guynamedbilly 18 Posted November 12, 2023 I saw a log on my Emby server today that said I had played a tv episode for nearly two minutes this afternoon. This didn't happen. No one was actually watching anything. This was just a user, not an admin account. The IP address the user logged in from was from my local ISP, so I think it's an error of some sort rather than some malicious activity, but I changed that user's password also just in case. Is it possible this activity report was completely an error? I didn't see any failed logins. I don't see any major security concerns on the server otherwise. Malwarebytes has been blocking a lot of outside connections to the Emby server.
Luke 42081 Posted November 13, 2023 Quote: "Is it possible this activity report was completely an error?" Hi, unlikely, but maybe the log message needs to be reworded to make the activity more clear. Can you please provide an example? Thanks.
guynamedbilly 18 Posted November 13, 2023 (Author) Sure: embyserver.txt. Specifically, the strange activity is on 11-11-2023 around 1500 hours. It reports that the user played a Mario episode for nearly 2 minutes.
Luke 42081 Posted November 13, 2023 So it appears they paused something and walked away from it, and just left it in that state indefinitely instead of hitting the stop button. Emby apps will continue to report playback when this happens, so that's why you're seeing this behavior. This will be changing in the near future though.
guynamedbilly 18 Posted November 13, 2023 (Author) Well, the thing is I know that user wasn't using Emby at the time because that's the profile I use, and also the server dashboard reported it was Firefox that was accessing it, while all of my devices I use that profile on use an Emby app. I never use that profile on Firefox. I think and hope it was a reporting error somehow, otherwise the action may be nefarious. I was just remembering the activity that was happening around the same time last year.
Luke 42081 Posted November 13, 2023 There was definitely a video request at 2023-11-11 15:12:32.755 coming from Firefox.
guynamedbilly 18 Posted November 13, 2023 (Author) I don't know what to think about it. I looked in the history on Firefox on all my devices and there was no entry for the server on that day. The event logs for the server show nothing significant at that time. I looked in the logs for the firewall and there were a few attempted Remote File Inclusion and Cross-site Scripting attacks at that time from that IP address. I wonder if someone at the ISP was attempting something weird. Anyways, I've changed all the user passwords for that server now and will just continue to monitor. Thanks for looking at it.
rbjtech 5284 Posted November 13, 2023 btw @Luke The remote host in these logs is not being sanitised properly FYI ...

Log Level / Time Stamp / Source / Message:
Info 2023-11-11 15:02:58 Info Server http/1.1 POST http://emby_remote_ip/emby/Users/authenticatebyname?X-Emby-Client=Emby%20Web&X-Emby-Device-Name=Firefox&X-Emby-Device-Id=70f46c2a-8978-4a49-aa79-7ef459c724df&X-Emby-Client-Version=4.7.14.0&X-Emby-Language=en-us. Accept=*/*, Connection=keep-alive, Host=8.9.3.5, User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.5, Cache-Control=no-cache, no-store, Referer=http://68.119.123.205/web/index.html

IP above has been changed but it's clearly in the above log (Host=a.b.c.d) ...
Luke 42081 Posted November 14, 2023

7 hours ago, rbjtech said: btw @Luke The remote host in these logs is not being sanitised properly FYI ... Log Level / Time Stamp / Source / Message: Info 2023-11-11 15:02:58 Info Server http/1.1 POST http://emby_remote_ip/emby/Users/authenticatebyname?X-Emby-Client=Emby%20Web&X-Emby-Device-Name=Firefox&X-Emby-Device-Id=70f46c2a-8978-4a49-aa79-7ef459c724df&X-Emby-Client-Version=4.7.14.0&X-Emby-Language=en-us. Accept=*/*, Connection=keep-alive, Host=8.9.3.5, User-Agent=Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.5, Cache-Control=no-cache, no-store, Referer=http://68.119.123.205/web/index.html IP above has been changed but it's clearly in the above log (Host=a.b.c.d) ...

Yea, that's in the Host header. The 4.8 server sanitizes this.
Luke 42081 Posted November 14, 2023

16 hours ago, guynamedbilly said: I don't know what to think about it. I looked in the history on Firefox on all my devices and there was no entry for the server on that day. The event logs for the server show nothing significant at that time. I looked in the logs for the firewall and there were a few attempted Remote File Inclusion and Cross-site Scripting attacks at that time from that IP address. I wonder if someone at the ISP was attempting something weird. Anyways, I've changed all the user passwords for that server now and will just continue to monitor. Thanks for looking at it.

Please let us know what you find. Thanks.
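The thread turns on two things a server owner can check in the request log: which X-Emby-Client and device name a login or video request carried (the poster's devices are all Emby apps, yet the request came from "Emby Web" on Firefox), and the fact that the Host header is logged verbatim. The following is an added example, not code from Emby or from anyone in this thread: a small parser for request lines laid out like the excerpt above, plus a review pass that flags logins and video requests from clients not on an expected-app allowlist. The sample log lines, the addresses, device ids, the exact line layout and the KNOWN_CLIENTS set are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the request lines quoted in this thread; addresses (TEST-NET),
# device ids and user agents are made up, and the "ts Info Server: ..." layout is an assumption.
SAMPLE_LOG = """\
2023-11-11 15:02:58 Info Server: http/1.1 POST http://emby_remote_ip/emby/Users/authenticatebyname?X-Emby-Client=Emby%20Web&X-Emby-Device-Name=Firefox&X-Emby-Device-Id=00000000-0000-4000-8000-000000000001&X-Emby-Client-Version=4.7.14.0. Accept=*/*, Connection=keep-alive, Host=203.0.113.5, User-Agent=Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0, Accept-Encoding=gzip, deflate, Referer=http://203.0.113.5/web/index.html
2023-11-11 15:12:32 Info Server: http/1.1 GET http://emby_remote_ip/emby/Videos/1234/stream?X-Emby-Client=Emby%20Web&X-Emby-Device-Name=Firefox&X-Emby-Device-Id=00000000-0000-4000-8000-000000000001. Host=203.0.113.5, User-Agent=Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0
2023-11-11 18:40:05 Info Server: http/1.1 POST http://emby_remote_ip/emby/Users/authenticatebyname?X-Emby-Client=Emby%20for%20Android&X-Emby-Device-Name=Pixel&X-Emby-Device-Id=00000000-0000-4000-8000-000000000002. Host=192.168.1.20, User-Agent=okhttp/4.9.3
"""

# The URL is terminated by ". " before the header list, so the lazy \S+? stops at that dot.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Info Server: http/[\d.]+ "
    r"(?P<method>[A-Z]+) (?P<url>\S+?)\.?(?: (?P<headers>.*))?$"
)

def split_headers(raw):
    """Split 'Name=value, Name=value'. Values like 'gzip, deflate' contain ', ' themselves,
    so only split on a comma that is followed by another Name= token."""
    parts = re.split(r", (?=[A-Za-z][A-Za-z0-9-]*=)", raw) if raw else []
    return dict(p.split("=", 1) for p in parts if "=" in p)

def parse_line(line):
    """Return the fields an owner would review, or None for lines that are not request logs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    headers = split_headers(m["headers"] or "")
    return {
        "ts": m["ts"], "method": m["method"], "path": url.path,
        "client": query.get("X-Emby-Client"), "device": query.get("X-Emby-Device-Name"),
        # Host is whatever address the client connected to and is logged as-is on 4.7:
        # an untrusted string, not evidence of where the request came from.
        "host": headers.get("Host"), "user_agent": headers.get("User-Agent"),
    }

# Assumption: the apps this household actually uses; anything else deserves a second look.
KNOWN_CLIENTS = {"Emby for Android", "Emby for Android TV"}

def review(log_text, known_clients=KNOWN_CLIENTS):
    """Flag logins and video requests whose X-Emby-Client is not an expected app."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] in known_clients:
            continue
        path = rec["path"].lower()
        if path.endswith("/users/authenticatebyname"):
            findings.append((rec["ts"], "login", rec["client"], rec["device"], rec["host"]))
        elif "/videos/" in path:
            findings.append((rec["ts"], "video", rec["client"], rec["device"], rec["host"]))
    return findings
```

Run against the constructed sample, `review(SAMPLE_LOG)` returns the Firefox login and the Firefox video request and ignores the Android app login; the same pass over a real embyserver.txt is a quick way to confirm whether a reported session came from a client you actually own.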