rms8 Posted April 6, 2019 (edited)

I had started my own thread on this very issue. I will STOP replying to that one and follow this one since I too was compromised by the SAME 3 accounts. I never use Emby beyond my home, but I more than likely did NOT have a password setup.

Edited April 6, 2019 by rms8

rms8 Posted April 6, 2019

> Stop Emby running. You can go into /Emby-Server/config/users and delete all of those user folders found there. Edit the system.xml file and find the tag named "IsStartupWizardCompleted" and change it to false. If you then start Emby and open it in a browser, it should run through the install wizard and set up a new user. Make sure you set a password for the user and turn off remote access. I have just performed this on my test server and it worked fine, retaining the libraries I had previously setup. It may be worth upgrading to the latest beta of Emby server, as it has some additional security built-in.

Should I also disable auto port mapping?

rms8 Posted April 6, 2019 (edited)

@@CBers

"Stop Emby running. You can go into /Emby-Server/config/users and delete all of those user folders found there. Edit the system.xml file and find the tag named "IsStartupWizardCompleted" and change it to false. If you then start Emby and open it in a browser, it should run through the install wizard and set up a new user. Make sure you set a password for the user and turn off remote access. I have just performed this on my test server and it worked fine, retaining the libraries I had previously setup. It may be worth upgrading to the latest beta of Emby server, as it has some additional security built-in."

@@ebr @@Luke

I deleted everything out of the Users folder, but at the end of the setup wizard when it wants you to log in, it showed two of those malicious accounts plus the new one I created via the wizard. But the Wizard never asked me to create a password or if I wanted administrator rights..... If I deleted everything in that Users folder, how did it recreate two of those malicious accounts? So I still cannot get in since I do not have a password for my new account.

UPDATE: I deleted the "authentication.db" and "users.db" (located in MediaBrowser-Server --> data). Then ran the setup wizard again. This time the malicious accounts did NOT get recreated. I was able to set a password by first checking certain boxes which then gave me the ability to set a password.

Edited April 6, 2019 by rms8

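The cleanup described in this post (the quoted steps plus the UPDATE about the two databases), as an added example that is not from the thread's participants or from Emby: it moves the user folders and databases into a quarantine folder instead of deleting them, then flips `IsStartupWizardCompleted`. The function name, the quarantine layout and the assumption that system.xml sits in the config folder are illustrative.

```python
import re
import shutil
import time
from pathlib import Path

# Paths and the tag name come from the thread; system.xml living in the
# config folder is an assumption. Stop Emby before running this.
USER_DBS = ("authentication.db", "users.db")
WIZARD_TAG = re.compile(
    r"(<IsStartupWizardCompleted>)\s*\w*\s*(</IsStartupWizardCompleted>)")


def reset_emby_users(config_dir, data_dir, quarantine_root):
    """Quarantine all user state and re-arm the setup wizard."""
    config_dir, data_dir = Path(config_dir), Path(data_dir)
    system_xml = config_dir / "system.xml"
    text = system_xml.read_text(encoding="utf-8")
    new_text, hits = WIZARD_TAG.subn(r"\1false\2", text)
    if hits != 1:  # refuse to touch anything if the config looks unexpected
        raise ValueError(f"expected one IsStartupWizardCompleted tag, found {hits}")

    stamp = time.strftime("%Y%m%d-%H%M%S")
    quarantine = Path(quarantine_root) / f"emby-quarantine-{stamp}"
    (quarantine / "users").mkdir(parents=True)
    shutil.copy2(system_xml, quarantine / "system.xml.bak")
    moved = []

    # 1. Per-user folders under config/users (moved, not deleted, so the
    #    attacker-created accounts stay available for later inspection).
    users_dir = config_dir / "users"
    entries = sorted(users_dir.iterdir()) if users_dir.is_dir() else []
    for entry in entries:
        shutil.move(str(entry), str(quarantine / "users" / entry.name))
        moved.append(f"users/{entry.name}")

    # 2. The databases that brought the accounts back in the thread when
    #    only the folders were removed.
    for name in USER_DBS:
        if (data_dir / name).exists():
            shutil.move(str(data_dir / name), str(quarantine / name))
            moved.append(name)

    # 3. Change only the wizard flag's value; no other setting is edited.
    system_xml.write_text(new_text, encoding="utf-8")
    return quarantine, moved
```

After the wizard has created the new password-protected admin, the quarantine folder can be reviewed or archived; nothing in it is read by the server.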
rms8 Posted April 6, 2019 (edited)

QUESTION: The Server is a separate PC which is only that, the media server. I access it via 3 individual HTPC's (EMC) located in different rooms. In the past (b4 the hacked issue arose) when turning on the HTPC it would auto start WMC. I then would click EMC and it would put me straight in. I did not have to choose an account nor enter a password.

Going forward, how should I setup these HTPC's? Should I give each an individual account and password? If so, does that mean every time I want to watch a movie I have to now use a keyboard so I can enter a password? Is it too unsafe to have the HTPC auto login? BTW, each HTPC is only on & running when being used.

THANKS

Edited April 6, 2019 by rms8

rbjtech Posted April 6, 2019 (edited)

Once Emby has local passwords, then you only need to enter them once in your client, but make sure you tick the 'Remember Password' option. The local password is then stored hashed for re-use, without needing to type it in again. There is also an option to use Pin codes instead (easier for remote controls to enter) - but they can only be set once you have set a local password.

Depending on your usage of the HTPC's - I would setup one 'User' account (non-Admin) for all 3 HTPC's - so that the watched status is synced and setup a separate 'Admin' account (the first one) which is used by PC Access only. If you do your 'admin' on one of the HTPC's - then it complicates it a bit, but ideally, your Admin account should not be the one you watch day-day media with. (imo)

If you are not using remote access, then the key thing here is to turn it off - Go to 'Expert > Advanced' and untick the 'Allow remote connections' and also ensure that 'Enable automatic port mapping' is not enabled either. Once that is done (and you've clicked Save and re-started), then you will have a stand alone local LAN version of Emby without any external connectivity potential (from within Emby itself).

Edited April 6, 2019 by rbjtech

rms8 Posted April 6, 2019

> Once Emby has local passwords, then you only need to enter them once in your client, but make sure you tick the 'Remember Password' option. The local password is then stored hashed for re-use, without needing to type it in again. There is also an option to use Pin codes instead (easier for remote controls to enter) - but they can only be set once you have set a local password.
>
> Depending on your usage of the HTPC's - I would setup one 'User' account (non-Admin) for all 3 HTPC's - so that the watched status is synced and setup a separate 'Admin' account (the first one) which is used by PC Access only. If you do your 'admin' on one of the HTPC's - then it complicates it a bit, but ideally, your Admin account should not be the one you watch day-day media with. (imo)
>
> If you are not using remote access, then the key thing here is to turn it off - Go to 'Expert > Advanced' and untick the 'Allow remote connections' and also ensure that 'Enable automatic port mapping' is not enabled either. Once that is done (and you've clicked Save and re-started), then you will have a stand alone local LAN version of Emby without any external connectivity potential (from within Emby itself).

When you said "...but make sure you tick the 'Remember Password' option.", do you mean login to the Server via the account associated with the HTPC and then click remember..... or, start the HTPC, click the account, enter the password, then remember/save it from there (HTPC)?

jon_ Posted April 6, 2019

HOLY CRAP !!!! Those are the SAME accounts which hacked my Server!!!!!!!!!!!! It's likely just a script - someone has written a piece of code which scans the internet for emby servers that have accounts with no passwords, or common passwords set. Then once it's logged in as one of those users, it creates those 3 users and deletes the original admin users. It's quite likely that a human has never logged in, it's all automated...

ebr Posted April 6, 2019

> When you said "...but make sure you tick the 'Remember Password' option.", do you mean login to the Server via the account associated with the HTPC and then click remember..... or, start the HTPC, click the account, enter the password, then remember/save it from there (HTPC)?

If you are using EMC, you'll need to configure the auto login user in the Advanced config pane.

rms8 Posted April 6, 2019

> If you are using EMC, you'll need to configure the auto login user in the Advanced config pane.

Would the "Advanced pane" be accessed via EMC --> configuration --> Advanced? If so, the "Advanced" option is no longer there. The last option is for "Subdued". Did I check/uncheck something on the Server side when creating the new account?

laxus Posted April 7, 2019

> Yes, it is the same people but the vulnerability is the fact that people have users with no passwords defined. Please be sure your users all have LOCAL passwords defined for them (Users->select user->Password). Thanks.

I had passwords defined and I was compromised so this cannot be the case

Pog22 Posted April 7, 2019

> I had passwords defined and I was compromised so this cannot be the case

How secure were those passwords? I know some of my users are too lazy to devise a secure method and reuse their passwords

https://haveibeenpwned.com/

pir8radio Posted April 7, 2019 (edited)

> I had passwords defined and I was compromised so this cannot be the case

There are two passwords if you use emby connect. The emby connect password then a different user password on the server. You had both set?

Sent from my iPhone using Tapatalk

Edited April 7, 2019 by pir8radio

feerlessleadr Posted April 7, 2019

> There are two passwords if you use emby connect. The emby connect password then a different user password on the server. You had both set?
>
> Sent from my iPhone using Tapatalk

For my users that I've invited via emby connect, I'm not able to set a local password. The screen is blank, is that normal?

Guest asrequested Posted April 7, 2019

> For my users that I've invited via emby connect, I'm not able to set a local password. The screen is blank, is that normal?

You should create a local user account, then link it to emby connect. Not simply send an invite.

feerlessleadr Posted April 7, 2019

> You should create a local user account, then link it to emby connect. Not simply send an invite.

That answers why then - thanks

darkassassin07 Posted April 7, 2019 (edited)

> You should create a local user account, then link it to emby connect. Not simply send an invite.

Why is sending an invite an option then if there is no way to make that user secure? Sounds like this needs to be looked at.

Edited April 7, 2019 by darkassassin07

Happy2Play Posted April 7, 2019

> Why is sending an invite an option then if there is no way to make that user secure? Sounds like this needs to be looked at.

Well Connect users are the same as forum users it is controlled here, not your local server.

rms8 Posted April 7, 2019

So is it bad to have my local HTPC auto-login then? The Server is a separate machine which I have now set a complex password and made the account hidden. The HTPC also has a complex password, but if I make it auto login in to the server, doesn't that defeat the purpose of the complex password for the HTPC?

vaise Posted April 7, 2019

If no remote users are in use, don’t allow remote users to connect (untick) and remove upnp in your router and I’m sure no way anyone can remotely access yr Emby system then. Assuming your router is not set to allow remote administration from the internet, and suitably kept up to date so any known exploits are fixed on it. You can safely allow your pc to login then locally in your lan.

ebr Posted April 7, 2019

> Would the "Advanced pane" be accessed via EMC --> configuration --> Advanced? If so, the "Advanced" option is no longer there. The last option is for "Subdued". Did I check/uncheck something on the Server side when creating the new account?

Only Admin users can see that option.

ebr Posted April 7, 2019

> I had passwords defined and I was compromised so this cannot be the case

I understand that you believe that but, more than likely, the very first user you created (during setup) was an admin and had no password. We have made that impossible to do with the next release.

davedick Posted April 8, 2019

Wouldn't using the device feature to limit what device a user can login with also help with security? This being in addition to using passwords

BAlGaInTl Posted April 8, 2019

> Wouldn't using the device feature to limit what device a user can login with also help with security? This being in addition to using passwords

But something like a browser isn't affected by the device limit. A whitelist could be an idea, but that seems like overkill. The same users that would make use of a whitelist, are probably the ones that could also set up stricter security outside of Emby through firewalls, proxies, VPN, etc.

vaise Posted April 8, 2019

As an nginx user, I would love to enhance emby security more by having separate app and web URL's. I would love to password protect the emby browser access with htaccess, but I can't as the apps break. All my other apps I host are html access - and all users are challenged for a separate user/password. It's a shame I can't do that for emby also.

Summary of enhancement to make me (and maybe others) happy:
1 url for use on apps only (roku, appletv, Android etc etc)
1 url for web access (browser access)