Server security compromised?


151 replies to this topic

#1 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 08:59 PM

Hi

 

I've just tried to log into my Emby server and none of my users are defined, and two users that I most certainly have not defined are registered: "Doom" and "Droidman683522".

 

I've closed the server but where do I go from here? What has happened and why?

 



#2 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 137604 posts
  • Local time: 04:38 AM

Posted 30 March 2019 - 09:22 PM

Hi, did your users have passwords?



#3 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 09:27 PM

Yes but all three have disappeared from the system



#4 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 09:46 PM

Plus Emby should not be open to anything outside my personal network



#5 Gilgamesh_48 OFFLINE  

Gilgamesh_48

    Advanced Member

  • Members
  • 742 posts
  • Local time: 04:38 AM
  • LocationTennessee

Posted 30 March 2019 - 09:58 PM

During setup the question is asked "Do you want Emby to allow connections outside your network" (or something like that). The default is "yes", so unless you changed it, it is possible to share your library. More actions are required to actually share your library, but you can stop all sharing outside your network by simply changing that setting to off. Since I do not ever share, I have that turned off.



#6 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 30 March 2019 - 10:09 PM

Depending how old your installation is, that option is available in Dashboard-Advanced-"Allow remote connections to this Emby Server".

 

Were these users local users or Emby Connect users (invited guests)?

 

The cloud represents Connect users, but could mean a linked local user with a linked Connect account.

 

For example, Media is a local user linked to Connect, where the other two are invited Connect guests.

 

[attached screenshot: users.jpg]

 

[attached screenshot: users2.jpg]


Edited by Happy2Play, 30 March 2019 - 10:13 PM.


#7 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 10:25 PM

Guys, great info, but I have no access to my system so I can't check anything, and my Emby system is years old, so as far as I remember I disabled external access as it was not something that I would ever use.



#8 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 30 March 2019 - 10:33 PM

Guys, great info, but I have no access to my system so I can't check anything, and my Emby system is years old, so as far as I remember I disabled external access as it was not something that I would ever use.

 

What do you mean you have no access? Are you saying you are locked out, or the password will not work?



#9 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 10:38 PM

All of my users have been deleted and replaced by the two mentioned in my first post



#10 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 30 March 2019 - 10:48 PM

The devs will need to see all your server logs, assuming this was done within the last 72hrs as that is as long as the server logs are maintained.
 
I assume you have access to the machine Emby is installed on. I would click "forgot password" and enter one of those displayed names (it will only work if one of them is an admin account); that will tell you to go to a text file in "*\Emby-Server\programdata\passwordreset.txt" with a PIN number and a link to remove the password. Then log in with that account.

Only issue I see is if the admin account is hidden. If that is the case then I can talk you through some other steps.

Edited by Happy2Play, 30 March 2019 - 10:48 PM.


#11 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 10:57 PM

Link to latest log [now removed]

 

There's a reference to Droidman at 2019-03-31 00:31:49.030

 

and two more later on.

 

The IP address 172.58.4.19 is for T-Mobile in the US. I'm in the UK!

 

Have a look at 2019-03-31 00:28:05.099 and following; it looks like they got access via my "HTPC" user, however, that account did not have admin rights.


Edited by PoBear, 31 March 2019 - 12:46 AM.


#12 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 11:03 PM

I can't do a password reset; the button is not working. Does this mean that neither is an admin account?



#13 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 11:07 PM

What access would someone have outside of Emby if this is a hack? Could they get access to the machine it is running on? What about the network?

 

How do I delete Emby from my system totally? Will any Registry information be left? What about files other than media content?


Edited by PoBear, 30 March 2019 - 11:12 PM.


#14 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 30 March 2019 - 11:25 PM

The log clearly shows remote access to Emby via the remote-access wanip:port from a 172.x.x.x address, and the deleting of user accounts.

 

**You can see the email addresses of the users added also.

	Line 135: 2019-03-31 00:28:52.824 Info UserManager: Authentication request for HTPC has succeeded.
	Line 536: 2019-03-31 00:30:53.828 Info UserManager: Authentication request for HTPC has succeeded.
	Line 612: 2019-03-31 00:31:04.365 Info UserManager: Authentication request for Server has succeeded.
	Line 625: 2019-03-31 00:31:11.277 Info UserManager: Authentication request for Server has succeeded.
	Line 812: 2019-03-31 00:32:14.346 Info UserManager: Authentication request for Droidman683522 has succeeded.
	Line 924: 2019-03-31 00:33:08.789 Info UserManager: Authentication request for Doom has succeeded.
	Line 1068: 2019-03-31 00:33:45.260 Info UserManager: Authentication request for Droidman683522 has succeeded.

@Luke should there be anything done about these Connect users also?

 

 

I can't do a password reset; the button is not working. Does this mean that neither is an admin account?

 

Don't know what not working means.  You should get a pop-up message showing it worked or a message to contact your administrator to reset the password.

 

 

What access would someone have outside of Emby if this is a hack? Could they get access to the machine it is running on? What about the network?

 

How do I delete Emby from my system totally? Will any Registry information be left? What about files other than media content?

Well, it isn't that easy, but I guess they could sort of navigate via library "add folders".

 

There is no registry information. Just uninstall Emby and select "Remove all".


Edited by Happy2Play, 31 March 2019 - 12:34 AM.
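The triage Happy2Play and PoBear are doing by hand above (picking out the "Authentication request for X has succeeded." lines, and checking which client addresses are actually outside the LAN) can be scripted. The following is an added example, not Emby's code and not anything posted in this thread. It assumes the UserManager wording quoted above; the "HttpServer: HTTP Response ... to <ip>" lines that carry the client address, the server's WAN address, and the known-user list are all constructed for the example and are assumptions about the log format, not taken from the real log.

```python
"""Triage an Emby server log for signs of remote account takeover.

Added example (not Emby project code, not from this thread). Only the
'UserManager: Authentication request for X has succeeded.' wording is taken
from the thread; the HttpServer response lines and the server/client
addresses below are constructed sample data.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample log in the 'YYYY-MM-DD HH:MM:SS.mmm Level Source: msg'
# layout seen in the thread. 203.0.113.7 stands in for the WAN address.
SAMPLE_LOG = """\
2019-03-31 00:28:05.099 Info HttpServer: HTTP Response 200 to 172.58.4.19. Time: 7ms. http://203.0.113.7:8096/emby/Users/Public
2019-03-31 00:28:52.824 Info UserManager: Authentication request for HTPC has succeeded.
2019-03-31 00:28:52.861 Info HttpServer: HTTP Response 200 to 172.58.4.19. Time: 41ms. http://203.0.113.7:8096/emby/Users/AuthenticateByName
2019-03-31 00:29:30.015 Info UserManager: Authentication request for Media has succeeded.
2019-03-31 00:29:30.020 Info HttpServer: HTTP Response 200 to 192.168.1.20. Time: 4ms. http://192.168.1.10:8096/emby/Users/AuthenticateByName
2019-03-31 00:31:04.365 Info UserManager: Authentication request for Server has succeeded.
2019-03-31 00:31:04.400 Info HttpServer: HTTP Response 200 to 172.58.4.19. Time: 30ms. http://203.0.113.7:8096/emby/Users/AuthenticateByName
2019-03-31 00:32:14.346 Info UserManager: Authentication request for Droidman683522 has succeeded.
2019-03-31 00:32:14.390 Info HttpServer: HTTP Response 200 to 172.58.4.19. Time: 39ms. http://203.0.113.7:8096/emby/Users/AuthenticateByName
2019-03-31 00:33:08.789 Info UserManager: Authentication request for Doom has succeeded.
2019-03-31 00:33:08.820 Info HttpServer: HTTP Response 200 to 172.58.4.19. Time: 28ms. http://203.0.113.7:8096/emby/Users/AuthenticateByName
"""

# Assumed legitimate accounts (the thread names HTPC and Server; Media is made up).
KNOWN_USERS = {"HTPC", "Server", "Media"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+) "
    r"(?P<source>[A-Za-z]+): (?P<msg>.*)$"
)
AUTH_OK_RE = re.compile(r"^Authentication request for (?P<user>.+?) has succeeded\.$")
# Assumed shape of the HTTP response line; constructed for this example.
HTTP_RESP_RE = re.compile(
    r"^HTTP Response (?P<status>\d{3}) to (?P<ip>[0-9a-fA-F.:]+)\. Time: \d+ms\. (?P<url>\S+)$"
)


def parse_line(line):
    """Split one log line into timestamp, level, source and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def is_external(ip_text):
    """True when the client address is reachable from the internet.

    Note that RFC 1918 covers only 172.16.0.0/12, so 172.58.4.19 is a public
    address even though it starts with 172.
    """
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified)


def triage(log_text, known_users, correlate_within=timedelta(seconds=5)):
    """Return external client IPs, logins by unknown users, and logins
    attributable to an external client."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    logins, responses = [], []
    for r in records:
        if r["source"] == "UserManager":
            m = AUTH_OK_RE.match(r["msg"])
            if m:
                logins.append((r["ts"], m.group("user")))
        elif r["source"] == "HttpServer":
            m = HTTP_RESP_RE.match(r["msg"])
            if m:
                responses.append((r["ts"], m.group("ip"), m.group("url")))

    external_clients = sorted({ip for _, ip, _ in responses if is_external(ip)})
    unknown_logins = [(ts, u) for ts, u in logins if u not in known_users]

    # Attribute each successful login to the client whose AuthenticateByName
    # response is logged within a few seconds after it.
    external_logins = []
    for ts, user in logins:
        for rts, ip, url in responses:
            if ts <= rts <= ts + correlate_within and url.endswith("/Users/AuthenticateByName"):
                if is_external(ip):
                    external_logins.append((ts, user, ip))
                break
    return {"external_clients": external_clients,
            "unknown_logins": unknown_logins,
            "external_logins": external_logins}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, KNOWN_USERS)
    print("External clients:", ", ".join(result["external_clients"]))
    for ts, user in result["unknown_logins"]:
        print(f"{ts} login by account not in known list: {user}")
    for ts, user, ip in result["external_logins"]:
        print(f"{ts} {user} authenticated from external address {ip}")
```

Run it against a real Emby log by replacing SAMPLE_LOG with the file contents and KNOWN_USERS with the accounts you actually created; anything it reports for an account you did not create, or from an address `is_external` accepts, is what you would forward to the developers. Do the triage promptly, since the thread notes the server keeps about 72 hours of logs.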


#15 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 30 March 2019 - 11:34 PM

From what I can see they have somehow managed to corrupt the HTML for the sign-in page, as the buttons are all labelled xxxbutton, and I'm pretty sure that the reset button is not actually doing anything as the browser's "working" spinner doesn't move when I click on it. There's a reference to the branding information at 2019-03-31 00:31:03.239 in the log.



#16 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 30 March 2019 - 11:41 PM

From what I can see they have somehow managed to corrupt the HTML for the sign-in page, as the buttons are all labelled xxxbutton, and I'm pretty sure that the reset button is not actually doing anything as the browser's "working" spinner doesn't move when I click on it. There's a reference to the branding information at 2019-03-31 00:31:03.239 in the log.

 

Would need to see a screenshot to understand what you are seeing. But the log does show 2 external IP addresses accessing your Emby server.



#17 PoBear OFFLINE  

PoBear

    Advanced Member

  • Members
  • 184 posts
  • Local time: 09:38 AM

Posted 31 March 2019 - 12:05 AM

I've deleted the installation so no screenshots, I'm afraid, but I think they have managed to install new HTML templates via the branding option, which has disabled some of the buttons on the sign-in screen and in particular password reset.

 

How did they gain control of the system given the user was not an admin?


Edited by PoBear, 31 March 2019 - 12:16 AM.


#18 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 31 March 2019 - 12:17 AM

I've deleted the installation so no screenshots, I'm afraid, but I think they have managed to install new HTML templates via the branding option, which has disabled some of the buttons on the sign-in screen and in particular password reset.

 

How did they gain control of the system given the user was not an admin?

 

I guess the first question would be: did your admin user have a password set?

 

As for connectivity, if you did not port-forward the default ports I can only guess that UPnP port mapping was enabled in Emby and on your router, as the connection was via your WAN address with Emby's default port.



#19 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15617 posts
  • Local time: 01:38 AM
  • LocationWashington State

Posted 31 March 2019 - 12:25 AM

I would remove the link to your log and PM it to Luke (with a link to this topic) due to the information in it.


Edited by Happy2Play, 31 March 2019 - 12:26 AM.


#20 Dwarf OFFLINE  

Dwarf

    Member

  • Members
  • 20 posts
  • Local time: 10:38 AM

Posted 31 March 2019 - 03:54 AM

Hi guys, I had a possible break-in attempt yesterday from an IP address in Hamburg, Germany. They did not get in, but I thought I would let you all know as this topic is related. My users all have passwords.



