Corrections needed for the hacked server


One2Go
Go to solution Solved by Luke,

One2Go

I am on a QNAP NAS and had the latest server version installed. When I try to connect I get the error message that the server can't be found. After stopping and restarting the server and having the same results, I came to the forum and realized what the problem is.

I noticed on May 13th that an installation of a scriptX plugin was attempted but failed with the user ID and password.

The problem for me is I am really limited in my Linux knowledge and have no idea where the config files and the Emby program files are located.

I can only imagine the workload you are now having but any help would be appreciated.

One2Go

Followed the instructions for changes, including using vi to change the host file, which was a first for me. Started it again and it works. Thanks for your efforts, and please advise if there are any further precautions to be done.

One2Go
1 hour ago, Luke said:

Hi, so you're saying you were able to complete them all?

Yes deleted the one DLL that was found, created the entry in the hosts file

127.0.0.1  emmm.spxaebjhxtmddsri.xyz

deleted the ReadyState.xml and the EmbyScripterX.xml files. Then started the Emby server on my QNAP NAS and could log in. Got a Security Alert that one of my User IDs with admin privileges had no password and it was disabled. Changed the passwords on my main admin account and deleted the one user that was flagged as a security alert.

Here is a weird thing: the User ID that had no password was created a few months ago via the Emby Connect route, and it had a difficult password, so no idea why it said there was no password. In addition, I have an additional question.

I would like to know the answer to this question: "Analysis of the plug-in has revealed that it is forwarding the login credentials including the password for every successful login to an external server under control of the hackers."

I presume those are just the Emby credentials. I have a few users that have not logged in over a month. At what date did you notice the hacking activity? Do these users need to change their passwords?

Here is a copy of the log that alerted me to failed logins as well as installations and uninstalls of Emby Scripter-X.

Thanks for your help.

Emby.jpg
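
A way to re-check the clean-up steps listed in the post above, as an added example that is not part of the original thread and is not Emby's own tooling. The function names and the two path arguments are assumptions, since the thread does not say where the hosts file or the Emby directories live on a given install; the hostname and the two file names are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: verify the clean-up described in the post.
# Usage (paths are assumptions, supply your own): check.sh HOSTS_FILE EMBY_DIR

SINK_HOST="emmm.spxaebjhxtmddsri.xyz"   # hostname quoted in the post

# hosts_sinkholed FILE HOST -> exit 0 if the first active entry for HOST
# points at loopback. Ignores comments, tolerates tabs, several names per
# line and mixed case.
hosts_sinkholed() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); rc = 1 }
        {
            sub(/\r$/, ""); sub(/#.*/, "")   # strip CR and comments
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) {
                    if ($1 ~ /^127\./ || $1 == "::1") rc = 0
                    exit                      # first match wins
                }
        }
        END { exit rc }
    ' "$1"
}

# find_leftovers DIR -> prints any of the two plugin XML files still under DIR.
find_leftovers() {
    find "$1" -type f \( -name 'ReadyState.xml' -o -name 'EmbyScripterX.xml' \) 2>/dev/null
}

# check_cleanup HOSTS_FILE EMBY_DIR -> exit 0 only if both checks pass.
check_cleanup() {
    status=0
    if ! hosts_sinkholed "$1" "$SINK_HOST"; then
        echo "FAIL: $SINK_HOST is not pinned to loopback in $1"
        status=1
    fi
    left=$(find_leftovers "$2" || true)
    if [ -n "$left" ]; then
        echo "FAIL: plugin files still present:"
        echo "$left"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: hosts entry active, plugin files gone"
    return "$status"
}

# Run only when both paths are given on the command line.
if [ "$#" -eq 2 ]; then check_cleanup "$1" "$2"; exit $?; fi
```

A commented-out hosts line or an entry pointing at a non-loopback address is reported as a failure, which catches the case where the edit was saved incorrectly.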

  • Solution
Quote

I presume those are just the Emby credentials. I have a few users that have not logged in over a month. At what date did you notice the hacking activity? Do these users need to change their passwords?

Only the local server credentials, not Emby Connect information, or information for anything else. So it sounds like in that case they may have been sending usernames and blank passwords.

One2Go
9 minutes ago, Luke said:

Only the local server credentials, not Emby Connect information, or information for anything else. So it sounds like in that case they may have been sending usernames and blank passwords.

Thanks, hope you get a handle on the extra work, and looking forward to the version .12 release.
