Jump to content

HELP I HAVE BEEN HACKED


Cyberbob2021

Recommended Posts

Cyberbob2021

both my admin acc and the emby acc (local pc acc) locked out password would not work, pc would not restore, only way was to format and reinstall. 

Link to comment
Share on other sites

2 minutes ago, Cyberbob2021 said:

I think something is up with my emby connect account

Hi.  There is no way that your Emby Connect account could provide access to do something like this.

2 minutes ago, Cyberbob2021 said:

every file on NAS was encrypted with a read me file that's basically a virus too, pc locked out of completely.  I had an email address and wanted bitcoin,   i have had no choice but to wipe the lot.  every file on the nas was renamed too. 

This sounds like standard ransomware and none of this could be done through just an Emby Connect account.  That has no access to your file system.

  • Like 1
Link to comment
Share on other sites

Cyberbob2021

That's all the info I have, this is what windows picked up on another pc, , once I realised I could not get into the emby pc anymore, i looked at nas and see everything renamed,   

virus.jpg

Link to comment
Share on other sites

Cyberbob2021
5 minutes ago, ebr said:

Hi.  There is no way that your Emby Connect account could provide access to do something like this.

This sounds like standard ransomware and none of this could be done through just an Emby Connect account.  That has no access to your file system.

fair enough, perhaps its been on machine a while. ive scanned all other machine nothing picked up 

Link to comment
Share on other sites

rbjtech

My advice is to wipe and re-install everything on your network - including resetting your router and NAS back to factory default - I know it's a colossal pain in the **** but as you have been compromised - you have no idea what else has been installed. 

Then install all the security patches for all the equipment - starting from the router, then NAS, then PC's etc.  Then run a check from the likes of 'Shields Up' to check you have no open ports on your router/firewall.

Only then can you be sure that things are clean enough to start again .. 

Edited by rbjtech
Link to comment
Share on other sites

Cyberbob2021
7 minutes ago, rbjtech said:

My advice is to wipe and re-install everything on your network - including resetting your router and NAS back to factory default - I know it's a colossal pain in the **** but as you have been compromised - you have no idea what else has been installed. 

Then install all the security patches for all the equipment - starting from the router, then NAS, then PC's etc.  Then run a check from the likes of 'Shields Up' to check you have no open ports on your router/firewall.

Only then can you be sure that things are clean enough to start again .. 

its my own fault, I backed up fully on the 21 oct, 2021  done a lot since lol,  I could use backups, but am doing as you say starting again from scratch.  

  • Like 1
Link to comment
Share on other sites

Gilgamesh_48
32 minutes ago, Cyberbob2021 said:

every file on NAS was encrypted with a read me file that's basically a virus too, pc locked out of completely.  I had an email address and wanted bitcoin,   i have had no choice but to wipe the lot.  every file on the nas was renamed too. 

I do not think Emby connect could have anything to do with this. As far as I know Emby connect just allows people to connect to your Emby server and, if your account has been compromised then that could lock you out of your account but it could not encrypt your files.

The only way for your files to get corrupted is for something to run on your computer that has full privileges and can operate on your files at the operating system level and nothing Emby does or uses can do that.

I think, assuming you did not leave the door open after you were helped, that something completely unrelated to Emby is the root cause of your issue and the fact it happened after you were helped is just a form of the "Post hoc ergo propter hoc" fallacy.

Link to comment
Share on other sites

Don't want to sound callous but when one is inexperienced in how to secure their boxes from Internet attacks, they will suffer the consequences of it. As already mentioned EMBY has ZERO things to do with your ransomware attack. Just to give you an idea of what happened in the QNAP NAS world recently and I am running 3 QNAP NASs 24/7 exposed to the net. You may also want to search the site bleepingcomputer.com if there were recent ransomware attacks.

