iOS notifications about unknown devices accessing my Plex server

Plex Media Server
, ,
1

Hi,

Last week I got a couple of notifications from Plex iOS app about new devices accessing my Plex server, which said “MY_USERNAME used a new device to access MY_SERVER: Chrome (Chrome)”.

However, Authorized devices in Plex showed nothing unfamiliar and no Chrome. I assumed it was a bug and ignored it. But on Monday notifications appeared again.

While checking the server logs I noticed at least 3 unknown IP addresses that had connected. I’m not sure what they did but I see many GET requests, in particular for specific .js files.

Here’s an example from the log:

Oct 03, 2022 22:36:12.205 [0x14b6dd7e9b38] DEBUG - Request: [111.7.96.164:30210 (WAN)] GET /web/js/chunk-230-78228cca8bc14d9498e9-plex-4.87.2.25887-d04a1ad.js (33 live) #122 TLS GZIP Signed-in
Oct 03, 2022 22:36:12.205 [0x14b6dd7e9b38] DEBUG - [Req#122] Final path: "/usr/lib/plexmediaserver/Resources/Plug-ins-420892357/WebClient.bundle/Contents/Resources/js/chunk-230-78228cca8bc14d9498e9-plex-4.87.2.25887-d04a1ad.js"
Oct 03, 2022 22:36:12.205 [0x14b6dd7e9b38] DEBUG - Content-Length of /usr/lib/plexmediaserver/Resources/Plug-ins-420892357/WebClient.bundle/Contents/Resources/js/chunk-230-78228cca8bc14d9498e9-plex-4.87.2.25887-d04a1ad.js is 4611 (of total: 4611).
Oct 03, 2022 22:36:12.206 [0x14b6deb0ab38] DEBUG - Completed: [111.7.96.164:30210] 200 GET /web/js/chunk-230-78228cca8bc14d9498e9-plex-4.87.2.25887-d04a1ad.js (33 live) TLS GZIP 0ms 4611 bytes (pipelined: 1)
Oct 03, 2022 22:36:12.208 [0x14b6dd1c1b38] DEBUG - Request: [111.7.96.164:30186 (WAN)] GET /web/js/chunk-469-2645ecd79e2c67e39a98-plex-4.87.2.25887-d04a1ad.js (33 live) #121 TLS GZIP Signed-in
Oct 03, 2022 22:36:12.208 [0x14b6dd1c1b38] DEBUG - [Req#121] Final path: "/usr/lib/plexmediaserver/Resources/Plug-ins-420892357/WebClient.bundle/Contents/Resources/js/chunk-469-2645ecd79e2c67e39a98-plex-4.87.2.25887-d04a1ad.js"
Oct 03, 2022 22:36:12.208 [0x14b6dd1c1b38] DEBUG - Content-Length of /usr/lib/plexmediaserver/Resources/Plug-ins-420892357/WebClient.bundle/Contents/Resources/js/chunk-469-2645ecd79e2c67e39a98-plex-4.87.2.25887-d04a1ad.js is 19541 (of total: 19541).
Oct 03, 2022 22:36:12.209 [0x14b6ded0db38] DEBUG - Completed: [111.7.96.164:30186] 200 GET /web/js/chunk-469-2645ecd79e2c67e39a98-plex-4.87.2.25887-d04a1ad.js (33 live) TLS GZIP 0ms 19541 bytes (pipelined: 1)

I’d appreciate if someone more knowledgeable can confirm that no harm was done. Did they actually gain access to my server, as the notifications say?

FYI: The .js files mentioned in the log do exist, although I’ve no idea what they’re used for. Server runs in Docker. Remote access was turned on. I’ve since disabled access from the internet, changed password and enabled 2FA.

Server Version#: 1.29.1.6260
Player Version#: 4.87.2

2

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.