
Leaderboard

Popular Content

Showing content with the highest reputation on 05/30/23 in Posts

  1. tl;dr, a few suggestions for anyone intent on malware hunting. FYI, obviously nuking from orbit and rebuilding is the best approach to making sure all malware is gone, but I thought I would add a few helpful suggestions for those otherwise trying to hunt down any remaining malware.

     The best approach for Windows machines is to scan first with an offline/bootable scanner with current antivirus definitions if possible. A few examples are ESET's bootable scanner https://www.eset.com/int/support/sysrescue/ and Kaspersky's Rescue CD https://usa.kaspersky.com/downloads/free-rescue-disk (FYI, Kaspersky is a Russian company and with the current political climate some may not want to use Kaspersky at all). The biggest plus of rescue discs is that it's hard for any malware to try and hide from the AV scanners when the AV is running from a separate OS. Another good approach is to download and update Malwarebytes and run a full system scan and/or standalone malware scanners and run them in Safe Mode. Microsoft https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide among others offers a standalone anti-malware scanner which can be used to check for malware. Add the file first while booted into regular Windows, then manually trigger the standalone scanner when in Safe Mode.

     On the Mac side a number of AVs exist. Sophos unfortunately moved from an awesome free AV to a trial version for Mac. https://home.sophos.com/en-us/download-mac-anti-virus. On the plus side, Sophos now incorporates machine learning detections into their Mac AV after incorporating the tech from purchasing Invincea a few years ago. Bitdefender usually tests well also and offers a free trial on their Mac AV also. https://www.bitdefender.com/solutions/antivirus-for-mac.html

     On the Linux side things went from awesome to horrible a few years ago. A number of top rated vendors offered free Linux AVs for home use which were eliminated in favor of enterprise only versions of the Linux AVs. One thing a person can do is download an AV which is good on both Linux and Mac on their Mac computer (i.e., Sophos' Linux and Mac AV utilize the same scanning engine) and mount the Linux computer as an extra drive from your Mac. https://osxfuse.github.io/ If you take this approach, make sure your macOS is running the latest security updates for the OS before mapping the Linux computer. Taking this approach you can use the AV on the Mac to scan for malicious files on your Linux machine. ClamAV for Linux is also available and free; however, ClamAV does not have great detection numbers. It's better than nothing but I would not count on it to find hidden malware on any system. https://www.clamav.net/

     For anyone who is "OCD" level about making sure their Windows machine does not have any more malware, HitmanPro performs cloud scans using a combination of Bitdefender, Sophos, and Kaspersky's AV engines (all highly rated with low false positive rates) in the "cloud" to verify files are not malicious. The scanner skips files it recognizes the hashes for but will upload the files it does not recognize to HitmanPro's servers; thus, HitmanPro is not a suggestion for those for whom privacy is paramount, and you definitely don't want HitmanPro scanning your media files by running an "Early Score Warning" scan on your entire computer.
    2 points
  2. Hello everyone, since apparently nobody is much interested in the fact that Emby still serves all images without authentication, I quickly built something myself. Maybe someone can make use of it sometime....

     I used the following principle: redirect all Emby image requests via a reverse proxy (Nginx) to a PHP script, check whether the user's IP is logged in, and serve the images or deny access.

     1. Create a new API key in Emby and copy this key.
     2. Create the PHP script process.php as follows and copy it to the Nginx proxy:

     ```php
     <?php
     // Rebuild the original image path from the query string produced by the Nginx rewrite.
     $url = strip_tags($_SERVER['QUERY_STRING']);
     // The rewrite turns the first '?' into '&'; restore it after the image type or index.
     $url = str_replace('Primary&', 'Primary?', $url);
     $url = str_replace('Backdrop&', 'Backdrop?', $url);
     $url = str_replace('Banner&', 'Banner?', $url);
     $url = str_replace('Logo&', 'Logo?', $url);
     $url = str_replace('Thumb&', 'Thumb?', $url);
     $url = str_replace('Disc&', 'Disc?', $url);
     $url = str_replace('/0&', '/0?', $url);

     // Extract the client IP that Nginx appended as &ip=$remote_addr.
     $query = parse_url($url, PHP_URL_QUERY);
     parse_str((string) $query, $result);
     $clientIp = $result['ip'] ?? '';

     // Ask Emby for the currently active sessions.
     $data = file_get_contents('http://127.0.0.1:8096/emby/Sessions?api_key=EMBY API KEY');
     $decodedData = json_decode($data);

     foreach ($decodedData ?: [] as $d) {
         if ($clientIp !== '' && $clientIp == ($d->RemoteEndPoint ?? null)) {
             // Fetch the image once; filesize() does not work on http:// URLs.
             $image = file_get_contents('http://127.0.0.1:8096' . $url);
             $size = ($image !== false) ? getimagesizefromstring($image) : false;
             if ($size) {
                 header('Content-Type: ' . $size['mime']);
                 header('Content-Length: ' . strlen($image));
                 echo $image;
                 exit;
             }
         }
     }

     // No session matches the client IP.
     http_response_code(403);
     echo 'Access denied!';
     ?>
     ```

     3. Adjust the Emby Nginx config (before the location /):

     ```nginx
     location ~ /Images/ {
         rewrite (.*?)/Images/(.*?)$ /process.php?$1/Images/$2&ip=$remote_addr break;
         proxy_pass http://127.0.0.1;
     }
     ```

     Please note, the whole thing serves only as a technical example and can, or rather must, be adapted accordingly! pektoral
    2 points
  3. If anyone here is looking for something more supported than xteve (as it hasn't received any updates for a while now), try out Threadfin, essentially the same thing, just rebranded and actively developed: https://github.com/Threadfin/Threadfin
    2 points
  4. Yes - for both Emby and myself. I've never been much into security nor hacking. The used procedures were "invented" during the process. There were no such plans somewhere on the shelf or intended. There always needs to exist a level of trust towards the developers of a software - you can't follow and validate all changes.
    2 points
  5. And it exactly shall not do that: "inspire confidence". The conclusion must be that you either analyze your server in an exhaustive way - until you are confident or you decide to re-install. A malware infection is a serious incident and spreading confidence is the most inappropriate thing we could do in that situation. It's not like "haha, we shut your server down and here are the instructions to get it start again". We did the shutdown because the situation is that serious. And when you are lacking confidence in the security of your server, then that's good and adequate to the situation.
    2 points
  6. This is a security release which all Emby Server users are recommended to update to. Here are the changes:
     - Fix 172.X addresses always being considered private
     - Don't allow local network addresses to be specified in x-forwarded-for and x-real-ip
     - Adjust web app html tags to avoid false detection from Chrome as impersonating the Emby domain
    2 points
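
The first two fixes in the release notes above both concern how a server decides that a request comes from the local network. As an added illustration (not Emby's code; the function names, the trusted-proxy set and the sample addresses are constructed for this example, and the header handling is one reading of the release note), the sketch below contrasts a prefix test that treats every 172.x address as private with a CIDR test, and shows forwarded headers being ignored from untrusted peers and never being allowed to claim a local address:

```python
import ipaddress

# Private, loopback and link-local IPv4 ranges. Only 172.16.0.0/12 of 172/8 is private.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def naive_is_private(addr: str) -> bool:
    """Flawed prefix test: every 172.x address is treated as private."""
    return addr.startswith(("10.", "172.", "192.168.", "127."))


def is_local(addr: str) -> bool:
    """CIDR-based test; unparseable input is never treated as local."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # handle ::ffff:a.b.c.d
    return ip.version == 4 and any(ip in net for net in LOCAL_NETWORKS)


def classify(peer: str, headers: dict, trusted_proxies: set) -> tuple:
    """Return (client_ip, treated_as_local) for a request.

    peer            -- address of the TCP peer
    headers         -- request headers with lower-cased names
    trusted_proxies -- peers whose forwarded headers may be honoured (assumption)
    """
    if peer not in trusted_proxies:
        # Forwarded headers from arbitrary peers are client-controlled.
        return peer, is_local(peer)
    forwarded = headers.get("x-forwarded-for") or headers.get("x-real-ip")
    if not forwarded:
        return peer, is_local(peer)
    # The rightmost entry is the one appended by our own proxy.
    candidate = forwarded.split(",")[-1].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return peer, False  # malformed header: do not grant local status
    if is_local(candidate):
        return peer, False  # a header may not claim a local network address
    return candidate, False


if __name__ == "__main__":
    for a in ("172.16.0.1", "172.31.255.255", "172.32.0.1", "172.67.1.1"):
        print(a, "naive:", naive_is_private(a), "cidr:", is_local(a))
    proxies = {"127.0.0.1"}  # constructed sample configuration
    print(classify("203.0.113.9", {"x-forwarded-for": "192.168.1.10"}, proxies))
    print(classify("127.0.0.1", {"x-forwarded-for": "198.51.100.7"}, proxies))
```
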
  7. https://github.com/Shurelol/Emby.CustomCssJS

     EmbyCustomJS_Css

     Note the risk of cross-site scripting attacks.

     This plugin is based on mediabrowser.server.core 4.8.0.24-beta.

     Admin page
     - Provide scripts for all users; a user can choose to use them or not unless the script is forced on

     User page
     - Choose to use scripts provided by the admin or not
     - Write own scripts, which are stored in localStorage
     - The state of scripts is stored in localStorage; if there is an error, you can reset it
    1 point
  8. I like the enhanced Home Screen where I can read the basics of the movie or show without clicking on it. Can we do that on all areas and not just the Home Screen? I really like it and it makes it quicker when deciding on a movie.
    1 point
  9. Since there are official playback speed options, I think it would be better to show the time when playback finishes accurately. Currently, the two numbers at the end of the seek-bar show time left in the current video and the time on a clock when that time has passed from now (i.e. `time_done = now() + time_remaining`). I think it would be better to show it as `time_done = now() + time_remaining / playback_speed` such that it is closer to now when playback speed is greater than 1, and further away when speed is less than 1. Maybe the same could be done with the time remaining in the video, but that may be confusing if that changes based on playback speed.
    1 point
  10. @Luke I think we're still waiting for the next release which should resolve this issue (incorrect detection of hevc support in HLS)
    1 point
  11. There are also add-ons which allow changing playback speed to an arbitrary value, I use one for Firefox: https://addons.mozilla.org/de/firefox/addon/videospeed/ It allows changing speed in all html5 players.
    1 point
  12. My own changes below (some only in RBJ Formatting option):
      1. If above a certain bitrate for a certain resolution, the plugin added an automatic 'Remux' to the Title - my change just adds this after the bitrate instead. This is because on the AndroidTV client the Title is limited to ~24 chars, and thus you lost the bitrate. With it round the other way, you just lose the word Remux, which is less of an issue.
      2. Some minor changes in terminology - I use Digital+ instead of Digital Plus, for example.
      3. All Audio Tags are included - previously the 'standard' emby codecs were excluded, but I re-added them, which makes filtering by Tag so much easier. I.e., I want to filter all my movies if they have Dolby Digital+ and DTS audio tracks. Now I can do that on the tags selection.
      4. DTS:X IMX has been added (needs the latest MediaInfo CLI to detect it)
    1 point
  13. I believe this worked! I finally got to finish watching my movie with no interruptions. Thanks again!
    1 point
  14. Both, but all of the ones that are bundled with Emby Server are built by us.
    1 point
  15. I will try this, and thank you so much for your time I'll come back and let you know how it went.
    1 point
  16. After updating the MovieDb plugin to 1.6.7, just refresh the metadata of this media, then the actor photos will be shown
    1 point
  17. Okay, I think this is the situation we've seen on a couple of rare occasions where the Android system is actually moving us to the background for some reason, so we are stopping playback. I don't think we've ever been able to discover what it is on these particular systems that is doing this but the standard app, I believe, will not have this issue. You could try sideloading that. https://emby.media/emby-for-android.html Thanks.
    1 point
  18. Thanks for helping me so much with this!
    1 point
  19. Yeah, looking at the TV logic, I don't think we ever put the transcode logic in for video range. So that explains at least that much of it.
    1 point
  20. I've found the issue - I think - it only affected the 'RBJ' formatting. As THD without Atmos is classed as a 'normal' codec, it needs to be processed in that code segment, as it then breaks out. In the non-RBJ formatting, you added it:

      ```csharp
      case "MLP FBA":
          output = "Dolby THD";
          break;
      ```

      or "Dolby TrueHD" if not abbreviated - but in RBJ formatting this was missing, so I added it:

      ```csharp
      case "MLP FBA": // Added by RBJ
          output = "Dolby THD " + ChannelOutput(channels); // Added by RBJ
          break; // Added by RBJ
      ```

      and it now all works perfectly.

      @MagicDoubleM - Please can you try the version below (1.0.1.24) - but be advised, this version has a lot of my own modifications to the code - such as swapping around some formatting, adding tags for all Audio types, IMAX Update etc + this fix - so take a copy of the old DLL first. If all OK, then I'll update the branch on GitHub with the change and Dave can merge into the master. Btw - let me know if you like/prefer the other changes I made - and I may add those in a separate update for review. Emby.MediaInfo.dll
    1 point
  21. 1 point
  22. Yep it's fixed. Looks like Luke made the change. Thanks!
    1 point
  23. I agree that the logic is good. If the JSON output has no additional features, when this is serialised to the model then the additional features property will be null or string.Empty. The only possibility that may have happened is that they (MediaInfo) have changed the case in the JSON output for either the format or the additional features, and our model must match the case when stating the [json property] attribute or the property itself.
    1 point
  24. This is what I see which is correct: Maybe someone made an edit? Can you take another look?
    1 point
  25. I was referring to the updates made afterwards. Besides that I have answered all questions and "revealed" everything.
    1 point
  26. The problem here is that the malware is just opening doors wide for the hackers to do what they want but the code doesn't include any specific actions (except saving off login credentials). We just don't have the slightest idea whether and what the hackers might have done or not. They could have done X on one server, Y on another server and nothing on yet another server. That's why we can't say anything specific. Also we did not scan servers for possible impacts - because digging around in users' data is absolutely none of our business. For those reasons, it is inevitable that users take action and find out what might have been done and take measures to become secure again - eventually, a full re-install is the most secure option you have.
    1 point
  27. Hi, the stats feature in the video player will indicate if it's direct playing or transcoding, as will the server dashboard.
    1 point
  28. Hi, yea it's a neat idea that could help improve shuffle.
    1 point
  29. AVR and syncbox in the middle, but I've taken the syncbox out and that made no change. The AVR is not that recent, a Yamaha YSP2500. Yes, it works fine then, although there is still inconsistency in what is reported on the OSD, SFN and on the dashboard.
    1 point
  30. Thanks for the suggestion. Problem solved. Weird thing is that I have always had the hide check marks turned on but I used to be able to switch between them. They are both admin users. Good suggestion to create a separate admin user for server and to make these both non-admin users. I will do that next.
    1 point
  31. Still trying to figure out what could cause the Emby Theater app to randomly "pause forever" remote streams. I tried to stream the same file on direct play on both browser and Emby Theater with Wireshark opened. The logs for Emby Theater show TCP ZeroWindow warnings frequently (more than once per minute) while the logs from the browser do not show this kind of behaviour. I don't know if this could lead to problems like mine. I'm throwing darts blindfolded.
    1 point
  32. Unfortunately, in TMDb the Chinese name of this Chinese actor is in Also Known As. It means changing the language of metadata in Emby can't help.
    1 point
  33. Sorry, now I think they are updating the nfo files. I didn't realize that I had to restart post update. As soon as I have news I will write to you.
    1 point
  34. thanks a lot @gillmacca01, yes there is a setting for new content to be automatically converted. Thank you!
    1 point
  35. If you bring up the menu on the main recordings folder (not show level) and select convert, there is an option to automatically convert all new content. I don't think it converts straight away, but creates a scheduled task, which you can change how often it converts
    1 point
  36. Given the latest events, isn't it about time the development team took this a little more seriously and stopped kicking it down the road? All internet facing systems in 2023 should have the option for MFA.
    1 point
  37. And this is very much appreciated. I look forward to this being ready one day, as it would be really great to have. I just wanted some clarity as of where we are today because many seem to try, without knowing that it is not quite ready yet. If you need some testing done, I would be happy to help anytime. Thanks a lot for everything Cheers
    1 point
  38. If you're referring to hardware acceleration, then alder lake support has been added in the 4.8 beta channel.
    1 point
  39. But it's just this sort of thing that are 'easy wins' for Emby. If the admin account is the only user - then I guess there is not a lot emby can do here but suggest a high entropy password, but if there are multiple users, then when remote access is enabled, it should prompt to say do you wish to disable remote access (only) on the privileged account (recommended). Any emby admin is then restricted to LAN side only.
    1 point
  40. Yes, but the priority of the layers is important. Zero point having MFA with HTTP - as any competent attacker will just inject 'Authenticated=Yes' into the HTTP response for example. Same with password complexity, little point having a highly complex / high entropy password if you can just snoop it on the wire. HTTPS is now a 'basic' requirement - my firm belief is emby should not allow remote access over http any longer - it is irresponsible and putting the users' home network at risk. Users are not even warned of this ...
    1 point
  41. Many people appear to be missing the entire point of 2FA for emby, believing it's magically going to stop the bad guys - the simple answer is it's not, not even close. If you are naive enough to use the same password for multiple systems, then 2FA is going to get you some more protection when (not if) your password is available from a data breach. But the real risk to emby is not its data or media, it's simply an 'entry point' into your home network that is now available and for the bad guys to wait for an 'emby toolset' vulnerability. It could be the emby web server, ffmpeg, its database etc - if one of those gets compromised and remote code is executable from the internet - then bang, the attacker has access to whatever network your emby server is on. For those with experience on cyber security/networks - yes there are all sorts of extra protections available - Reverse Proxies, VPNs, Isolated DMZ networks, IPS etc - these would all sit 'in front' of the emby web service - which should sit 'inside' a reasonably protected perimeter 'defence'. So going back to the question - is 2FA going to add protection - my personal belief is it's not a priority - especially when HTTPS is not enforced, password strength is not enforced, brute force lockouts are not enforced etc. These are things which could be done with relative ease - and provide better basic security out of the box. Once the basics are done - THEN maybe think about 2FA for the Admin account .. Just my 2p.
    1 point
  42. Yes please allow live
    1 point
  43. If this would mean being forced to always go through their servers like Plex does, this is an absolute no-go for me. Everyone has to make sure their server is secure when exposed to WWW and there are plenty of tutorials on how to get SSL working with Emby. Just my 2cents though...
    1 point
  44. I would also like to see this implemented with separate enable/disable options for external and internal connections. I would also like this to support YubiKey 2FA through NFC on the mobile app and not just the code generator apps.
    1 point
  45. Like most of the mainstream streaming services, Emby already has 2FA of sorts - Login and Device restrictions. By default, any login can play on any device - but if you turn this off (per user) then the DEVICE itself (which is assigned a unique ID) becomes the 2FA... For Prime (and probably Netflix) you have to Authorise the device it plays on. Emby is no different in concept, but you have to De-Authorise instead if you want 2FA. For the Web admin itself - then simply turn off internet access for your admin users .. ..and then if you really do want to Administer Emby remotely (i.e. not on the LAN) then VPN onto your LAN (via 2FA..).
    1 point
  46. 100% Agree! I don't want my server tied into a cloud service even for authentication. Custom domain & locally managed users are the reason I moved to Emby from Plex!
    1 point
  47. I think he was saying, if you are a regular user and not one that can perform administrative functions, is it necessary for the request to have 2FA? I could be wrong. Your statement is unclear to me. Is it for any/all people logging in or is it just for people who are/can do administrative functions?
    1 point