QNAP did firmware updates to some of their programs on various models. They were warned that they have an open security hole where admin privileges could be granted to external users. The people who found this out told QNAP to correct it and gave them 60 days to do so. QNAP couldn't be bothered. After the 60 days they gave QNAP another week to respond, but the arrogant bastards couldn't be bothered. The information about the security hole was publicly released and within a week 1000s of QNAP NASs where effected by files with a size of less then 5MB all being zipped and password protected. A storm and threats of class action suits finally caused QNAP to act on it.

The bad actors wanted $500 for providing the password and many did. In these days unless you know how to isolate your PCs and NASs from the outside world through security measures you will be a target. Bad actors were scanning the Internet for QNAP devices and then attacked them. Anyone not running a full Internet security suit like BitDefender or others is playing Russian roulette and are just waiting to be hit. Even then there is still a good chance that something in the wild will cause damage.

So, my advise is if the information or data is worth the money they want pay it but be careful when you get your Bitcoins that no one else will steal them. If it is not worth it, then wipe everything clean, reinstall your programs and the content get it again from where you got it the first time. Next secure your NAS from the outside world and finally run an Internet security suit on your PC, as good as the Microsoft provided security is it can't measure up to a dedicated company that is focused on Internet security solely.

Finally, search the forums here for "Ransomware" and read the heartbreaking story of one of the regulars here who lost TBs of his content due to a ransomware attack.

I am very sorry for being so direct but you are in a war and this war is being fought on the data level, you have to educate yourself and take preventive measures, because it comes with the fact of being globally connected.

 

  • Like 1
Link to comment
Share on other sites

Ah man, sorry this happened.

This happened to me a while back, and I had to start from scratch. It was just aweful coming home and seeing the nasty message on my server.

Of course ii stupidly left remote desktop open to the internet... I will never do that again.

 

Strangely enough, even as we speak, there is a program hidden in my recycle bin, that I can not remove, and every once I a while it tries to call out.

Luckily I purchased Sophos and it keeps it a bay.

Still have to try and get rid of it... I know it's there, but it's stuck somehow...

There are some nasty coders out there. Using their skills for the dark side. 

 

Best of luck!

Link to comment
Share on other sites

41 minutes ago, chef said:

Ah man, sorry this happened.

This happened to me a while back, and I had to start from scratch. It was just aweful coming home and seeing the nasty message on my server.

Of course ii stupidly left remote desktop open to the internet... I will never do that again.

 

Strangely enough, even as we speak, there is a program hidden in my recycle bin, that I can not remove, and every once I a while it tries to call out.

Luckily I purchased Sophos and it keeps it a bay.

Still have to try and get rid of it... I know it's there, but it's stuck somehow...

There are some nasty coders out there. Using their skills for the dark side. 

 

Best of luck!

I read your story when you first broke it and felt really sorry for you and researched Sophos, but decided to use BitDefender $90 for 3 years for 5 devices did the trick for me. Having something that is connected to malware still on the system would drive me nuts. If it is on a PC have you tried running your AV software while the PC is in safe mode? But I guess as long as it is jailed in the recycle bin you should be good. If you are not allowed to kill something, jailing is the next best thing. How many TBs of your content were effected and did you get it all back?

  • Like 1
Link to comment
Share on other sites

3 hours ago, Gilgamesh_48 said:

I think, assuming you did not leave the door open after you were helped, that something completely unrelated to Emby is the root cause of your issue and the fact it happened after you were helped is just a form of the "Post hoc ergo propter hoc" fallacy.

The remote control program I'm using now is custom and uses public/private keys and if the keys don't match you won't even get a chance to login over SSH. It's "not installed" either but runs "in session".

3 hours ago, Cyberbob2021 said:

its my own fault, I backed up fully on the 21 oct, 2021  done a lot since lol,  I could use backups, but am doing as you say starting again from scratch.  

What is this a backup off?  Is it your NAS as well as your PC?  If so I'd do a restore and immediately disconnect your computers from each other and let each scan itself.
BTW, did you check to see if the Synology renamed files were intact just renamed?  In other words were the text files still there and your movies as well just with a messed up name?

If so and if you are using btrfs file system you should be able to undue that.
 

