
Step By Step Guide to Restart Server for Asustor NAS AS5202T?


HKWang

Hello all,

I'm not an IT expert and most of what's on "Emby Server does not start - Security advisory 2023-05-25" does not make sense to me. I have the Asustor AS5202T and have Emby Server 4.7.11.0 installed on it. I realized last night that my TV wouldn't connect to the server so I restarted my NAS but same thing and discovered the above advisory.

Can you post a beginner's step by step guide on how to restart the server on the Asustor?

Thank you.

 


HKWang
Quote
  • Add an entry to your server machine etc/hosts file: emmm.spxaebjhxtmddsri.xyz 127.0.0.1 This is the host name of the control server which the malware is communicating with

As I mentioned, I am not an IT expert and I really don't know what this means and how it is done.

Quote
  • Suspicious user accounts

If this is referring to user accounts of the NAS, I checked and there are no suspicious user accounts. If you are referring to Emby user accounts, I cannot open the server so I do not know.

Quote
  • Unknown processes
  • Unknown network connections and open ports
  • SSH configuration
  • Firewall rules

As I mentioned, I am not an IT expert and I really don't know what this means and how it is done.

Quote
  • Change all passwords

Yes.


HKWang

Will I still have to do all those things if I delete Emby Server from my Asustor AS-5202T and install the beta Emby Server 4.8.0.37?

 


scb99
9 hours ago, HKWang said:

Will I still have to do all those things if I delete Emby Server from my Asustor AS-5202T and install the beta Emby Server 4.8.0.37?

 

Yes you will. Deleting the Emby server from the Asustor doesn't remove its data or plugins. When you reinstall Emby whatever this dll is will just come back. 

You will need to ssh in to the Asustor to sort this out. Better wait for a dev to reply to be on the safe side. I just wanted to quickly warn you that delete and reinstall won't help and probably will make the situation worse.


HKWang

@scb99 Thank you.

@Luke I hope we get a resolution soon or at least a “for dummies” version of the guide on how to bypass this.

 

 


scb99

Hi I am typing this from memory but in the absence of an answer from Luke here is an idea

1. On the Asustor server go into Services and enable Terminal Service (ssh) on default port 22

2. From a Windows PC open a command window and type

ssh [ip address of your NAS] -l [logon]

for instance

ssh 192.168.1.1 -l admin

it will ask for your password, type it in

Now you are on the NAS and you need to find Emby's plugin directory. I'm not sure from memory where this is but try

cd /volume1/home/emby/data

then type

ls

Hopefully you see plugins

if you have found plugins, since I'm not sure what this thing is doing I think the safest thing is to just forcefully remove it, and re-add your plugins once you have reinstalled emby. This is probably overkill but better safe than sorry

the command should be simply

rm -rF plugins

if you get an error try

sudo rm -rF plugins

but I don't think on the Asustor this is necessary

Remember for security reasons to disable the terminal service again once you have done this

Regarding the hosts file I think this is in

/volume1/etc/

but you would need to edit this with vi and I think you will struggle

The easiest thing, wherever your asustor is getting its DNS from (maybe your local router?), would be to add an entry there for "emmm.spxaebjhxtmddsri.xyz" and then just any old garbage ip address

Having done this you should be able to remove Emby and reinstall the new secured version, then reinstall your desired plugins

Hope I have helped

 

 

 

Edited by scb99

HKWang

@scb99 @Luke

Thank you again. I was able to access my NAS using command prompt. I found out that the "plugins" folder was at "volume1/home/emby/plugins" and deleted it. Asustor didn't like "rm -rF plugins" but it accepted the command with lower case "f" (rm -rf plugins).

After that, I actually decided to delete the entire emby folder. So I moved up the directory and used "rm -rf emby" which (as far as I can tell) deleted the entire Emby folder. I restarted my NAS just in case, and re-installed "emby-server-asustor_4.7.12.0_x86-64.apk".

When I tried to run Emby server (connected to my NAS using Chrome), I got the error message "This site can't be reached" again.

 


Jägs

I'd suggest starting from scratch by removing the Emby folder and user, as I outline in the attached post.  Please heed the warning.

 


scb99

Hi @HKWang So sorry for the errors in what I wrote, glad you could work your way around them.

If you don't want to start from scratch you can try renaming the data directory first, then starting with a new install, and seeing if Emby is working again

1. Deinstall Emby from the Asustor

2. Rename the data directory

You can ssh into the Emby like before

Find the Emby data directory which I think is /volume1/home/emby/data

so cd /volume1/home/emby

ls

see if data is there

if it is

mv data data_backup

3. Reinstall Emby and see if it now works

If it's now working, the next thing to try would be to stop Emby, move the library.db from the data_backup into data, restart Emby and see if it still works

(a) if it works, good

(b) if it doesn't work then the problem is with a corrupted db, there is a utility DB Browser which may or may not be able to help with that


HKWang

@Jägs Thank you. It seems like I have deleted all emby related folders/files.

Still no luck after re-installing Emby Server. Kind of lost here and considering if I should "factory reset" my NAS but I don't want to lose my data.

 


HKWang

How is this done? I'm not sure if not following the below step is preventing my Asustor NAS from running Emby Server.

"Add an entry to your server machine etc/hosts file: emmm.spxaebjhxtmddsri.xyz 127.0.0.1"


Jägs
1 hour ago, HKWang said:

How is this done? I'm not sure if not following the below step is preventing my Asustor NAS from running Emby Server.

"Add an entry to your server machine etc/hosts file: emmm.spxaebjhxtmddsri.xyz 127.0.0.1"

First, you'll need to install some sort of command-line text editor.  I'd suggest "nano," as it is a simple text editor.  You can find it by typing in "nano" into App Central.

Next, after ssh'ing into your ASUSTOR, you'll want to do the following:

sudo nano /etc/hosts

You'll be prompted for your password.

In the editor, copy the "emmm.spxaebjhxtmddsri.xyz 127.0.0.1" and paste it into the editor.  

Hit CTRL+O to write the file and CTRL+X to exit.  Reboot.  That should do it.
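
For the hosts-file step discussed above, here is an added example that is not part of the original posts: a small POSIX shell script that writes the entry without needing nano or vi and then checks it. Lines in a hosts file are written address first, then host name (`127.0.0.1 emmm.spxaebjhxtmddsri.xyz`); a line pasted with the host name first is not applied by the resolver. The function names `hosts_status` and `block_host` are hypothetical helpers made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.
C2_HOST="emmm.spxaebjhxtmddsri.xyz"   # host name quoted in the advisory
SINK_IP="127.0.0.1"                   # loopback address from the advisory

# hosts_status FILE
# Prints "blocked"  if FILE maps C2_HOST to SINK_IP (address first),
#        "reversed" if the host name was pasted first (line has no effect),
#        "missing"  if there is no entry at all.
hosts_status() {
    awk -v h="$C2_HOST" -v ip="$SINK_IP" '
        { sub(/#.*/, "") }                          # ignore comments
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == h) ok = 1 }
        $1 == h  { rev = 1 }
        END {
            if (ok) print "blocked"
            else if (rev) print "reversed"
            else print "missing"
        }' "$1"
}

# block_host FILE
# Idempotently adds the entry; keeps a backup in FILE.bak and drops any
# reversed line. Needs write access to FILE (root for /etc/hosts).
block_host() {
    f="$1"
    if [ "$(hosts_status "$f")" = "blocked" ]; then
        return 0
    fi
    cp -p "$f" "$f.bak" || return 1
    awk -v h="$C2_HOST" '$1 != h' "$f.bak" > "$f" || return 1
    printf '%s %s\n' "$SINK_IP" "$C2_HOST" >> "$f"
}

# Usage on the NAS, as root:
#   block_host /etc/hosts && hosts_status /etc/hosts
```
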


HKWang
13 minutes ago, Jägs said:
sudo nano /etc/hosts

nano: error while loading shared libraries: libncurses.so.5: cannot open shared object file: No such file or directory

This is the message I received from that command.

 


Jägs

Ugh, yeah, I received that when I tried, too, but hoped it was just my NAS.  I'm not sure if there is a default command-line editor for ASUSTOR, so others can chime in if there is; otherwise, the other way to get nano is a bit more involved:

  • from App Central, install Entware
  • on the command line, run
opkg install nano

Once installed, you should be able to do the rest above...


scb99

I think vi is the default editor on Asustor

but I don't think lack of this entry would stop Emby from starting? It's just a spoof to stop the malware phoning home?


HKWang

I have found and deleted the plugins folder as well as the entire Emby folder. I am not able to get Emby Server to start after re-installing. I've tried Plex last couple days but really like Emby over it. I just hope a new stable version is released soon that doesn't require all the complicated steps in order to use it.

 


22 minutes ago, HKWang said:

I have found and deleted the plugins folder as well as the entire Emby folder. I am not able to get Emby Server to start after re-installing. I've tried Plex last couple days but really like Emby over it. I just hope a new stable version is released soon that doesn't require all the complicated steps in order to use it.

 

What happens when you try to start?


HKWang
2 minutes ago, Luke said:

What happens when you try to start?

I'm using the Chrome browser. I get into the NAS using my login and when I click on the Emby Server icon, Chrome opens a new tab using this address "http://192.168.68.10:8096" and Chrome returns the "This site can't be reached" error.

 

Emby_Error_Screenshot.jpg


Jägs

Just to confirm, on the ASUSTOR, is the numeric IP address (192.168.68.10) the same?  For example, the left-most tab in the screenshot above, where it says "HKW-ASUSTOR...," is it something like 192.168.10:8000?

Also, in App Central, does it show Emby Server as running?


Gantzed

I am having the same issue. I have deleted everything I could find Emby related and reinstalled the latest version. When I start it, Emby pops up in the processes list for a few seconds and the status is listed as Zombie. And then it disappears. I have edited the hosts file as well. For the record, many say to find emby at /volume1/home/emby and I have never found it there.
There is still something lurking on the server that is not letting Emby start properly. I can't seem to find any other locations.


scb99

Well, I'm at my desk now and can say definitively if you want to wipe Emby completely there are two locations and this time I've got it right 😉

data:

/volume1/home/emby

app:

/volume1/.@plugins/AppCentral/emby-server

uninstall Emby first then delete these two directories and I'm pretty sure it's gone

If it was me I would then do a quick scan of the Asustor's ports using your favourite port scanner and make sure nothing else is there before reinstalling Emby

Edited by scb99

Gantzed

I have, without a doubt, deleted /volume1/.@plugins/AppCentral/emby-server. In fact, it vanished on its own after I uninstalled Emby.  

I feel like there is a residual file or dependency located somewhere else. Ports are open and forwarded when it is installed. The server just doesn't start properly and run.


1 hour ago, Gantzed said:

I have, without a doubt, deleted /volume1/.@plugins/AppCentral/emby-server. In fact, it vanished on its own after I uninstalled Emby.  

I feel like there is a residual file or dependency located somewhere else. Ports are open and forwarded when it is installed. The server just doesn't start properly and run.

Is there anything under the server data folder?

Emby Server Data Folder
