Jump to content

Emby shows unknown users

Doebert

By Doebert
in General/Windows

 Share

Recommended Posts

wayloncovil

wayloncovil   2

Posted
Posted

A couple of general questions for everyone about this situation...

1. How could someone have found this system in the first place? This would indicate to me that there could be some aggressive port scanning going on by people looking for an Emby server. That seems strange that someone on the Internet would be looking for an Emby server to hijack. Or am I naive?

2. (Yeah, anything's possible, but...) should the user be concerned that a vulnerability could be found in a hijacked Emby server and the hijackers could have gained access to the server itself and other devices on the network? Just wondering how compromised the environment could be. And then, what should a user do to ensure their system aren't compromised.

 

Personally, I don't have a real reason to expose my Emby server to the Internet so I can watch stuff away from home (although it would be cool), so I haven't opened the port. I also don't have the time presently to investigate how to set things up so when I do open a port, all my "t"s are crossed and my "i"s are dotted. It almost sounds like we need an "Emby Security for Dummies" write up so people go through all the right steps when exposing their system.

Link to comment
Share on other sites
Doebert

Doebert   0

Posted
  • Author
Posted

Here is what I did so far:

I did a complete uninstall of the emby server and reinstalled 4.1.1  

I entered a single user and a strong unique password with letters, numbers and special characters plus some are capitals.

Did not enter anything for Emby connect.

Unchecked allow remote access as my only use is for my home network.

I also checked hide user from login screens on local network.

Link to comment
Share on other sites
BAlGaInTl

BAlGaInTl   279

Posted
Posted

A couple of general questions for everyone about this situation...

1. How could someone have found this system in the first place? This would indicate to me that there could be some aggressive port scanning going on by people looking for an Emby server. That seems strange that someone on the Internet would be looking for an Emby server to hijack. Or am I naive?

2. (Yeah, anything's possible, but...) should the user be concerned that a vulnerability could be found in a hijacked Emby server and the hijackers could have gained access to the server itself and other devices on the network? Just wondering how compromised the environment could be. And then, what should a user do to ensure their system aren't compromised.

 

Personally, I don't have a real reason to expose my Emby server to the Internet so I can watch stuff away from home (although it would be cool), so I haven't opened the port. I also don't have the time presently to investigate how to set things up so when I do open a port, all my "t"s are crossed and my "i"s are dotted. It almost sounds like we need an "Emby Security for Dummies" write up so people go through all the right steps when exposing their system.

Bots are written to crawl the internet and look for it. There are search engines that you can use to easily find them. I won't go into details.

 

Bugs exist, so it's always a risk to open up a computer on your home network to the internet. There are several decent guides on securing emby or other applications out there.

 

You are right though. If you don't have a reason to expose it, then don't.

Link to comment
Share on other sites
Michael K.

Michael K.   24

Posted
Posted

This happened to me today. The server was on the latest release of v3 (can't remember the exact version). 

 

Fortunately this is just a transcoding processor, so no damage done to the library. 

 

Big supporter of emby, but at this moment a little weary of using it again. 

 

Do the emby devs want the log files to analyze? 

 

Who can I PM about security concerns and get some advice on how to prevent this again?  

Link to comment
Share on other sites
Doebert

Doebert   0

Posted
  • Author
Posted

This happened to me today. The server was on the latest release of v3 (can't remember the exact version). 

 

Fortunately this is just a transcoding processor, so no damage done to the library. 

 

Big supporter of emby, but at this moment a little weary of using it again. 

 

Do the emby devs want the log files to analyze? 

 

Who can I PM about security concerns and get some advice on how to prevent this again?  

Sorry to hear that.

The first thing I was told to do was shutdown Emby server.

The admin's will probably want you to pm them your logs.

They will reply when they have the chance.

Link to comment
Share on other sites
speechles Emby Team

speechles   1917

Posted
Posted (edited)

Who can I PM about security concerns and get some advice on how to prevent this again?  

 

Be aware of who has access to your Wifi and access to your LAN. This can happen through the web app if you have it log you immediately in as admin with no password. Then anyone can be on your network and do the same pretty much. Log in as you and then add themselves as users. Then when they get home, "Hey guess what?". They get remote access too now. Sweet deal. Would be nice to be your friend. This is a social engineering exploit and everything has holes for these types of exploits. Humans are fragile and that is the exploit. Not sure if this is the same as what you really have experienced.

 

The best bet is change the port Emby uses both local and remote. Force the attacker to port scan you again. Not hard to do but you make more work for them. More work for them increases the chance they give up. Also set a password on your admin user if you open up the port remotely. Then you can also wrap the entire process into SSL on port 443 if you want. Then you can stick a reverse proxy over it to hide your exact IP from the attacker on top. Then you can add logging to your network to log these attacks for later investigating. You are your best detective since you are the one experience the attackers.

 

They think they have a honey pot. Maybe set up a bullshit machine/VM and just put something interesting there with broken files all over. See if the same people try to attack it. It is always interesting seeing why they do what they do. What draws them like flies. What makes a person attack another for no monetary gain. Just some weird egotistical gain or some kind of free media type of gain. It can't be anything more. I doubt Russian and North Korean spies have inflitrated your server and are now conspiring with China to mass profit from that access.. Lol.. very very doubtful. The best advice is keep your secrets close. Hide the porn. Don't put things on the server you wouldn't want your mother to see.

 

Start here: https://www.cbsnews.com/news/why-human-vulnerabilities-are-more-dangerous-than-software-flaws/\

Edited by speechles
  • Like 1
Link to comment
Share on other sites
ebr Emby Team

ebr   14903

Posted
Posted

This happened to me today. The server was on the latest release of v3 (can't remember the exact version). 

 

Fortunately this is just a transcoding processor, so no damage done to the library. 

 

Big supporter of emby, but at this moment a little weary of using it again. 

 

Do the emby devs want the log files to analyze? 

 

Who can I PM about security concerns and get some advice on how to prevent this again?  

 

Hi.  We're sorry this happened to you but we are relatively certain it was due to an admin user having no LOCAL password.  I know you thought the user had a password, but that was probably the Connect user.  In previous versions it was possible for your initial user to have no password because we didn't force you to create one in the initial start up.  We do now.

 

So, all you need to do to be sure it is secure is go to the LOCAL user setup in the dashboard and ensure there is a password set.

 

Thanks.

  • Like 1
Link to comment
Share on other sites
simpsons11

simpsons11   2

Posted
Posted

Hi.  We're sorry this happened to you but we are relatively certain it was due to an admin user having no LOCAL password.  I know you thought the user had a password, but that was probably the Connect user.  In previous versions it was possible for your initial user to have no password because we didn't force you to create one in the initial start up.  We do now.

 

So, all you need to do to be sure it is secure is go to the LOCAL user setup in the dashboard and ensure there is a password set.

 

Thanks.

 

Ebr is correct. I had this issue come up about two months ago and disabled external access to see if disabling it would prevent these unknown users. After having no issues with it disabled, I enabled and created passwords on the admin account and have had zero issues for the past couple weeks.

  • Like 1
Link to comment
Share on other sites
Doebert

Doebert   0

Posted
  • Author
Posted

Ebr is correct. I had this issue come up about two months ago and disabled external access to see if disabling it would prevent these unknown users. After having no issues with it disabled, I enabled and created passwords on the admin account and have had zero issues for the past couple weeks.

I have done the same and so far so good.

Link to comment
Share on other sites
Michael K.

Michael K.   24

Posted
Posted

Sounds good. I'll try the new v4 and make sure the local user password is set. Thanks to everyone for your advice and restoring my faith... Emby rocks! 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...