Methodman104 10 Posted May 25, 2023 Posted May 25, 2023 (edited) I read and did some of the instructions but I am lost at /hosts file: emmm.spxaebjhxtmddsri.xyz 127.0.0.1 I opened my host file and see this instead... I also did not see a helper.dll file but did see and delete the embyhelper.dll file Edited May 25, 2023 by Methodman104
CBers 7451 Posted May 25, 2023 Posted May 25, 2023 Add a new line and enter the following: 127.0.0.1 emmm.spxaebjhxtmddsri.xyz Then save and close the file. That way, it something tries to get to emmm.spxaebjhxtmddsri.xyz, it will get blocked/redirected to your computer. 1 1
CaseyP 17 Posted May 25, 2023 Posted May 25, 2023 1 minute ago, CBers said: Add a new line and enter the following: 127.0.0.1 emmm.spxaebjhxtmddsri.xyz Then save and close the file. That way, it something tries to get to emmm.spxaebjhxtmddsri.xyz, it will get blocked/redirected to your computer. The image looks like it might be notepad, and windows doesn't like/let you save over the hosts file.. So @Methodman104 after you add the line to the text file as CBers stated, you might have to save the file to a different location on your computer, for instance, the desktop. The file will then be hosts.txt instead of hosts. (You may also need to enable, "show known file extensions" in windows) You'll rename hosts.txt to hosts (the icon will go from a text document to a blank document) Then you can copy/paste/overwrite the hosts file (youll need to give admin write rights) 1 1
Methodman104 10 Posted May 25, 2023 Author Posted May 25, 2023 Thanks but it wont let me save my hosts file, it says
CBers 7451 Posted May 25, 2023 Posted May 25, 2023 You could use notepad++ instead of notepad. If it detects Admin access required, it will prompt you. 1
Methodman104 10 Posted May 25, 2023 Author Posted May 25, 2023 (edited) okay I created the new hosts file with the added text....but emby is still not starting... Edited May 25, 2023 by Methodman104
RanmaCanada 495 Posted May 25, 2023 Posted May 25, 2023 You need to remove the pound sign for it to take effect. 1
CBers 7451 Posted May 25, 2023 Posted May 25, 2023 33 minutes ago, Methodman104 said: okay I created the new hosts file with the added text....but emby is still not starting... You need to remove the # at the beginning of the line, but it still shouldn't stop Emby from starting. Any errors in the log? 1
ebr 16184 Posted May 25, 2023 Posted May 25, 2023 Hi. Did you follow the other instructions in the document? Removing those other files?
Methodman104 10 Posted May 25, 2023 Author Posted May 25, 2023 1 minute ago, CBers said: You need to remove the # at the beginning of the line, but it still shouldn't stop Emby from starting. Any errors in the log? I can't load emby to check my log files on Windows. Is there another way to view the log files?
ebr 16184 Posted May 25, 2023 Posted May 25, 2023 Just now, Methodman104 said: Is there another way to view the log files? Yes: Quote If you're having difficulty using the web interface, logs can be found at: Windows: %appdata%\Emby-Server\logs Note this is a legacy path and relevant to old installs before the introduction of programdata folder. New installs will be here. Windows: %appdata%\Emby-Server\programdata\logs 1
Methodman104 10 Posted May 25, 2023 Author Posted May 25, 2023 3 minutes ago, ebr said: Hi. Did you follow the other instructions in the document? Removing those other files? the embyhelper.dll file yes, but I could not find the other file called "helper.dll"
ebr 16184 Posted May 25, 2023 Posted May 25, 2023 What about this? Quote Go to the following folder under the emby programdata folder: programdata/plugins/configurations Find the file named ReadyState.xml and delete it. Find the file named 'EmbyScripterX.xml' and delete it (if exists) 1
Methodman104 10 Posted May 25, 2023 Author Posted May 25, 2023 1 minute ago, ebr said: Yes: which log file title should I upload? I have a few from today, but these two log files are the newest. embyserver.txtembyserver-63820604731.txt
bungee91 133 Posted May 25, 2023 Posted May 25, 2023 1 hour ago, CBers said: Add a new line and enter the following: 127.0.0.1 emmm.spxaebjhxtmddsri.xyz Then save and close the file. That way, it something tries to get to emmm.spxaebjhxtmddsri.xyz, it will get blocked/redirected to your computer. I'm well aware in Windows how to do this, but any insight on doing so with UnRAID and a Docker of Emby would be appreciated.
