
Hack of Emby Server - FreeNAS Jail


TheDrifter363


TheDrifter363

Hi,


I have a friend who's running an Emby server on FreeNAS in a jail. Instead of using the FreeNAS plugin, we decided to use the FreeBSD package, as that might be more recently updated. Regardless, the server was running well until he noticed that someone had hacked into his Emby server, deleted all the users, and created two new user accounts. We decided to delete the jail and start from scratch, but not before looking at the logs and seeing when and how the hack happened. I am posting here, on behalf of him, to determine how the hacker gained access to the Emby server. The Emby server is running through a reverse proxy to another jail running nginx. The proxy is HTTPS secured, with a Let's Encrypt certificate, so SSL is not an issue. I don't know if the fault was a security hole in Emby, or in nginx, or bad user practice. I am posting here to figure that out. I will post the log that specifically shows when the hack occurred. I think it was around 16:15:00 hours. The reverse proxy, nginx, is running on internal IP address 192.168.1.250, and the Emby server is running on 192.168.1.248. The attached txt file should not have any personal information, but in case I let something slip, please let me know and I can delete the offending information and resubmit the txt file. Thank you.

embyserver-63689584778.txt

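Added example, not code from the thread or from Emby: a small triage script in Python that does the two things this post is asking for, build a timeline of the user deletions and creations and count failed logins just before them. The log format and the sample lines are constructed for illustration (Emby's real log lines look different); the only page-specific value is the nginx jail address 192.168.1.250, which the check at the end uses to show that a log sitting behind a reverse proxy records the proxy, not the real source, as the client.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in an illustrative format (not real Emby output).
# Every client address is the nginx jail, 192.168.1.250, because the proxy
# terminates the connection; that is what a reverse-proxied log looks like.
SAMPLE_LOG = """\
2019-01-01 16:10:41 Info  Auth: AuthenticateByName failed for user=bob client=192.168.1.250
2019-01-01 16:10:44 Info  Auth: AuthenticateByName failed for user=bob client=192.168.1.250
2019-01-01 16:10:47 Info  Auth: AuthenticateByName failed for user=bob client=192.168.1.250
2019-01-01 16:11:02 Info  Auth: AuthenticateByName succeeded for user=bob client=192.168.1.250
2019-01-01 16:14:58 Info  Users: Deleted user id=1 name=alice client=192.168.1.250
2019-01-01 16:15:01 Info  Users: Deleted user id=2 name=bob client=192.168.1.250
2019-01-01 16:15:09 Info  Users: Created user id=3 name=admin2 client=192.168.1.250
2019-01-01 16:15:12 Info  Users: Created user id=4 name=svc client=192.168.1.250
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +\w+ +"
                     r"(?P<src>\w+): (?P<msg>.*?) client=(?P<ip>\S+)$")

def parse_log(text):
    """One dict per parseable line (ts, src, msg, ip); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events

def account_changes(events):
    """Timeline of user deletions and creations: the 'when' the post asks about."""
    return [(e["ts"].strftime("%H:%M:%S"), e["msg"]) for e in events
            if e["src"] == "Users" and e["msg"].split()[0] in ("Deleted", "Created")]

def failed_logins_before(events, first_change, window=timedelta(minutes=10)):
    """Failed logins per user in the window before the first account change
    (a burst here points at password guessing rather than a software bug)."""
    counts = Counter()
    for e in events:
        if e["src"] == "Auth" and "failed" in e["msg"] \
                and first_change - window <= e["ts"] < first_change:
            counts[re.search(r"user=(\S+)", e["msg"]).group(1)] += 1
    return counts

def client_ips_hidden_by_proxy(events, proxy_ip):
    """True when every client address is the proxy itself: this log then cannot
    name the real source, so the nginx access log has to be correlated instead."""
    return {e["ip"] for e in events} == {proxy_ip}
```

With the sample above, the timeline starts at 16:14:58 after three failed logins for "bob", and the proxy check returns True, which is why the nginx jail's access log is the next thing to pull.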

TheDrifter363


Thank you very much. For my friend, he actually had passwords on all his user accounts, plus a reverse proxy with SSL security. I'm not sure if this was a JavaScript or some other exploit in Emby. I saw a link somewhere around here that said that Emby was vulnerable to said script exploit. Regardless, thank you. Separating the admin account from the user accounts appears to be prudent, as well as setting all media to read-only so the admin cannot delete anything.


I saw a link somewhere around here that said that emby was vulnerable to said script exploit. 


Hi. We are not aware of any such exploit. Can you please point us to where you saw that?


Thanks.

