
AndyBak
Posted

Well it seems someone has been up to no good and somehow managed to connect to my server remotely with the admin account and then granted access to two users with existing Emby accounts (NickTheMoon / patty7196). Not happy, not happy at all so:-

 

1) How the hell has this happened? 

  • I've saved all my current logs

 

2) What do I need to prevent this going forward?

  • Currently disabled remote connections
  • Changed admin password
  • Blocked dodgy users from seeing content but not deleted accounts yet in case needed for investigation

 

Very concerning to say the least so any help with figuring out what has happened most appreciated,

 

Thanks

Andy

Posted

I would delete those users rather than restrict their content access. Did you have a strong password setup prior to this?

AndyBak
Posted

Accounts deleted. Regarding the password, I'm pretty certain it was one generated by Safari, but it's been so long since I've had to actually use it (as it's saved in Keychain) that I could be wrong.

PrincessClevage
Posted

> Accounts deleted. Regarding the password, I'm pretty certain it was one generated by Safari, but it's been so long since I've had to actually use it (as it's saved in Keychain) that I could be wrong.

If you give me your IP address and leave Emby open for remote users, I bet I can tell you your password inside a week. Emby needs a lockout time period after xyz failed attempts (usually 3) or brute force is easier to achieve.
AndyBak
Posted

> If you give me your IP address and leave Emby open for remote users, I bet I can tell you your password inside a week. Emby needs a lockout time period after xyz failed attempts (usually 3) or brute force is easier to achieve.

Surely that would be something easy to implement? X failed logins, then automatically email the admin; Y failed logins, then block the requesting IP.

PrincessClevage
Posted

> Surely that would be something easy to implement? X failed logins, then automatically email the admin; Y failed logins, then block the requesting IP.

After 3 failed attempts, setting a time-out period of 10 mins would negate brute force attempts.
Posted

Yes it's simple to add, but it's not necessarily the issue here. If they broke in with brute force you'd be able to see all the failed authentication attempts in the server activity log.

 

One thing we've seen in the past is users had their entire machine compromised first, and therefore their Emby data was as well.

AndyBak
Posted

If my home server has been compromised (running several checks at the moment), it does make me wonder why Emby is being messed about with, that is, inviting the registered users above to access it.  :unsure:

AndyBak
Posted

No sign of the actual server being compromised, have now run various malware/virus scanners all reporting clear, nothing overly suspicious in the event logs and all user accounts and groups as expected.  :(

dcrdev
Posted (edited)

I'm not saying Emby is vulnerable, nor am I saying this breach was the result of a security flaw in Emby (in fact it probably wasn't) - but at the end of the day Emby is a public-facing server component that has the potential to open up your system to intruders; it should be treated as such.

 

This is part of the problem with solutions like this - how easy it is to set up, it makes running a web server accessible to those who would otherwise not know how to set this kind of thing up. If you were a sysadmin and you set up a server without firewalls, threat detection etc... you'd be considered mad. There's absolutely no reason why that logic shouldn't apply to Emby as well - after all it is a public facing server component.

 

On the user side I can't offer much in the way of advice if you're using Windows, but if you're using Linux I would look into the following:

  • iptables
  • fail2ban - which will intelligently detect and lock out brute force attempts based on http status.

Again @Luke I know this probably has nothing to do with Emby at all, but have you considered something like this:

https://www.hackerone.com/product/bounty

 

^The Nextcloud guys use it and it seems quite successful for them.

Edited by dcrdev
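The lockout ideas floated in this thread (a time-out after 3 failed attempts, emailing the admin after X failures and blocking the source IP after Y, and fail2ban-style detection driven by the server's own auth log) as one added, runnable example. This is not Emby's or fail2ban's code: the log-line format, the IP addresses and the thresholds are all constructed for the example.

```python
# Added example, not Emby's code: a fail2ban-style lockout over constructed
# auth-log lines (the line format below is invented here, not Emby's own).
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=\S+ ip=(?P<ip>\S+)$")

class LockoutPolicy:
    # alert_after = the thread's X (email the admin), block_after = Y (block
    # the IP); block_for = the proposed 10-minute time-out after 3 failures.
    def __init__(self, alert_after=2, block_after=3,
                 window=timedelta(minutes=10), block_for=timedelta(minutes=10)):
        self.alert_after, self.block_after = alert_after, block_after
        self.window, self.block_for = window, block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> when its time-out lapses
        self.alerts = []                    # (ip, count) the admin should be told about

    def observe(self, line):
        """Feed one log line; returns 'skip', 'blocked', 'ok' or 'fail'."""
        m = LINE_RE.match(line)
        if not m:
            return "skip"                   # not an authentication event
        ip, now = m["ip"], datetime.fromisoformat(m["ts"])
        if now < self.blocked_until.get(ip, now):
            return "blocked"                # attempt arrived inside the time-out
        if m["result"] == "ok":
            self.failures.pop(ip, None)     # a successful login resets the counter
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        n = len(recent)
        if n == self.alert_after:
            self.alerts.append((ip, n))     # X failures: notify the admin
        if n >= self.block_after:
            self.blocked_until[ip] = now + self.block_for  # Y failures: block IP
            recent.clear()
        return "fail"

SAMPLE_LOG = [  # constructed: 203.0.113.5 guessing 'admin', then a genuine login
    "2023-01-01T10:00:%02d auth fail user=admin ip=203.0.113.5" % s
    for s in (0, 20, 40, 59)
] + ["2023-01-01T10:12:00 auth ok user=andy ip=192.0.2.10"]

def run_policy(lines):
    policy = LockoutPolicy()                # returns (verdict per line, policy state)
    return [policy.observe(line) for line in lines], policy
```

The fourth attempt from the guessing IP is rejected because it lands inside the 10-minute block, and the genuine login from another address is unaffected.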
mastrmind11
Posted

wail2ban is fail2ban for Windows.  https://github.com/glasnt/wail2ban

 

Everyone should be looking into this, regardless of experience or know-how.  Literally anything sitting on the edge of your LAN that's exposed to the outside world of script kiddies is at risk.

CBers
Posted

> wail2ban is fail2ban for Windows. https://github.com/glasnt/wail2ban

Does that still work, as it's been archived by the owner, meaning no further development?

mastrmind11
Posted

> Does that still work, as it's been archived by the owner, meaning no further development?

No clue, not a windows guy, but assuming it worked previously, there's not much that needs to change over time right?   In any case, there are other tools out there that do the same thing, so the point still remains.

Posted

Yes that hackerone looks interesting.

Guest asrequested
Posted

This is why I've chosen to add pfSense in front of my USG. I'm still trying to get the VPN port forwarding to work, but once that's done I'll re-enable IPS on the USG and look at other measures with pfSense.

AndyBak
Posted

Either a very freaky coincidence or the plot thickens, just had an Emby connect invitation from a user (ccjames8) that hasn't been online for over 2 years based on his profile. I don't share my media with anyone and wouldn't be expecting invitations from anyone else.

Guest asrequested
Posted

I've had a few random invites, over the years. I've never accepted.

Posted

I think what happens pretty frequently is people send invites based on a username in their local emby server. They do this without really realizing the difference between the local login system and the Emby Connect login system.

 

So for instance, they have a local user named Luke, they send an invite to Luke, and that ends up going to me because I have the Emby Connect account called Luke.

 

I may just eliminate the choice of email/username and force them to enter an email address.

Guest asrequested
Posted

Using the email for a Connect invite is a good idea.

Jdiesel
Posted

Makes sense. There is nothing stopping someone from scanning the forums for usernames, then sending out requests to those usernames hoping that someone will accept.

Posted

> Makes sense. There is nothing stopping someone from scanning the forums for usernames, then sending out requests to those usernames hoping that someone will accept.

 

That does not create any sort of vulnerability for the person who accepts it...

 

When you get one of these you don't recognize, you can safely just delete it.

Guest asrequested
Posted

I love the smell of anonymous VPN and IPS, in the evening :D

Jdiesel
Posted

> That does not create any sort of vulnerability for the person who accepts it...
>
> When you get one of these you don't recognize, you can safely just delete it.

 

Yeah, you are correct. For some reason I was thinking that someone could request access to a server, but that isn't the case: the server admin needs to initiate the request for a user to join the server.
