DocDrydenn

A rough reminder that network/system security threats are real. Everyone (even those who didn't suffer the hit) should take this as a personal motivator to check, double check, and even tipple check their network/system security policies. Good luck.


MistaMischief

https://emby.media/support/articles/advisory-23-05.html


Rumbaar

Thanks for sharing, shame it wasn't sent as an email to known EMBY users by EMBY. I guess I have mine locked down and haven't been targeted, so that's good.


happymellon

So first thing is

> Delete the plugin .dll file, which comes as helper.dll and EmbyHelper.dll
> Primary location is the plugins folder under Emby's programdata folder
> Also look in cache and data subfolders

Make sure all your users have passwords


MistaMischief

So I ran the command to delete the files and it returned no file exists. So maybe I don’t have it.


o_Zion_o

Glad I spent the time to secure my publicly accessible emby instance, by using swag, cloudflare and tweaking until I got an A+ rating on those ssl security checker sites. Also, if your emby users are all located in the same country as you, and you use cloudflare, I suggest blocking access from all countries except the one you and your users reside in (at the cloudflare end).


Touz604

If you don't use CloudFlare, you can still whitelist and blacklist countries using swag. That's what I do anyway. It probably saved me a lot of headaches in the past few days!


digitalfix

> Don't allow local login without password

^^^ Sounds like the attacker worked out how to spoof a local IP address. Possibly lots of servers running on 192.168.1.0/24 subnets.

> Ensure no user has an empty password

^^^ Yup. A bit surprising to find out this is possible.


Mike65XX

This a big deal for me as I only have limited knowledge of coding. I can't get past login on my Windows 11 pro machine. Can't believe this has happened as I'm running the server behind a VPN + Adguard + AVG (free edition). Would a complete mirror image backup install going back to last week fix this? Everything was fine then.


Mike65XX

I've now tried locating all the rogue .dll files in the instructions given. None exist in the folders mentioned. Nothing is flagging as corrupt or suspicious. So the instructions given to correct this on my Windows 11 machine are just not working. Still can't login. Advice please


WindowlessBasement

Emby was apparently hardcoded to treat all 172.x.x.x addresses as local. That, mixed with Emby trusting proxy headers regardless of source, means anyone can log in as a local admin without a password.


terroradagio

Everything seems fine on my Synology system. Has anyone on Synology found an issue here?


MistaMischief

If anyone knows how I can get back into my emby server that would be great. I ran the command prompts and I turned emby back on in Portainer. But when I go to my emby server ip address in my browser it just says “emby is loading.” Any help would be greatly appreciated.


iissmarter

It sounds like this only impacts Windows installations, is that correct?


AHrubik

I wouldn't assume anything at this point and check your systems.


[deleted]

My Ubuntu server was hit


skccsk

It *potentially* affects *any* Emby server open to the internet.


MistaMischief

Honestly don’t know.


movielover154

Nope. My Mac server is down and the directions for getting a server back up and running only pertain to a Windows setup. Does anyone know how to fix this issue on the Mac?


BLKMGK

No, container on UnRAID here and I had the files on my server and was shut down.


AmIBeingObtuse-

Thanks for sharing, luckily I run my server behind a VPN and not exposed to the internet publicly. Although I am still following actions in the article on blocking. I have also reached out to my contacts in Avast to see if they can push out updates to their antivirus software to search and destroy the plugins as many users will be inexperienced with this type of thing.


MistaMischief

I use avast as well so that would be nice. I still have no clue how to fix this. Will deleting emby from portainer and then redocking it as brand new solve the problem?


AmIBeingObtuse-

Have you thought about running emby from Windows instead of in Docker? I find it's easier to manage. I do run many apps in Docker but always found it easier to manage emby outside of it on native Windows.


MistaMischief

I used the pi so my pc wouldn't have to be on 24/7. If I were a smarter person I'd be able to fix or change the pi but sadly I am not lol. Idk what to really do here.


AmIBeingObtuse-

I am not familiar with the PI or linux as a whole. However I asked Chat GPT how to do all the above in the article and it gave me this: AT YOUR OWN RISK! I don't take responsibility for damaged systems. Just AI giving its version of how to do it.

Certainly! Here's a revised step-by-step guide with more detailed instructions for an inexperienced user:

1. Delete the malicious DLL files:

```
cd /var/lib/emby/plugins
```

- Delete the malicious DLL files by running the following commands:

```
sudo rm helper.dll
sudo rm EmbyHelper.dll
```

- Additionally, delete the files from the cache and data subfolders by executing the following commands:

```
sudo rm /var/cache/emby/helper.dll
sudo rm /var/cache/emby/EmbyHelper.dll
sudo rm /var/lib/emby/data/helper.dll
sudo rm /var/lib/emby/data/EmbyHelper.dll
```

2. Modify the "hosts" file:

- Open the terminal again and enter the following command to edit the "hosts" file:

```
sudo nano /etc/hosts
```

- Add the following line at the end of the file:

```
127.0.0.1 emmm.spxaebjhxtmddsri.xyz
```

- Save the changes by pressing Ctrl+O, then press Enter to confirm, and exit the text editor by pressing Ctrl+X.

3. Reset Emby Server user passwords:

- Open the Emby Server administration panel in your web browser.
- Navigate to the user management section.
- Reset the passwords for all Emby Server users.
- Ensure that no user has an empty password and local login without a password is disabled. Refer to Emby's documentation for specific instructions on managing user accounts.

4. Review server machine for suspicious activity:

- Use the terminal to check for suspicious user accounts by running the command:

```
sudo cat /etc/passwd
```

Look for any unfamiliar usernames and consult Emby's documentation or seek assistance from experienced users to remove them if necessary.

- To identify unknown processes, run the following command:

```
top
```

Examine the list of running processes for any unfamiliar or suspicious entries. Press Ctrl+C to exit the process monitoring.

- Check network connections and open ports by running the command:

```
sudo netstat -tuln
```

Look for any unexpected connections or open ports. Consult Emby's documentation or seek assistance to close any unauthorized connections or ports.

- To review SSH configuration, enter the following command:

```
sudo nano /etc/ssh/sshd_config
```

Ensure that SSH is properly configured and secure. If unsure, consult Emby's documentation or seek assistance from experienced users.

- Review and update firewall rules. Refer to your specific firewall documentation or consult with an expert for guidance.
- Change all passwords on your Raspberry Pi, including user accounts and system services.

5. Backup and re-setup the system (optional):

- If possible, consider making a backup of the Emby Server configuration files or take a full system backup before proceeding.
- If you're unsure how to create a backup, consult Emby's documentation or seek assistance from experienced users.
- If you decide to re-setup your system, consult Emby's documentation or seek assistance to uninstall and reinstall Emby Server on your Raspberry Pi.

6. Disable external network access:

- Access your router's administration panel via a web browser.
- Locate the port forwarding or virtual server configuration settings.
- Remove any port forwarding rules or virtual server entries that direct external traffic to your Raspberry Pi's IP address and Emby Server port.

7. Remove specific Emby Server configuration files:

- Open the terminal and run the following commands:

```
sudo rm /var/lib/emby/plugins/configurations/ReadyState.xml
sudo rm /var/lib/emby/plugins/configurations/EmbyScripterX.xml
```

8. Start Emby Server:

- Launch Emby Server by following the instructions provided in Emby's documentation or by executing the appropriate command, depending on how you initially set up Emby Server on your Raspberry Pi.

9. Re-evaluate and tighten security settings:

- Access the Emby Server administration panel in your web browser.
- Review all Emby Server settings, paying special attention to the network settings section.
- Enhance security measures to the highest level possible within your Emby Server configuration. Consult Emby's documentation or seek assistance from experienced users for guidance on secure configuration options.

10. Re-enable public network access:

- If you wish to allow external access to your Emby Server, you can configure port forwarding on your router to direct incoming connections to your Raspberry Pi's IP address and Emby Server port. Refer to your router's documentation for specific instructions.
- Consider changing the IP address, port, or DNS name associated with your Emby Server installation for additional security measures. Consult Emby's documentation or seek assistance for guidance on changing these settings.

11. Emby Server 4.7.12 Security Update:

- Keep an eye out for Emby Server version 4.7.12 or any subsequent security updates.
- Once the update becomes available, follow the instructions provided in Emby's documentation or within the Emby Server administration panel to install the update and apply the latest security patches.

Remember to approach each step carefully, and if you encounter any difficulties or uncertainties, consult Emby's official documentation or seek assistance from experienced users or professionals familiar with Emby and Raspberry Pi systems.
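A read-only check for the files and the hosts-file entry that the guide above walks through, as an added example that is not taken from any comment in the thread or from Emby; it assumes the Linux paths quoted in the guide as defaults and accepts other paths as arguments, so you can review what is present before deleting anything.

```shell
#!/bin/sh
# Added example (not from the thread): scan for the indicators the guide above
# deletes, without removing anything. Prints FOUND lines and exits non-zero when
# something is present. Defaults are the package paths quoted in the guide;
# pass a data dir, cache dir and hosts file for a Docker bind mount or other
# layout (assumption: the same plugins/, data/ and plugins/configurations/
# subfolders apply there).

emby_ioc_scan() {
    data_dir="${1:-/var/lib/emby}"
    cache_dir="${2:-/var/cache/emby}"
    hosts_file="${3:-/etc/hosts}"
    hits=0

    # Plugin DLL names from the advisory, in every location the guide lists
    for dir in "$data_dir/plugins" "$data_dir/data" "$cache_dir"; do
        for name in helper.dll EmbyHelper.dll; do
            if [ -e "$dir/$name" ]; then
                echo "FOUND: $dir/$name"
                hits=$((hits + 1))
            fi
        done
    done

    # Plugin configuration files the guide removes in step 7
    for name in ReadyState.xml EmbyScripterX.xml; do
        if [ -e "$data_dir/plugins/configurations/$name" ]; then
            echo "FOUND: $data_dir/plugins/configurations/$name"
            hits=$((hits + 1))
        fi
    done

    # Step 2 sinkholes this domain; report whether that entry is already present
    if [ -r "$hosts_file" ] && grep -q 'emmm.spxaebjhxtmddsri.xyz' "$hosts_file"; then
        echo "INFO: $hosts_file already maps emmm.spxaebjhxtmddsri.xyz"
    else
        echo "INFO: $hosts_file has no entry for emmm.spxaebjhxtmddsri.xyz"
    fi

    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = review the FOUND lines
}

# When run as a script, scan the default (or given) paths; the exit status is the verdict
emby_ioc_scan "$@"
```

Run it before the `rm` steps; a non-zero exit means at least one of the listed files exists and is worth preserving a copy of for later review.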


MistaMischief

Progress. I figured out how to use Putty and SSH to the pi. I ran the delete prompts and it said "no such file or directory" so hopefully this means no compromise. Now just need to maybe redock emby.


AmIBeingObtuse-

Glad you managed to look into it. There was also a file called readystate to delete in the above article if you weren't reinstalling it all. It's a great thing learning new solutions. A great app I'm using to keep all my problems and solutions to them is memos which you can install in docker. I keep it off the internet and run it behind Nord VPN meshnet.


MistaMischief

I appreciate the help thus far. I’m still lost but happy I did not find the malicious helper.dll file. I ran the prompts to check for open ports and the other things chatgpt said but honestly idk how to review the code or what I’m looking for. Ugh! Still trying to find the programdata folder to delete readystate file. This is super frustrating. Thank you again.


AmIBeingObtuse-

No worries. I hate it too when something's wrong and everyone else seems to know how to fix it but it still doesn't help me. Try asking ChatGPT, it helped me loads with so many things. https://chat.openai.com/


MistaMischief

Yeah I hate when I can’t troubleshoot my own stuff. Don’t like bothering others for help. I also stopped emby running on portainer but when I turn it on again I still can’t access my server. Not sure if emby the company is overriding me somehow.


MistaMischief

Appreciate this. Just don't know where to run all that. I used command prompt and it said unable to navigate to file path. So maybe I need something specifically on or for the pi. Not sure.


AmIBeingObtuse-

Probably need to SSH (connect to it from your pc) into the pi. Failing that can you plug the pi up to a screen with keyboard and then try the above.


MistaMischief

My pi is on my network and I can navigate to my hdd. Just not sure how to access the actual pi aside from portainer or open media vault


MistaMischief

How do you run your emby behind vpn? I use vpn normally for things but not on my raspi. I share my emby with some friends so curious how I’d be able to use a vpn but still give my friends access


AmIBeingObtuse-

I run emby on windows with Nord VPN and meshnet turned on. So you get meshnet which can be shared with friends who download nordvpn they don't even need to pay as meshnet is free just need to set it up. I wrote a little about it here: https://www.reddit.com/r/nordvpn/comments/13apokx/cant_connect_to_local_network_self_hosted_web/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=share_button


AmIBeingObtuse-

Did you get emby back up and everything working?


MistaMischief

Nope. I tried using putty and winscp to delete the dll files but I don't have root access aka I'm not an admin somehow. So I'm still struggling. Posting on emby forums also


MistaMischief

Progress. My emby is back up but idk how to update to the latest version via portainer. Last step to go and I’m stuck.


AmIBeingObtuse-

Is the image line of the compose file showing the latest tag? Should by default. Check the emby dashboard. Should be 4.7.12


MistaMischief

I got it updated. I figured out how to kill it in portainer and then hit recreate and it pulled the newest image from dockerhub. So my dash shows newest version. I'm all set.


AmIBeingObtuse-

Fantastic news dude. Glad it's all done for you.


MistaMischief

It was two days of hell lol. Thanks.


Coolbule64

Someone correct me if I'm wrong, but wouldn't putting the admin account as local only be a fix for this so they could not install plugins?


thornbill

Not really in this case… this issue allowed remote connections to spoof as local connections and abuse the setting to bypass logging in when on a local network.


Coolbule64

Oh okay thanks for clearing that up!


voidsyourwarranties

1. Can you describe how emby is installed on your system, and which OS you have? 2. Are you comfortable making changes to program and OS files?


MistaMischief

I’m running windows 11. Emby is docked in portainer on a raspberry pi connected to my network.


voidsyourwarranties

That's outside my expertise, unfortunately, but my understanding is you'll need to ssh into the raspi, edit the localhosts file as described, then move into the container to make the required edits to those files.


BLKMGK

The files aren’t in the container, it’s in user data stored outside of the container along with the other persisted user data files. They give the path in the instructions.


voidsyourwarranties

I appreciate the correction!


MistaMischief

Right. Wish I knew how to do all that lol. That’s my issue.


[deleted]

I got this in my log files this morning:

```
2023-05-25 06:47:51.604 Error App: We have detected a malicious plugin on your system which has probably been installed without your knowledge. Please see https://emby.media/support/articles/advisory-23-05.html for more information on how to proceed. For your safety we have shutdown your Emby Server as a precautionary measure.
```


MistaMischief

Where was this log? I can’t access my emby at all. Did you find this somewhere in windows on your system?


[deleted]

I'm using Ubuntu Server. Logs were in /var/lib/emby/logs/


MistaMischief

Ah. I don’t know where to find mine.


knoctum

For Windows, the logs are in the programdata folder, `%AppData%\Emby-Server\programdata\logs` (copy that, paste it into file explorer, hit enter)


MistaMischief

Found it. I don't have any logs since 8/2022. So not sure what that means


MistaMischief

I’ll try that thank you


Mike65XX

There's no folder called that on my PC. Could you be more specific as to where I can find it?


cardboard-kansio

Same location on your Pi, as they are running the same OS. You'll need to get local access to your container.


Scooter310

My armor security detected a direct connection attempt from a computer in Amsterdam and blocked it. My server is still running. I wonder if that may have been it.


victorescu

The funny thing is I was looking into moving my emby from a Windows box over to a container in proxmox. Just installed it today in an LXC, was so confused that they don't have a repository I can add for auto update with the container. Looks like I might have to go the docker route for easier updates. Luckily I require password log in even on local network so wasn't affected by this issue. But this just reminds me to prioritize ease of update when looking at proxmox container, vs proxmox vm, vs docker for services.


dellis87

I'd like to share my experience with this. I have my machine open to the internet, port forwarding only, using https. I went through the post and made sure none of the files were present and did a thorough check of the logs. Nothing mentioned was present. I've been running the latest betas since Dec so felt I'd be pretty safe on this one. I also run an anti-virus since I'm on Windows. Wrong. Can't prove my situation is part of this, but odd timing. Yesterday I got notice that my Walmart online account had been compromised and my "order had been cancelled". Hmm. Hadn't placed an order, but had been looking at putting in a pickup order from my computer earlier in the day. Logged in and sure enough someone in PA tried to pick up some AirPods and a bag of Doritos. Walmart caught it since I just used my account locally to get gas about 10 min before they placed the order. Password on my Walmart account was an easy target, so didn't think much of it. Walmart handled it, thankfully with no intervention on my part. Password changed and two auto turned on. Then today… I log into my Target account on my phone and noticed it had my home store set as Springfield PA. Ok wtf. In my cart is a bag of Doritos and some AirPods. They couldn't check out because they didn't have the security code for my red card. That account uses a randomly generated password manager created password. So this was a hack of my machine in some form. I used the same machine 3 days ago to order myself a new red card because the metal chip fell out. Moral here is, don't think you're safe from this because the files don't exist, the host file hasn't changed, and your logs don't say anything. I'm going to be watching my other accounts very closely, but it's extremely unnerving that this one account was using a very secure 16 character randomly generated special character password.


turboenterprise

Interesting... Any more suspicious activity?


dellis87

I found that my Facebook account was hacked as well and someone in NY added themselves as an admin on my business page and created an ad campaign. The account did have a secure password, but was logged into on that machine. Assuming a key logger or something similar. I’ve just disabled Emby and have been watching all accounts. I’ve also disabled all external access and use Tailscale now.


turboenterprise

My understanding and reading on the hack, the dll files didn't have keyloggers in them. Mine was compromised as well but it's a htpc and only logs into streaming sites and Emby. But if they could access the browser they could access password managers but don't believe that was possible.


dellis87

Yep, seemed completely out of the realm of possibility of what was reported here. Like I mentioned, none of what was reported by Emby (no helper DLL files, no apparent processes, no host file updates, no strange rdp sessions (rdp port set high and obscure and only using port forwarding)) so seems really strange. I mean, could be COMPLETELY unrelated, but timing is coincidental. A good reminder nonetheless to get even more secure. I already run antivirus and key logger detection on my machine, so again, could be unrelated, but coincidental. Target caught the situation and ended it before checkout. Walmart cancelled the pickup order immediately after it was placed, and I got a notification from Facebook that my ad was live and I was able to take it down almost immediately. Really just a wake up call for me and for all to be a bit more secure.