millsii (May 31, 2018): I went to stream some music this afternoon on my phone, only to be greeted with the login screen showing 2 unknown users, "Doom" and "Droidman68", that were password protected. Yes, I did not have passwords on my user accounts. As a result, I could not access my server, so via remote desktop I shut down the server until I could look into it further when I got home. I used the forgot-password option, which gave me the PIN to remove all passwords on accounts, allowing me access back into my Emby Server again. At ~11:00am today IP address 173.186.162.227 logged into my server and subsequently created those two user accounts and deleted all of my user accounts. Both of those accounts were Emby Connect accounts. I have now created a new hidden user, with a password this time, and deleted those accounts. This has been a lesson in not password protecting user accounts. However, I am unsure how my Emby Server was located in the first place.
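The post above reconstructs the intrusion from the server log: a login from an outside address, followed by account creation and deletion. The script below is an added example of that triage, not Emby's code and not part of the original post. The log layout it parses (`<timestamp> <level> <event> key=value ...`, with event names such as `AuthenticationSuccess` and `UserCreated`) is an assumption made up for this example; adapt `LINE_RE` to whatever your server actually writes. The sample lines are constructed, with 173.186.162.227 taken from the post and the LAN address and usernames invented.

```python
"""
Added triage example (not Emby's own code): parse an assumed log format, flag
successful logins from outside the LAN, then list every account change made
from those addresses after they first logged in.
"""
import ipaddress
import re
from datetime import datetime

# Constructed sample log (not real server output). 173.186.162.227 is the address
# reported in the post above; the LAN address and usernames are made up.
SAMPLE_LOG = """\
2018-05-31 08:12:03 Info AuthenticationSuccess user=alice ip=192.168.1.23
2018-05-31 10:58:41 Info AuthenticationSuccess user=alice ip=173.186.162.227
2018-05-31 10:59:10 Info UserCreated user=Doom by=alice ip=173.186.162.227
2018-05-31 10:59:32 Info UserCreated user=Droidman68 by=alice ip=173.186.162.227
2018-05-31 11:00:05 Info UserDeleted user=alice by=Doom ip=173.186.162.227
2018-05-31 13:40:00 Info AuthenticationFailure user=bob ip=198.51.100.7
"""

# Assumed line layout: "<timestamp> <level> <event> key=value ...".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$"
)

# What counts as "inside": RFC 1918 space, loopback, link-local and the IPv6
# equivalents. Anything else is treated as reachable from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Events that change the account list; these are the ones worth attributing to a source IP.
ACCOUNT_EVENTS = {"UserCreated", "UserDeleted"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(log_text):
    """Parse every line that matches; unparseable lines are skipped."""
    return [r for r in map(parse_line, log_text.splitlines()) if r is not None]


def is_internal(ip_text):
    """True if the address falls in INTERNAL_NETS; malformed input is treated as external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def external_logins(records):
    """Successful authentications whose source address is not internal."""
    return [r for r in records
            if r["event"] == "AuthenticationSuccess" and not is_internal(r.get("ip", ""))]


def triage(log_text):
    """Return the suspect source IPs and, per IP, the account changes made from it after its first login."""
    records = parse_log(log_text)
    first_seen = {}
    suspects = []
    for r in external_logins(records):
        if r["ip"] not in first_seen:
            first_seen[r["ip"]] = r["ts"]
            suspects.append(r["ip"])
    activity = {
        ip: [r for r in records
             if r.get("ip") == ip and r["event"] in ACCOUNT_EVENTS and r["ts"] >= first_seen[ip]]
        for ip in suspects
    }
    return {"suspect_ips": suspects, "activity": activity}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in result["suspect_ips"]:
        print(f"external login from {ip}")
        for r in result["activity"][ip]:
            print(f"  {r['ts']:%Y-%m-%d %H:%M:%S} {r['event']} user={r['user']} by={r.get('by', '?')}")
```

The failed login from 198.51.100.7 is deliberately not promoted to a suspect: scanners produce plenty of those, and the question a responder needs answered is which outside address actually got in and what it then did. If your server runs behind a reverse proxy, the `ip=` field will be the proxy's address unless the server is configured to trust a forwarded-for header, so check that before trusting this classification.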
rjay (May 31, 2018): Identical at this end; stumbled across your post while doing some looking around through my firewall logs etc. My assumption is that a port scan is how they discovered it. What port did you have your Emby server punch through your firewall on?
ebr (May 31, 2018): @Luke any other reports of this? We've heard of it happening before, but always because someone exposed their server to the internet with no password.
rjay (May 31, 2018, edited May 31, 2018 by rjay):
> We've heard of it happening before, but always because someone exposed their server to the internet with no password.
Any other similarities, IP address, usernames used? I didn't realise until I deleted one of the users that it was connected to an Emby Connect account. @millsii did you get the details of the Emby Connect scenario?
millsii (author, May 31, 2018):
> Any other similarities, IP address, usernames used? I didn't realise until I deleted one of the users that it was connected to an Emby Connect account. @millsii did you get the details of the Emby Connect scenario?
Not sure I follow with regard to the Emby Connect scenario? I just took note that both of the accounts had the Emby Connect icon on them. I didn't observe this from the log files.
> We've heard of it happening before, but always because someone exposed their server to the internet with no password.
Yeah, that is my guess, but not sure where though. Unless from a log file I have previously posted on this forum and forgot to remove the DDNS from the transcoding file?
Jukari (May 31, 2018): ... this is basic security... You put a server in the wild and didn't set a password... If you've ever seen a firewall with active logging you'd see that your router firewall is warding off literally thousands of attacks by script kiddies all day long. There are scripts that hop from IP to IP looking for known port numbers like Plex, SSH, Emby, RDP, etc... My Emby server is behind 2 firewalls, in a locked-off DMZ with literally every port blocked except a specified port that's not a standard Emby port. I make sure it's patched regularly with the latest Ubuntu Server patches and latest Emby. NEVER EVER leave an unpatched, un-password-protected system in the wild, especially with a default port. At this point, I would consider the system compromised. Wipe it and reload it from scratch.
rjay (June 1, 2018, edited June 1, 2018 by rjay):
> ... this is basic security... You put a server in the wild and didn't set a password... If you've ever seen a firewall with active logging you'd see that your router firewall is warding off literally thousands of attacks by script kiddies all day long. There are scripts that hop from IP to IP looking for known port numbers like Plex, SSH, Emby, RDP, etc... My Emby server is behind 2 firewalls, in a locked-off DMZ with literally every port blocked except a specified port that's not a standard Emby port. I make sure it's patched regularly with the latest Ubuntu Server patches and latest Emby. NEVER EVER leave an unpatched, un-password-protected system in the wild, especially with a default port. At this point, I would consider the system compromised. Wipe it and reload it from scratch.
> Not sure I follow with regard to the Emby Connect scenario? I just took note that both of the accounts had the Emby Connect icon on them. I didn't observe this from the log files.
> Yeah, that is my guess, but not sure where though. Unless from a log file I have previously posted on this forum and forgot to remove the DDNS from the transcoding file?
As per Jukari's comments above, @millsii, it's unlikely they pulled your IP from a non-redacted log posting (although it's possible if those details are in the log); it's more likely they are just port scanning for common ports across a range of IPs, your IP came up as having a particular port open they recognised, and they went from a known vulnerability. Also, in regard to the Emby Connect comment, what I meant was: did you happen to get the Emby Connect username or email address that was in the field inside the settings section? I saw it but just can't remember what it was.
millsii (author, June 1, 2018):
> Also, in regard to the Emby Connect comment, what I meant was: did you happen to get the Emby Connect username or email address that was in the field inside the settings section? I saw it but just can't remember what it was.
Ahh, righto. No, sorry, I didn't think to look for what their Emby Connect email addresses were. Hmmmm, I will just have to put it down to a learning experience, I think.