
Emby shows unknown users

connect users login server

35 replies to this topic

#21 darkassassin07 OFFLINE  

darkassassin07

    Advanced Member

  • Members
  • 743 posts
  • Local time: 02:06 PM

Posted 03 May 2019 - 04:13 PM

He means were you using app.emby.media or were you connecting directly to your server with an IP+port combo like 192.168.0.75:8096 or even your own domain name.

#22 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 05:06 PM

Posted 03 May 2019 - 04:20 PM

You can do either on your PC.  What url would that be?

I am a little confused on the locally and the connect (imagine that), which I will have to read up on.

Let me put it another way.

On my PC where I have Emby installed in the browser is where I would log in.

Url is localhost:8096



#23 Happy2Play OFFLINE  

Happy2Play

    Trial and Error

  • Moderators
  • 15659 posts
  • Local time: 02:06 PM
  • LocationWashington State

Posted 03 May 2019 - 04:30 PM

I am a little confused on the locally and the connect (imagine that), which I will have to read up on.

Let me put it another way.

On my PC where I have Emby installed in the browser is where I would log in.

Url is localhost:8096

 

If you were connecting via localhost:8096 and had to enter a password, then you did have an applied password.  I guess the next question would be was that the only user account on the server?


Edited by Happy2Play, 03 May 2019 - 04:30 PM.


#24 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 05:06 PM

Posted 03 May 2019 - 04:43 PM

If you were connecting via localhost:8096 and had to enter a password, then you did have an applied password.  I guess the next question would be was that the only user account on the server?

Yes

In the beginning I had a couple of users but I deleted them a few months ago.

The single user which of course was an admin was not hidden and I am guessing that may be how they got in.

Just trying to identify the problem so it doesn't happen again to me or anyone else.



#25 wayloncovil OFFLINE  

wayloncovil

    Advanced Member

  • Members
  • 56 posts
  • Local time: 02:06 PM

Posted 06 May 2019 - 11:10 AM

Yes

In the beginning I had a couple of users but I deleted them a few months ago.

The single user which of course was an admin was not hidden and I am guessing that may be how they got in.

Just trying to identify the problem so it doesn't happen again to me or anyone else.

 

How complex was the admin password?



#26 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 05:06 PM

Posted 06 May 2019 - 11:20 AM

How complex was the admin password?

Alpha numeric 10 characters long.



#27 wayloncovil OFFLINE  

wayloncovil

    Advanced Member

  • Members
  • 56 posts
  • Local time: 02:06 PM

Posted 06 May 2019 - 11:26 AM

A couple of general questions for everyone about this situation...

1. How could someone have found this system in the first place? This would indicate to me that there could be some aggressive port scanning going on by people looking for an Emby server. That seems strange that someone on the Internet would be looking for an Emby server to hijack. Or am I naive?

2. (Yeah, anything's possible, but...) should the user be concerned that a vulnerability could be found in a hijacked Emby server and the hijackers could have gained access to the server itself and other devices on the network? Just wondering how compromised the environment could be. And then, what should a user do to ensure their systems aren't compromised.

 

Personally, I don't have a real reason to expose my Emby server to the Internet so I can watch stuff away from home (although it would be cool), so I haven't opened the port. I also don't have the time presently to investigate how to set things up so when I do open a port, all my "t"s are crossed and my "i"s are dotted. It almost sounds like we need an "Emby Security for Dummies" write up so people go through all the right steps when exposing their system.



#28 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 05:06 PM

Posted 06 May 2019 - 11:40 AM

Here is what I did so far:

I did a complete uninstall of the emby server and reinstalled 4.1.1  

I entered a single user and a strong unique password with letters, numbers and special characters plus some are capitals.

Did not enter anything for Emby connect.

Unchecked allow remote access as my only use is for my home network.

I also checked hide user from login screens on local network.



#29 BAlGaInTl OFFLINE  

BAlGaInTl

    Advanced Member

  • Members
  • 697 posts
  • Local time: 05:06 PM

Posted 06 May 2019 - 02:39 PM

A couple of general questions for everyone about this situation...
1. How could someone have found this system in the first place? This would indicate to me that there could be some aggressive port scanning going on by people looking for an Emby server. That seems strange that someone on the Internet would be looking for an Emby server to hijack. Or am I naive?
2. (Yeah, anything's possible, but...) should the user be concerned that a vulnerability could be found in a hijacked Emby server and the hijackers could have gained access to the server itself and other devices on the network? Just wondering how compromised the environment could be. And then, what should a user do to ensure their systems aren't compromised.
 
Personally, I don't have a real reason to expose my Emby server to the Internet so I can watch stuff away from home (although it would be cool), so I haven't opened the port. I also don't have the time presently to investigate how to set things up so when I do open a port, all my "t"s are crossed and my "i"s are dotted. It almost sounds like we need an "Emby Security for Dummies" write up so people go through all the right steps when exposing their system.


Bots are written to crawl the internet and look for it. There are search engines that you can use to easily find them. I won't go into details.

Bugs exist, so it's always a risk to open up a computer on your home network to the internet. There are several decent guides on securing emby or other applications out there.

You are right though. If you don't have a reason to expose it, then don't.

#30 Michael K. OFFLINE  

Michael K.

    Advanced Member

  • Members
  • 160 posts
  • Local time: 05:06 PM

Posted 06 May 2019 - 09:17 PM

This happened to me today. The server was on the latest release of v3 (can't remember the exact version). 

 

Fortunately this is just a transcoding processor, so no damage done to the library. 

 

Big supporter of emby, but at this moment a little weary of using it again. 

 

Do the emby devs want the log files to analyze? 

 

Who can I PM about security concerns and get some advice on how to prevent this again?  



#31 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 05:06 PM

Posted 06 May 2019 - 11:11 PM

This happened to me today. The server was on the latest release of v3 (can't remember the exact version). 

 

Fortunately this is just a transcoding processor, so no damage done to the library. 

 

Big supporter of emby, but at this moment a little weary of using it again. 

 

Do the emby devs want the log files to analyze? 

 

Who can I PM about security concerns and get some advice on how to prevent this again?  

Sorry to hear that.

The first thing I was told to do was shut down Emby server.

The admins will probably want you to PM them your logs.

They will reply when they have the chance.



#32 speechles OFFLINE  

speechles

    Advanced Member

  • App Developer
  • 5432 posts
  • Local time: 02:06 PM

Posted 06 May 2019 - 11:31 PM

Who can I PM about security concerns and get some advice on how to prevent this again?  

 

Be aware of who has access to your Wifi and access to your LAN. This can happen through the web app if you have it log you immediately in as admin with no password. Then anyone can be on your network and do the same pretty much. Log in as you and then add themselves as users. Then when they get home, "Hey guess what?". They get remote access too now. Sweet deal. Would be nice to be your friend. This is a social engineering exploit and everything has holes for these types of exploits. Humans are fragile and that is the exploit. Not sure if this is the same as what you really have experienced.

 

The best bet is to change the port Emby uses both local and remote. Force the attacker to port scan you again. Not hard to do but you make more work for them. More work for them increases the chance they give up. Also set a password on your admin user if you open up the port remotely. Then you can also wrap the entire process into SSL on port 443 if you want. Then you can stick a reverse proxy over it to hide your exact IP from the attacker on top. Then you can add logging to your network to log these attacks for later investigating. You are your best detective since you are the one experiencing the attackers.

 

They think they have a honey pot. Maybe set up a bullshit machine/VM and just put something interesting there with broken files all over. See if the same people try to attack it. It is always interesting seeing why they do what they do. What draws them like flies. What makes a person attack another for no monetary gain. Just some weird egotistical gain or some kind of free media type of gain. It can't be anything more. I doubt Russian and North Korean spies have infiltrated your server and are now conspiring with China to mass profit from that access.. Lol.. very very doubtful. The best advice is keep your secrets close. Hide the porn. Don't put things on the server you wouldn't want your mother to see.

 

Start here: https://www.cbsnews....software-flaws/


Edited by speechles, 06 May 2019 - 11:41 PM.

  • denz likes this

#33 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 46943 posts
  • Local time: 05:06 PM

Posted 09 May 2019 - 10:05 AM

This happened to me today. The server was on the latest release of v3 (can't remember the exact version). 

 

Fortunately this is just a transcoding processor, so no damage done to the library. 

 

Big supporter of emby, but at this moment a little weary of using it again. 

 

Do the emby devs want the log files to analyze? 

 

Who can I PM about security concerns and get some advice on how to prevent this again?  

 

Hi.  We're sorry this happened to you but we are relatively certain it was due to an admin user having no LOCAL password.  I know you thought the user had a password, but that was probably the Connect user.  In previous versions it was possible for your initial user to have no password because we didn't force you to create one in the initial start up.  We do now.

 

So, all you need to do to be sure it is secure is go to the LOCAL user setup in the dashboard and ensure there is a password set.

 

Thanks.


  • simpsons11 likes this
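
The check ebr describes, run across every account at once, as an added example that is not part of the original thread and is not Emby's own code: it reads a saved JSON user list and flags administrators with no local password, along with the login-screen visibility and remote-access settings discussed earlier in the thread. The field names (`HasPassword`, `ConnectUserName`, `Policy.IsAdministrator`, `Policy.IsHidden`, `Policy.EnableRemoteAccess`) are assumed to match the user objects your server version returns, and the sample records are constructed.

```python
import json

# Constructed sample shaped like a saved user list; not data from the thread.
# Field names are assumptions about the server's user objects.
SAMPLE_USERS = json.loads("""[
 {"Name": "admin", "HasPassword": false, "ConnectUserName": "someone",
  "Policy": {"IsAdministrator": true, "IsHidden": false, "EnableRemoteAccess": true}},
 {"Name": "kids", "HasPassword": false,
  "Policy": {"IsAdministrator": false, "IsHidden": true, "EnableRemoteAccess": false}},
 {"Name": "owner", "HasPassword": true,
  "Policy": {"IsAdministrator": true, "IsHidden": true, "EnableRemoteAccess": false}}
]""")

RANK = {"CRITICAL": 0, "HIGH": 1, "REVIEW": 2, "OK": 3}


def audit_user(user):
    """Return (severity, findings) for one user record."""
    policy = user.get("Policy") or {}
    # Missing fields default to the unsafe value so gaps show up as findings.
    has_local_pw = bool(user.get("HasPassword", False))
    is_admin = bool(policy.get("IsAdministrator", True))
    hidden = bool(policy.get("IsHidden", False))
    remote = bool(policy.get("EnableRemoteAccess", True))
    findings = []
    if not has_local_pw:
        findings.append("no local password")
        if user.get("ConnectUserName"):
            # The mix-up from the thread: a Connect login is not a local password.
            findings.append("linked to Connect; set the local password separately")
    if not hidden:
        findings.append("listed on login screen")
    if remote:
        findings.append("remote access enabled")
    if not has_local_pw and is_admin:
        severity = "CRITICAL"
    elif not has_local_pw and remote:
        severity = "HIGH"
    elif findings:
        severity = "REVIEW"
    else:
        severity = "OK"
    return severity, findings


def audit(users):
    """Audit every user and return (name, severity, findings), worst first."""
    rows = [(u.get("Name", "?"),) + audit_user(u) for u in users]
    return sorted(rows, key=lambda r: (RANK[r[1]], r[0]))
```

Calling `audit(SAMPLE_USERS)` lists the constructed `admin` account first as CRITICAL; replace the sample with your own exported user list to check a real server.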

#34 simpsons11 OFFLINE  

simpsons11

    Member

  • Members
  • 16 posts
  • Local time: 03:06 PM

Posted 15 May 2019 - 12:09 PM

Hi.  We're sorry this happened to you but we are relatively certain it was due to an admin user having no LOCAL password.  I know you thought the user had a password, but that was probably the Connect user.  In previous versions it was possible for your initial user to have no password because we didn't force you to create one in the initial start up.  We do now.

 

So, all you need to do to be sure it is secure is go to the LOCAL user setup in the dashboard and ensure there is a password set.

 

Thanks.

 

Ebr is correct. I had this issue come up about two months ago and disabled external access to see if disabling it would prevent these unknown users. After having no issues with it disabled, I enabled and created passwords on the admin account and have had zero issues for the past couple weeks.


  • BAlGaInTl likes this

#35 Doebert OFFLINE  

Doebert

    Member

  • Members
  • 17 posts
  • Local time: 05:06 PM

Posted 15 May 2019 - 03:04 PM

Ebr is correct. I had this issue come up about two months ago and disabled external access to see if disabling it would prevent these unknown users. After having no issues with it disabled, I enabled and created passwords on the admin account and have had zero issues for the past couple weeks.

I have done the same and so far so good.



#36 Michael K. OFFLINE  

Michael K.

    Advanced Member

  • Members
  • 160 posts
  • Local time: 05:06 PM

Posted 15 May 2019 - 11:13 PM

Sounds good. I'll try the new v4 and make sure the local user password is set. Thanks to everyone for your advice and restoring my faith... Emby rocks! 