I'll write a bit more in a few minutes on proactive things to do once you get things restored and operational.
BTW, how much were they asking for via bitcoins?

Link to comment
Share on other sites

RanmaCanada

The other potential vector could also have been a compromised router.  I recently had to replace a few friends' routers on their businesses as they were being DDOS'd with attempts to log into them, all were older DLINK routers.  It was so bad that their internet refused to work, and ISP support said "not our problem, internet is working".  I ended up replacing their routers with high end ASUS routers, and the problem vanished instantly.  List most knowledgeable people I do any "sketchy" stuff off my main network, or isolate in a sandbox.  I have a router setup specifically out of subnet range so it can not see anything on my main network, just in case.  Crytpo locker sucks, and sadly I've seen this hundreds of times, and really, if they want in, there ain't much you can do to stop them.  We had an entire province's hospitals in Canada taken down by it just recently.

As others have said, replace/wipe/reload.  It's horrible that this has happened and it is my biggest nightmare.

  • Like 2
Link to comment
Share on other sites

After I was hacked I purchased some okay networking equipment. Especially since I had forward facing services running.

I decided on Ubiquity. It isn't top of the line but it allows me to see what kind of  attacks on my domain/network are.

They are stopped by either the Firewall router, or Sophos if the attack gets through to my server.

But I get attacked everyday. Sometimes a lot, and sometimes a little... but everyday.

firewall_pic1.thumb.png.a1055edc1e6592be916562c440362414.png

firewall_pic2.thumb.png.793bd7e9ec3e864e58baf20c1628d783.png

 

PXL_20211202_030441871.thumb.jpg.4b727b49ff2b9a90c91fc91c5777ffca.jpg

 

Edited by chef
  • Like 3
Link to comment
Share on other sites

Cyberbob2021
9 hours ago, cayars said:

The remote control program I'm using now is custom and uses public/private keys and if the keys don't match you won't even get a chance to login over SSH. It's "not installed" either but runs "in session".

What is this a backup off?  Is it your NAS as well as your PC?  If so I'd do a restore and immediately disconnect your computers from each other and let each scan itself.
BTW, did you check to see if the Synology renamed files were intact just renamed?  In other words were the text files still there and your movies as well just with a messed up name?

If so and if you are using btrfs file system you should be able to undue that.
 

I'll write a bit more in a few minutes on proactive things to do once you get things restored and operational.
BTW, how much were they asking for via bitcoins?

had no figure, just to email them, tbh lost so much prob not worth redoing it all, my backup drive failed half way through too.  

  • Sad 1
Link to comment
Share on other sites

rbjtech
8 hours ago, chef said:

After I was hacked I purchased some okay networking equipment. Especially since I had forward facing services running.

I decided on Ubiquity. It isn't top of the line but it allows me to see what kind of  attacks on my domain/network are.

They are stopped by either the Firewall router, or Sophos if the attack gets through to my server.

But I get attacked everyday. Sometimes a lot, and sometimes a little... but everyday.

firewall_pic1.thumb.png.a1055edc1e6592be916562c440362414.png

firewall_pic2.thumb.png.793bd7e9ec3e864e58baf20c1628d783.png

 

PXL_20211202_030441871.thumb.jpg.4b727b49ff2b9a90c91fc91c5777ffca.jpg

 

Almost all 'hack' attempts are simply bots scanning all public IP addresses for KNOWN vulnerabilities.  Once they get a 'hit' they are targeted and/or added to a list for sale.  It's all about money.

Zero Day vulnerabilities are actually pretty rare (exploits that do not have available patches) - so on top of all the layered protection, it is also essential that all updates are applied - although this does potentially open up supply chain backdoors - so on key gateways, personally I never 'automatically' update - but it's still better to Auto update than not update at all.

At the end of the day - any data that is critical/personal/irreplaceable - should be backed up/verified/encrypted and then taken off any form of connected network - ideally with multiple copies in multiple locations.