CBers 7451 Posted May 25, 2023 Posted May 25, 2023 (edited) 10 minutes ago, Methodman104 said: which log file title should I upload? I have a few from today, but these two log files are the newest. embyserver.txt 23.23 kB · 0 downloads embyserver-63820604731.txt 23.21 kB · 1 download 2023-05-25 09:45:32.594 Error App: We have detected a malicious plugin on your system which has probably been installed without your knowledge. Please see https://emby.media/support/articles/advisory-23-05.html for more information on how to proceed. For your safety we have shutdown your Emby Server as a precautionary measure. Go through what @ebrposted above. Edited May 25, 2023 by CBers 1
visproduction 315 Posted May 25, 2023 Posted May 25, 2023 12 minutes ago, Methodman104 said: MMan, Only remove the # pound sign from the last line with the emmm.spxaeb... It looks like you removed all the # signs. The lines above are just examples. Those are supposed to keep the # sign. Removing all the # causes errors and probably slows down your system startup. The # comment feature is a typical programming step. I think people assumed you knew this. 1
MrMackey 35 Posted May 25, 2023 Posted May 25, 2023 @bungee91 I am not affected by this, but the hosts file is located at unraid in /etc/hosts there you can edit them. But keep in mind that after a reboot the settings will be lost because unraid is in RAM. I found this suggestion that you create a user script that runs on startup of the array so that the tag is always set at every reboot. #description=Add to hosts file echo "127.0.0.1 emmm.spxaebjhxtmddsri.xyz" >> /etc/hosts I have not tested this so you should check the hosts file after reboot.
bungee91 133 Posted May 25, 2023 Posted May 25, 2023 55 minutes ago, MrMackey said: @bungee91 I am not affected by this, but the hosts file is located at unraid in /etc/hosts there you can edit them. But keep in mind that after a reboot the settings will be lost because unraid is in RAM. I found this suggestion that you create a user script that runs on startup of the array so that the tag is always set at every reboot. #description=Add to hosts file echo "127.0.0.1 emmm.spxaebjhxtmddsri.xyz" >> /etc/hosts I have not tested this so you should check the hosts file after reboot. Thank you, I will try that. I'm not so sure I'm affected either, however I did find the embyhelper.dll in my plugins folder and one other. While that sounds alarming by default (and maybe it is), other parts of the instructions or log file entries I don't have. Clarity on that would be great, however either way trying to be cautious.
ebr 16184 Posted May 25, 2023 Posted May 25, 2023 11 minutes ago, bungee91 said: Thank you, I will try that. I'm not so sure I'm affected either, however I did find the embyhelper.dll in my plugins folder and one other. While that sounds alarming by default (and maybe it is), other parts of the instructions or log file entries I don't have. Clarity on that would be great, however either way trying to be cautious. If that file existed on your system then you were affected by this attack. However, other than the existence of those, we haven't determined any other changes or harm that actually was done so that may be it. It should be assumed that all of your logins were sent to that remote site though so that may have been what they were after (for use later). Just be sure to change all passwords. 1
Methodman104 10 Posted May 25, 2023 Author Posted May 25, 2023 (edited) 2 hours ago, ebr said: What about this? I just deleted those 2 files as well now. Seems to be working now but if there are any other steps I need to take please let me know. Thanks. Edited May 25, 2023 by Methodman104
bungee91 133 Posted May 25, 2023 Posted May 25, 2023 24 minutes ago, ebr said: If that file existed on your system then you were affected by this attack. However, other than the existence of those, we haven't determined any other changes or harm that actually was done so that may be it. It should be assumed that all of your logins were sent to that remote site though so that may have been what they were after (for use later). Just be sure to change all passwords. Thank you, elaboration is appreciated. One more question I am confused about. All my users use Emby Connect, with passwords set on the forum and then tied to my server. I don't believe this then requires any specific password on the server management side itself. Would I just ask them to reset/update on the forum, or no, I need to enter in a new password under their user account on the server regardless? Sorry for the confusion on that.
ebr 16184 Posted May 25, 2023 Posted May 25, 2023 34 minutes ago, bungee91 said: Would I just ask them to reset/update on the forum, or no, I need to enter in a new password under their user account on the server regardless? Even when using Connect login via the local credentials is possible. If you didn't have passwords on those local credentials then you could just enter very strong ones for all of them and your users don't even need to know them (if they always use Connect). 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now