AP123 13 Posted June 11, 2023

Hey everyone,

Hoping to get some insight here. I was able to fix my Emby system running on my RPi after the recent security issues. My Emby is all up to date, all passwords changed and running smoothly. However, this morning I noticed a movie was playing from my main login account, my admin account. I wasn't playing the movie. I killed it and it started up again in a browser. So I killed all remote connections and rebooted my password. Not sure how, but is it possible someone got my password again and was using my admin account? I'm fairly new to all of this so any help would be great.
Carlo 4561 Posted June 11, 2023

If you look at your log file it should have the IP address of the machine/device playing the media. Most likely it was an abandoned playback from something you did earlier. But certainly, check to see what IP address the playback came from.

Carlo
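Carlo's suggestion (find the IP of the playing device in the log and judge whether it is local) is the kind of check that is easy to script once you have the log. The following is an added example, not Emby's code or anything posted in this thread: it parses playback events from a log, classifies the source address as LAN or remote using the RFC 1918 / loopback ranges, and groups repeated admin-account starts from the same remote address (the "I killed it and it started again" pattern). The log line format and the sample lines are constructed stand-ins, not Emby's real log format; adapt LINE_RE to the lines your server actually writes before relying on it.

```python
"""Flag admin-account playback from outside the LAN (added example, not Emby code).

The log format matched by LINE_RE is an assumed, constructed format; the sample
lines below are constructed too and use the documentation range 203.0.113.0/24
for the "remote" address.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log, NOT captured from a real Emby server.
SAMPLE_LOG = """\
2023-06-11 09:02:11 Info SessionManager: Playback start user=kids ip=192.168.1.23 item=Cartoon
2023-06-11 10:30:04 Info SessionManager: Playback start user=admin ip=203.0.113.17 item=Movie
2023-06-11 10:31:50 Info SessionManager: Playback stop user=admin ip=203.0.113.17 item=Movie
2023-06-11 10:32:02 Info SessionManager: Playback start user=admin ip=203.0.113.17 item=Movie
2023-06-11 21:15:00 Info SessionManager: Playback start user=admin ip=10.0.0.5 item=Series
"""

# Assumed key=value layout; replace with a pattern for the real log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?Playback (?P<action>start|stop) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) item=(?P<item>.*)$"
)

# Addresses that count as "inside the house": private ranges plus loopback.
LAN_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "fc00::/7", "::1/128")
]


@dataclass(frozen=True)
class PlaybackEvent:
    ts: str
    action: str  # "start" or "stop"
    user: str
    ip: str
    item: str


def parse_events(text: str) -> list[PlaybackEvent]:
    """Extract playback start/stop events; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(PlaybackEvent(m["ts"], m["action"], m["user"], m["ip"], m["item"]))
    return events


def is_remote(ip: str, trusted=LAN_NETS) -> bool:
    """True when the address is outside every trusted network (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in trusted)


def flag_remote_admin_playback(events, admin_users=("admin",)) -> dict:
    """Summarise admin-account playback starts that came from remote addresses.

    Returns {(user, ip): {"first_seen": ts, "starts": n, "items": {...}}} so a
    repeated restart from one outside address stands out as a single entry.
    """
    summary: dict[tuple[str, str], dict] = {}
    for e in events:
        if e.action != "start" or e.user not in admin_users or not is_remote(e.ip):
            continue
        entry = summary.setdefault((e.user, e.ip), {"first_seen": e.ts, "starts": 0, "items": set()})
        entry["starts"] += 1
        entry["items"].add(e.item)
    return summary


if __name__ == "__main__":
    for (user, ip), info in flag_remote_admin_playback(parse_events(SAMPLE_LOG)).items():
        print(f"{user} from {ip}: {info['starts']} start(s) since {info['first_seen']}, "
              f"items={sorted(info['items'])}")
```

Run it against the real log by reading the file into `parse_events` instead of `SAMPLE_LOG`; an admin session that appears here with a public source address is exactly the case the thread is about, while admin starts from a 192.168.x.x or 10.x.x.x device are left alone.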
AP123 13 (Author) Posted June 12, 2023

2 hours ago, Carlo said:
If you look at your log file it should have the IP address of the machine/device playing the media. Most likely it was an abandoned playback from something you did earlier. But certainly, check to see what IP address the playback came from. Carlo

Appreciate the input but I can confirm 100% it wasn’t something abandoned by me. The file started playing at 10:30am today and I was nowhere near a PC or laptop at all today. So it 100% was external access of my admin account.
AP123 13 (Author) Posted June 12, 2023

Found the IP. 174.44.99.17 was running my admin account. If anyone on the Emby team can respond that would be great.
Carlo 4561 Posted June 12, 2023

That IP is on Optimum Online (Cablevision Systems) in the Hopewell Junction, NY area a little north of you.

Make sure to change your password to something unique. Make sure you require a password even on the local network. Consider setting up a different UserID for admin use while changing your current account to be a normal user. You could then setup your admin account to only work from specific clients such as Emby Theater for Desktop.
AP123 13 (Author) Posted June 12, 2023

5 hours ago, Carlo said:
That IP is on Optimum Online (Cablevision Systems) in the Hopewell Junction, NY area a little north of you. Make sure to change your password to something unique. Make sure you require a password even on the local network. Consider setting up a different UserID for admin use while changing your current account to be a normal user. You could then setup your admin account to only work from specific clients such as Emby Theater for Desktop.

Thanks but none of this explains how my info was compromised after fixing the last security issue. I appreciate the response but clearly there is a larger issue here.
ebr 16177 Posted June 12, 2023

8 hours ago, AP123 said:
Thanks but none of this explains how my info was compromised after fixing the last security issue. I appreciate the response but clearly there is a larger issue here

Did you change all your Emby passwords after May 25?
AP123 13 (Author) Posted June 12, 2023 (edited)

9 minutes ago, ebr said:
Did you change all your emby passwords after May 25?

Yes, all the protocols were followed. I wouldn’t have made a post if it were something that simple sir.

Edited June 12, 2023 by AP123
AP123 13 (Author) Posted June 13, 2023

The lack of responsiveness here is disappointing. I’m flagging something that could potentially be an issue just after Emby suffering a massive security breach and the only response I get is someone asking me if I remembered to change my password. This is ridiculous.
Mibok 158 Posted June 13, 2023

Could be possible that your server is the one compromised... I would nuke the server install. Reinstall the OS and configure everything from zero, or at least from a backup.
Guest Posted June 13, 2023

If your Emby Server instance was compromised via the security incident described in the banner at the top of every page then that was a platform by which the entire operating environment could have been compromised. Someone with administrative access to Emby Server could install a malicious plugin which, if the Emby Server instance is running in a user security context with other privileges in the operating system, could be used to install more malicious software such as a trojan, key logger, whatever the attacker so pleased. They could conceivably chain it with operating system vulnerabilities in order to achieve privilege escalation.

If I had been victim of the attack described in the security bulletin I would at a minimum be reinstalling the operating system, not even restoring from backup, since the vulnerability existed for years. I would probably also be carefully examining for evidence of compromise any systems to which the affected system is connected. Even if you have performed the remediation steps described in the bulletin you may still be under attack via payloads delivered through the Emby Server vulnerability.
rbjtech 5284 Posted June 13, 2023 (edited)

4 hours ago, andrewds said:
If your Emby Server instance was compromised via the security incident described in the banner at the top of every page then that was a platform by which the entire operating environment could have been compromised. Someone with administrative access to Emby Server could install a malicious plugin which, if the Emby Server instance is running in a user security context with other privileges in the operating system, could be used to install more malicious software such as a trojan, key logger, whatever the attacker so pleased. They could conceivably chain it with operating system vulnerabilities in order to achieve privilege escalation. If I had been victim of the attack described in the security bulletin I would at a minimum be reinstalling the operating system, not even restoring from backup, since the vulnerability existed for years. I would probably also be carefully examining for evidence of compromise any systems to which the affected system is connected. Even if you have performed the remediation steps described in the bulletin you may still be under attack via payloads delivered through the Emby Server vulnerability.

To expand on this - you also need to look at how any potential unwanted connection is getting to your server in the first place. To get an outside connection to your server, your server (or any other device) needs the following -

1. A way to forward its request attempt from your Public IP address to the end device. This is what the 'Port Forward' settings do on your router - there is a very outdated protocol called UPnP which does this for you and it takes instructions from devices within your LAN to open up public facing ports. Of course, the concept was great but is ultimately flawed, as it has no security nor control on what can request such ports to be opened. Emby will attempt to make use of this (if available) and open the ports for remote use.

BUT of course, any other compromised service can also do the same. This has been a security issue for many many years, and most modern routers will have this 'service' disabled - meaning any local attempt to open ports will not succeed. So, ensure UPnP is turned OFF on your router - and while you are there, also change the Router password. If it was already off - and you have MANUALLY set the port forward then that is good and you have closed down one less area for concern. I would also change the Router password as a matter of course. Also CHECK what other ports are being forwarded - if there are any there that you are not aware of - then take a note of them and disable/remove them. The fewer ports that are 'OPEN' - the less attack surface you have - if only 8096 is open, then only 8096 can be used.

2. A device needs to be LISTENING to accept an incoming connection request. The Emby web server is listening on 8096 and 8920 by default - so only those ports will get a response. You can check what ports Windows is listening on by running the command (as admin)

netstat -ano | find "LISTENING"

This may take a while to run as it probes all the ports. You should see the Emby ports there - as well as other default Windows ports such as file sharing (TCP 135/445). If there is anything there which rings alarm bells - then investigate.

3. Firewalls

These need to be open to either the ports or the listening application.

Edited June 13, 2023 by rbjtech
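Point 2 above (something must be LISTENING, and only the expected ports should be) is a check you can automate. The server in this thread is a Raspberry Pi, so the added example below works from `ss -ltnp` output on Linux rather than the Windows netstat command: it parses the listeners, ignores sockets bound only to loopback (not reachable from the network), and compares the rest against an allowlist of port-to-process pairs, flagging both unknown ports and a known port owned by the wrong process. This is example code written for this page, not rbjtech's or Emby's; the `ss` output is a constructed sample and the EXPECTED allowlist is an assumption you would replace with what actually belongs on your host.

```python
"""Audit listening TCP sockets against an allowlist (added example, not Emby code).

Parses `ss -ltnp` output (Linux). SAMPLE_SS is constructed, not captured from a
real host; EXPECTED is an assumed allowlist for illustration.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed `ss -ltnp` sample. The nc listener on 4444 is the planted anomaly.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      512    *:8096              *:*               users:(("EmbyServer",pid=902,fd=41))
LISTEN 0      512    *:8920              *:*               users:(("EmbyServer",pid=902,fd=42))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=700,fd=5))
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=3120,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=611,fd=4))
"""

# Assumed allowlist: port -> process name that is allowed to own it.
EXPECTED = {22: "sshd", 8096: "EmbyServer", 8920: "EmbyServer"}

# Pulls the process name out of users:(("name",pid=...,fd=...)).
PROC_RE = re.compile(r'\("([^"]+)"')


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self) -> bool:
        """Bound to 127.x or ::1 only, so not reachable from the LAN or Internet."""
        return self.addr in ("[::1]", "::1") or self.addr.startswith("127.")


def parse_ss(text: str) -> list[Listener]:
    """Turn `ss -ltnp` lines into Listener records; header and non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles *:8096 and [::]:22
        m = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def audit(listeners, expected=EXPECTED) -> list[str]:
    """Report network-reachable listeners that are unexpected or owned by the wrong process."""
    findings = []
    for lst in listeners:
        if lst.loopback_only:
            continue
        want = expected.get(lst.port)
        if want is None:
            findings.append(f"unexpected listener {lst.process} on {lst.addr}:{lst.port}")
        elif want != lst.process:
            findings.append(f"port {lst.port} owned by {lst.process}, expected {want}")
    return findings


if __name__ == "__main__":
    try:  # use the live socket table when ss is available, else the constructed sample
        out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE_SS
    for finding in audit(parse_ss(out)) or ["no unexpected network-reachable listeners"]:
        print(finding)
```

The "wrong owner" case is worth keeping: after a compromise, a port you expect to see can still be open while something other than the Emby process is answering on it, and a port-only check would pass.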
ebr 16177 Posted June 13, 2023

Hi. I'm afraid there is just no way for us to know exactly what happened (or when it happened) on your particular machine but I haven't seen any real evidence of something new. Also, the behavior you describe (someone watching a movie) doesn't sound at all like what was going on with the recent incident. They were not interested in actual media consumption, it doesn't appear.

Can you be 100% certain this wasn't one of your family or friends who may have somehow accidentally connected through that account (like via Emby Connect)?

On 6/11/2023 at 11:49 PM, Carlo said:
That IP is on Optimum Online (Cablevision Systems) in the Hopewell Junction, NY area a little north of you

Does anyone with access to your server live in that area?
AP123 13 (Author) Posted June 13, 2023

2 minutes ago, ebr said:
Hi. I'm afraid there is just no way for us to know exactly what happened (or when it happened) on your particular machine but I haven't seen any real evidence of something new. Also, the behavior you describe (someone watching a movie) doesn't sound at all like what was going on with the recent incident. They were not interested in actual media consumption it doesn't appear. Can you be 100% certain this wasn't one of your family or friends who may have somehow accidentally connected through that account (like via Emby Connect)? Does anyone with access to your server live in that area?

No. I also read the previous responses about security. If all those responses are accurate, I feel like they should have been stated with all the previous security update steps. Most people were under the impression that following the steps given would have resolved the issue. It seems that perhaps more needed to be done beyond what we were advised. Some people didn’t do a full wipe and full reinstall as we were told it wouldn’t be entirely necessary.
AP123 13 (Author) Posted June 13, 2023 (edited)

17 minutes ago, ebr said:
Hi. I'm afraid there is just no way for us to know exactly what happened (or when it happened) on your particular machine but I haven't seen any real evidence of something new. Also, the behavior you describe (someone watching a movie) doesn't sound at all like what was going on with the recent incident. They were not interested in actual media consumption it doesn't appear. Can you be 100% certain this wasn't one of your family or friends who may have somehow accidentally connected through that account (like via Emby Connect)? Does anyone with access to your server live in that area?

To clarify, I meant no, it wasn’t any family or friends. And if it was, they would be logged in to their own profiles, not my admin account.

Edited June 13, 2023 by AP123
ebr 16177 Posted June 13, 2023

3 minutes ago, AP123 said:
And if it was, they would be logged in to their own profiles, not my admin account

I understand that would be normal but it is also possible to potentially unwittingly connect to your account. Like, using a device that you logged into previously or some weird quirk with Connect setup where maybe the wrong email was put into that field briefly, etc. Just trying to spit-ball possibilities because someone just watching a movie on your server is completely outside the scope of behavior that would most likely be a bad actor.
AP123 13 (Author) Posted June 13, 2023

33 minutes ago, ebr said:
I understand that would be normal but it is also possible to potentially unwittingly connect to your account. Like, using a device that you logged into previously or some weird quirk with Connect setup where maybe the wrong email was put into that field briefly, etc. Just trying to spit-ball possibilities because someone just watching a movie on your server is completely outside the scope of behavior that would most likely be a bad actor.

I understand the thought process but none of that is/was possible. I have never logged in on any devices other than my own. I assure you I would have ruled all that out prior to posting. I try to not be an alarmist in these situations which is why I’m confounded as to what is going on.
darkassassin07 652 Posted June 13, 2023

6 minutes ago, AP123 said:
I assure you I would have ruled all that out prior to posting.

Unfortunately, many if not most people don't. The Emby team can't just assume you've already covered all the bases and has to walk through all the possibilities from least to most consequential. There could always be steps or possibilities/explanations you haven't thought of.
Neminem 1518 Posted June 13, 2023

Did you ever give an old device to a friend/family member that was not factory reset? If that's the case, have a look at that.
AP123 13 (Author) Posted June 13, 2023

6 minutes ago, jaycedk said:
Did you ever give an old device to a friend / family member, that was not factory reset. If that's the case have a look at that.

I did not. I appreciate the thought process but again I posted here because short of some security issue it is impossible for this to have happened.
rbjtech 5284 Posted June 13, 2023

4 minutes ago, AP123 said:
I did not. I appreciate the thought process but again I posted here because short of some security issue it is impossible for this to have happened.

So to be 100% clear - the password was set after all the actions to re-secure your server had been completed. The password you set was unique to Emby, a decent length/complexity from a password manager/generator - so the probability of anybody knowing that new password, or it appearing on a previous password breach database list, you believe to be 'impossible'. Is that correct?
AP123 13 (Author) Posted June 13, 2023

1 minute ago, rbjtech said:
So to be 100% clear - the password was set after the all the actions to re-secure your server had been completed. The password you set was unique to Emby, a decent length/complexity from a password manager/generator - so the probability of anybody knowing that new password, or it appearing on a previous password breach database list you believe to be 'impossible'. Is that correct ?

Yes. It was not made by a generator but it is a nonsense word, alphanumeric with special characters, and used only for Emby and nowhere else in any of my accounts. But everything else is accurate. It was made after all of the security updates were put in place. I have since changed my password again since this happened Sunday. Once I noticed the video playing I killed all remote connections and changed my admin pw.
rbjtech 5284 Posted June 13, 2023

Worth checking the password at Have I Been Pwned: Pwned Passwords.
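The Pwned Passwords check rbjtech points to uses a k-anonymity range query, so the password itself never leaves your machine: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, and receives every known suffix in that range with a breach count, which it matches locally. The block below is an added example written for this page (not rbjtech's, Emby's or HIBP's own code) that implements the exchange with the network fetch separated from the matching logic, so the matching can be exercised against a constructed range response offline. The `FAKE_RANGE` body and its counts are constructed; the well-known value `password` is used only because its SHA-1 is a fixed, checkable constant.

```python
"""k-anonymity Pwned Passwords check (added example, not HIBP, Emby or forum code).

Only the first 5 hex chars of SHA-1(password) go over the wire; the rest of the
digest is compared against the returned range locally.
"""
from __future__ import annotations

import getpass
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

# Constructed range body in the service's "SUFFIX:COUNT" line format. The first
# line is the real SHA-1 suffix of "password"; the counts and other suffixes are
# made up for this example. Padded responses can include entries with count 0.
FAKE_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:0
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char query prefix and the 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch all suffixes for a 5-char prefix. Add-Padding asks the service to pad
    the response so response size does not leak which range was requested."""
    req = urllib.request.Request(
        API + prefix,
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_body: str) -> int:
    """Return the breach count for our suffix within a range response, 0 if absent.
    Padding entries carry count 0, so a padded hit is correctly reported as clean."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus; 0 means not found.
    `fetch` is injectable so the matching logic can be tested without network."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    pw = getpass.getpass("Password to check (never sent, only a 5-char hash prefix is): ")
    hits = check_password(pw)
    print(f"seen {hits} time(s) in breach corpora" if hits else "not found in the corpus")
```

The point of the design is in `check_password`: the only string that reaches the service is `prefix`, and a match is determined by comparing the remaining 35 hex characters on your side. A hit like the one AP123 got means the exact password (not just a similar one) was already present in a leaked list before it was ever typed into Emby.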
AP123 13 (Author) Posted June 13, 2023

4 minutes ago, rbjtech said:
Worth checking the password at Have I Been Pwned: Pwned Passwords ..

Somehow pwned. Absolutely wild. Also doesn’t explain how they had my external access IP address. This all sucks.
AP123 13 (Author) Posted June 13, 2023

12 minutes ago, rbjtech said:
Worth checking the password at Have I Been Pwned: Pwned Passwords ..

Doesn’t explain how they got my external access IP or my username, but I guess this is one step figured out.