Did I get hacked? Someone playing my files?

Hi,

I’ve recently set up PMS in Docker on my Synology NAS; all is running smoothly, and it is accessible remotely (WAN) as well as locally (LAN) with no problem. It transcodes when it needs to for remote access, and that works great.

When I play a movie, it tells me I did, and on what device like this (Family Room is my Apple TV):

5:52 PM datadad started playing Zootopia on Family Room.

However this entry concerns me, and I’ve never seen it before:

5:18 PM Unknown started playing Deadpool on My PleXBMC Client.

I don’t have XBMC installed on anything, and don’t have a Linux machine - other than whatever is running in my Docker for PMS to work (which is from here: https://registry.hub.docker.com/u/linuxserver/plex/).

Is it possible that someone is remotely accessing my PMS and I don’t even know it? How is this possible, could it be this docker image/OS is a back door? Here are the logs, and I’ll highlight the bits that prove it’s not me (see below)

Is this “800ca699-f28f-4f30-b1db-9d77b4aa774a” something that can be converted into something that might shed light into who/what this is?

Any help would be much appreciated!

(The Docker logs below are in a different timezone from the PMS logs (via the web GUI) above, which is why the times look different, but as you can see the minutes show it’s the same time: 5:18 PM vs 7:18 AM.)

May 25, 2016 07:18:35 [0x7ff8327ff700] DEBUG - [Now] Device is KODI (My PleXBMC Client).
May 25, 2016 07:18:35 [0x7ff8327ff700] ERROR - Unable to find client profile for device; platform=KODI, platformVersion=Linux/RPi, device=PleXBMC, model=unknown
May 25, 2016 07:18:35 [0x7ff8327ff700] DEBUG - [Now] Updated play state for /library/metadata/1.
May 25, 2016 07:18:35 [0x7ff845bfe700] DEBUG - Completed: [172.17.0.1:46750] GET /:/timeline?duration=6486000&guid=com.plexapp.plugins.library&key=/library/metadata/1&ratingKey=1&state=paused&time=9000 (11 live) GZIP 7ms 158 bytes 200
May 25, 2016 07:18:38 [0x7ff8317fd700] DEBUG - Request: [172.17.0.1:46754] GET /:/timeline?duration=6486000&guid=com.plexapp.plugins.library&key=/library/metadata/1&ratingKey=1&state=playing&time=2397000 (11 live) GZIP
May 25, 2016 07:18:38 [0x7ff8317fd700] DEBUG - Client [800ca699-f28f-4f30-b1db-9d77b4aa774a] reporting timeline state playing, progress of 2397000/6486000ms for guid=com.plexapp.plugins.library, ratingKey=1 url=, key=/library/metadata/1, containerKey=, metadataId=1
May 25, 2016 07:18:38 [0x7ff8317fd700] DEBUG - Play progress on 1 ‘Deadpool’ - got played 2397000 ms by account 1!
May 25, 2016 07:18:38 [0x7ff8317fd700] DEBUG - [Now] Device is KODI (My PleXBMC Client).
May 25, 2016 07:18:38 [0x7ff8317fd700] ERROR - Unable to find client profile for device; platform=KODI, platformVersion=Linux/RPi, device=PleXBMC, model=unknown

NOTE: no one was playing anything at the time stamp of the “unknown” user playing Deadpool.

@datadad I’d recommend you close off the port on your router to shutdown access over the internet for now and then ensure you configure remote access properly.

What is likely happening is that requests are getting forwarded from a local address that you’ve added to the list of networks that don’t require authentication - this results in all queries over the WAN not requiring any sort of authentication.

You can also remove the 172.17.0.1 subnet from this list as it appears this is where the requests are originating from.

I’d also recommend that you use the official Synology packages for Plex instead.

The Docker you linked provides methods to remove authentication without ANY warning that this is a very bad idea.

You should never be setting the PLEX_DISABLE_SECURITY variable as well as setting PLEX_ALLOWED_NETWORKS to entire subnets when you are unsure about the network setup: https://github.com/timhaak/docker-plex#environment-varaibles

Thanks @drzoidberg33 for your suggestions.

Because of this incident I’ve uninstalled Plex via Docker, and installed Plex via Synology’s Package Centre which I understand is a Plex official install.

I’ve also only got port “32400” enabled in my Synology firewall + port forwarded from my router to the Synology. The others (https://support.plex.tv/hc/en-us/articles/201543147-What-network-ports-do-I-need-to-allow-through-my-firewall-) I’ve disabled.

I’m in the process of re-scanning everything again for my library. I can see remote access is green and accessible in Plex’s web GUI. Hope this prevents this happening again.

Many thanks!

One last thing @drzoidberg33

With the “List of networks that are allowed without auth” option I still have “127.0.0.1/255.255.255.255” which is as per https://support.plex.tv/hc/en-us/articles/200430283-Network. Is this best left as is, or should I make this blank? I assume as per the documentation it should have the “127.0.0.1/255.255.255.255”, but given what’s just happened just wanted to be 100% sure.

127.0.0.1/255.255.255.255 is, in fact, the safer option compared to leaving that field blank. The ‘network mask’ 255.255.255.255 makes it so that authentication is required for every computer except the server itself.

Thanks @OttoKerner I’ll leave as is then!

@datadad I’m curious about the source IP: 172.17.0.1. Is this your default gateway (router) IP? If you have remote access enabled, and you hit your PMS remotely, do the logs show the source as this IP?

@gbooker02 the IP 172.17.0.1 is actually the IP address of Docker. I’ve only just started using Docker and recently attempted to understand how the networking side of it all works, but my understanding is that Docker (the app) has an IP (that one) and then routes traffic via various ports you assign through to Docker containers. So Plex was (I’ve uninstalled it) its own container, and its IP address was 172.17.0.1:32400. Then you have the Synology IP, which for example could be 192.168.0.101. So this would look like this:

192.168.0.101:32400 -> 172.17.0.1:32400

Adding my router into the mix it’ll be:

<external ip>/<router> 192.168.0.1:32400 -> 192.168.0.101:32400 -> 172.17.0.1:32400

I’ve got Plex installed via Synology’s native package centre now, and when I remotely access my Plex, it does show my IP address of my iPhone (external IP). Does this answer your question?

EDIT: corrected the above to include external and internal IP of my router

Yes, that answers my question. While it makes some sense, I would contend that a Docker container should be seeing the real source IP address, but that’s a different discussion. So, essentially, when it was in the container it saw every request as coming from its local LAN, and allowing no auth on its local LAN meant that every request was allowed without authentication.
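To make the point of the last two replies (and of drzoidberg33’s earlier advice) concrete, here is an added Python illustration that is not part of this thread and not Plex’s own code: it models how a request arriving through Docker’s port mapping shows up as the bridge gateway 172.17.0.1, and how the “allowed without auth” entries from the thread decide whether a login is enforced. The NAT rewriting to 172.17.0.1, the 172.17.0.0/255.255.0.0 entry and the 203.0.113.45 client address are assumptions/constructed samples.

```python
import ipaddress
import re

# Added illustration (not Plex code): models how Plex's "List of networks
# that are allowed without auth" interacts with Docker port publishing.

# Assumption: the bridge gateway the container sees as the source of every
# published-port connection, matching the 172.17.0.1 in the thread's logs.
DOCKER_GATEWAY = "172.17.0.1"

# Matches the source address in the PMS request log lines quoted above.
REQ_RE = re.compile(r"(?:Request|Completed): \[(\d{1,3}(?:\.\d{1,3}){3}):\d+\]")

def parse_allowed(entries):
    """Parse Plex-style 'ip/netmask' entries, e.g. '127.0.0.1/255.255.255.255'."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]

def auth_required(src_ip, allowed):
    """True when a request from src_ip must carry a valid Plex login/token."""
    ip = ipaddress.ip_address(src_ip)
    return not any(ip in net for net in allowed)

def source_seen_by_plex(real_src_ip, behind_docker_nat):
    """Docker's userland proxy / SNAT hides the real client; the server only
    ever sees the bridge gateway. Without that NAT the real address is kept."""
    return DOCKER_GATEWAY if behind_docker_nat else real_src_ip

def evaluate(real_src_ip, allowed_entries, behind_docker_nat):
    """Return what Plex would see as the source and whether auth is enforced."""
    seen = source_seen_by_plex(real_src_ip, behind_docker_nat)
    return {"seen_as": seen,
            "auth_required": auth_required(seen, parse_allowed(allowed_entries))}

def request_source(log_line):
    """Pull the source IP out of a 'Request: [ip:port]' PMS log line."""
    m = REQ_RE.search(log_line)
    return m.group(1) if m else None

if __name__ == "__main__":
    wan_client = "203.0.113.45"  # constructed sample address (TEST-NET-3)
    # Whole Docker subnet exempted + NAT: a WAN viewer needs no login at all.
    print(evaluate(wan_client, ["127.0.0.1/255.255.255.255",
                                "172.17.0.0/255.255.0.0"], True))
    # Only the host exempted (the entry the thread keeps): login required.
    print(evaluate(wan_client, ["127.0.0.1/255.255.255.255"], True))
    print(evaluate(wan_client, ["127.0.0.1/255.255.255.255"], False))
```

Running the script shows the first configuration answering `auth_required: False` for a WAN client, which is exactly the condition under which an unknown PleXBMC client could start playback without any account.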