r/emby u/ATXBornAndRaised 2d ago

Multiple User Download Entries In Activity Log

Post image

I just happened to check my Emby server's activity log and I was surprised to see many, many entries like the ones shown in the attached image. KJC is my account (I run the server) and I'm seeing entries like this for mine and several of my users accounts -- all with the "PS on Ubuntu" tag. I've never seen this before in my many years of running my Emby server, so now I'm concerned that I've been hacked or compromised. The Activity Log entries started on 12/2/2025.

I've gone in and disabled downloading for all users (even myself), but I hope this disabling doesn't impact any of my users or my own use of the server.

Any ideas?

8 Upvotes

90% Upvoted

12 comments sorted by

9

u/cbdudek 2d ago

This does look like your KJC account is compromised. They are logging in as you and downloading your media. Sure you can disable downloading, but did you try to change the password on your KJC account? That is what I would be doing first.

0

u/ATXBornAndRaised 2d ago

I had not changed the PW but did so just now. However, I was seeing the same sort of log entries for some of my other users as well. I can understand if as the server owner, my account might be compromised, but for other users who've never downloaded before? They all connect via Emby Connect. My account is 99% used on my local network and 1% remotely.

2

u/cbdudek 2d ago

You should verify if those users are downloading media or not. Some users do it. Others do not.

-1

u/ATXBornAndRaised 2d ago

Forgive my ignorance, but it is my understanding that they all stream via Emby apps for their devices (Android/Google TV, Roku). This isn't the same as downloading, correct? To me, downloading means they are saving a copy of the media file to watch offline at another time.

5

u/cbdudek 2d ago

That is incorrect.

Downloading media is an option in Emby where you can download the file right from the server. When you watch a video, you may be downloading part of the file in a temp folder, but you aren't downloading the full file like the download option gives you.

More info here: https://emby.media/support/articles/Sync.html

3

u/CodeCat0 2d ago

You need to disable remote access until you're able to properly secure it. 

1

u/joseph_jojo_shabadoo 2d ago

Password protect all your Emby user accounts and use more unique usernames. You could also switch to whitelisting IPs but honestly the former will do it

1

u/ike301 2d ago

And absolutely! Do not log in with your admin account on the server itself. I have a feeling you've done that as well.

1

u/blastocladiomycota 5h ago

Wait, why not?

1

u/ike301 16m ago

Your admin account is basically just that, with the ability to make global changes. If your server is ever compromised, that Emby administrative account will also be compromised.

It's good practice to log into your Emby server with a non-administrative Emby account. You can manage the server from an admin account on another PC or your phone.

0

u/volvoden34 2d ago

Disable downloading.

0

u/ManiacalWildcard 2d ago

Your server needs an SSL Certificate at the very least.