What ports do you have mapped on your router to this machine? What else is running on the machine?
Krs
Mark
Cyberbob2021 (author) posted December 1, 2021:
21 minutes ago, maegibbons said: So what do you expect the Emby community to do about it? Have a whip-round? Emby is almost certainly NOT the attack vector. How is your machine firewalled? What ports do you have mapped on your router to this machine? What else is running on the machine? Krs Mark
The only one thing I have done is get some help from Emby tech here, and then a few days later this happens. I don't even think it's his fault, as maybe he is compromised. I have my answers: get on with it on your own, and wipe and start again. I just don't see how, after all these months, my NAS could well be shit; I'd accept it was the NAS's fault if just the NAS was done in, but it's not: my login details for Emby have been changed as well, which suggests it's that machine that was targeted. I'll delete the thread, as I guess I'm on my own here.
1 hour ago, ember1205 said: What is it that you expect to get for help here? Odds are, your primary device/machine is what was hacked, and the use of a drive mapped onto the NAS is what allowed that machine to encrypt the filesystem. Back up, and back up often.
maegibbons posted December 1, 2021:
I would suggest grabbing the Emby logs from the machine directly. You, or perhaps someone with more experience, can look through them for suspicious login activity.
Krs
Mark
Cyberbob2021 (author) posted December 1, 2021:
25 minutes ago, maegibbons said: I would suggest grabbing the Emby logs from the machine directly. You, or perhaps someone with more experience, can look through them for suspicious login activity. Krs Mark
I can't log on to the machine, I can't even hack the password, my whole NAS is encrypted, and I've lost everything Emby. It's my Emby PC and NAS that were attacked; my other NAS is not attached to the Emby machine and is fine. Maybe best not to use Emby Connect and just use internal, as the firewall is on and I'm only a small user.
Gilgamesh_48 posted December 1, 2021:
52 minutes ago, Cyberbob2021 said: Maybe best not to use Emby Connect and just use internal, as the firewall is on and I'm only a small user.
I do not see how using Emby Connect or any other Emby feature could produce the problem you are seeing. Nor can I see how anything Emby does could allow malware onto your computer. I believe that something was done on your computer that allowed some bad actor to install malware on it. I do not use Emby Connect and, unless you have remote users, I do not see any reason why anyone would use Emby Connect. However, I am quite sure that it is/was not Emby causing your problems. I just do not see how Emby could allow the kind of access that installing malware requires. But, from what you have said, there is no recovery possible, so you just need to re-rip your media, reformat your computer and NAS, and re-install Emby if you want to continue using it. I will say that I have never seen anything that Emby does that would have any relationship to what has happened to you.
rbjtech posted December 1, 2021:
2 hours ago, Cyberbob2021 said: The only one thing I have done is get some help from Emby tech here, and then a few days later this happens. I don't even think it's his fault, as maybe he is compromised.
Don't name names, but can you elaborate on this? Was anything installed on your machine to assist? It won't save your situation, I'm afraid, but it may stop future attacks.
Cyberbob2021 (author) posted December 1, 2021:
1 minute ago, rbjtech said: Don't name names, but can you elaborate on this? Was anything installed on your machine to assist? It won't save your situation, I'm afraid, but it may stop future attacks.
Yes, some sort of software, but I really don't think it's anything to do with the guy helping from here. I did get a warning about it being insecure and had issues getting Windows to accept it.
Cyberbob2021 (author) posted December 1, 2021:
5 minutes ago, Gilgamesh_48 said: I do not see how using Emby Connect or any other Emby feature could produce the problem you are seeing. Nor can I see how anything Emby does could allow malware onto your computer. I believe that something was done on your computer that allowed some bad actor to install malware on it. I do not use Emby Connect and, unless you have remote users, I do not see any reason why anyone would use Emby Connect. However, I am quite sure that it is/was not Emby causing your problems. I just do not see how Emby could allow the kind of access that installing malware requires. But, from what you have said, there is no recovery possible, so you just need to re-rip your media, reformat your computer and NAS, and re-install Emby if you want to continue using it. I will say that I have never seen anything that Emby does that would have any relationship to what has happened to you.
I love Emby, and I'm a premium lifetime member. I'm not suggesting it's anything to do with Emby; something went up with my Connect, then this.
rbjtech posted December 1, 2021:
2 minutes ago, Cyberbob2021 said: Yes, some sort of software, but I really don't think it's anything to do with the guy helping from here. I did get a warning about it being insecure and had issues getting Windows to accept it.
What makes you think these two things are unrelated? I would ping the circumstances/details/names to @Luke - he will confirm if this was an official support person. I highly suspect that is how the ransomware attack got into your system.
Cyberbob2021 (author) posted December 1, 2021:
1 minute ago, rbjtech said: What makes you think these two things are unrelated? I would ping the circumstances/details/names to @Luke - he will confirm if this was an official support person. I highly suspect that is how the ransomware attack got into your system.
Luke was on my post, he has a badge. OMG, no.
Gilgamesh_48 posted December 1, 2021:
2 minutes ago, rbjtech said: Don't name names, but can you elaborate on this? Was anything installed on your machine to assist? It won't save your situation, I'm afraid, but it may stop future attacks.
There is a good reason I never allow anyone to remotely access my computers, but if the "help" was from a user on this forum who is among the "moderators" or "Tech support" or on "Emby staff", then I very much doubt it is anything they did or installed. However, the software that allows remote access does open things up, and if it is not completely turned off after it is used, then there could easily be a "door" left open, and that "door" could then be walked through by anyone with a bit of effort. I believe that it is a very bad idea to allow others to remotely access and control your computer. There are just too many ways crap can happen if you allow others to access your computer. It is like allowing a stranger into your house unsupervised. The damage can be done during initial access, or it can show up a long time later, or it can allow others to get in through the same door. In the modern computer world people should trust no one. It seems paranoid, but the question becomes: "Yes, I'm paranoid — but am I paranoid enough?" ― David Foster Wallace, or "Just because I'm paranoid does not mean they're not out to get me."
Cyberbob2021 (author) posted December 1, 2021:
5 minutes ago, Gilgamesh_48 said: There is a good reason I never allow anyone to remotely access my computers, but if the "help" was from a user on this forum who is among the "moderators" or "Tech support" or on "Emby staff", then I very much doubt it is anything they did or installed. However, the software that allows remote access does open things up, and if it is not completely turned off after it is used, then there could easily be a "door" left open, and that "door" could then be walked through by anyone with a bit of effort. I believe that it is a very bad idea to allow others to remotely access and control your computer. There are just too many ways crap can happen if you allow others to access your computer. It is like allowing a stranger into your house unsupervised. The damage can be done during initial access, or it can show up a long time later, or it can allow others to get in through the same door. In the modern computer world people should trust no one. It seems paranoid, but the question becomes: "Yes, I'm paranoid — but am I paranoid enough?" ― David Foster Wallace, or "Just because I'm paranoid does not mean they're not out to get me."
Fair points. I would not normally allow it, and I'm still testing, having lots of issues to be fair, Connect being the biggest; maybe my Connect is compromised. I am still looking and scanning; all I know is my NAS and my Emby are dead. How, when, why, I have no idea. Yes, maybe the thing I ran left something open; I had a hell of a job getting the file in the first place. I just don't know. I was having issues, hence the login; I was having issues with Emby Connect, and still am to this day. I have changed the password, and yet it still takes an age to get to the Connect part. Maybe that's my problem, I just don't know. I use the PC for Emby and nothing else.
Cyberbob2021 (author) posted December 1, 2021:
21 minutes ago, rbjtech said: What makes you think these two things are unrelated? I would ping the circumstances/details/names to @Luke - he will confirm if this was an official support person. I highly suspect that is how the ransomware attack got into your system.
[redacted] Install this and it should be obvious what to do.
This is what I installed; it was a nightmare as Win 10 kept blocking it. I'm worried now what else is compromised. I thought it was all down to my internet provider changing over, tbh, as that's when it all started.
Cyberbob2021 (author) posted December 1, 2021:
Message with said program, and I had to allow it for it to run. Maybe that was the mistake and I never un-allowed it after, I just don't know. I thought maybe I had security too high on it, as I don't use the machine for anything.
rbjtech posted December 1, 2021:
Please remove the attachment - it may be compromised! This should be a private conversation with whoever you installed this software for.
ebr posted December 1, 2021:
1 minute ago, Cyberbob2021 said: Message with said program, and I had to allow it for it to run. Maybe that was the mistake and I never un-allowed it after, I just don't know. I thought maybe I had security too high on it, as I don't use the machine for anything.
That message in and of itself is no big deal. It just means the EXE isn't signed by a known entity. It doesn't mean it is nefarious. I assume your support session was with @cayars?
Carlo posted December 1, 2021:
2 hours ago, Cyberbob2021 said: The only one thing I have done is get some help from Emby tech here, and then a few days later this happens. I don't even think it's his fault, as maybe he is compromised. I have my answers: get on with it on your own, and wipe and start again.
That would be me, and I can assure you this did not come from me or anything we did. The reason I say that is twofold. First, I actually use a VM machine to do remote work that does not have access to my network. I do this because I isolate myself from my network when doing this and take a "clean room" approach, as I don't want to get anything from somebody else. Plus I've got inline Intrusion Detection, ad and malware blocking running in real time on my router and other security measures in place, as well as 2 different virus/malware checkers that run network wide. But besides that, I never actually touched your files or system with any files of mine, as we did a screen share, so anything done is from your PC itself. Make sense? The only exception to that is the tiny agent you installed to run on the desktop (no admin privs). You still have that in the PM I sent you, so feel free to scan that file with any program you can find. It will turn up clean. It's very tiny on its own:
Now about your current problem. Do you have snapshots of your Synology or your Windows PC? Both support this out of the box, and it's one of the best ways of turning back the clock on these types of things.
Is it both your Windows machine and your NAS that are now encrypted? Do programs still run, but content, text, office files, media files are encrypted? If programs still run, look at the list of things installed in Control Panel to see what has recently been installed. Check browsers as well for plugins. Try running Malwarebytes to see if it finds the source and what exactly it is.
How much are they asking for in USD?
Can you take a picture of what you see to give us a better idea?
rbjtech posted December 1, 2021:
Nobody is accusing anyone, guys - we are just trying to get to the bottom of it. If the remote session has the ability to remote control and has been left 'open', then simply put, it is an attack surface which may have been used. If the user deleted the agent and rebooted immediately after the session, then it's reasonable to rule it out.
Cyberbob2021 (author) posted December 1, 2021:
30 minutes ago, cayars said: That would be me, and I can assure you this did not come from me or anything we did. The reason I say that is twofold. First, I actually use a VM machine to do remote work that does not have access to my network. I do this because I isolate myself from my network when doing this and take a "clean room" approach, as I don't want to get anything from somebody else. Plus I've got inline Intrusion Detection, ad and malware blocking running in real time on my router and other security measures in place, as well as 2 different virus/malware checkers that run network wide. But besides that, I never actually touched your files or system with any files of mine, as we did a screen share, so anything done is from your PC itself. Make sense? The only exception to that is the tiny agent you installed to run on the desktop (no admin privs). You still have that in the PM I sent you, so feel free to scan that file with any program you can find. It will turn up clean. It's very tiny on its own: Now about your current problem. Do you have snapshots of your Synology or your Windows PC? Both support this out of the box, and it's one of the best ways of turning back the clock on these types of things. Is it both your Windows machine and your NAS that are now encrypted? Do programs still run, but content, text, office files, media files are encrypted? If programs still run, look at the list of things installed in Control Panel to see what has recently been installed. Check browsers as well for plugins. Try running Malwarebytes to see if it finds the source and what exactly it is. How much are they asking for in USD? Can you take a picture of what you see to give us a better idea?
I don't think it's you guys. I think something is up with my Emby Connect account. Every file on the NAS was encrypted, with a readme file that's basically a virus too; the PC is completely locked out. It had an email address and wanted bitcoin. I have had no choice but to wipe the lot. Every file on the NAS was renamed too.
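The symptoms the thread describes (every file renamed with the ransomware extension and a readme note dropped into every folder) can be inventoried offline from a read-only mount before the rebuild, so that the scope of what a snapshot or backup must restore is known. This is an added example, not code from the thread or from Emby; the note filename and the sample tree are constructed assumptions.

```python
"""Offline triage of a directory tree for the symptoms in the thread: files
renamed with the ransomware extension and a ransom note in every folder."""
import os
import tempfile

# Assumptions: ".makop" is the extension named in the thread; the note
# filename is a constructed placeholder, adjust it to what is on disk.
RANSOM_EXT = ".makop"
NOTE_NAMES = {"readme-warning.txt"}


def triage(root, ext=RANSOM_EXT, note_names=NOTE_NAMES):
    """Walk root and summarise how far the encryption reached."""
    encrypted, untouched, note_dirs, dirs = [], [], set(), 0
    for dirpath, _subdirs, files in os.walk(root):
        dirs += 1
        for name in files:
            lowered = name.lower()
            if lowered in note_names:
                note_dirs.add(dirpath)
            elif lowered.endswith(ext):
                encrypted.append(os.path.join(dirpath, name))
            else:
                untouched.append(os.path.join(dirpath, name))
    # Original names survive in the renamed files even though the contents
    # do not: that list is what a backup or snapshot must restore.
    originals = sorted(os.path.basename(p)[: -len(ext)] for p in encrypted)
    return {
        "dirs": dirs,
        "dirs_with_note": len(note_dirs),
        "encrypted": len(encrypted),
        "untouched": len(untouched),
        "untouched_paths": sorted(untouched),
        "original_names": originals,
    }


def build_sample_tree(base):
    """Constructed sample layout mimicking the thread's description."""
    note = "pay in bitcoin (constructed ransom note text)"
    layout = {
        "readme-warning.txt": note,
        "movies/film.mkv.makop": "ciphertext placeholder",
        "movies/readme-warning.txt": note,
        "music/song.mp3.makop": "ciphertext placeholder",
        "music/readme-warning.txt": note,
        "backups/notes.txt": "still readable",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return base


def demo():
    # Run the triage against the constructed tree in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))
```

Point `triage()` at a read-only mount of the affected share; the "untouched_paths" list is where to look for anything the malware skipped, and "original_names" is the restore list.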