Server security compromised?


PoBear


PoBear

Hi

 

I've just tried to log into my Emby server and none of my users are defined, and two users that I most certainly have not defined are registered: "Doom" and "Droidman683522".

 

I've closed the server but where do I go from here? What has happened and why?

 


Gilgamesh_48

During setup the question is asked "Do you want Emby to allow connections outside your network". (Or something like that.) The default is "yes", so unless you changed it, it is possible to share your library. More actions are required to actually share your library, but you can stop all sharing outside your network by simply changing that setting to off. Since I do not ever share, I have that turned off.


Happy2Play

Depending how old your installation is, that option is available in Dashboard-Advanced-"Allow remote connections to this Emby Server".

 

Were these users local users or Emby Connect users (invited guests)?

 

The cloud represents Connect users, but could mean a linked local user with a linked Connect account.

 

For example, Media is a local user linked to Connect, where the other two are invited Connect guests.

 

[attached screenshots: users.jpg and users2.jpg]


PoBear

Guys, great info, but I have no access to my system so I can't check anything, and my Emby system is years old, so as far as I remember I disabled external access as it was not something that I would ever use.


Happy2Play

Guys, great info, but I have no access to my system so I can't check anything, and my Emby system is years old, so as far as I remember I disabled external access as it was not something that I would ever use.

 

What do you mean you have no access? Are you saying you are locked out, or the password will not work?


Happy2Play

The devs will need to see all your server logs, assuming this was done within the last 72 hrs, as that is as long as the server logs are maintained.

 

I assume you have access to the machine Emby is installed on. I would click "forgot password" and enter one of those displayed names (it will only work if one of them is an admin account); that will tell you to go to a text file in "*\Emby-Server\programdata\passwordreset.txt" with a PIN number and a link to remove the password. Then log in with that account.

 

The only issue I see is if the admin account is hidden. If that is the case, then I can talk you through some other steps.


PoBear

Link to latest log [now removed]

 

There's a reference to Droidman at 2019-03-31 00:31:49.030

 

and two more later on.

 

The IP address 172.58.4.19 is for T-Mobile in the US. I'm in the UK!

 

Have a look at 2019-03-31 00:28:05.099 and following; it looks like they got access via my "HTPC" user, however, that account did not have admin rights.


PoBear

I can't do a password reset, the button is not working. Does this mean that neither is an admin account?


PoBear

What access would someone have outside of Emby if this is a hack? Could they get access to the machine it is running on? What about the network?

 

How do I delete Emby from my system totally? Will any Registry information be left, and what about files other than media content?


Happy2Play

The log clearly shows remote access to Emby via remote access wanip:port from a 172.x.x.x address, and the deleting of user accounts.

 

**You can see the email addresses of the added users also.

	Line 135: 2019-03-31 00:28:52.824 Info UserManager: Authentication request for HTPC has succeeded.
	Line 536: 2019-03-31 00:30:53.828 Info UserManager: Authentication request for HTPC has succeeded.
	Line 612: 2019-03-31 00:31:04.365 Info UserManager: Authentication request for Server has succeeded.
	Line 625: 2019-03-31 00:31:11.277 Info UserManager: Authentication request for Server has succeeded.
	Line 812: 2019-03-31 00:32:14.346 Info UserManager: Authentication request for Droidman683522 has succeeded.
	Line 924: 2019-03-31 00:33:08.789 Info UserManager: Authentication request for Doom has succeeded.
	Line 1068: 2019-03-31 00:33:45.260 Info UserManager: Authentication request for Droidman683522 has succeeded.

@Luke should there be anything done about these Connect users also?

 

 

I can't do a password reset, the button is not working. Does this mean that neither is an admin account?

 

Don't know what "not working" means. You should get a pop-up message showing it worked, or a message to contact your administrator to reset the password.

 

 

What access would someone have outside of Emby if this is a hack? Could they get access to the machine it is running on? What about the network?

 

How do I delete Emby from my system totally? Will any Registry information be left, and what about files other than media content?

Well, it isn't that easy, but I guess they could sort of navigate via library "add folders".

 

There is no registry information. Just uninstall Emby and select "Remove all".

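An added example of how to triage a log like the one quoted above; this is not code from the thread or from Emby. It parses "Authentication request for ... has succeeded" lines in the format shown, lists accounts that are not on an allowlist of legitimate users (the allowlist is an assumption; on the server above it would be the accounts the owner actually created), and for each unknown account reports which known accounts logged in during the preceding minutes, which is the likely foothold. The sample log below is constructed in the same format as the quoted lines; the 10-minute window is a chosen default, not an Emby setting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in the format of the Emby server lines quoted in the thread.
SAMPLE_LOG = """\
2019-03-31 00:28:52.824 Info UserManager: Authentication request for HTPC has succeeded.
2019-03-31 00:30:53.828 Info UserManager: Authentication request for HTPC has succeeded.
2019-03-31 00:31:04.365 Info UserManager: Authentication request for Server has succeeded.
2019-03-31 00:31:11.277 Info UserManager: Authentication request for Server has succeeded.
2019-03-31 00:32:14.346 Info UserManager: Authentication request for Droidman683522 has succeeded.
2019-03-31 00:33:08.789 Info UserManager: Authentication request for Doom has succeeded.
2019-03-31 00:33:45.260 Info UserManager: Authentication request for Droidman683522 has succeeded.
"""

# Only the success line format shown in the thread is matched.
AUTH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) Info UserManager: "
    r"Authentication request for (?P<user>\S+) has succeeded\.$"
)


def parse_auth_events(log_text):
    """Return [(timestamp, user), ...] for every successful authentication line."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user")))
    return events


def first_logins_of_unknown_users(events, known_users):
    """Map each account not on the allowlist to the time of its first successful login."""
    first_seen = {}
    for ts, user in events:
        if user not in known_users and user not in first_seen:
            first_seen[user] = ts
    return first_seen


def preceding_known_logins(events, known_users, when, window=timedelta(minutes=10)):
    """Known-account logins inside the window before `when`: the likely foothold."""
    return [(ts, u) for ts, u in events if u in known_users and when - window <= ts < when]


def triage(log_text, known_users, window=timedelta(minutes=10)):
    """Build a report: unknown account -> first login and the known accounts used just before."""
    events = parse_auth_events(log_text)
    report = {}
    for user, ts in first_logins_of_unknown_users(events, known_users).items():
        prior = preceding_known_logins(events, known_users, ts, window)
        report[user] = {
            "first_seen": ts.isoformat(sep=" ", timespec="milliseconds"),
            "preceded_by": sorted({u for _, u in prior}),
        }
    return report


if __name__ == "__main__":
    # The allowlist is an assumption for this sample: the two accounts the owner created.
    for user, info in triage(SAMPLE_LOG, {"HTPC", "Server"}).items():
        print(f"{user}: first seen {info['first_seen']}, preceded by {info['preceded_by']}")
```

Run it against a real emby-server log (after stripping anything you do not want to share) with the real list of accounts; any name in the report that you did not create is the same signal the thread found by reading the log by hand, and the "preceded_by" list tells you which existing account to treat as compromised and reset first.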

PoBear

From what I can see they have somehow managed to corrupt the HTML for the sign-in page, as the buttons are all labelled xxxbutton, and I'm pretty sure that the reset button is not actually doing anything as the browser's "working" spinner doesn't move when I click on it. There's a reference to the branding information at 2019-03-31 00:31:03.239 in the log.


Happy2Play

From what I can see they have somehow managed to corrupt the HTML for the sign-in page, as the buttons are all labelled xxxbutton, and I'm pretty sure that the reset button is not actually doing anything as the browser's "working" spinner doesn't move when I click on it. There's a reference to the branding information at 2019-03-31 00:31:03.239 in the log.

 

Would need to see a screenshot to understand what you are seeing. But the log does show 2 external IP addresses accessing your Emby server.


PoBear

I've deleted the installation so no screenshots I'm afraid, but I think they have managed to install new HTML templates via the branding option, which has disabled some of the buttons on the sign-in screen and in particular password reset.

 

How did they gain control of the system given the user was not an admin?


Happy2Play

I've deleted the installation so no screenshots I'm afraid, but I think they have managed to install new HTML templates via the branding option, which has disabled some of the buttons on the sign-in screen and in particular password reset.

 

How did they gain control of the system given the user was not an admin?

 

I guess the first question would be: did your admin user have a password set?

 

As for connectivity, if you did not port forward the default ports, I can only guess that UPnP port mapping was enabled in Emby and on your router, as the connection was via your WAN address with Emby's default port.


Happy2Play

I would remove the link to your log and PM it to Luke (with a link to this topic) due to the information in it.


Hi guys, I had a possible break-in attempt yesterday from an IP address in Hamburg, Germany. They did not get in, but I thought I would let you all know as this topic is related. My users all have passwords.


PoBear

I guess the first question would be: did your admin user have a password set?

 

As for connectivity, if you did not port forward the default ports, I can only guess that UPnP port mapping was enabled in Emby and on your router, as the connection was via your WAN address with Emby's default port.

 

I thought the users had passwords, but the system was set up so long ago that I can't confirm it.

 

Definitely do not have UPnP mapping defined on my router.


PoBear

Hi guys, I had a possible break-in attempt yesterday from an IP address in Hamburg, Germany. They did not get in, but I thought I would let you all know as this topic is related. My users all have passwords.

 

Is your system set up for Connect?


m326697

Folks I had the same problem.

First User was Doom...Emby Connect username was TheBestTV

Second User ...Droidman683522 ... Emby Connect...Droidman683522

 

All of a sudden I have the same users listed on my Emby Server and my account was deleted.

User Mikestang has been deleted from Emby Server
3/30/2019 8:36:36 pm

How can this be possible??

Happy2Play

 

Folks I had the same problem.

First User was Doom...Emby Connect username was TheBestTV

Second User ...Droidman683522 ... Emby Connect...Droidman683522

 

All of a sudden I have the same users listed on my Emby Server and my account was deleted.

User Mikestang has been deleted from Emby Server
3/30/2019 8:36:36 pm

How can this be possible?

 

 

Do you have server logs you can PM?

 

 

The only way I know of would be accessing your local account that does not have a password.

 

@Luke shouldn't something be done about these identified accounts?

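Happy2Play's point above, that a local account with no password is the likely way in, can be checked on a running server rather than from memory. The following is an added example and not Emby's own tooling: it audits the user list for accounts with no password and flags them by how exposed they are (administrator, remote access enabled, or local-only), and separately notes hidden administrators, which do not show on the login screen and so would block the "forgot password" route discussed earlier. The `fetch_users` helper, the `/emby/Users` endpoint, the `X-Emby-Token` header, and the field names `HasPassword`, `Policy.IsAdministrator`, `Policy.EnableRemoteAccess` and `Policy.IsHidden` are assumptions based on Emby's user API and should be checked against your server version; the user list below is constructed and does not describe the server in this thread.

```python
import json
import urllib.request

# Constructed sample in the shape of an Emby /emby/Users response. The field names are an
# assumption based on Emby's user DTO; verify them against your own server's output.
SAMPLE_USERS = json.loads("""
[
  {"Name": "Media",  "HasPassword": true,
   "Policy": {"IsAdministrator": true,  "EnableRemoteAccess": true,  "IsHidden": false}},
  {"Name": "HTPC",   "HasPassword": false,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": true,  "IsHidden": false}},
  {"Name": "Kids",   "HasPassword": false,
   "Policy": {"IsAdministrator": false, "EnableRemoteAccess": false, "IsHidden": false}},
  {"Name": "Backup", "HasPassword": false,
   "Policy": {"IsAdministrator": true,  "EnableRemoteAccess": false, "IsHidden": true}}
]
""")

SEVERITY_ORDER = ["info", "low", "high", "critical"]


def fetch_users(base_url, api_key):
    """Pull the user list from a live server (hypothetical helper; not exercised here).

    Assumes the /emby/Users endpoint and the X-Emby-Token API key header.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/emby/Users",
        headers={"X-Emby-Token": api_key},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_users(users):
    """Return a list of (severity, user name, reason) findings for risky accounts."""
    findings = []
    for u in users:
        name = u.get("Name", "?")
        policy = u.get("Policy", {})
        is_admin = bool(policy.get("IsAdministrator"))
        if is_admin and policy.get("IsHidden"):
            findings.append(("info", name, "hidden administrator (not shown on the login screen)"))
        if u.get("HasPassword"):
            continue  # a password is set; nothing further to flag on this check
        if is_admin:
            findings.append(("critical", name, "administrator account with no password"))
        elif policy.get("EnableRemoteAccess"):
            findings.append(("high", name, "remote-enabled account with no password"))
        else:
            findings.append(("low", name, "local-only account with no password"))
    return findings


def worst_severity(findings):
    """Highest severity present, or None when there are no findings."""
    return max((f[0] for f in findings), key=SEVERITY_ORDER.index, default=None)


if __name__ == "__main__":
    # Against a live server you would call fetch_users("http://server:8096", "<api key>") instead.
    results = audit_users(SAMPLE_USERS)
    for severity, name, reason in sorted(results, key=lambda f: -SEVERITY_ORDER.index(f[0])):
        print(f"[{severity:8}] {name}: {reason}")
    print("worst:", worst_severity(results))
```

A "high" or "critical" finding on a server that also has "Allow remote connections to this Emby Server" enabled is the combination the thread describes: a passwordless account reachable from the WAN. Set a password on every account, or disable remote access for the ones that do not need it, before re-exposing the server.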
