wonderwond, posted February 24:

This is the second time the .0xxx ransomware has attacked me in a year. It ate all my pictures and movies. It's only related to the Emby server. This morning, three plugins installed out of the blue, then bam, was infected. Not sure if that had anything to do with it or not, but can anyone help me save my pictures and movies? I've already repaired my music.

!0XXX_DECRYPTION_README.TXT

Anyone else having the same issues? Or how to prevent it?

Happy2Play, posted February 24:

8 minutes ago, wonderwond said:
> this morning, three plugins installed out of the blue then bam was infected

Devs will want to see the server logs for this.

wonderwond, posted February 24:

Where do I find those?

Happy2Play, posted February 24 (edited):

Depends on your platform.

Emby Server Data Folder | Emby Documentation

But I do not know if the ransom issue affects these files.

Luke, posted February 24:

Also, what three plugins?

wonderwond, posted February 25:

6 hours ago, Luke said:
> Also, what three plugins?

Addic7ed 1.1.1.0
XmlTV 1.1.6.0
SubDb 1.0.7

Luke, posted February 25:

12 minutes ago, wonderwond said:
> Addic7ed 1.1.1.0
> XmlTV 1.1.6.0
> SubDb 1.0.7

OK, as requested before, we'd have to see the server log.

The XmlTV plugin is included with the server, so anytime we publish updates for it, you'll get that update. So this was not a new plugin installation, it was an update of an existing one.

wonderwond, posted February 25:

6 minutes ago, Luke said:
> OK as requested before, we'd have to see the server log. The xmltv plugin is included with the server, so anytime we publish updates for it, you'll get that update. So this was not a new plugin installation, it was an update of an existing one.

logs.zip

7 hours ago, Luke said:
> Also, what three plugins?

Addic7ed 1.1.1.0
XmlTV 1.1.6.0
SubDb 1.0.7

logs.zip

Luke, posted February 25:

8 minutes ago, wonderwond said:
> Addic7ed 1.1.1.0
> XmlTV 1.1.6.0
> SubDb 1.0.7
> logs.zip

This is a whole folder full of log files, so obviously a lot of information to sift through. So first some questions:

What makes you think this is Emby Server related?
Do you think an unknown actor accessed your server? If so, do you have any idea when?
Have you noticed any unrecognized IP addresses in the server activity viewer? If so, what, when, etc.?
Do all of your users have passwords?

Luke, posted February 25:

15 minutes ago, wonderwond said:
> Addic7ed 1.1.1.0
> XmlTV 1.1.6.0
> SubDb 1.0.7
> logs.zip

And by the way, these are not newly installed plugins. They are present in every single log that you provided. I do see where you uninstalled Addic7ed, but they were not just installed during the time of these logs.

softworkz, posted February 25:

@wonderwond This malware is very unlikely connected to Emby in any way.

You can:

Submit your data here: https://id-ransomware.malwarehunterteam.com/ to see whether there's a known decryption tool available
Further reading: https://www.bleepingcomputer.com/forums/t/753400/0xxx-nas-ransomware-0xxx-support-topic/

wonderwond, posted February 28:

On 2/25/2024 at 5:08 PM, softworkz said:
> @wonderwond This malware is very unlikely connected to Emby in any way.
> You can:
> Submit your data here: https://id-ransomware.malwarehunterteam.com/ to see whether there's a known decryption tool available
> Further reading: https://www.bleepingcomputer.com/forums/t/753400/0xxx-nas-ransomware-0xxx-support-topic/

Maybe not, but all I do know is that it only affected folders on Emby. No other folder or drive was infected by it, just Emby media folders that were used.

softworkz, posted February 28:

14 minutes ago, wonderwond said:
> maybe not, but all I do know is that it only affected folders on Emby, no other folder or drive was infected by it, just Emby media folders that were used

Emby does not set the permissions on your media folders, that's something that you do.