Jaggers 3 Posted May 27, 2023 (edited)
I have gone through my plug-ins folder and plug-in configurations folder and found none of the stated malicious plugins like ReadyState.xml or helper.dll/EmbyHelper.dll, nor did my server abruptly shut down. Does this mean I wasn’t affected by the hack? Do I still have to worry about anything else? Though, during that breach on 25th May, I did get some log4j attacks which my Norton antivirus blocked. Do you think this is part of the vulnerability? If not, what do you suggest I do? (The attacker did stop trying 2 days after the data breach.)
Edited May 27, 2023 by Jaggers
Abobader 3464 Posted May 27, 2023
Hello Jaggers,
** This is an auto reply **
Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread:
Thank you.
Emby Team
Luke 42078 Posted May 28, 2023 (Solution)
Hi, looks like you're not affected. That screenshot appears to be someone trying to sign into your server. By the way, a good way to make it less likely that you'll see these kinds of attempts is to use a different public-facing router port besides the defaults. If you decide to change this, make sure to update Emby Server network settings to make the server aware of it.
Jaggers 3 Posted May 28, 2023 (Author)
2 minutes ago, Luke said:
> Hi, looks like you're not affected. That screenshot appears to be someone trying to sign into your server. By the way, a good way to make it less likely that you'll see these kinds of attempts is to use a different public-facing router port besides the defaults. If you decide to change this, make sure to update Emby Server network settings to make the server aware of it.
Thanks for the reply. As for the “public facing router port”, I’m not sure what it means. Is there some sort of tutorial for this?
Luke 42078 Posted May 28, 2023
22 minutes ago, Jaggers said:
> Thanks for the reply. As for the “public facing router port”, I’m not sure what it means. Is there some sort of tutorial for this?
It just means setting up the port forwarding in your router to use a different router port. Did you already set up port forwarding in your router?
Jaggers 3 Posted May 28, 2023 (Author)
3 minutes ago, Luke said:
> It just means setting up the port forwarding in your router to use a different router port. Did you already set up port forwarding in your router?
So it just means changing your port lol. And yes, I did set up port forwarding. Didn’t know “public facing router port” meant just changing your port from 8096 to something else.
ebr 16184 Posted May 28, 2023
12 hours ago, Jaggers said:
> Didn’t know “public facing router port” meant just changing your port from 8096 to something else
Well, when coming from outside there are two ports: the public-facing one (the one from the outside) and the internal one (the one used by the server). So, you could keep the server using the default and only change the outside port (set in the router port forwarding). Does that make sense?
Jaggers 3 Posted May 28, 2023 (Author)
1 minute ago, ebr said:
> Well, when coming from outside there are two ports: the public-facing one (the one from the outside) and the internal one (the one used by the server). So, you could keep the server using the default and only change the outside port (set in the router port forwarding). Does that make sense?
Yes. Thanks. I’ve already done this.
justinrh 260 Posted May 28, 2023
But the log4j alert is not from the Emby server app, is it?
Jaggers 3 Posted May 28, 2023 (Author)
Just now, justinrh said:
> But the log4j alert is not from the Emby server app, is it?
No. I didn’t receive any “try to login” alert on my dashboard. This is from Norton.
justinrh 260 Posted May 28, 2023
I understand Norton reported the alert, but what app is triggering the alert (i.e., using log4j)?
Jaggers 3 Posted May 28, 2023 (Author)
Just now, justinrh said:
> I understand Norton reported the alert, but what app is triggering the alert (i.e., using log4j)?
There was no app. Some person is trying to enter my Emby server in a malicious way.
justinrh 260 Posted May 28, 2023
Then it is the Emby server app. I'm wondering why Emby would trigger this. You are on a Windows box?
Jaggers 3 Posted May 28, 2023 (Author)
1 minute ago, justinrh said:
> Then it is the Emby server app. I'm wondering why Emby would trigger this. You are on a Windows box?
Yes. I’m using Windows.
visproduction 315 Posted May 29, 2023
Looks to be an attack from Kursk Oblast in Russia:
https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
https://www.crowdstrike.com/blog/log4j2-vulnerability-analysis-and-mitigation-recommendations/
mcalbert007 2 Posted May 29, 2023
Hey all, I didn't want to make another post for the same thing, but I'm receiving the same attack on a daily basis. It's been happening for around 2 weeks now.

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
29/05/2023 17:53:46,High,An intrusion attempt by 95.214.55.244 was blocked.,Blocked,No Action Required,Attack: Log4j2 RCE CVE-2021-44228 2,No Action Required,No Action Required,"95.214.55.244, 37608",http:///,"DESKTOP-4IOLCPI (MYIP)",95.214.55.244,"TCP, Port 37608"
Network traffic from http:/// matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME4\USERS\MYNAME\APPDATA\ROAMING\EMBY-SERVER\SYSTEM\EMBYSERVER.EXE.

I'm not sure what's going on with this but would really like it to stop. After the revelation about the hack thing recently, I checked my files and couldn't find any of the files mentioned in the clean up action. My server never stopped working or loading, so I feel like I'm safe, but I'm still a bit worried that this is continuing. I will take the suggestion made here to change the outward facing port to a different one; hopefully this will end this. Is there anything else that needs or can be done to ensure my PC is safe? Thanks for any help you guys can give.
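The Norton Intrusion Prevention export quoted above is comma-separated with quoted fields (the "Attacking Computer" column holds "address, port"), so a standard CSV reader handles it. The script below is an added example written for this thread; it is not code from the post, from Norton or from Emby. It parses the header row and the record quoted above, plus one constructed record from a private LAN address so that the Internet-versus-LAN split has something to separate, and then summarises alerts per source address and per CVE, which is the information you need to decide whether the daily alerts are the same outside scanner hitting the forwarded port. The column names come from the export's own header; the `summarize` helper, the `from_internet` flag and the constructed second record are assumptions made for illustration.

```python
import csv
import io
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Sample export. The header row and the first record are the ones quoted in the
# post above; the second record is constructed (private LAN address 192.168.1.50)
# so that the Internet-versus-LAN classification below has something to separate.
SAMPLE_EXPORT = """\
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
29/05/2023 17:53:46,High,An intrusion attempt by 95.214.55.244 was blocked.,Blocked,No Action Required,Attack: Log4j2 RCE CVE-2021-44228 2,No Action Required,No Action Required,"95.214.55.244, 37608",http:///,"DESKTOP-4IOLCPI (MYIP)",95.214.55.244,"TCP, Port 37608"
28/05/2023 09:12:03,High,An intrusion attempt by 192.168.1.50 was blocked.,Blocked,No Action Required,Attack: Log4j2 RCE CVE-2021-44228 2,No Action Required,No Action Required,"192.168.1.50, 51234",http:///,"DESKTOP-4IOLCPI (MYIP)",192.168.1.50,"TCP, Port 51234"
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_alerts(text):
    """Parse a Norton Intrusion Prevention CSV export into a list of dicts.

    The csv module takes care of the quoted fields that contain commas,
    such as "95.214.55.244, 37608" in the Attacking Computer column.
    """
    alerts = []
    for row in csv.DictReader(io.StringIO(text)):
        source, _, port = row["Attacking Computer"].partition(",")
        source = source.strip()
        port = port.strip()
        cve = CVE_RE.search(row["IPS Alert Name"])
        alerts.append({
            "when": datetime.strptime(row["Date & Time"], "%d/%m/%Y %H:%M:%S"),
            "risk": row["Risk"],
            "blocked": row["Status"] == "Blocked",
            "signature": row["IPS Alert Name"],
            "cve": cve.group(0) if cve else None,
            "source_ip": source,
            "source_port": int(port) if port else None,
            # True when the source is a routable Internet address rather than
            # a private/LAN one; distinguishes outside scanners from local noise.
            "from_internet": ipaddress.ip_address(source).is_global,
        })
    return alerts


def summarize(alerts):
    """Aggregate hits per source address and per CVE, count Internet-sourced
    alerts, and list any alert Norton did not block (those need follow-up)."""
    return {
        "by_source": Counter(a["source_ip"] for a in alerts),
        "by_cve": Counter(a["cve"] for a in alerts if a["cve"]),
        "from_internet": sum(1 for a in alerts if a["from_internet"]),
        "not_blocked": [a for a in alerts if not a["blocked"]],
    }


if __name__ == "__main__":
    summary = summarize(parse_alerts(SAMPLE_EXPORT))
    for ip, count in summary["by_source"].items():
        print(f"{ip}: {count} alert(s)")
    print(f"{summary['from_internet']} alert(s) from Internet addresses, "
          f"{len(summary['not_blocked'])} not blocked")
```

Point it at a real export by reading the CSV file into a string and passing that to `parse_alerts`; a single outside address with many hits over several days is what the posts in this thread describe, and a non-empty `not_blocked` list is the case that needs attention rather than a blocked signature match.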
Jaggers 3 Posted May 29, 2023 (Author)
Just now, mcalbert007 said:
> Hey all, I didn't want to make another post for the same thing, but I'm receiving the same attack on a daily basis. It's been happening for around 2 weeks now.
> Category: Intrusion Prevention
> Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
> 29/05/2023 17:53:46,High,An intrusion attempt by 95.214.55.244 was blocked.,Blocked,No Action Required,Attack: Log4j2 RCE CVE-2021-44228 2,No Action Required,No Action Required,"95.214.55.244, 37608",http:///,"DESKTOP-4IOLCPI (MYIP)",95.214.55.244,"TCP, Port 37608"
> Network traffic from http:/// matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME4\USERS\MYNAME\APPDATA\ROAMING\EMBY-SERVER\SYSTEM\EMBYSERVER.EXE.
> I'm not sure what's going on with this but would really like it to stop. After the revelation about the hack thing recently, I checked my files and couldn't find any of the files mentioned in the clean up action. My server never stopped working or loading, so I feel like I'm safe, but I'm still a bit worried that this is continuing. I will take the suggestion made here to change the outward facing port to a different one; hopefully this will end this. Is there anything else that needs or can be done to ensure my PC is safe? Thanks for any help you guys can give.
Try changing the port. That attack stopped popping up right after I changed mine. Glad I’m not the only one.
mcalbert007 2 Posted May 29, 2023
Thanks for the quick reply Jaggers. So in the settings for the server, I have local and public ports; I assume I have to change the public port? (daft question alert) Thanks again.
Ninko 78 Posted May 29, 2023
49 minutes ago, mcalbert007 said:
> Thanks for the quick reply Jaggers. So in the settings for the server, I have local and public ports; I assume I have to change the public port? (daft question alert) Thanks again.
I assume you've forwarded the port in your router? So just forward a different port to your server and keep 8096 the same, no need to change the port in Emby. Hope that makes sense?
mcalbert007 2 Posted May 29, 2023
Thanks for the reply. Sorry, but I'm not very good at this stuff.
On the router port forwarding page there are 2 settings, external port and internal port (I changed external port).
On the Emby software dashboard settings network page there are 2 settings, local http port and public https port (I changed public https port).
Is this correct?
darkassassin07 652 Posted May 29, 2023
33 minutes ago, mcalbert007 said:
> Thanks for the reply. Sorry, but I'm not very good at this stuff.
> On the router port forwarding page there are 2 settings, external port and internal port (I changed external port).
> On the Emby software dashboard settings network page there are 2 settings, local http port and public https port (I changed public https port).
> Is this correct?
The only thing you should change is the external port on the router. The internal port should match Emby's https port. Emby's http port should not be exposed to the Internet and is only used while on LAN.
Ninko 78 Posted May 29, 2023 (edited)
43 minutes ago, mcalbert007 said:
> Thanks for the reply. Sorry, but I'm not very good at this stuff.
> On the router port forwarding page there are 2 settings, external port and internal port (I changed external port).
> On the Emby software dashboard settings network page there are 2 settings, local http port and public https port (I changed public https port).
> Is this correct?
Leave the ports on Emby the same, change the external port on the router and ensure the internal port on the router matches the public https port in Emby (default 8920). For example:
Router settings:
External port: 443 (any port number you like)
Internal port: 8920
Emby settings:
Public https port: 8920
Edited May 29, 2023 by Ninko
darkassassin07 652 Posted May 29, 2023 (edited)
5 minutes ago, Ninko said:
> ensure the internal port on the router matches the local http port in Emby.
NO!! Do not EVER forward Emby's http port through the router. Https (Emby's default is 8920) or nothing. You may as well post your user+pass on the forums otherwise.
Edited May 29, 2023 by darkassassin07
Ninko 78 Posted May 29, 2023
2 minutes ago, darkassassin07 said:
> NO!! Do not EVER forward Emby's http port through the router. Https or nothing. You may as well post your user+pass on the forums otherwise.
Sorry, I've corrected the post. I was thinking about my setup, using a reverse proxy.
mcalbert007 2 Posted May 29, 2023
Thanks for the replies guys, so this is now what I have done...
I have deleted my 8096 from the router port forwarding, have changed the external port to another port and left the internal port as 8920.
In the Emby dashboard network settings I have turned them back to the defaults 8096 & 8920.
I hope this is now correct, and thanks again for the replies and the help.
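The exchange above boils down to three rules: only the router's external port changes, the router's internal port must equal Emby's public HTTPS port (default 8920), and Emby's plain-HTTP port (default 8096) is never forwarded. The following Python check is an added example that encodes exactly that advice; it is not Emby's code and not from any post in this thread. The `ForwardRule` and `EmbyNetwork` shapes, the severity labels and the three scenario lists (the final setup described above, the forwarded-HTTP mistake, and an internal port that matches nothing) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Emby's default ports as stated in the thread (assumption: your install uses them).
EMBY_DEFAULT_HTTP_PORT = 8096   # local HTTP port, meant for the LAN only
EMBY_DEFAULT_HTTPS_PORT = 8920  # public HTTPS port, the one a router may target


@dataclass(frozen=True)
class ForwardRule:
    """One router port-forwarding entry: external (Internet-facing) -> internal."""
    external_port: int
    internal_port: int
    protocol: str = "TCP"


@dataclass(frozen=True)
class EmbyNetwork:
    """The two ports on Emby's dashboard network page."""
    local_http_port: int = EMBY_DEFAULT_HTTP_PORT
    public_https_port: int = EMBY_DEFAULT_HTTPS_PORT


def check_forwarding(rules, emby):
    """Return (severity, message) findings for a set of router rules.

    critical: a rule forwards to Emby's plain-HTTP port (credentials in clear)
    warning:  a rule's internal port matches neither Emby port (broken or stray)
    info:     hygiene notes, e.g. an Emby default used as the external port
    """
    findings = []
    for r in rules:
        if r.internal_port == emby.local_http_port:
            findings.append(("critical",
                f"rule {r.external_port}->{r.internal_port} forwards to Emby's "
                f"HTTP port; remove it and forward to {emby.public_https_port} instead"))
        elif r.internal_port != emby.public_https_port:
            findings.append(("warning",
                f"rule {r.external_port}->{r.internal_port} does not target "
                f"Emby's HTTPS port {emby.public_https_port}"))
        if r.external_port in (EMBY_DEFAULT_HTTP_PORT, EMBY_DEFAULT_HTTPS_PORT):
            findings.append(("info",
                f"external port {r.external_port} is an Emby default; a "
                f"non-default external port draws fewer scanner hits"))
    if not any(r.internal_port == emby.public_https_port for r in rules):
        findings.append(("info", "no rule forwards to Emby's HTTPS port; "
                                 "remote access is not configured"))
    return findings


def is_safe(findings):
    """True when nothing critical or warning-level was found."""
    return not any(sev in ("critical", "warning") for sev, _ in findings)


# Constructed scenarios: the setup the thread ends with, and the two mistakes discussed.
FINAL_SETUP = [ForwardRule(external_port=443, internal_port=8920)]
HTTP_EXPOSED = [ForwardRule(external_port=8096, internal_port=8096)]
MISMATCH = [ForwardRule(external_port=443, internal_port=8921)]
DEFAULT_EMBY = EmbyNetwork()

if __name__ == "__main__":
    for name, rules in (("final", FINAL_SETUP), ("http", HTTP_EXPOSED), ("mismatch", MISMATCH)):
        result = check_forwarding(rules, DEFAULT_EMBY)
        print(f"{name}: {'OK' if is_safe(result) else 'FIX'}")
        for sev, msg in result:
            print(f"  [{sev}] {msg}")
```

Enter your own router entries as `ForwardRule` values and your Emby dashboard ports as an `EmbyNetwork`; the setup mcalbert007 ends with (external port changed, internal 8920, Emby left at 8096/8920) produces no findings, while any rule whose internal port is 8096 is reported as critical.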