  • Like 1
Link to comment
Share on other sites

Painkiller8818
19 hours ago, Cyberbob2021 said:

That's all the info I have, this is what windows picked up on another pc, , once I realised I could not get into the emby pc anymore, i looked at nas and see everything renamed,   

virus.jpg

Here we got it. This file is an EXE file and not a txt. File.

Windows Defender does not pop up for text files, only for executeable files. This file for sure is a .txt.exe file and you hide the file extensions.

I would say, you downloaded this tv show and you got a little present in the season 2 ;)

 

Link to comment
Share on other sites

Cyberbob2021
1 hour ago, Painkiller8818 said:

Here we got it. This file is an EXE file and not a txt. File.

Windows Defender does not pop up for text files, only for executeable files. This file for sure is a .txt.exe file and you hide the file extensions.

I would say, you downloaded this tv show and you got a little present in the season 2 ;)

 

nope it was a txt file, granted was exe labeled txt files. I don't DL anything to the pc at all, that was what come up on another pc when trying to open the txt doc, another stupid mistake. I had put no shows on, I have now got to bottom of what happened, all down to new router and a setting. so I left the door open all my own fault, while  was trying to get connect going, @cayars I found the screen shot 

Untitled.jpg

Edited by Cyberbob2021
Link to comment
Share on other sites

@Cyberbob2021 Just wanted to check in with you to find out how you're making out and what your current status is?

Do you actually have a copy of the virus/malware?  If so could you zip it up for me.
I'd love to have the real deal to test with in a virtual cloud environment.  I'd like to see what tools are best against this type of thing first hand.

  • Like 1
Link to comment
Share on other sites

Cyberbob2021
1 hour ago, cayars said:

@Cyberbob2021 Just wanted to check in with you to find out how you're making out and what your current status is?

Do you actually have a copy of the virus/malware?  If so could you zip it up for me.
I'd love to have the real deal to test with in a virtual cloud environment.  I'd like to see what tools are best against this type of thing first hand.

I don't sorry.  its was win32/Uwansome.A1ml trojan file renamer, maybe I should have tried to get around with cure however it messed so much up, clean was the better option. just unlucky drive with backup failed 3rd way in 

Link to comment
Share on other sites

15 hours ago, chef said:

After I was hacked I purchased some okay networking equipment. Especially since I had forward facing services running.

I decided on Ubiquity. It isn't top of the line but it allows me to see what kind of  attacks on my domain/network are.

They are stopped by either the Firewall router, or Sophos if the attack gets through to my server.

But I get attacked everyday. Sometimes a lot, and sometimes a little... but everyday.

 

 

 

 

 

Aww that brings good memories of threat detection in Unifi, i am on the Early access release software and can confirm their latest version of Traffic Inspector (TD) is utter rubbish and tells you nothing, in fact the Whole EA UI has basically taken all the relevant info you would want about whats going on your network and chucked it in the recycle bin and now you get really stupid screens like the attached, that make no sense and are utterly pointless. But to be fair the Dream Machine has been solid and has a pretty decent firewall on it.

Can you guess what this means?

 

 

 

Screenshot 2021-12-02 at 19.14.01.png

  • Like 2
Link to comment
Share on other sites

51 minutes ago, Cyberbob2021 said:

I don't sorry.  its was win32/Uwansome.A1ml trojan file renamer, maybe I should have tried to get around with cure however it messed so much up, clean was the better option. just unlucky drive with backup failed 3rd way in 

If by chance you still have these on disk and have 1 or 2 files with the before and after results it's possible to recover from this.
https://id-ransomware.malwarehunterteam.com/ allows you to upload the good and bad version of the files.  It does a check to establish the difference between the files then checks that against it's every growing database.  If you get a match from them your files can be fixed with a recover key.

It's also possible to add it to a system setup for forensics  that appears to be Internet connected  and of course doing packet capture.  Once it starts to do it's thing you can track it byte by byte as well as capture the key it's going to upload for that system. Normally this is done from memory not the transport (typically encrypted). Either way you also get the before/after versions of the files as well as be able to attach a debugger to it and step through the machine code.

