rbjtech 5284 Posted June 13, 2023

> 2 minutes ago, AP123 said:
> Somehow pwned. Absolutely wild. Also doesn’t explain how they had my external access ip address. This all sucks.

So they had your previous 'emby' ip address and username from the vulnerability (now closed) - and may have just re-used that.

A piece of info missing from the suggestions, is to change the account names as well. Using 'Admin', etc is always a bad idea - change that to be something as random as the password itself. That way, they need to guess both the username and the password, not just the password.

The bit I don't get is why would a bad actor openly use this information to watch one of your movies - that just doesn't make sense at all ...

AP123 13 Posted June 13, 2023 Author

> 13 minutes ago, rbjtech said:
> So they had your previous 'emby' ip address and username from the vulnerability (now closed) - and may have just re-used that.
>
> A piece of info missing from the suggestions, is to change the account names as well. Using 'Admin', etc is always a bad idea - change that to be something as random as the password itself. That way, they need to guess both the username and the password, not just the password.
>
> The bit I don't get is why would a bad actor openly use this information to watch one of your movies - that just doesn't make sense at all ...

Yeah my admin account isn’t “admin” it’s something else. I can’t figure out why either. Just very odd.

Guest Posted June 13, 2023

Have you verified that there is not some other malware still persisting in your environment? Do you use a wireless keyboard whereby passwords could be intercepted? Do you have a home video surveillance system and does that system have a camera pointed towards the keyboard? Do you have an especially loud keyboard and are you professionally an agent of an organization that would make you a target of audio surveillance and keystroke analysis?

pwhodges 2012 Posted June 13, 2023 (edited)

Have you now blocked all access from that IP in your router? If it's a bad actor, that should stop it (you may have to do two or three if they try moving around). If it's a forgotten friend/family device, you'll get a complaint soon enough, I guess.

Paul

Edited June 13, 2023 by pwhodges

AP123 13 Posted June 13, 2023 Author

> 33 minutes ago, pwhodges said:
> Have you now blocked all access from that IP in your router? If it's a bad actor, that should stop it (you may have to do two or three if they try moving around). If it's a forgotten friend/family device, you'll get a complaint soon enough, I guess.
>
> Paul

I haven’t but I will. Googling how to do that. Thanks. Also not sure what a “bad actor” is lol. Seen the phrase a few times now.

AP123 13 Posted June 13, 2023 Author

> 43 minutes ago, pwhodges said:
> Have you now blocked all access from that IP in your router? If it's a bad actor, that should stop it (you may have to do two or three if they try moving around). If it's a forgotten friend/family device, you'll get a complaint soon enough, I guess.
>
> Paul

Apparently my router, Netgear R7000 doesn’t allow blocking by IP address according to their forums

darkassassin07 652 Posted June 13, 2023

> 16 minutes ago, AP123 said:
> Also not sure what a “bad actor” is lol. Seen the phrase a few times now.

In this context; It's just a term for someone accessing (or at least trying to access) systems they shouldn't be. Usually with malicious intentions.

Hacker, Attacker, Bad Actor, Intruder; all the same thing really. Someone without authorization trying to get in anyway.

darkassassin07 652 Posted June 13, 2023

> 14 minutes ago, AP123 said:
> Apparently my router, Netgear R7000 doesn’t allow blocking by IP address according to their forums

You could use iptables (or Windows firewall) to block those IPs directly on the device your port forwarding points at. Better than nothing, if you can't do it at the router.

AP123 13 Posted June 13, 2023 Author

> 8 minutes ago, darkassassin07 said:
> In this context; It's just a term for someone accessing (or at least trying to access) systems they shouldn't be. Usually with malicious intentions.
>
> Hacker, Attacker, Bad Actor, Intruder; all the same thing really. Someone without authorization trying to get in anyway.

That’s what I assume but appreciate the clarity

AP123 13 Posted June 13, 2023 Author

> 6 minutes ago, darkassassin07 said:
> You could use iptables (or Windows firewall) to block those IPs directly on the device your port forwarding points at. Better than nothing, if you can't do it at the router.

I’ll try this from my main pc. Thanks.

pwhodges 2012 Posted June 13, 2023

> 1 hour ago, AP123 said:
> I haven’t but I will. Googling how to do that. Thanks. Also not sure what a “bad actor” is lol. Seen the phrase a few times now.

In this context, not someone who is poor on stage but someone who takes malicious actions.

Paul

Mibok 158 Posted June 14, 2023

Also... do you have an SSL certificate installed on your server? If you are using plain HTTP, it's possible that your info was leaked by a packet sniffer (software that inspects the data traffic on your network).

RanmaCanada 495 Posted June 14, 2023

I'd just nuke the OS and reinstall, and then create new passwords as it's pretty obvious you have something on your system at this point.

Carlo 4561 Posted June 14, 2023

We don't know what really took place. I haven't heard anyone mention looking at logs from your local machine and router firewalls. You could search for the first three sets of numbers which would find the class C network this person came from. That could show some kind of pattern.
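
Carlo's log search and darkassassin07's host-firewall suggestion above, combined as an added example that is not part of any post in the thread: it groups the public IPv4 addresses found in a log by their first three octets and prints, without running them, one iptables DROP rule per address in a chosen group. The log lines are constructed, their format is an assumption rather than real Emby output, and the addresses come from documentation ranges.

```shell
#!/bin/sh
# Added example: find which /24 networks appear in a server log and
# prepare host-firewall rules for review. Nothing here changes the firewall.

# Constructed sample log (format assumed; addresses are documentation ranges).
sample_log() {
cat <<'EOF'
2023-06-13 09:14:02 Info request GET /web/index.html from 203.0.113.57
2023-06-13 09:14:09 Info request POST /login from 203.0.113.57
2023-06-13 09:20:41 Info request GET /items from 203.0.113.112
2023-06-13 09:31:17 Info request GET /items from 192.168.1.20
2023-06-13 10:02:55 Info request GET /info from 198.51.100.8
EOF
}

# Read a log on stdin; print each public IPv4 address found, one per line.
# Private, loopback and link-local ranges are skipped (your own LAN devices).
public_ips() {
  grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' |
  awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255 &&
           $1!=10 && $1!=127 && !($1==192 && $2==168) &&
           !($1==172 && $2>=16 && $2<=31) && !($1==169 && $2==254)'
}

# Summarise per /24: "<hits> <a.b.c>.0/24 <distinct addresses>", busiest first.
by_slash24() {
  public_ips | awk -F. '
    { net = $1 "." $2 "." $3; hits[net]++
      if (!seen[$0]++) hosts[net]++ }
    END { for (n in hits) printf "%d %s.0/24 %d\n", hits[n], n, hosts[n] }' |
  LC_ALL=C sort -k1,1nr -k2,2
}

# Print one DROP rule per distinct address seen inside the given /24.
# $1 = first three octets, e.g. 203.0.113
drop_rules() {
  prefix=$1
  public_ips | LC_ALL=C sort -u | awk -v p="$prefix." 'index($0, p) == 1 {
    printf "iptables -I INPUT -s %s -j DROP\n", $0 }'
}

# Demo on the constructed sample; for a real log: by_slash24 < /path/to/log
sample_log | by_slash24
sample_log | drop_rules 203.0.113
```

Run the printed rules as root only after confirming the addresses are not your own or a friend's or family member's device. If the server runs in Docker, traffic to published ports does not pass through the INPUT chain and the rules belong in the DOCKER-USER chain instead.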