Showing content with the highest reputation on 05/25/23 in Blog Comments

  1. I for one am appreciative of how quickly you acted regarding this hack. I run Emby in docker (on Unraid) and it doesn't appear anything has been compromised and I didn't see any unusual activity in Emby but as your blog suggested I changed everyone's passwords as a precaution. Thank you for being diligent.
    2 points
  2. Correct. Personally, it is worth a small investment in your time just to give your system a 'once over' but only a compromised system needs those actions.
    2 points
  3. Thx Luke. It would be good to clarify on this page https://emby.media/support/articles/advisory-23-05.html which systems are affected. It may mean something to IT savvy folks but not to casual users.
    1 point
  4. A suggestion. Would it be more efficient for people needing help to start or post to a thread in the sub-forums for their OS/platform? Perhaps creating threads with the subject/title "Security Advisory Help: <OS/platform>" in those sub-forums could bring help from others familiar with those systems. It's getting a bit crowded in here with multiple reports and requests for help across the wide variety of Emby installations. Hard to keep track and contribute.
    1 point
  5. I added a router-based block to that domain, and then did a DNS lookup to add the IPs to the block list in ADM Defender. Not a Linux wunderkind, so that was my approach. Wish Asustor made it a little easier to add that via the GUI.
    1 point
  6. Went thru my Asustor configuration and only had the 'EmbyHelper.dll' and not the 'helper.dll'. Curious if that makes any difference. Out of an abundance of caution I've deleted my Emby install (which when uninstalled from the Asustor app store, DOES NOT remove the hidden Emby data), deleted the Emby directory via SSH and am awaiting the .12 release before rebuilding. I would like clarification on this from the explanation "Analysis of the plug-in has revealed that it is forwarding the login credentials including the password for every successful login to an external server under control of the hackers." Was this a compromise of JUST Emby credentials, or ALL user (Linux) accounts? Also makes me wonder how the Emby Connect syncs passwords between end user and Emby configuration - it's just linked via the email address, correct? Because I never give out 'passwords' to end users, they just set up on Emby Connect, and I link them. I'd suggest making some user setup changes to not allow blank passwords as well. Love the product and I know this sucks - thanks for working so hard as you all are to make this right. It's the rapidness of the response that I'm judging you on and kudos. You all need a nap and beer after this.
    1 point
  7. If you have none of the symptoms, and already have in place the recommendations, you should be good to restart Emby server.
    1 point
  8. Please apologize. I've been working more than two days non-stop on that matter, and I guess it's time for a rest.
    1 point
  9. apparently not! BUT instead of asking rhetorical questions you may want to apologize for your failures and help me fix your mistakes instead of acting like I'm the A-hole here.
    1 point
  10. Well, this explains how my PayPal, Amazon and eBay were hacked and used a few days ago -_-
    0 points