Emby shows unknown users

connect users login server

35 replies to this topic

#1 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 02 May 2019 - 07:46 PM

All of a sudden I can no longer get into Emby??

When I start Emby in Windows 10 it shows 2 unknown users. 1-computerguyiptv and 2-doom. I have no idea who they are? When I try to log in with my credentials it doesn't recognize my account.

I first noticed a problem when I was trying to access it on Roku and it showed my server name with additional info after that "LIVETV VOD AND MORE". I have no idea where that came from either??

So........what should I do to resolve this without losing all my media?

 

Thanks in advance.

 

 



#2 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 14741 posts
  • Local time: 01:04 PM
  • LocationWashington State

Posted 02 May 2019 - 08:00 PM

Shut down Emby server until resolved.

Unfortunately that would mean your server setup has been compromised. I would PM your logs to @Luke.
 
https://emby.media/c...ty-compromised/


Edited by Happy2Play, 02 May 2019 - 08:12 PM.


#3 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 02 May 2019 - 08:38 PM

Emby server is shut down and I am currently doing a full system scan for viruses.

I located the logs and will forward to Luke.

Thanks for the quick response.



#4 wayloncovil OFFLINE  

wayloncovil

    Advanced Member

  • Members
  • 52 posts
  • Local time: 01:04 PM

Posted 02 May 2019 - 08:54 PM

> Emby server is shut down and I am currently doing a full system scan for viruses.
>
> I located the logs and will forward to Luke.
>
> Thanks for the quick response.

@Doebert,

I'm sorry your system was compromised. This is a big deal.

Once you figure out what happened, please let us know so we can be educated so we can prevent this from happening to ourselves.

Thanks!



#5 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 14741 posts
  • Local time: 01:04 PM
  • LocationWashington State

Posted 02 May 2019 - 09:01 PM

Did your admin user have a set password?



#6 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 02 May 2019 - 09:03 PM

> @Doebert,
>
> I'm sorry your system was compromised. This is a big deal.
>
> Once you figure out what happened, please let us know so we can be educated so we can prevent this from happening to ourselves.
>
> Thanks!

Will do.

I have rock solid virus protection and the complete system scan shows no threats.

I was thinking a system restore may work,  but I am not doing anything until the Admins review.

Also from a quick look @ my libraries it looks like all my media is OK, but will confirm later.



#7 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 02 May 2019 - 09:03 PM

> Did your admin user have a set password?

Yes



#8 darkassassin07 OFFLINE  

darkassassin07

    Advanced Member

  • Members
  • 645 posts
  • Local time: 01:04 PM

Posted 02 May 2019 - 09:59 PM

This exact case has come up several times in the last couple months. It has always come down to users on the server having no password or a very weak password as well as admin rights on the server. A malicious third party has been getting into servers through poorly set up user accounts.

This can be made easier for hackers if you have 'my easy pincode' set up for easy LAN access, and a reverse proxy that isn't correctly passing the client's IP address, making all connections look like LAN access.
I had that issue, where users that had a strong password set up as well as a blank pin code for password-less LAN login could log in outside the LAN without a pass because the Emby server saw the proxy as the client instead of seeing the client that's connected to the proxy.
  • Happy2Play likes this
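
The reverse-proxy failure described in post #8, as an added example that is not part of the original thread and is not Emby's code: a server that treats the TCP peer as the client sees every proxied request as LAN traffic, while one that reads `X-Forwarded-For` only from a known proxy does not. The proxy address, the function names and the sample requests are all constructed for illustration.

```python
import ipaddress

# Assumptions for this sketch: private ranges count as "LAN", and the
# reverse proxy sits at 192.168.1.10 (constructed address).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.10")}

def is_lan(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def naive_client_ip(peer, headers):
    # Failure mode from the post: the proxy's own address is taken as the
    # client, so every proxied connection looks like LAN access.
    return peer

def real_client_ip(peer, headers):
    # Direct connection: the header is client-controlled, so ignore it.
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")
            if h.strip()]
    # Walk right to left: the right-most entry was appended by our proxy,
    # anything further left may have been supplied by the client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None          # malformed header: fail closed
        if ip not in TRUSTED_PROXIES:
            return str(ip)
    return None                  # proxy passed no client address: fail closed

def allow_passwordless_login(client_ip):
    # Password-less (blank PIN) login is only ever acceptable from the LAN.
    return client_ip is not None and is_lan(client_ip)

# Constructed requests: (TCP peer, request headers)
VIA_PROXY = ("192.168.1.10", {"X-Forwarded-For": "203.0.113.7"})
VIA_PROXY_SPOOFED = ("192.168.1.10",
                     {"X-Forwarded-For": "192.168.1.5, 203.0.113.7"})
VIA_PROXY_NO_HEADER = ("192.168.1.10", {})
DIRECT_LAN = ("192.168.1.23", {})
DIRECT_WAN_SPOOFED = ("198.51.100.4", {"X-Forwarded-For": "192.168.1.5"})
```
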

#9 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 02 May 2019 - 10:36 PM

> This exact case has come up several times in the last couple months. It has always come down to users on the server having no password or a very weak password as well as admin rights on the server. A malicious third party has been getting into servers through poorly set up user accounts.
>
> This can be made easier for hackers if you have 'my easy pincode' set up for easy LAN access, and a reverse proxy that isn't correctly passing the client's IP address, making all connections look like LAN access.
> I had that issue, where users that had a strong password set up as well as a blank pin code for password-less LAN login could log in outside the LAN without a pass because the Emby server saw the proxy as the client instead of seeing the client that's connected to the proxy.

I only had 1 user and I thought the password was strong.

I have no idea what 'my easy pincode' is or how it is used.

As far as admin rights to the server this is required for a single user isn't it?

I was using an older version of Emby (3.5.3.0) as it was running great and didn't want to upgrade yet, but that may have been a mistake for security reasons.



#10 Pog22 OFFLINE  

Pog22

    Advanced Member

  • Members
  • 220 posts
  • Local time: 09:04 PM

Posted 03 May 2019 - 11:43 AM

> I only had 1 user and I thought the password was strong.
>
> I have no idea what 'my easy pincode' is or how it is used.
>
> As far as admin rights to the server this is required for a single user isn't it?
>
> I was using an older version of Emby (3.5.3.0) as it was running great and didn't want to upgrade yet, but that may have been a mistake for security reasons.

 

Have you used this password elsewhere? 

https://haveibeenpwned.com/


  • BAlGaInTl likes this

#11 BAlGaInTl OFFLINE  

BAlGaInTl

    Advanced Member

  • Members
  • 670 posts
  • Local time: 04:04 PM

Posted 03 May 2019 - 11:47 AM

> Have you used this password elsewhere?
> https://haveibeenpwned.com/


I would definitely check your password there.

#12 Pog22 OFFLINE  

Pog22

    Advanced Member

  • Members
  • 220 posts
  • Local time: 09:04 PM

Posted 03 May 2019 - 11:53 AM

> I would definitely check your password there.


You don't check your password there. You check your email address against a list of known public hacks.

#13 BAlGaInTl OFFLINE  

BAlGaInTl

    Advanced Member

  • Members
  • 670 posts
  • Local time: 04:04 PM

Posted 03 May 2019 - 12:44 PM

> You don't check your password there. You check your email address against a list of known public hacks.


You are incorrect.

They recently added the ability to check passwords and provide an API for applications to use. That is why many password managers now have a check to see if a specific password has been compromised.

Here is the link to the direct password checking:

https://haveibeenpwned.com/Passwords

Yes... you can also check for email accounts that have been involved in breaches, but the direct password checking can be even more telling.
  • Pog22 and Senna like this

#14 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 03 May 2019 - 03:25 PM

> Have you used this password elsewhere?
>
> https://haveibeenpwned.com/

The admins think I did not set a password, but I am like 99% sure I did??

I would never leave the password blank as that would be stupid.

I used to have the same password for the server and the forum if that matters....but not any more!

I also think it's not a coincidence that the unknown user 'Doom' was used in my account and in the link above that Happy2Play provided. Seems like there is someone out there targeting Emby servers.

 

Anyway, Thanks for the info. I checked my old password and it checked out OK.


Edited by Doebert, 03 May 2019 - 03:26 PM.


#15 Pog22 OFFLINE  

Pog22

    Advanced Member

  • Members
  • 220 posts
  • Local time: 09:04 PM

Posted 03 May 2019 - 03:31 PM

 

> I also think it's not a coincidence that the unknown user 'Doom' was used in my account and in the link above that Happy2Play provided. Seems like there is someone out there targeting Emby servers.

Not a person, a bot, crawls the internet looking for easily hacked servers



#16 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 14741 posts
  • Local time: 01:04 PM
  • LocationWashington State

Posted 03 May 2019 - 03:37 PM

Local User and Connect user are two different accounts.  Local user has its own area to set password on your server, and Connect has the forum/Connect to control its password.

 

So you went to Dashboard-Users-selected your user-went to passwords tab and applied a password, as there was no password applied at the creation of the user. This admin password issue has been resolved for new installs of v4.1+.



#17 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 03 May 2019 - 03:51 PM

> Local User and Connect user are two different accounts. Local user has its own area to set password on your server, and Connect has the forum/Connect to control its password.
>
> So you went to Dashboard-Users-selected your user-went to passwords tab and applied a password, as there was no password applied at the creation of the user. This admin password issue has been resolved for new installs of v4.1+.

Thanks for the info and I am now running 4.1.1.0

But let me ask you a stupid question....

When I would log out of the server and log back in I would enter a password. If I didn't create a password initially it would not let me log in would it?

Or am I missing something?

 

Thanks again



#18 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 14741 posts
  • Local time: 01:04 PM
  • LocationWashington State

Posted 03 May 2019 - 04:00 PM

> Thanks for the info and I am now running 4.1.1.0
>
> But let me ask you a stupid question....
>
> When I would log out of the server and log back in I would enter a password. If I didn't create a password initially it would not let me log in would it?
>
> Or am I missing something?
>
> Thanks again

 

How were you logging in?  Connect or locally?



#19 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 04:04 PM

Posted 03 May 2019 - 04:05 PM

> How were you logging in? Connect or locally?

On my P.C. which is locally is that correct?



#20 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 14741 posts
  • Local time: 01:04 PM
  • LocationWashington State

Posted 03 May 2019 - 04:12 PM

> On my P.C. which is locally is that correct?

 

You can do either on your PC.  What url would that be?






