
Major help needed .0xxx ransomware



Posted

This is the second time the .0xxx ransomware has attacked me in a year.

 

It ate all my pictures and movies. It's only related to the Emby server. This morning, three plugins installed out of the blue, then bam, was infected. Not sure if that had anything to do with it or not, but can anyone help me save my pictures and movies? I've already repaired my music.

!0XXX_DECRYPTION_README.TXT

Anyone else having the same issues? Or how to prevent it?

Happy2Play
Posted
8 minutes ago, wonderwond said:

this morning, three plugins installed out of the blue then bam was infected

Devs will want to see the server logs for this.

Posted

where do I find those??

Posted

Also, what three plugins?

Posted
6 hours ago, Luke said:

Also, what three plugins?

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

Posted
12 minutes ago, wonderwond said:

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

OK as requested before, we'd have to see the server log. The xmltv plugin is included with the server, so anytime we publish updates for it, you'll get that update. So this was not a new plugin installation, it was an update of an existing one.

Posted
6 minutes ago, Luke said:

OK as requested before, we'd have to see the server log. The xmltv plugin is included with the server, so anytime we publish updates for it, you'll get that update. So this was not a new plugin installation, it was an update of an existing one.

logs.zip

Posted
8 minutes ago, wonderwond said:

logs.zip

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

logs.zip

This is a whole folder full of log files, so obviously a lot of information to sift through. So first some questions:

  • What makes you think this is Emby server related?
  • Do you think an unknown actor accessed your server? If so, do you have any idea when?
  • Have you noticed any unrecognized IP addresses in the server activity viewer? If so, what, when, etc.?
  • Do all of your users have passwords?
Posted
15 minutes ago, wonderwond said:

logs.zip

Addic7ed 1.1.1.0

XmlTV 1.1.6.0

SubDb 1.0.7

logs.zip

And by the way, these are not newly installed plugins. They are present in every single log that you provided.

I do see where you uninstalled Addic7ed, but they were not just installed during the time of these logs.

Posted
On 2/25/2024 at 5:08 PM, softworkz said:

@wonderwond This malware is very unlikely connected to Emby in any way.

You can:

 

Maybe not, but all I do know is that it only affected folders on Emby; no other folder or drive was infected by it, just Emby media folders that were used.

Posted
14 minutes ago, wonderwond said:

Maybe not, but all I do know is that it only affected folders on Emby; no other folder or drive was infected by it, just Emby media folders that were used.

Emby does not set the permissions on your media folders, that's something that you do.
