AndreiP 33 Posted August 22, 2025 (edited) Hi, Please help! A very strange situation has occurred on my server: I just noticed in the activities section that ALL my users logged in to the server from the Edge browser simultaneously. There are also some failed logins in the admin account. I'm attaching screenshots. I'm very worried because I understand that this is impossible, so it seems as if some automated software has managed to hack all the passwords at once... I checked the connection IP address that appears: it's the same and from the Netherlands (?). My users are not located in this country. I attach the log files, please check. My server isn't a remote one: it's located in my apartment. Should I change the passwords for all my users? embyserver.txt Edited August 22, 2025 by AndreiP
Q-Droid 989 Posted August 22, 2025 Shut it down, disable the remote access (port forwarding) on your router, scan your server and other computers for malware and then you can begin to work on figuring out how this might have happened.
AndreiP 33 Posted August 22, 2025 (Author) Hi, Q-Droid. Thank you for your reply. The only computer I use is the Windows PC with the Emby server installed. My users connect to the server remotely. I will do a virus scan on my PC. Thank you.
Luke 42077 Posted August 22, 2025 Do the users mentioned in the log have passwords? Are they configured to be shown on login screens? Quote: "if some automated software" The best ways to protect against this are to have passwords, hide your users from login screens, use a different router port other than the defaults, and set up SSL.
Neminem 1518 Posted August 22, 2025 Also, for good measure, check your router and disable UPnP. If that plugin is enabled in Emby, uninstall it. Change your admin user to a new admin account without remote access enabled. The new admin account should not indicate that it's an admin account. Also enable all the below, since that would be shown to anyone coming across the Emby login page.
AndreiP 33 Posted August 22, 2025 (Author) Hi Luke, All my users use Emby Connect. And I have this configuration for show/hide on login screens.
Neminem 1518 Posted August 22, 2025 But if you have messed up your network setup and set the whole internet to be local, then you are in trouble.
AndreiP 33 Posted August 22, 2025 (Author) Neminem, should I enable all that as in the screenshot in your post, for all my users and for the admin account also?
Neminem 1518 Posted August 22, 2025 I would if you do not need it. How is your network setup?
AndreiP 33 Posted August 22, 2025 (Author, edited) 5 minutes ago, Neminem said: "I would if you do not need it. How is your network setup?" My Emby server is on my Windows PC. It's connected to my home modem/router. I just installed my Emby server on the PC and it works. I didn't do any other configuration. My users connect to it remotely with Emby Connect. Edited August 22, 2025 by AndreiP
Q-Droid 989 Posted August 22, 2025 2 minutes ago, AndreiP said: "Neminem, should I enable all that as in the screenshot in your post, for all my users and for the admin account also?" Focus on stopping the intrusion and isolating the network and systems before you spend time making changes to setup options. Make a note of what those settings are now for future reference but first and foremost make sure your environment is not actively compromised. I don't know how inbound Emby Connect sessions are logged and the server log you uploaded has entries that might have originated from python scripting. That would explain the speed but not the successful authentication.
AndreiP 33 Posted August 22, 2025 (Author) Thank you, Q-Droid. I hope this helps: all my users log in with Emby Connect and all have separate passwords. They don't use the Edge browser to connect to the server and are not physically located in the Netherlands. I'm assuming what happened was an external connection to my Emby server. I need help understanding how this could have happened and what I should do to prevent it. Please check the logs, those who know how to find a solution.
Neminem 1518 Posted August 22, 2025 Have you ever posted pictures of your external IP address anywhere? If not then it might be a script kiddie scanning the internet for port 8096 who found yours open. But what puzzles me is that the password is correct for your users with Emby Connect; are there any indications of unauthorized attempts? Might not be from today. I would reach out to those users and have them change passwords to something stronger. Your users might have been pwned by reusing passwords, but still, that's a lot of right guesses.
Q-Droid 989 Posted August 22, 2025 (edited) If everything comes back clean after you isolate and scan then go to Emby Server settings -> Users. Change the view to table and enable all fields. If any of your users don't have a password that is a problem. If they always use Emby Connect you can consider changing all of their local passwords to long random strings. You can also disable their ability to change password on your server which shouldn't matter because they use Connect. If they do have local passwords then figuring out how they authenticated is still a priority. Edited August 22, 2025 by Q-Droid
AndreiP 33 Posted August 22, 2025 (Author, edited) 13 minutes ago, Neminem said: "Have you ever posted pictures of your external IP address anywhere?" No, that's for sure. Quote: "Emby Server settings -> Users. Change the view to table and enable all fields" Q-Droid, my users use Emby Connect. But I see no password in the user column except for the admin account. Is that normal? I thought using Emby Connect automatically meant the user had a password. Quote: "You can also disable their ability to change password on your server which shouldn't matter because they use Connect." Yes, it was always like that. Edited August 22, 2025 by AndreiP
Neminem 1518 Posted August 22, 2025 1 minute ago, AndreiP said: "Q-Droid, my users use Emby Connect. But I see no password in the user column except for the admin account. Is that normal? I thought using Emby Connect automatically meant the user had a password." Ok, so if some script kiddie found your IP and usernames from login screens, then there is no password. Because they did not use Emby Connect.
AndreiP 33 Posted August 22, 2025 (Author, edited) Thank you, Neminem. If I understand well, should I change it as you posted for all my users? Edited August 22, 2025 by AndreiP
Q-Droid 989 Posted August 22, 2025 (edited) Aha! Yes, somehow they figured out your user names and logged in without a password. So at least you have one action item to correct this but we don't know yet how they got the names. You can use these commands from Windows PowerShell to quickly generate random strings for passwords. You can choose with or without symbols and change the length of "30" to anything you want. The "-" is part of the join command, not a bullet.

-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 30 | % {[char]$_})

-join ((33..126) | Get-Random -Count 30 | % {[char]$_})

Edited August 22, 2025 by Q-Droid
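The one-liners above pick characters with Get-Random -Count, which draws without replacement, so no character can repeat within a password and the candidate space shrinks with every pick. The following is an added example (not from the thread, not Emby's own code) that draws with replacement from a cryptographic RNG with rejection sampling to avoid modulo bias; the function name and the sample user list are assumptions for illustration.

```powershell
# Added example: generate a password of the requested length from the same
# alphabets as the thread's one-liners, drawing with replacement from
# System.Security.Cryptography.RandomNumberGenerator (a CSPRNG).
function New-RandomPassword {
    param(
        [int]$Length = 30,
        [switch]$IncludeSymbols
    )
    # Digits + upper + lower (62 chars), or all printable ASCII 33..126 (94 chars)
    $alphabet = [char[]]((48..57) + (65..90) + (97..122))
    if ($IncludeSymbols) { $alphabet = [char[]](33..126) }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    # Reject bytes >= limit so that (byte % alphabet length) is uniform
    $limit = 256 - (256 % $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

# Constructed sample user list: one distinct password per Emby user, so that
# a leak of one user's local password does not expose the others.
foreach ($u in @('user1', 'user2')) {
    '{0}: {1}' -f $u, (New-RandomPassword -Length 30 -IncludeSymbols)
}
```

Paste each generated value into the user's local password in Emby Server settings -> Users and store it in a password manager; the user keeps signing in through Emby Connect as before.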
Neminem 1518 Posted August 22, 2025 But if you use Windows then use something like this: Password Generator - LastPass. Use it in incognito mode with a VPN connection.
Q-Droid 989 Posted August 22, 2025 1 minute ago, Neminem said: "But if you use Windows then use something like this: Password Generator - LastPass. Use it in incognito mode with a VPN connection." PowerShell = Windows.
AndreiP 33 Posted August 22, 2025 (Author) Thank you very much for your posts! 1. So, the first thing to do is to put this in my users' profile settings (as Neminem wrote it). 2. The second thing is to set a password for all users, even if they use Emby Connect. Please confirm.
Q-Droid 989 Posted August 22, 2025 1 minute ago, Neminem said: "you are so right @Q-Droid missed that" NP. I edited for clarity.
Q-Droid 989 Posted August 22, 2025 2 minutes ago, AndreiP said: "Thank you very much for your posts! 1. So, the first thing to do is to put this in my users' profile settings (as Neminem wrote it). 2. The second thing is to set a password for all users, even if they use Emby Connect. Please confirm." Yes, that is correct. Were they set to show names on local and remote networks? If so then you might have all the answers you needed and fixing this should get you on track to securing your server.
Neminem 1518 Posted August 22, 2025 (edited) 7 minutes ago, AndreiP said: "The second thing is to set a password for all users, even if they use Emby Connect." That's your main concern: give them all a proper password, just so they are not wide open. 7 minutes ago, AndreiP said: "So, the first thing to do is to put this in my users' profile settings (as Neminem wrote it)" That's second. But really good to have, to avoid something like this. Edit: Do it all ASAP. While you are in your user profiles, just remember to push Save at the bottom before changing tabs to passwords. Edited August 22, 2025 by Neminem