jscheeren (posted January 16, 2023)

G'day. I have 3 Emby servers operating on Windows 11 Pro, two of them on the same LAN, and I have Emby Premiere. One of these servers has been infiltrated.

About 6 months ago I noticed via notifications that a user coming from a London, England VPN server was watching TV series on my Emby server as one of my users. Being silly, I had all users using the same password to make admin easier, as the users were friends and family who are not technically competent. I changed that user's password, but the hacker then just used another user account! So I changed all the passwords, and the access stopped.

A couple of months later I noticed (by accident) that between about 2PM and 5:30PM (EST) .rt text files were being created in my video file directories. I assumed this was not related to the earlier problem. These are apparently subtitle text files for a Real Time video player. However, no related activity was noted in the Emby dashboard.

I spent weeks trying to figure out what was going on on my PC using Windows tools such as resource monitors etc. Then I installed an app called PA File Sight Pro, pointed it at my video directories, and consequently discovered that in that same time frame multiple video files were being read as well as .rt files being created, if Emby Server remote access was turned on (no matter which port I selected via port forwarding or Emby auto select). The reads and writes were usually in different and unrelated video file directories.

I cannot form any idea as to what is happening, but all *.rt file creation and video file reads completely stop if, sadly, I just shut down my Emby Server, as I cannot figure out any solution. Any ideas out there?

Thank you so much in advance, Jan
rbjtech (posted January 16, 2023)

A compromised system, no matter what the 'clean up', can never be trusted again. My personal view is you need to start fresh with a brand new Emby install, using unique passwords, on top of a brand new operating system install.

From an Emby shared access perspective, you need to ensure:

a) you are using TLS/SSL (https), and refresh/change the certificate if you were already. Change the admin passwords on any portal used to manage the domain etc.
b) port forwarding is manually set up on your router
c) UPnP on the router is turned off
d) the admin password on the router is changed and the firmware updated
e) the OS firewall and AV are up to date and active
f) the Emby Admin account is disabled from remote access (local only)
g) the Emby user passwords used are all unique and at least 8 chars
h) check all systems connected to your network; they may have been compromised too

Providing public access to your 'emby' server without providing the above 'basics' is inherently 'risky'. There are, to the best of my knowledge, no known vulnerabilities in the Emby web server itself, but without ensuring the basics are covered, hackers will just work around them via other means (weak passwords etc).
rbjtech (posted January 16, 2023)

To add: a debug log from when you believe the system is being compromised might also be useful. It will show the remote access id/IP etc. and may show other useful details. Ping via PM to myself or the admins (@Luke or @ebr) if you wish.
jscheeren (posted January 16, 2023)

Thank you rbjtech very much for your very detailed suggestions and offer of further assistance. I must say that the idea of completely rebuilding all of the software and OS on this server (which does much more than being an Emby server) is onerous, to say the least. It would take days. I certainly understand that in the end this may be the only solution if I wish to keep using Emby on it. So I am thinking that I should try a bit harder to find out the weak link(s) first, as I had not previously used all of the suggestions a-g that you listed.

Would a debug log show this hacker's activity, even though absolutely nothing shows up in the Activity log accessed on the Emby Server dashboard?

Cheers, jan
rbjtech (posted January 16, 2023)

Quoting jscheeren: "Would a debug log show this hacker's activity, even though absolutely nothing shows up in the Activity log accessed on the Emby Server dashboard?"

Yes, the log shows a huge amount of information on every activity, system processes as well as user processes. The dashboard shows very little in comparison.
jscheeren (posted January 16, 2023)

OK, thanks yet again rbjtech. I have restarted the Emby server with remote access on and turned on the debug logging. Would I send all of the 6 log files to you?

Cheers, jan
rbjtech (posted January 16, 2023)

Quoting jscheeren: "Would I send all of the 6 log files to you?"

Yes, that's fine. I can take a look for you to see if there is anything obvious in them.
Luke (posted January 16, 2023)

What if you try starting the server but disabling remote access?
rbjtech (posted January 16, 2023)

Quoting Luke: "What if you try starting the server but disabling remote access?"

The OP has said it only happens when they enable remote access, so something odd is going on. Once I get the logs we can confirm.
Luke (posted January 16, 2023)

It could be the subtitle download features, and the video file reads could be the subtitle hashing process.
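To make Luke's point concrete, here is an added example (not code from this thread or from Emby) of the OpenSubtitles "moviehash" that subtitle providers commonly use to identify a video: the file size plus the little-endian 64-bit words of the first and last 64 KiB, summed modulo 2^64. Whether Emby's subtitle plugins compute exactly this hash is an assumption here, not something the thread states; the point it demonstrates is that such a hash reads only about 128 KiB of each video, which a file-access monitor such as PA File Sight reports as a "read" of the video file even though nothing is being played or copied. The sample file it hashes is constructed in a temp directory.

```python
import os
import struct
import tempfile
from typing import Tuple

CHUNK = 64 * 1024            # the hash only ever touches the first and last 64 KiB
MASK64 = 0xFFFFFFFFFFFFFFFF


def opensubtitles_hash(size: int, head: bytes, tail: bytes) -> str:
    """OpenSubtitles moviehash: file size plus every little-endian 64-bit word of
    the first and last 64 KiB, summed modulo 2**64, rendered as 16 hex digits."""
    h = size
    for chunk in (head, tail):
        usable = len(chunk) - len(chunk) % 8        # whole 8-byte words only
        for (word,) in struct.iter_unpack("<Q", chunk[:usable]):
            h = (h + word) & MASK64
    return f"{h:016x}"


def hash_video_file(path: str) -> Tuple[str, int]:
    """Hash a file on disk. Returns (hash, bytes_read) to show how little is read:
    one read at the start, one seek + read at the end, nothing in between."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(CHUNK)
        f.seek(max(0, size - CHUNK))
        tail = f.read(CHUNK)
    return opensubtitles_hash(size, head, tail), len(head) + len(tail)


def hash_bytes(data: bytes) -> str:
    """Same hash over an in-memory buffer (for small samples and tests)."""
    return opensubtitles_hash(len(data), data[:CHUNK], data[max(0, len(data) - CHUNK):])


def hash_constructed_sample() -> Tuple[str, str, int]:
    """Write a constructed 200 KiB 'video' (not a real media file) to a temp dir,
    hash it from disk and from memory, and report how many bytes were read."""
    data = bytes(range(256)) * 800
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.mkv")
        with open(p, "wb") as f:
            f.write(data)
        on_disk, nbytes = hash_video_file(p)
    return on_disk, hash_bytes(data), nbytes


if __name__ == "__main__":
    on_disk, in_memory, nbytes = hash_constructed_sample()
    print(f"hash {on_disk} (in-memory {in_memory}), bytes read from disk: {nbytes}")
```

Run against a real library folder, `hash_video_file` reads 131072 bytes per file regardless of file size, which is the signature to look for when a monitor shows many videos "read" in a short burst with no playback session in the dashboard.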
ebr (posted January 17, 2023)

@jscheeren I modified the title of this post as I don't believe there is a "serious security problem" here, and that is a very alarming title. Thanks.
rbjtech (posted January 17, 2023)

@jscheeren, I haven't received any logs to confirm activity? As above, it may well be a background process, BUT this process would happen whether remote access is allowed or not (it's just metadata collection), so your saying it only happens when you enable 'remote access' in Emby makes it a strange one and IMHO it needs looking at, but I need the logs to do so.
Guest Cottage2 (posted January 17, 2023)

Thanks rbjtech for your follow-up. I will dig deeper into your query as soon as the .rt file creations and the video file reads start up again after having restarted Emby Server last night, but so far, strangely, neither has occurred. The Emby server had been shut down for three days because of this concern, but before that both occurred consistently between about 2PM and 5:30PM (EST), and stopped and started immediately whenever Emby Server was running.

To address your question, I know for sure that the .rt file writes stopped as soon as Emby Server was shut down or the Remote Access option was turned off. But it was only after the PA File Sight Pro app was installed just a few days ago that I discovered that the video file reads were also occurring. So what I need to clarify for you is whether the video file reads are also stopped just by turning off Remote Access, but I can confirm that they definitely stop if Emby Server is shut down.

ebr: As the .rt writes and video file reads only occur if Emby Server is running (i.e. it is not any nefarious code otherwise running on my PC), but the Activity Log on the Dashboard shows no activity, i.e. no users are logged on, to me this seems to be a serious security issue. Unless I can figure this out, it will require me to completely reinstall everything on my server (and risk it all happening again) or to stop using Emby Server. I love Emby and so much respect what you guys have done, so I want to be able to continue using it. I spent many years starting up and managing hi-tech companies that developed software, firmware and hardware, so I think I have a perspective on this and understand your concern that the title was overstated; however, I do feel that your edit maybe made it understated.

Cheers, Jan
ebr (posted January 17, 2023)

Quoting Guest Cottage2: "but before that both occurred consistently between about 2PM and 5:30PM"

Hi. Do you have a server log from that time period?
rbjtech (posted January 17, 2023)

Quoting Guest Cottage2: "So, what I need to clarify for you is whether the video file reads are also stopped just by turning off Remote Access, but I can confirm that they definitely stop if Emby Server is shut down."

Exactly. Clarification on this statement will make a big difference to the level of concern. SYSTEM processes happen all the time within Emby; these happen under the account Emby is launched from. These run on schedules, and regardless of who is 'logged on' to the server, these still run. There are no security issues here. If however you only see this activity when you turn on Remote Access, THEN we have something to investigate.

In summary, the logs will reveal all. ps, don't reinstall anything yet; this could be a big false alarm / misunderstanding of how Emby is functioning.
Luke (posted January 17, 2023)

Quoting Guest Cottage2: "As the .rt writes and video file reads only occur if Emby Server is running ... to me, this seems to be a serious security issue."

I think this is all normal based on what I mentioned about subtitle downloading. It looks like you enabled that feature and the server is downloading subtitles in the background, just like you asked it to do.
jscheeren (posted January 17, 2023, edited January 17, 2023)

Thanks guys for your comments. Can anyone confirm two things:

1. Is there any possibility that any official Emby routine creates .rt files? I understand that Emby may be creating subtitle files as I had asked it to (Luke), but would those not be .srt files? Because if not, and if there are no users logged on to Emby during these times, and it does not happen when Emby Server is not running, then the implication is that it is some outside party/routine that is somehow using the Emby Server to access my video directories.

2. I have now seen .rt files being created between about 11:55 and about 12:21 PM EST. I had started up Emby Server last night, but this is the first occurrence of .rt files being created since. There have been a lot of video files read, however, over a much longer time frame.

Who else might I send log files to, or only rbjtech?

Here is a grab from a File Explorer search for *.rt from one of my two main directories. Previously many, many .rt files were being created, even for a single episode, but I have been deleting them prior to this.
Luke (posted January 17, 2023)

I've never heard of rt files, but OpenSubtitles has a lot of different formats of subtitles, and the server saves them using whatever extension came from OpenSubtitles (or other subtitle provider). Again, we'd really have to look at the server log from when they were downloaded to learn more.
rbjtech (posted January 17, 2023)

Quoting jscheeren: "Who else might I send log files to, or only rbjtech?"

Entirely your call; I'm just trying to help. If you wish to send them to @Luke and/or @ebr then I won't be offended.

There is a subtitle process (SubtitleManager) that will clearly show in the log if it's writing the files. In fact you can find it yourself if you just do a string search for '.rt' files or 'SubtitleManager' in any text editor: just search the embyserver.txt file for the current log, or the log file you think has the issue. We have the tools to make this quick and easy, but you can do it yourself if you like. An example subtitle log line is below (Polish srt subtitle for a film), but a log file may have 100s of thousands of entries, thus the need to automate the search.

2023-01-17 21:02:39.337 Info SubtitleManager: Saving subtitles to \\media\Films\The Old Man & the Gun (2018)\The Old Man & the Gun (2018) - HD.pl.srt
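Automating the search rbjtech describes: the following is an added example, not code from the thread or from Emby, that scans an embyserver.txt-style log for "SubtitleManager: Saving subtitles to" lines, tallies the saved files by extension, flags the extensions Emby would not pick up, and filters to the 2PM to 5:30PM window the OP reported. The line shape is taken from the example log line above; the sample log is constructed (only the Old Man & the Gun path comes from the thread, with its timestamp moved into the window), and the set of "supported" extensions is an assumption for illustration, except that .srt is confirmed supported and .rt confirmed not, as Luke states later in the thread.

```python
import ntpath
import re
from collections import Counter
from datetime import time
from typing import Dict, List

# Line shape copied from the SubtitleManager example posted above.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<level>\w+) (?P<source>[\w.]+): (?P<message>.*)$"
)
SAVE_PREFIX = "Saving subtitles to "

# Assumption for illustration: only .srt (supported) and .rt (unsupported) are
# confirmed in the thread; the rest of this set is not Emby's real list.
ASSUMED_SUPPORTED = {".srt", ".ass", ".ssa", ".sub", ".vtt"}

# Constructed sample log; the TaskManager/HttpServer lines are invented filler.
SAMPLE_LOG = r"""
2023-01-17 14:02:11.004 Info TaskManager: Executing Download missing subtitles
2023-01-17 14:02:39.337 Info SubtitleManager: Saving subtitles to \\media\Films\The Old Man & the Gun (2018)\The Old Man & the Gun (2018) - HD.pl.srt
2023-01-17 14:03:02.118 Info SubtitleManager: Saving subtitles to D:\TV\Show\Season 01\Show S01E01.en.rt
2023-01-17 14:03:05.220 Info SubtitleManager: Saving subtitles to D:\TV\Show\Season 01\Show S01E02.en.rt
2023-01-17 17:31:40.901 Info SubtitleManager: Saving subtitles to D:\Films\Other (2001)\Other (2001).en.srt
2023-01-17 17:35:00.000 Info HttpServer: HTTP GET http://127.0.0.1:8096/emby/System/Info
""".strip()


def parse_subtitle_saves(log_text: str) -> List[Dict]:
    """One record per 'SubtitleManager: Saving subtitles to <path>' line."""
    events = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m or m["source"] != "SubtitleManager":
            continue
        msg = m["message"]
        if not msg.startswith(SAVE_PREFIX):
            continue
        path = msg[len(SAVE_PREFIX):].strip()
        events.append({
            "date": m["date"],
            "time": time.fromisoformat(m["time"]),
            "path": path,
            "ext": ntpath.splitext(path)[1].lower(),   # Windows paths, so ntpath
        })
    return events


def summarise(events: List[Dict], supported=ASSUMED_SUPPORTED):
    """Count saved subtitle files by extension and list those Emby would not load."""
    by_ext = Counter(e["ext"] for e in events)
    unsupported = [e["path"] for e in events if e["ext"] not in supported]
    return by_ext, unsupported


def in_window(events: List[Dict], start=time(14, 0), end=time(17, 30)) -> List[Dict]:
    """Keep events inside the daily window the OP observed (default 2PM to 5:30PM)."""
    return [e for e in events if start <= e["time"] <= end]


if __name__ == "__main__":
    ev = parse_subtitle_saves(SAMPLE_LOG)
    by_ext, bad = summarise(ev)
    print("subtitle saves by extension:", dict(by_ext))
    print("inside 2PM-5:30PM window:", len(in_window(ev)), "of", len(ev))
    for p in bad:
        print("saved with an extension Emby does not recognise:", p)
```

To run it on a real log, replace SAMPLE_LOG with the contents of embyserver.txt (open it with errors="replace"; Emby logs are UTF-8 but can contain odd bytes from file names). A hit here, with timestamps matching the .rt creation times seen by the file monitor, attributes the writes to the server's own subtitle task rather than to a remote session; the same scan with no hits during those times is the case that would still need investigating.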
jscheeren (posted January 17, 2023)

I sent logs to Luke and rbjtech.

Cheers, Jan
Luke (posted January 17, 2023)

It's the Subscene plugin. Unfortunately rt is not actually a supported subtitle extension in Emby Server, so having it save with that extension means the server won't even recognize the downloaded subtitles.

What should happen:
1. It should save them as srt if they are in fact srt format.
2. The server should recognize rt if it is a real subtitle format that people actually use.

It is still unfortunate, though, that you enabled the feature, the feature did what you asked it to do, and then you ended up interpreting it as a security risk.
Happy2Play (posted January 17, 2023)

So are these just wrong-extension srt subtitles? Have you opened one in a text editor? A debug server log could show more info.
rbjtech (posted January 17, 2023, edited January 17, 2023)

Quoting Luke: "It's the Subscene plugin. Unfortunately rt is not actually a supported subtitle extension in Emby Server ..."

Yep. Oddly, I posted this as well but it's not being displayed, so here it is again.
rbjtech (posted January 17, 2023)

So in summary, there are no unwanted processes here. Maybe configure Subscene to not download .rt files, as Emby can't use them, or, as H2P has suggested, maybe open the .rt file in an editor, as you 'may' be able to just rename it to .srt and they work perfectly well.
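The "open it and see, then rename" suggestion from Happy2Play and rbjtech, as an added example that is not code from the thread or from Emby: it sniffs the first lines of each .rt file for the standard SRT cue shape (an integer index followed by a "00:00:01,000 --> 00:00:03,500" timing line) or a WEBVTT header, and renames only files that really are SRT, never overwriting an existing .srt. It defaults to a dry run. The sample files it creates are constructed in a temp directory; the directory layout and file names are assumptions.

```python
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Standard SRT timing line; WebVTT differs (a WEBVTT header and '.' before millis).
SRT_TIMING = re.compile(r"^\d{1,2}:\d{2}:\d{2},\d{3}\s+-->\s+\d{1,2}:\d{2}:\d{2},\d{3}")

# Constructed samples of what a mislabelled .rt might contain.
SAMPLE_SRT = "1\n00:00:01,000 --> 00:00:03,500\nHello.\n\n2\n00:00:04,000 --> 00:00:06,000\nWorld.\n"
SAMPLE_VTT = "WEBVTT\n\n00:00:01.000 --> 00:00:03.500\nHello.\n"


def sniff_subtitle_format(text: str) -> Optional[str]:
    """Return 'srt' or 'vtt' if the text starts like that format, else None."""
    lines = [ln.lstrip("\ufeff").rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return None
    if lines[0].startswith("WEBVTT"):
        return "vtt"
    if lines[0].isdigit() and len(lines) > 1 and SRT_TIMING.match(lines[1]):
        return "srt"
    return None


def rename_misnamed_rt(root: str, dry_run: bool = True) -> List[Tuple[str, str]]:
    """Walk root; every .rt whose content is really SRT is renamed to .srt,
    unless a file of that name already exists. Returns the (src, dst) pairs."""
    renamed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".rt"):
                continue
            src = os.path.join(dirpath, name)
            with open(src, "r", encoding="utf-8", errors="replace") as f:
                head = f.read(4096)              # a few KiB is enough to sniff
            if sniff_subtitle_format(head) != "srt":
                continue
            dst = src[:-3] + ".srt"
            if os.path.exists(dst):
                continue                          # never clobber an existing subtitle
            if not dry_run:
                os.rename(src, dst)
            renamed.append((src, dst))
    return renamed


def demo_in_tempdir() -> Tuple[int, bool, bool]:
    """Constructed tree: one .rt that is really SRT, one .rt that is not.
    Returns (files renamed, renamed .srt exists, non-subtitle .rt untouched)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Show S01E01.en.rt")
        junk = os.path.join(d, "notes.rt")
        with open(good, "w", encoding="utf-8") as f:
            f.write(SAMPLE_SRT)
        with open(junk, "w", encoding="utf-8") as f:
            f.write("just some text\n")
        changes = rename_misnamed_rt(d, dry_run=False)
        return len(changes), os.path.exists(good[:-3] + ".srt"), os.path.exists(junk)


if __name__ == "__main__":
    print(demo_in_tempdir())
```

Point it at a library folder with dry_run=True first and read the list it returns; anything that does not sniff as SRT is left alone, which is the right default when you are still deciding whether the files are what the plugin says they are.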
Luke (posted January 17, 2023)

Can you please provide the contents of one of these .rt files so that we can look at them? Thanks.