.rt files being created and files read

jscheeren

G'day.

I have 3 Emby servers operating in Windows 11 Pro - two on the same LAN. Have Emby Premiere.

One of these servers has been infiltrated. About 6 months ago noticed via notifications that a user via a London England VPN server was watching TV Series on my Emby Server as one of my users. Being silly, I had all users using same password to make admin easier as users were friends and family, but not technically competent. Changed that users password, but hacker just then used another user account! So, I changed all passwords. Access stopped.

A couple of months later I noticed (by accident) that between about 2PM and 5:30PM (EST) .rt text files were being created in my video file directories. I assumed this was not related to the earlier problem. These are apparently sub-title text files for a Real Time video player. However, no related activity was noted in the Emby dashboard. I spent weeks trying to figure out what was going on on my PC using Windows tools such as resource monitors etc. Then I installed an app called PA File Sight Pro pointing at my video directories and consequently discovered that in that same time frame, multiple video files were being read as well as .rt files being created if Emby Server Remote Access was turned on (no matter which port I selected via port forwarding or Emby auto select). The reads and writes were usually in different and unrelated video file directories.

I cannot figure out what is happening, but all *.rt file creation and video file reads completely stop if I sadly just shut down my Emby Server, as I cannot figure out any solution.

Any ideas out there?

Thank you so much in advance,

Jan 


rbjtech

A compromised system, no matter what the 'clean up' can never be trusted again.

My personal view is you need to start fresh with a brand new emby install - using unique passwords on top of a brand new operating system install.

From an emby shared access perspective - you need to ensure 

a) you are using TLS/SSL (https) and refresh/change the certificate if you were already.   Change the admin passwords on any portal used to manage the domain etc.

b) port forwarding is manually setup on your router

c) upnp on the router is turned off

d) admin password on the router is changed & firmware updated

d) OS firewall and AV is up to date and active

e) disable the emby Admin account from remote access - local only

f) emby user passwords used are all unique and at least 8 chars.

g) check all system connected to your network - they may have been compromised too

 

Providing public access to your 'emby' server without providing the above 'basics' is inherently 'risky' - there are, to the best of my knowledge, no known vulnerabilities in the emby web server itself - but without ensuring the basics are covered, hackers will just work around them via other means (weak passwords etc).

 


rbjtech

To add - a debug log of when you believe the system is being compromised might also be useful - it will show the remote access id/ip etc and may show other useful details.

Ping via PM to myself or the Admins ( @Luke or @ebr) if you wish. 


jscheeren

Thank you rbjtech very much for your very detailed suggestions and offer for further assistance.

I must say, that the idea of completely rebuilding all of the software and OS on this server (which does much more than being an Emby server) is onerous, to say the least. It would take days. I certainly understand that in the end, this may be the only solution if I wish to keep using Emby on it.

So, I am thinking that I should try a bit harder to find out the weak link(s) first as I had not previously used all of your suggestions a-g that you listed. Would a debug log show this hackers activity, even though absolutely nothing shows up in the Activity log accessed on the Emby Server Dashboard?

Cheers,

jan


rbjtech
14 minutes ago, jscheeren said:

Would a debug log show this hackers activity, even though absolutely nothing shows up in the Activity log accessed on the Emby Server Dashboard?

Yes, the log shows a huge amount of information on every activity - system processes as well as user processes.  The dashboard shows very little in comparison.


jscheeren

OK thanks yet again rbjtech. I have restarted the Emby server with Remote access on and turned on the debug logging. Would I send all of the 6 log files to you? 

Cheers,

jan


rbjtech
1 hour ago, jscheeren said:

OK thanks yet again rbjtech. I have restarted the Emby server with Remote access on and turned on the debug logging. Would I send all of the 6 log files to you? 

Cheers,

jan

Yes that's fine - I can take a look for you to see if there is anything obvious in them.


rbjtech
49 minutes ago, Luke said:

What if you try starting the server but disabling remote access?

The OP has said it only happens when they enable remote access - so something odd is going on - once I get the logs we can confirm.


It could be the subtitle download features, and the video file reads could be the subtitle hashing process.


@jscheeren I modified the title of this post as I don't believe there is a "serious security problem" here and that is a very alarming title.  Thanks.


rbjtech

@jscheeren - I haven't received any logs to confirm activity ?

As above - it may well be a background process - BUT this process would happen whether remote access is allowed or not (it's just metadata collection) - so you saying it only happens when you enable 'remote access' in emby makes it a strange one and imho it needs looking at - but I need the logs to do so .. ;)


Guest Cottage2

Thanks rbjtech for your follow-up.

I will dig deeper into your query as soon as the .rt file creations and the video file reads start up again after having restarted Emby Server last night, but so far, strangely, neither has occurred. The Emby server had been shut down for three days because of this concern, but before that both occurred consistently between about 2PM and 5:30PM (EST) and stopped and started immediately whenever Emby Server was running. 

To address your question, I know for sure that the .rt file writes stopped as soon as Emby Server was shut down, or Remote Access option was turned off. But it was only after the PA File Sight Pro app was installed just a few days ago, that I discovered that the video file reads were also occurring. So, what I need to clarify for you is whether the video file reads are also stopped just by turning off Remote Access, but I can confirm that they definitely stop if Emby Server is shut down.

ebr

As the .rt writes and video file reads, only occur if Emby Server is running, (i.e. it is not any nefarious code otherwise running on my PC) but that the Activity Log on Dashboard shows no activity i.e. no users are logged on, to me, this seems to be a serious security issue. Unless I can figure this out, it will require me to completely reinstall everything on my server, (and risk it all happening again) or to stop using Emby Server. I love Emby and so much respect what you guys have done, so I want to be able to continue using it. I spent many years starting up and managing hitech companies that developed software, firmware and hardware, so I think I have a perspective on this and understand your concern that the title was overstated, however I do feel that your edit maybe made it understated.

Cheers,

Jan


4 minutes ago, Guest Cottage2 said:

but before that both occurred consistently between about 2PM and 5:30PM

Hi.  Do you have a server log from that time period?


rbjtech
1 hour ago, Guest Cottage2 said:

So, what I need to clarify for you is whether the video file reads are also stopped just by turning off Remote Access, but I can confirm that they definitely stop if Emby Server is shut down.

Exactly - clarification on this statement will make a big difference to the level of concern.

SYSTEM processes happen all the time within emby - these happen under the account emby is launched from.  These run on schedules - and regardless of who is 'logged on' to the server - these still run.  There are no security issues here.   

If however you only see this activity when you turn on Remote Access - THEN we have something to investigate.

In summary - the logs will reveal all ;)

ps - don't reinstall anything yet - this could be a big false alarm / misunderstanding of how emby is functioning ..

 


Quote

As the .rt writes and video file reads, only occur if Emby Server is running, (i.e. it is not any nefarious code otherwise running on my PC) but that the Activity Log on Dashboard shows no activity i.e. no users are logged on, to me, this seems to be a serious security issue.

I think this is all normal based on what I mentioned about subtitle downloading. It looks like you enabled that feature and the server is downloading subtitles in the background just like you asked it to do.


jscheeren

Thanks guys for your comments.

Can anyone confirm two things:

1. Is there any possibility that any official Emby routine creates .rt files? I understand that Emby may be creating sub-title files as I had asked it to (Luke), but would those not be .srt files? Because if not, and if there are no users logged on to Emby during these times, and it does not happen when Emby Server is not running, then the implication is that it is some outside party/routine that is somehow using the Emby Server to access my video directories.

2. I have now seen .rt files being created between about 11:55 to about 12:21 PM EST. I had started up Emby Server last night but this is the first occurrence of .rt files being created since. There has been a lot of video files read however over a much longer time frame. Who else might I send log files to, or only rbjtech?

Here is a grab from a File Explorer search *.rt from one of my two main directories. Previously many many .rt files were being created, even for a single episode, but I have been deleting them prior. 

[attached screenshot: File Explorer search results for *.rt]


I've never heard of rt files, but OpenSubtitles has a lot of different formats of subtitles and the server saves them using whatever the extension was that came from OpenSubtitles (or other subtitle provider).

Again we'd really have to look at the server log from when they were downloaded to learn more.


rbjtech
7 minutes ago, jscheeren said:

Who else might I send log files to, or only rbjtech? 

Entirely your call - I'm just trying to help.  If you wish to send them to @Luke and/or @ebr then I won't be offended .. ;)

There is a subtitle process (SubtitleManager) that will clearly show in the log if it's writing the files - in fact you can find it yourself if you just do a string search for '.rt' files or 'SubtitleManager' in any text editor - just search the embyserver.txt file for the current log, or the log file you think has the issue.

We have the tools to make this quick and easy - but you can do yourself if you like.

An example subtitle log line is below (polish srt subtitle for a film) - but a log file may have 100s of thousands of entries - thus needing to automate the search ..

2023-01-17 21:02:39.337 Info SubtitleManager: Saving subtitles to \\media\Films\The Old Man & the Gun (2018)\The Old Man & the Gun (2018) - HD.pl.srt

 

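One way to automate the search rbjtech describes, as an added example that is not from the thread, from Emby or from any plugin: the script below parses log lines in the `SubtitleManager: Saving subtitles to <path>` shape quoted above (the only line format it assumes), optionally restricts them to the 2PM to 5:30PM window the original post mentions, and counts saves per file extension so that `.rt` writes stand out from normal `.srt` activity. The embedded log excerpt is constructed sample data modelled on the one real line in the post; `scan_log_file` is a hypothetical helper for running it over a real `embyserver.txt`.

```python
"""Scan Emby server log text for SubtitleManager save events.

Added example, not Emby's code. The only line format assumed is the one
quoted in the thread:
  2023-01-17 21:02:39.337 Info SubtitleManager: Saving subtitles to <path>
"""
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample excerpt: the first line is the one quoted in the thread,
# the rest are made up in the same shape with placeholder paths.
SAMPLE_LOG = r"""
2023-01-17 21:02:39.337 Info SubtitleManager: Saving subtitles to \\media\Films\The Old Man & the Gun (2018)\The Old Man & the Gun (2018) - HD.pl.srt
2023-01-18 14:05:12.001 Info App: Scheduled task started
2023-01-18 14:05:13.120 Info SubtitleManager: Saving subtitles to D:\TV\Show\Season 01\Show - S01E01.en.rt
2023-01-18 15:40:00.500 Info SubtitleManager: Saving subtitles to D:\TV\Show\Season 01\Show - S01E02.en.rt
2023-01-18 17:10:59.999 Info SubtitleManager: Saving subtitles to D:\Films\Another (2019)\Another (2019).en.srt
2023-01-18 18:00:00.000 Info App: Scheduled task completed
""".strip()

SAVE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d{3} "
    r"(?P<level>\w+) SubtitleManager: Saving subtitles to (?P<path>.+)$"
)

# The extension the thread identifies as one Emby Server cannot use.
FLAGGED_EXTENSIONS = {"rt"}


def parse_saves(log_text):
    """Return one dict (timestamp, path, extension) per SubtitleManager save line."""
    events = []
    for line in log_text.splitlines():
        m = SAVE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "path": path,
            "ext": ext,
        })
    return events


def in_window(events, start=time(14, 0), end=time(17, 30)):
    """Keep events whose time of day falls inside [start, end] (default: the thread's 2PM-5:30PM)."""
    return [e for e in events if start <= e["ts"].time() <= end]


def summarize(events):
    """Count saves per extension and list every path whose extension Emby will not recognise."""
    by_ext = Counter(e["ext"] for e in events)
    flagged = [e["path"] for e in events if e["ext"] in FLAGGED_EXTENSIONS]
    return {"by_extension": dict(by_ext), "flagged_paths": flagged}


def scan_log_file(path):
    """Hypothetical helper: run the same summary over a real embyserver.txt on disk."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return summarize(parse_saves(f.read()))


if __name__ == "__main__":
    all_saves = parse_saves(SAMPLE_LOG)
    print("all saves:", summarize(all_saves))
    print("afternoon window:", summarize(in_window(all_saves)))
```

Matching on the `SubtitleManager` prefix rather than on `.rt` alone is deliberate: a path containing `.rt` anywhere (or a `.rtf`) would otherwise produce false hits, and seeing the writes attributed to the server's own subtitle task is exactly the evidence that settles the "is this an outside party" question.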

It's the Subscene plugin. Unfortunately rt is not actually a supported subtitle extension in Emby Server, so having it save with that extension means the server won't even recognize the downloaded subtitles.

What should happen:

  • It should save them as srt if they are in fact srt format
  • The server should recognize rt if it is a real subtitle format that people actually use

It is still unfortunate though that you enabled the feature, the feature did what you asked it to do, and then you ended up interpreting it as a security risk.


Happy2Play

So are these just wrong-extension srt subtitles? Have you opened one in a text editor?

A debug server log could show more info.


rbjtech
13 minutes ago, Luke said:

It's the Subscene plugin. Unfortunately rt is not actually a supported subtitle extension in Emby Server, so having it save with that extension means the server won't even recognize the downloaded subtitles.

What should happen:

  • It should save them as srt if they are in fact srt format
  • The server should recognize rt if it is a real subtitle format that people actually use

It is still unfortunate though that you enabled the feature, the feature did what you asked it to do, and then you ended up interpreting it as a security risk.

Yep - oddly I posted this as well but it's not being displayed .. so here again ..

[two attached screenshots]

rbjtech

So in summary - there are no unwanted processes here ;)

Maybe configure subscene to not download .rt files as emby can't use them - or as H2P has suggested, maybe open the .rt file in an editor as you 'may' be able to just rename to .srt and they work perfectly well.. 

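Happy2Play's question (open one in a text editor) and rbjtech's suggestion (rename to .srt if the content is really SubRip) can be done safely in bulk. The script below is an added example, not code from the thread, Emby or the Subscene plugin: it sniffs the first few kilobytes of each `.rt` file for an SRT cue (an index line followed by a `hh:mm:ss,mmm --> hh:mm:ss,mmm` timecode), builds a dry-run plan, never overwrites an existing `.srt`, and leaves files that are not SRT alone. The sample directory it creates is constructed here; the RealText-style content is my assumption of what a genuine `.rt` file looks like, not something taken from the thread.

```python
"""Find .rt subtitle files that are really SubRip text and plan renaming them to .srt.

Added example, not Emby's or the Subscene plugin's code.
"""
import os
import re
import tempfile

# An SRT cue starts with an index line followed by a "start --> end" timecode line.
SRT_TIMECODE_RE = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3}\s*-->\s*\d{2}:\d{2}:\d{2},\d{3}")


def looks_like_srt(text):
    """True if the text begins with a numbered cue and an SRT timecode line (BOM tolerated)."""
    lines = [ln.strip() for ln in text.lstrip("\ufeff").splitlines() if ln.strip()]
    return len(lines) >= 2 and lines[0].isdigit() and bool(SRT_TIMECODE_RE.match(lines[1]))


def plan_renames(directory):
    """Walk a media directory; for every .rt file return (src, dst, action) without touching anything."""
    plan = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".rt"):
                continue
            src = os.path.join(root, name)
            with open(src, encoding="utf-8", errors="replace") as f:
                head = f.read(4096)  # a few KB is enough to see the first cue
            if not looks_like_srt(head):
                plan.append((src, None, "not SRT, left alone"))
                continue
            dst = src[:-3] + ".srt"  # strip ".rt", keep the language tag (e.g. ".en")
            if os.path.exists(dst):
                plan.append((src, dst, "skipped: .srt already exists"))
            else:
                plan.append((src, dst, "rename"))
    return plan


def apply_plan(plan):
    """Perform only the 'rename' entries of a plan; returns how many files were renamed."""
    renamed = 0
    for src, dst, action in plan:
        if action == "rename":
            os.rename(src, dst)
            renamed += 1
    return renamed


def build_sample_dir():
    """Constructed sample tree: an SRT-in-.rt, a RealText-style .rt, and an .rt whose .srt twin exists."""
    base = tempfile.mkdtemp(prefix="rt_check_")
    season = os.path.join(base, "Show", "Season 01")
    os.makedirs(season)
    srt_body = ("1\n00:00:01,000 --> 00:00:03,000\nHello.\n\n"
                "2\n00:00:04,000 --> 00:00:06,000\nWorld.\n")
    with open(os.path.join(season, "Show - S01E01.en.rt"), "w", encoding="utf-8") as f:
        f.write(srt_body)  # SubRip content saved with the wrong extension
    # Assumption: a genuine RealText file is XML-like markup, not numbered cues.
    with open(os.path.join(season, "Show - S01E02.en.rt"), "w", encoding="utf-8") as f:
        f.write('<window duration="00:00:10">\n<time begin="00:00:01"/>Hello.\n</window>\n')
    for ext in (".rt", ".srt"):
        with open(os.path.join(season, "Show - S01E03.en" + ext), "w", encoding="utf-8") as f:
            f.write(srt_body)  # both exist: the .rt must not clobber the .srt
    return base


if __name__ == "__main__":
    sample = build_sample_dir()
    for src, dst, action in plan_renames(sample):
        print(action, os.path.basename(src), "->", os.path.basename(dst) if dst else "")
    print("renamed:", apply_plan(plan_renames(sample)))
```

Running the plan before applying it is the point: on a real library you review the list first, and the "not SRT" entries tell you whether the provider is actually delivering RealText (in which case reconfiguring the plugin, as suggested above, is the fix) or just mislabelled SubRip.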