It's a lot of work for sure and but the average person only needs a file or two in the before/after state to upload to that site to see if a solution is available yet.

  • Thanks 1
Link to comment
Share on other sites

49 minutes ago, CassTG said:

Can you guess what this means?

Screenshot 2021-12-02 at 19.14.01.png

That's not really very helpful in my opinion.

  • Like 1
  • Agree 1
Link to comment
Share on other sites

11 hours ago, rbjtech said:

Almost all 'hack' attempts are simply bots scanning all public IP addresses for KNOWN vulnerabilities.  Once they get a 'hit' they are targeted and/or added to a list for sale.  It's all about money.

Zero Day vulnerabilities are actually pretty rare (exploits that do not have available patches) - so on top of all the layered protection, it is also essential that all updates are applied - although this does potentially open up supply chain backdoors - so on key gateways, personally I never 'automatically' update - but it's still better to Auto update than not update at all.

At the end of the day - any data that is critical/personal/irreplaceable - should be backed up/verified/encrypted and then taken off any form of connected network - ideally with multiple copies in multiple locations.

Totally agree with that procedure with one exception perhaps because of irresponsible vendors. The massive QNAP ransomware attack was caused by a security hole in their most recent firmware updates. I am running two NASs with EOL for firmware support and they were fine no damage done. The 3rd NAS I had not updated in over 6 months and it also was fine as none of the "improvements" on the backup programs and cloud interaction was installed and operational. No damage done on my QNAPs, but there were small businesses that used their NAS for working from different locations from home during the pandemic. Some who had recommended QNAP and assisted with the installation were inundated after the ransomware attack, with requests for help. All their PDF business documents and photos were ZIP and passworded.

Long story short, your procedure is excellent if the vendor is judicious and dependable. With QNAP they were arrogant chumps.

Link to comment
Share on other sites

7 hours ago, CassTG said:

Aww that brings good memories of threat detection in Unifi, i am on the Early access release software and can confirm their latest version of Traffic Inspector (TD) is utter rubbish and tells you nothing, in fact the Whole EA UI has basically taken all the relevant info you would want about whats going on your network and chucked it in the recycle bin and now you get really stupid screens like the attached, that make no sense and are utterly pointless. But to be fair the Dream Machine has been solid and has a pretty decent firewall on it.

Can you guess what this means?

 

 

 

Screenshot 2021-12-02 at 19.14.01.png

I have no idea what that chart means. 

I will not be updating the web client, that for certain. Wonder what they are trying to do with that? 

Link to comment
Share on other sites

rbjtech
8 hours ago, One2Go said:

Totally agree with that procedure with one exception perhaps because of irresponsible vendors. The massive QNAP ransomware attack was caused by a security hole in their most recent firmware updates. I am running two NASs with EOL for firmware support and they were fine no damage done. The 3rd NAS I had not updated in over 6 months and it also was fine as none of the "improvements" on the backup programs and cloud interaction was installed and operational. No damage done on my QNAPs, but there were small businesses that used their NAS for working from different locations from home during the pandemic. Some who had recommended QNAP and assisted with the installation were inundated after the ransomware attack, with requests for help. All their PDF business documents and photos were ZIP and passworded.

Long story short, your procedure is excellent if the vendor is judicious and dependable. With QNAP they were arrogant chumps.

Quote

...although this does potentially open up supply chain backdoors..

Exactly - and this is why I mentioned caution on the Auto upgrade - there is always the possibility of introducing new vulnerabilities - they can come from both poor internal QA (as in the case of your QNAP example) or via supply chain interception such as the SolarWinds hack.

My personal view is do not upgrade automatically unless there is good reason to do so - ie if an Critical patch is released to resolve a ZeroDay, then I review, install and monitor.  If there is a patch for 'generic enhancements' then I will wait until it has been out there a couple of weeks or may choose to not install it at all using the 'if it ain't broke' policy.. 🤣

  • Haha 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...