TheDrifter363, posted April 4, 2019

Hi, I have a friend who's running an Emby server on FreeNAS in a jail. Instead of using the FreeNAS plugin, we decided to use the FreeBSD package, as that might be more recently updated. Regardless, the server was running well, until he noticed that someone had hacked into his Emby server, deleted all the users, and created two new user accounts. We decided to delete the jail and start from scratch, but not before looking at the logs to see when and how the hack happened. I am posting here, on behalf of him, to determine how the hacker gained access to the Emby server.

The Emby server is running through a reverse proxy to another jail running nginx. The proxy is HTTPS secured, with a Let's Encrypt certificate, so SSL is not an issue. I don't know if the fault was with a security hole in Emby, or nginx, or bad user practice. I am posting here to figure that out. I will post the log that specifically shows when the hack occurred. I think it was around 16:15:00 hours. The reverse proxy, nginx, is running on internal IP address 192.168.1.250, and the Emby server is running on 192.168.1.248.

The attached txt file should not have any personal information, but in case I let something slip, please let me know and I can delete the offending information and resubmit the txt file. Thank you.

Attachment: embyserver-63689584778.txt
Happy2Play, posted April 4, 2019

It is related to these topics. You can see the IP at "2019-03-30 16:06:23.337".

https://emby.media/community/index.php?/topic/71982-server-security-compromised
https://emby.media/community/index.php?/topic/72074-41014-hacked/
TheDrifter363, posted April 6, 2019

> It is related to these topics. You can see the IP at "2019-03-30 16:06:23.337".
> https://emby.media/community/index.php?/topic/71982-server-security-compromised
> https://emby.media/community/index.php?/topic/72074-41014-hacked/

Thank you very much. For my friend, he actually had passwords on all his user accounts, plus a reverse proxy with SSL security. I'm not sure if this was a JavaScript or some other exploit in Emby. I saw a link somewhere around here that said that Emby was vulnerable to said script exploit. Regardless, thank you. Separating the admin account from the user account appears to be prudent, as well as setting all media to read-only so the admin cannot delete anything.
ebr, posted April 6, 2019

> I saw a link somewhere around here that said that Emby was vulnerable to said script exploit.

Hi. We are not aware of any such exploit. Can you please point us to where you saw that? Thanks.