
Potential Bot Attack or Hack using the Home Videos and photos library option



Posted

First of all, I know I brought this on myself through bad security practices. I made some assumptions that were incorrect. However, there may be some larger issues at play as well.

Here's what happened. I gave a trusted person permission to manage the server in their account so that they could help me with Metadata updates. I had associated their account with their emby connect, and set it so that their username would not appear on remote devices, so I thought it was fine. However, what I didn't remember was that I never made them an individual password before associating their emby account. Somehow, someone was able to access the list of users and then login to their account manually, since I hadn't set up an individual password for that specific username. Clearly my fault there, but here's what happened after that. They gave themselves permission to add libraries, and then added a "Home Videos and Photos" library. They were then able to see my whole device to select what folders to pull from, and started downloading whatever pictures and videos they could find. I discovered what happened by viewing the activity log, but only after they'd downloaded a fair number of personal pictures and videos. 

So here are my questions. Why were they able to find even the users that I had set to hidden? Also, I looked at more logs, and earlier in the day they had used the same exploit to log in, but the IP Address listed was the address associated with that user. Were they able to access a list of IP addresses that my server was already familiar with? I don't know how they got that info in order to spoof it. 

Further question, is there likely to be a person actually viewing the videos they stole? Or is this an automated bot just downloading whatever it can?

Is this exploit of the Home Videos library option a known issue? 

One more piece of info, the device that was listed as downloading the most content was listed as a python script. Is that a common thing?

Posted

Hello ThegnSkar,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as explained in this thread:


Thank you.

Emby Team

visproduction
Posted

Thegn,

First it is odd that you discovered a new home video and photos library. What motivation would give an interloper reason to create something new? Perhaps the person was just testing admin rights. Are you sure it was not the person you gave rights to, trying to help you out?

As far as downloading personal photos and home videos, unless you have unusual compromising videos and are very wealthy, I doubt anyone was trying to grab your personal images and videos, other than perhaps just downloading everything to maybe get some collection of regular recordings of cable content. I can't imagine what anyone could do or even be interested in with all my family images and videos.

As far as finding where this person came from, your router may have logs for the last 10 days or so, of which IP address connected to your server. That could well be a VPN IP address which gets you nowhere. At most you may find that someone in Bali or Singapore accessed your server and you don't normally have anyone you know at that location. You could look up the host, but they won't give out info on users even if the one IP belonged to the end user, so all you would know is someone in that area logged in.

You are correct, assign strong passwords and tell your users not to share it with anyone, from now on.

Posted

Hi, I don't think this relates specifically to home videos.

Quote

So here are my questions. Why were they able to find even the users that I had set to hidden?

You gave that other user admin rights, correct? So once they got in as that user, they can do anything at that point.

Posted

The motivation was that it gave them the ability to access files that I hadn't given emby access to previously. As to it being the person in question, I spoke with them directly and confirmed it was not them. 

I still would like to know why the usernames and ip addresses of my users were available to the attacker. I am 100% certain that someone spoofed one of my user's IP addresses, which begs the question as to how they knew what address to impersonate.

 

Posted
44 minutes ago, ThegnSkar said:

The motivation was that it gave them the ability to access files that I hadn't given emby access to previously. As to it being the person in question, I spoke with them directly and confirmed it was not them. 

I still would like to know why the usernames and ip addresses of my users were available to the attacker. I am 100% certain that someone spoofed one of my user's IP addresses, which begs the question as to how they knew what address to impersonate.

 

Again once they get in as an admin, they can see all of this information. Also, how exactly did you hide the users from login screens? What options did you configure?

Posted

I should clarify. They spoofed one of my users' IP addresses BEFORE stumbling upon the account that I had given admin rights to. Here's how I know that. In the devices section, a login was registered to an IP address matching one of my users within one minute of approximately 15 failed login attempts to other accounts that were better secured. Later, when I asked the user whose IP address it was about it, they showed that they hadn't used the device in a month, and when they logged in themselves on it, the exact same IP address registered another login on the same device. The first login occurred with the 15ish failed logins approximately 10 hours prior to successfully accessing the account with admin rights and going on their download spree. 

And that's another thing. I gave admin rights to someone for the very first time ever less than 24 hours before getting hit by this attack. Is there some way that the attacker would be alerted that I now had an alternate admin? Never had this issue with malicious logins until I issued admin rights then BOOM within 24 hours somebody was fishing around for a loophole. 

Posted

OK please send me the server log from when all of this happened over PM and I'll take a look. Thanks.

Posted

The exact text of the option I had selected was "Hide this user from login screens when connected remotely"

Posted

I'm currently at work, but I will attempt to send those soon. If not, after I get back from work. Thank you for your consideration in advance.

Posted

Your incident sounds a lot like this one. Maybe an evolution of the same attack.

 

 

Posted

Hmmm yes I see the similarities. Do you know of any cases like this where files were downloaded? Or any further details about the final disposition of attacks like this? I'm really just upset at the thought that someone is grabbing pictures of my family and I. I'd like to think that it's just a bot somewhere looking for passwords or something and not an actual creepy person.

4 hours ago, Q-Droid said:

Your incident sounds a lot like this one. Maybe an evolution of the same attack.

 

 

 

Posted

It's safer to assume that the bad actors are trying to get everything they possibly can from your system. 

Hopefully you've severed the connection by now so that your server and network are inaccessible until you can inspect and secure everything.

If they had admin access also make sure they didn't install plugins that could cause more problems.

 

Posted (edited)
10 hours ago, Q-Droid said:

Your incident sounds a lot like this one. Maybe an evolution of the same attack.

 

 

Just to update: after I did all that I mentioned in that post, it seems that's OK right now.

In my case the person wasn't able to do anything because she wasn't able to access the admin account, which was protected by a password. Maybe, if she had accessed the admin account, she could have added, deleted, etc. media libraries.

Edited by AndreiP
Posted
5 hours ago, ThegnSkar said:

Hmmm yes I see the similarities. Do you know of any cases like this where files were downloaded? Or any further details about the final disposition of attacks like this? I'm really just upset at the thought that someone is grabbing pictures of my family and I. I'd like to think that it's just a bot somewhere looking for passwords or something and not an actual creepy person.

 

Btw, is there a way to check what files were downloaded from Emby? And, generally, just to check if something was downloaded by a user?

Posted

Yes I saw what they downloaded. Personal and family photos were the extent of what they got before getting locked out. I'm rather creeped out by someone stealing photos of my family like that, but they didn't get anything else.

Posted (edited)
On 9/18/2025 at 8:05 PM, ThegnSkar said:

Yes I saw what they downloaded. Personal and family photos were the extent of what they got before getting locked out. I'm rather creeped out by someone stealing photos of my family like that, but they didn't get anything else.

How did you see it? ...in logs? 

Edited by AndreiP
Posted
13 hours ago, AndreiP said:

How did you see it? ...in logs? 

Yup. It notified me in the activity log what files they were downloading. 

Posted

I advise disabling the option to download: either way it's a load on the server. I disable it even for the admin account.

Posted (edited)
11 hours ago, AndreiP said:

I advise disabling the option to download: either way it's a load on the server. I disable it even for the admin account.

Maybe this also ties in with this FR: 

I noticed I also made some new users, based off of the wrong users, but I didn't know exactly which ones, so I had to scan all my users and their settings to ensure "download" was disabled, "subtitle download" was disabled, "manage server" was disabled and so forth.

Being able to "bulk update/edit" would be nice in cases like this where settings might differ between users.

Edited by brothom
Posted

How can you even tell if a user has a password set or not? I created a test user with no password to see (as I wanted to check all my users to make sure they had one), but I don't see a way to even tell if one is set. All of them just have a field for 'New Password'. Not even sure why you can create a user without a password.

Posted
6 minutes ago, muzicman0 said:

How can you even tell if a user has a password set or not? I created a test user with no password to see (as I wanted to check all my users to make sure they had one), but I don't see a way to even tell if one is set. All of them just have a field for 'New Password'. Not even sure why you can create a user without a password.

Q-Droid wrote it before: 

...go to Emby Server settings -> Users. Change the view to table and enable all fields. If any of your users don't have a password that is a problem. 

 

Posted
2 minutes ago, AndreiP said:

Q-Droid wrote it before: 

...go to Emby Server settings -> Users. Change the view to table and enable all fields. If any of your users don't have a password that is a problem. 

 

Thanks. At least now I can confirm that they have a password. Now if we could just get 2FA.
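The manual check above (Users view as a table with all fields enabled) plus the earlier advice in this thread to disable downloads and keep "Manage Server" rights off ordinary accounts can be turned into a scripted audit. This is an added example, not Emby's own tooling or anything posted in the thread: it assumes the user list has the shape of Emby's /Users API response with the fields HasPassword, Policy.IsAdministrator, Policy.IsHiddenRemotely and Policy.EnableContentDownloading (those field names are an assumption), and it runs here on a constructed sample rather than a live server.

```python
import json

# Constructed sample in the assumed shape of Emby's /Users response.
# The field names (HasPassword, Policy.*) are an assumption, not from the thread.
SAMPLE_USERS = json.dumps([
    {"Name": "owner", "HasPassword": True,
     "Policy": {"IsAdministrator": True, "IsHiddenRemotely": False,
                "EnableContentDownloading": False}},
    {"Name": "helper", "HasPassword": False,
     "Policy": {"IsAdministrator": True, "IsHiddenRemotely": True,
                "EnableContentDownloading": True}},
    {"Name": "family", "HasPassword": True,
     "Policy": {"IsAdministrator": False, "IsHiddenRemotely": False,
                "EnableContentDownloading": True}},
])


def audit_users(users_json):
    """Return {username: [findings]} for accounts that weaken the server.

    The checks mirror the thread: a passwordless account is the root problem,
    a passwordless account with Manage Server rights is the worst case, hiding
    a user from remote login screens is not a substitute for a password, and
    content downloads are a setting worth turning off per user.
    """
    findings = {}
    for user in json.loads(users_json):
        policy = user.get("Policy", {})
        has_password = bool(user.get("HasPassword"))
        issues = []
        if not has_password:
            issues.append("no password set")
            if policy.get("IsAdministrator"):
                issues.append("passwordless account has Manage Server rights")
            if policy.get("IsHiddenRemotely"):
                issues.append("hidden from remote login screens, which does not replace a password")
        if policy.get("EnableContentDownloading"):
            issues.append("content download enabled")
        if issues:
            findings[user["Name"]] = issues
    return findings


def worst_first(findings):
    """Order usernames so the accounts with the most findings come first."""
    return sorted(findings, key=lambda name: -len(findings[name]))


if __name__ == "__main__":
    report = audit_users(SAMPLE_USERS)
    for name in worst_first(report):
        print(name + ":")
        for issue in report[name]:
            print("  - " + issue)
```

Against a real server you would replace SAMPLE_USERS with the JSON returned for the admin's user list and run the same audit after any change to user rights.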
