Help: Access by strangers


mrmorrison
Posted (edited)

Greetings to everyone.
For a couple of days I have been having strange accesses (or access attempts) with actually existing users but with IPs coming from Singapore or Taiwan.
What's happening? Should I worry? Do I have to do something?

Edit: sorry for the image size

[two screenshots of the Emby server's login activity: the first showing failed login attempts, the second showing successful logins for the user "toretto" from various devices]

Edited by mrmorrison
Posted

Hi, were these successful logins or just attempts?

mrmorrison
Posted

On the first screen there are failed attempts. In the second screen (user: "toretto") they are all successful logins and all with different devices. I proceeded to disable the "toretto" user for remote access. But why is this happening?

Neminem
Posted (edited)

Did you at some point have these unticked, under your user settings?

If these are unticked, half your security is wide open for password guessing.

[screenshot of the Emby user settings options referred to above]

Edited by Neminem
Adding
rbjtech
Posted

Unless the passwords used were unique to Emby, previous security breaches of other systems mean the passwords are available for all to use (pwned).

I would ensure you change the passwords to something unique, at least 12 characters, and as above, ensure you lock down the Emby system as much as it allows.

mrmorrison
Posted

I think I understood: the user "toretto" (I don't remember why) was the only user without a password. Then they were able to log in. When I deactivated that user, they tried all the others but these all have a password so the logins were not successful.
My question now is this: how did they get to my server?

Neminem
Posted

It might be a bot scanning IP addresses for known ports.

And found your Emby server wide open, and had fun.

darkassassin07
Posted

Anyone can scan public IP addresses for open ports and find servers running there.

One way to help mitigate this is by using a reverse proxy in front of Emby that only recognizes a specific domain name and rejects all other connections.

You can also set up tools like fail2ban that will monitor for IP addresses repeatedly failing login attempts, then block those IPs automatically.

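A fail2ban-style check of the kind darkassassin07 describes, as an added example that is not code from this thread or from Emby. It reads authentication log lines in a constructed, assumed format (Emby's real log format differs, so the regex is the part to adapt), flags addresses that fail logins repeatedly inside a time window (fail2ban's maxretry/findtime idea), and separately flags accounts that log in successfully from many distinct addresses in a short period, which is what the passwordless "toretto" account looked like in the screenshots. The sample log and its RFC 5737 documentation addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example (NOT Emby's real format; adapt the regex):
# "<ISO timestamp> AUTH <OK|FAIL> user=<name> ip=<address> device=<client>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"ip=(?P<ip>\S+) device=(?P<device>\S+)$"
)

# Constructed sample log. Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-04-10T09:00:01 AUTH FAIL user=mario ip=203.0.113.7 device=Chrome
2025-04-10T09:00:09 AUTH FAIL user=luigi ip=203.0.113.7 device=Chrome
2025-04-10T09:00:17 AUTH FAIL user=peach ip=203.0.113.7 device=Chrome
2025-04-10T09:00:25 AUTH FAIL user=bowser ip=203.0.113.7 device=Chrome
2025-04-10T09:00:33 AUTH FAIL user=admin ip=203.0.113.7 device=Chrome
2025-04-10T09:05:00 AUTH FAIL user=mario ip=198.51.100.5 device=Firefox
2025-04-10T09:30:00 AUTH FAIL user=mario ip=198.51.100.5 device=Firefox
2025-04-10T09:31:00 AUTH OK user=mario ip=192.0.2.10 device=AndroidTV
2025-04-10T10:00:00 AUTH OK user=toretto ip=203.0.113.7 device=Chrome
2025-04-10T10:12:00 AUTH OK user=toretto ip=203.0.113.8 device=Safari
2025-04-10T10:25:00 AUTH OK user=toretto ip=198.51.100.9 device=Edge
2025-04-10T10:40:00 AUTH OK user=toretto ip=198.51.100.22 device=Firefox
2025-04-10T11:00:00 AUTH OK user=mario ip=192.0.2.10 device=AndroidTV
this line is not an auth record and is skipped
"""


def parse_line(line):
    """Return a dict for a matching auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def parse_log(text):
    """Parse all recognisable lines and order them by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def bruteforce_sources(events, max_failures=5, window=timedelta(minutes=10)):
    """Addresses with >= max_failures FAIL events inside one sliding window.
    This is the same rule a fail2ban jail applies with maxretry and findtime."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.add(e["ip"])
    return flagged


def widely_shared_accounts(events, max_distinct_ips=3, window=timedelta(hours=1)):
    """Users with successful logins from more than max_distinct_ips distinct
    addresses inside one window: the pattern a passwordless account shows once
    a scanner has found it."""
    recent = defaultdict(deque)  # user -> (timestamp, ip) of recent successes
    flagged = set()
    for e in events:
        if e["result"] != "OK":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["ip"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if len({ip for _, ip in q}) > max_distinct_ips:
            flagged.add(e["user"])
    return flagged


def analyse(text):
    """Run both detections over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "bruteforce_ips": bruteforce_sources(events),
        "shared_accounts": widely_shared_accounts(events),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(hits)}")
```

On the sample, the single address that cycles through five usernames within a minute is reported, the address with two failures half an hour apart is not, and "toretto" is reported because four different addresses used the account inside an hour while the local "mario" logins stay quiet. The thresholds are arguments so they can be tuned to a household's real usage before anything is blocked.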
Sliced_Bread
Posted
3 hours ago, Neminem said:

Did you at some point have these unticked, under your user settings?

If these are unticked, half your security is wide open for password guessing.

[screenshot of the Emby user settings options referred to above]

Bingo!

I never use passwords for any of my users, but I set them all as hidden and have all ports on my router closed, using NordVPN Meshnet for people to connect to my Emby server. Having open ports without a reverse proxy is not a great idea, and using NordVPN Meshnet is free for up to 10 connections to your Emby server. Someone needs to add an Emby server on a VPS with all users unhidden as a honeypot, and just hide and password the admin account, and add gay porn with new movie release covers to hide it until they try and watch a movie.

It's nothing to worry about. As long as you have your admin account password protected and never give your other accounts admin privilege, you're perfectly fine; they get to watch free movies until you catch them, is all.

Luke
Posted
2 hours ago, Neminem said:

It might be a bot scanning IP addresses for known ports.

And found your Emby server wide open, and had fun.

Yes, this is the likely answer. Here are three things that can help:

  • Use different router port numbers than the defaults
  • Have passwords for your users and hide them from login screens on devices that they haven't logged into before
  • Set up SSL on your server.
mrmorrison
Posted

Thanks everyone for the valuable information.

Sliced_Bread
Posted

Although, if they actually were looking to hack your Emby server for your Premiere key, changing the password of your admin account to whatever you wanted could not stop a hacker from getting it.

Sliced_Bread
Posted

Emby does have a flaw in security that can, and does in fact, allow smart hackers to take advantage. When you first install Emby Server you will get the "this is a new install" notice with the "wizard" startup page up top. That wizard link, pasted after any Emby server IP, will do a reset of Emby, forcing it to start over and giving you full login to admin, showing the Premiere key on the HOST IP network. What is able to be done is run a vulnerability scan on the IP hosting that Emby server, scan everything on that network, and on any device you get access to, run a browser and paste the wizard link after the internal IP hosting Emby to gain access to the Premiere key. I don't hack anymore, but just saying! You can change some things if you wanted, cheers!

Sliced_Bread
Posted

I don't blame Emby for this; after all, THIS IS A HOME media server, right? Meaning home. Close your ports on your routers and this can't happen! Good luck kids...

Sliced_Bread
Posted

There is another Xploit for Emby that only a handful of people know about; I can't post it. After you fix this Xploit I will PM LUKE the next one to fix 🙂

Sliced_Bread
Posted

ADD me to the Emby team, I will ziplock this shit up tighter than a ziplock bag 🤪

darkassassin07
Posted (edited)
1 hour ago, Sliced_Bread said:

Emby does have a flaw in security that can, and does in fact, allow smart hackers to take advantage. When you first install Emby Server you will get the "this is a new install" notice with the "wizard" startup page up top. That wizard link, pasted after any Emby server IP, will do a reset of Emby, forcing it to start over and giving you full login to admin, showing the Premiere key on the HOST IP network.

Spun up a test server to check this out.

Once the server setup wizard has been completed, you can re-visit the endpoint:

/web/index.html?start=wizard#!/wizard/wizardstart.html

to restart the setup wizard and wipe out the existing admin account.

This, however, can ONLY be done while you are already logged in as an administrator. If the browser is logged in as a regular user or is not logged in at all, Emby correctly responds with HTTP 403 (Forbidden), the page fails to load and will not let you progress into the actual setup wizard.

Conclusion: this is not a security flaw/concern at all.

Edited by darkassassin07
Sliced_Bread
Posted

Make a video of it and post it on Rumble? Show us all.

darkassassin07
Posted

... Why?

Anyone can test it themselves.

Log out of your Emby server and visit

[server ip]/web/index.html?start=wizard#!/wizard/wizardstart.html

The page doesn't load and the response is in the logs.

Sliced_Bread
Posted

I'm trying to help, just so you know.

Sliced_Bread
Posted (edited)

Oh, they fixed it after I PM'd the guy trying to sell his TV thing 😆

Some TV guide thing, selling an EPG 😁

Edited by Sliced_Bread
darkassassin07
Posted (edited)

That's fine. You brought up what you believed to be a security concern; I've tested it and explained why it's not an issue, as well as how you can verify that yourself.

What's next? You seemed to have another one.

Edited by darkassassin07
Sliced_Bread
Posted

Yes, I have another one I will bring to light. The one I just mentioned has been patched, which is good. I used to chat with some freaky dude who sold an EPG or something, I can't remember, but I told him to report it and he obviously did. Let's keep this Emby server secured!

Gilgamesh_48
Posted
3 hours ago, Luke said:

Yes, this is the likely answer. Here are three things that can help:

  • Use different router port numbers than the defaults
  • Have passwords for your users and hide them from login screens on devices that they haven't logged into before
  • Set up SSL on your server.

Or use the solution I do and allow no external access at all. I do understand that people like to "share" with friends and family, BUT any time you allow external access you set yourself up for hackers and other nefarious people to have fun at your expense.

I know it is a minority view, but I think all streaming should be local. Besides, in my case, there are very, very, very few people I like well enough to want to allow access to MY server, and they all have their own servers.
