edvinmorales@hotmail.com 5 Posted Tuesday at 08:42 PM

Hello guys, I think my server was hacked and they accessed every user on my Emby server and they downloaded my personal pictures from the server. I am a little concerned about this issue because it was family pictures and things of that nature. Wondering if there is a way to deal with this type of situation, or a way to delete the content from where the pictures got downloaded. I have the IP address, which seems to be invalid, or maybe it was a VPN.

Firefox Windows 88.177.86.82

Luke 42140 Posted 21 hours ago

Hi, do all of the users on your server have strong passwords?

edvinmorales@hotmail.com 5 (Author) Posted 11 hours ago

I'm sure they have an OK password, but how could they navigate every user, then create a new user, update policies and then delete that username they created? Now I have blocked access to my personal photos, but they have already been downloaded.

Neminem 1580 Posted 10 hours ago

Are you and your users using Emby Connect? Did you disable remote access to your admin account? Do you show users on the login screen? Does any of this look similar to your case?

speechles 2059 Posted 9 hours ago (edited)

Have you ever posted "Emby server logs" on this forum and those disclosed your private API key? If they happen across your API key in any of those server logs, those could be used to allow unscrupulous people to try to gain access to your server and start messing with things. Always make sure to submit logs that you download through the server admin interface so they will get information removed, such as API keys, IP addresses, etc.

I suspect you may have needed help very early on and some a$$hole found your logs with the API key in it and decided he wanted to be a d!ck. Apologies. You need to read the post that I have linked above. It will explain how this happens and how to prevent it.

Edited 9 hours ago by speechles

Neminem 1580 Posted 9 hours ago

We need to know what happened; right now we are all guessing! We need more info about your setup and how you have configured Emby. There are so many ways this can happen, and so many options an admin can forget or not know what they do, that can lead to this.

edvinmorales@hotmail.com 5 (Author) Posted 1 hour ago

7 hours ago, speechles said:
> Have you ever posted "Emby server logs" on this forum and those disclosed your private API key? If they happen across your API key in any of those server logs, those could be used to allow unscrupulous people to try to gain access to your server and start messing with things. Always make sure to submit logs that you download through the server admin interface so they will get information removed, such as API keys, IP addresses, etc. I suspect you may have needed help very early on and some a$$hole found your logs with the API key in it and decided he wanted to be a d!ck. Apologies. You need to read the post that I have linked above. It will explain how this happens and how to prevent it.

Before, I have posted Emby server logs here. Maybe somebody is stealing the logs and doing all this nonsense, because only somebody that knows how to use Emby would do what my hacker did in 10 minutes: move through all users, create a new user and download only family pictures, instead of, like, movies.

edvinmorales@hotmail.com 5 (Author) Posted 1 hour ago

7 hours ago, Neminem said:
> We need to know what happened; right now we are all guessing! We need more info about your setup and how you have configured Emby. There are so many ways this can happen, and so many options an admin can forget or not know what they do, that can lead to this.

So far I discovered that I had an open tunnel or DMZ host open with my internet router, just because I was configuring my port forwarding. But other than that, I also think the 3rd party apps on Emby have access to our API keys, logs etc., but I'm 100% sure it was an EMBY member; it should be investigated on the MODERATORS' END. Please. Other than that, my password was recently changed, my IP was recently changed and I just moved to a new house, so the router is also less than a month new. That makes me think API keys are the root cause, or somebody entered my DMZ tunnel host.

edvinmorales@hotmail.com 5 (Author) Posted 1 hour ago

8 hours ago, speechles said:
> Have you ever posted "Emby server logs" on this forum and those disclosed your private API key? If they happen across your API key in any of those server logs, those could be used to allow unscrupulous people to try to gain access to your server and start messing with things. Always make sure to submit logs that you download through the server admin interface so they will get information removed, such as API keys, IP addresses, etc. I suspect you may have needed help very early on and some a$$hole found your logs with the API key in it and decided he wanted to be a d!ck. Apologies. You need to read the post that I have linked above. It will explain how this happens and how to prevent it.

There is no way to find out and maybe remove that person from being able to access Emby ever again? Or maybe don't have people post their logs here, and have them sent privately to the moderators when they ask us for the logs.

speechles 2059 Posted 1 hour ago (edited)

11 minutes ago, edvinmorales@hotmail.com said:
> There is no way to find out and maybe remove that person from being able to access Emby ever again? Or maybe don't have people post their logs here, and have them sent privately to the moderators when they ask us for the logs.

To revoke all the previous API keys for your administrative user you need to change the password of that exact administrative user. API keys are tied to the user that generated them. Doing so should generate a new API key for your Emby administrator once you change the password. That new API key will not match the old one they have stolen.

Remove any API keys in the "Advanced" section under the API Keys tab. Once you remove all the API keys and have changed your Emby administrator password, you should restart your Emby server.

Once it restarts, make sure to only share logs which you have obtained from the Emby server dashboard. If you download them through this interface, all the sensitive information will be automatically redacted and replaced with placeholder text.

Edited 1 hour ago by speechles

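Added example (not part of the thread and not Emby's own code): a pre-share check that finds and replaces API tokens and IP addresses in log text before it is posted publicly, the kind of redaction speechles describes the dashboard download doing. It assumes the credential shows up as an `api_key` query parameter or an `X-Emby-Token` header value; the sample lines are constructed, not real server output.

```python
import re

# Assumption: the credential appears as an `api_key` query parameter or an
# `X-Emby-Token` header value. Add patterns for anything else your logs carry.
SECRET_PATTERNS = {
    "api_key": re.compile(r"(?i)(\bapi_key=)(?!<redacted)([^&\s\"']+)"),
    "token_header": re.compile(
        r"(?i)(\bX-Emby-Token[\"']?\s*[:=]\s*[\"']?)(?!<redacted)([^\s\"',;]+)"),
}
# IPv4 only; dotted version strings may also match, which errs on the safe side.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def find_leaks(text):
    """Return (line_number, kind) for every secret or IP address found."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in SECRET_PATTERNS.items():
            hits += [(no, kind)] * len(pat.findall(line))
        hits += [(no, "ipv4")] * len(IPV4.findall(line))
    return hits


def redact(text):
    """Replace every secret and IP address with a placeholder."""
    for pat in SECRET_PATTERNS.values():
        text = pat.sub(r"\g<1><redacted-token>", text)
    return IPV4.sub("<redacted-ip>", text)


# Constructed sample lines (documentation IP ranges, made-up tokens);
# not real Emby output.
SAMPLE = (
    "10:00:00 Info GET http://203.0.113.7:8096/emby/Users"
    "?api_key=0123456789abcdef0123456789abcdef&format=json from 198.51.100.23\n"
    "10:00:01 Debug header X-Emby-Token: fedcba9876543210fedcba9876543210\n"
    "10:00:02 Info Library scan complete\n"
)

if __name__ == "__main__":
    for no, kind in find_leaks(SAMPLE):
        print(f"line {no}: {kind}")
    clean = redact(SAMPLE)
    assert not find_leaks(clean)  # refuse to share if anything survived
    print(clean)
```

Running `find_leaks` over logs that were already posted shows which credentials need to be revoked as described above.
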