
Has my Windows emby server been hacked.


tongeha

I will preface this by saying I have over 20 years' experience developing software in C++ and Java on many different platforms.

I was checking my emby server today to see who is streaming; I do this by opening Process Explorer and looking at the ffmpeg processes that are running. I know I could just look at the emby manager, but I'm a low level kind of guy. While in procexp I noticed 5 hidden command windows that had executed their command and were sitting idle. I could see the command they were trying to execute. The command was trying to download a dll file to the emby install directory. The dll was called helper.dll and it was being downloaded from this URL.

https://explain7843-1253122316.cos.ap-beijing.myqcloud.com/helper.dll

I tried downloading the file so I could decompile it and see if it was legit, but both my Win 10 and 11 servers flagged it as a virus. So I hopped over to a nix box and grabbed the file.

I ran the strings command on the dll and it is definitely emby related and written in .NET.

A few of the more interesting strings are:

EmbyHelper.EventManagers.SessionManager

/EmbyHelper/CleanLogs

/EmbyHelper/Ping

EmbyHelper.Api

EmbyHelper.dll

Anthony Musgrove

 

The question is: is this a legit file that Windows is erroneously flagging as a virus, or has emby been compromised and tricked into trying to install some hacked plugin or addon?

  • Thanks 1

Hello tongeha,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as explained in this thread:


Thank you.

Emby Team


TeamB

The domain info:

https://www.netify.ai/resources/domains/myqcloud.com

It looks like a CDN.

It could be an FP; if you have the sample, submit it to

https://www.virustotal.com

The details I have for the file:

helper.dll
0ae4f9ca1906d7fa6e7b4d43c32dee52d281d615de451a67e2407c0e6a32dc2b
Windows Defender Detection : VirTool:MSIL/Mousewe.A!MTB


tongeha

I also saw this in my events, and the dev for ScripterX is Anthony Musgrove.

"Emby ScripterX Has Been Uninstalled from emby_3"

https://github.com/AnthonyMusgrove/Emby-ScripterX

I did not request the install of the ScripterX plugin. Was it part of the update process? Server has auto updates turned on.

On another note, why can't I copy text from the alert screen?

[image: emby-alerts.jpg]

TeamB

That is a little weird, perhaps @Luke has more of an idea what is going on.

Scripter-X is not the sort of plugin you want running on your systems if your Emby is compromised 😕


rbjtech

 127.0.0.1 

Are you running Beta or the Release version ?  Reverse proxy ?

It's possible this is exploiting the 'local' injection bug - and making a remote call appear as 'local' to emby. If passwords are not being used locally (for the Admin account), then this is possibly where unauthorised access has been gained....

@softworkz

Does the Release version have the RP fixes ?  if not, then should Emby not patch these in an emergency release ?


Q-Droid

I hope you have taken the steps to disable remote access, at least for now until this is investigated and resolved.

  • Like 1

tongeha

No beta or RP. The emby instance runs on an open port.

I shut the machine down until I figure this out, may move emby to my truenas server.

All the items in red are failed logins from a valid user id and it looks like a local login attempt from a non admin account.

Does emby keep web server access logs?


rbjtech
10 minutes ago, tongeha said:

Does emby keep web server access logs?

They are in the main emby logs - so worth taking a copy of all of those as they will eventually get overwritten.

Do all the local emby accounts have decent passwords? The failed login attempts are 'probably' the exploit getting attempted.

Because the exploit 'shows' the local users remotely, they have access to the names of the user accounts, thus can try and brute force them.

Shutting down is wise - but change all passwords, remove scripter-x and remove the remote access at the very least. Scan your system for unwanted tasks; scripter-x is being used (I think) as a way to potentially get unapproved code onto your system via its 'package' feature, but I can't be sure without logs.


ebr
9 hours ago, tongeha said:

I did not request the install of the ScripterX plugin.

This is a 3rd party plug-in.  You have to have installed it at some point.  Perhaps you did it manually when it was in testing or something.

Do we need to remove this plug-in from the catalog?


rbjtech
30 minutes ago, ebr said:

This is a 3rd party plug-in.  You have to have installed it at some point.  Perhaps you did it manually when it was in testing or something.

Do we need to remove this plug-in from the catalog?

Any emby Admin can install a Plugin from the catalogue - so if the system is compromised via the remote/local vulnerability (still exists in the main Release?), then it may have been installed as part of the 'payload'.

If scripter-x has the ability to download DLL's from external sources - then this is a problem I agree. 


richt
4 hours ago, tongeha said:

No beta or RP. The emby instance runs on an open port.

Exposing ANY application (not just Emby) directly to the internet without a reverse proxy and some measure of intrusion detection / prevention is never a good idea.

  • Like 2

TMCsw
9 hours ago, rbjtech said:

If scripter-x has the ability to download DLL's from external sources - then this is a problem I agree. 

Of course Scripter-X can 'download' from the internet (any file). It runs a 'script file' or 'program' in the interpreter selected (cmd/powershell/bash/sh …) and it will run under the permissions that the Admin has granted (may very well be able to wipe the libraries and cripple embyserver and more), and the programs/scripts run can certainly include 'wget', 'curl', 'git', etc.

BUT KEEP IN MIND!:

emby has to have already been compromised to get to there…

so this brings up the question previously asked in this thread, but a little more specific:

Has the stable version (4.7.11.0) been patched for the ‘security risk previously identified’ ? It doesn't appear so..

  • Like 1

Spaceboy
18 hours ago, ebr said:

This is a 3rd party plug-in.  You have to have installed it at some point.  Perhaps you did it manually when it was in testing or something.

Do we need to remove this plug-in from the catalog?

this plugin is essential to me


rbjtech
9 hours ago, TMCsw said:

Of course Scripter-X can 'download' from the internet (any file). It runs a 'script file' or 'program' in the interpreter selected (cmd/powershell/bash/sh …) and it will run under the permissions that the Admin has granted (may very well be able to wipe the libraries and cripple embyserver and more), and the programs/scripts run can certainly include 'wget', 'curl', 'git', etc.

Agree, and I said this already: the system must have been compromised earlier and the Admin account logged into. Scripter-X cannot be run as a standard user. The perpetrator is simply using it as a method to further the exploit.

9 hours ago, TMCsw said:

Has the stable version (4.7.11.0) been patched for the ‘security risk previously identified’ ? It doesn't appear so..

@ebr @Luke @softworkz

Please could we get this confirmed - this is your software and if it has a vulnerability that is being exploited out in the wild, then you need to patch it asap on the Stable Release.  I believe the beta has been patched, tested and confirmed ok.


Attention: This is a VIRUS!

From initial analysis I can say the following:

  • That helper dll is a trojan which opens a backdoor with a number of APIs, allowing remote code execution and other tasks
  • It also intercepts authentication and forwards the intercepted credentials to a control server
  • It tries to eliminate traces of its existence by cleaning the corresponding lines from the log files.
    There's also the ability to delete logs completely
  • It appears that the infection is done through ScripterX
    • Probably going through some package updating mechanism
    • The server for ScripterX package updates is showing a certificate error
      (https://packagecatalog.emby-scripterx.com)
    • The package catalog wiki link is going to an empty page
      (https://wiki.emby-scripterx.com/doku.php?id=packages)
    • The whole wiki appears empty
      So it's likely that they hacked that wiki site to serve compromised update packages

More info shortly.

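A defender-side sweep built only from the indicators posted in this thread (TeamB's SHA-256 for helper.dll and the strings tongeha pulled from the binary), for checking an Emby install or plugins directory for the dropped DLL described in the analysis above. This is an added example, not code from the thread or from Emby; the sample directory and files it creates for the demo are constructed, and the clean DLL's name is hypothetical.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators quoted in this thread: the SHA-256 TeamB posted for helper.dll and
# the strings tongeha pulled from the binary. Nothing else here is known-bad.
KNOWN_HASH = "0ae4f9ca1906d7fa6e7b4d43c32dee52d281d615de451a67e2407c0e6a32dc2b"
INDICATOR_STRINGS = [b"EmbyHelper.Api", b"/EmbyHelper/CleanLogs",
                     b"/EmbyHelper/Ping", b"EmbyHelper.EventManagers.SessionManager"]
SUSPICIOUS_NAMES = {"helper.dll"}

def inspect_dll(path):
    """Return the reasons (possibly none) a DLL resembles the helper.dll from this thread."""
    p = Path(path)
    data = p.read_bytes()
    reasons = []
    if p.name.lower() in SUSPICIOUS_NAMES:
        reasons.append("filename matches the dropper target reported in the thread")
    if hashlib.sha256(data).hexdigest() == KNOWN_HASH:
        reasons.append("SHA-256 matches the hash TeamB posted")
    hits = set()
    for s in INDICATOR_STRINGS:
        # .NET keeps type names as UTF-8 and user strings as UTF-16LE, so check both
        if s in data or s.decode().encode("utf-16-le") in data:
            hits.add(s.decode())
    if hits:
        reasons.append("contains indicator strings: " + ", ".join(sorted(hits)))
    return reasons

def sweep(directory):
    """Walk an Emby install/plugins tree and map each suspicious DLL to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(".dll"):
                reasons = inspect_dll(os.path.join(root, name))
                if reasons:
                    findings[os.path.join(root, name)] = reasons
    return findings

def demo():
    """Constructed sample tree: a fake helper.dll carrying the strings plus a clean DLL."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "helper.dll").write_bytes(b"MZ" + b"\x00".join(INDICATOR_STRINGS) + b"\x00")
    (tmp / "ExamplePlugin.dll").write_bytes(b"MZ clean sample\x00")  # hypothetical name
    return sweep(tmp)
```

Run `sweep()` against the real Emby install and plugins directories; a hash match is conclusive for this sample, while a string or filename match alone only flags the file for closer inspection.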

13 hours ago, TMCsw said:

emby has to have already been comprised to get to there…

I don't believe that is true as the compromise could be wholly within the plug-in.


pwhodges

The compromise is that an external actor got access to the plugin - which surely means they went through Emby.

Paul


softworkz
12 minutes ago, pwhodges said:

The compromise is that an external actor got access to the plugin - which surely means they went through Emby.

No, it didn't happen like that.

ScripterX is a plugin which loads and updates individual functionality as "packages" from its own "store" which is not under control of Emby.

What you could argue at max is that a plugin like this shouldn't have been admitted to the catalog.

  • Agree 2

ebr
3 minutes ago, softworkz said:

What you could argue at max is that a plugin like this shouldn't have been admitted to the catalog.

Except that we really have no idea what "like this" is as most plugins download something from somewhere...


softworkz
1 minute ago, ebr said:

Except that we really have no idea what "like this" is as most plugins download something from somewhere...

What I mean by "like this" is that this plugin downloads functionality (in form of script packages) while almost all other plugins are downloading data only but no runnable code.


ebr
24 minutes ago, softworkz said:

What I mean by "like this" is that this plugin downloads functionality (in form of script packages) while almost all other plugins are downloading data only but no runnable code.

Right, but how do we know that?

I guess we're going to have to be much more strict about what we allow.


2 minutes ago, ebr said:

Right, but how do we know that?

I guess we're going to have to be much more strict about what we allow.

We’ll be able to tell by the features they advertise. 


6 hours ago, Spaceboy said:

this plugin is essential to me

The actual scripting feature is nice yes, but that should have been done without the whole downloading of remote code aspect.

  • Agree 3