Is this normal Plex Behavior or is my Plex server being hacked?

I’m going to try to explain this concisely.

I run Plex on my unRAID server. Last night I noticed one of the drives containing media on my server had a very high number of reads and was “spun up” when nothing should have been accessing it. Plex showed no activity under the status monitor, so I looked at a utility plugin on unRAID called “Active Streams” that monitors what is being streamed off the server. It showed a large number of active streams going to a client outside my network. All of the streams appear to be “library / database files” that are part of Plex, plus one single actual movie file running, and it was located on the spun-up drive with all the reads. I could not spin down the single drive until I (via unRAID) halted the stream, and then the drive would spin down. If I “halted” everything, the connection to Plex files always immediately restarted, and after about 10 or 15 minutes the movie stream restarted.

Attached is a screenshot of the “active streams” showing what was running on unRAID with the Plex references.

So here are some interesting points:

  • A web search of the client ID for the stream (left-hand column) shows it is an IP owned by a company called Linode, which is a cloud hosting provider out of NJ, and the IP is in Atlanta.
  • When you stop the streams and they restart, the client IP changes 3-5 times in front of your eyes. I’ve checked at least two of the IPs that appear and they were both connected to Amazon / Amazon Web Services in Ireland.
  • When I log into Plex, no streaming actually shows up in the app, even when the movie was being streamed, so this is behind a back door somewhere.
  • When I turned off “make Plex available outside my network” the above streaming continued.
  • When I turned off Plex altogether, the above streaming stopped.

So at the moment, unless someone can tell me this is somehow normal Plex behavior, I don’t even want to run Plex in my house, because turning off the firewall accessibility didn’t solve the problem.

I haven’t tried changing the port for outside the network access, but given the above statement would that even work? I did not manually set up any port forwarding in my router. It was all done by Plex.

This seems like some media sharing service (like Kodi) is scanning my collection and playing videos. I don’t use Kodi or anything like it. As I type this I recall that there is a Kodi app installed on my Shield and possibly on a Smart TV. I’ve never set them up or used Kodi, but on the off chance they have somehow connected I will uninstall them (if I can) tonight. If that was the issue I’d be disappointed to find out it was able to do this behind the scenes.

The rotating IPs at the start sounds like someone who is spoofing their IP, and that is also very concerning.

Has anyone seen this behavior before? Any suggestions about what to do?

Linode and Amazon are where the Plex service servers are hosted. These provide you with codec and authentication against Plex.tv, to name a few.

@hthighway said:
Linode and Amazon are where the Plex service servers are hosted. These provide you with codec and authentication against Plex.tv, to name a few.

That alone is a huge help and brings some peace of mind. In fact that answers all but one.
Why is a movie file running with a large number of hard drive reads and a client address at Linode? I.e., from here it looks like that movie is being streamed to Linode.

Given Linode (which is a ping only) is frequent, it can look like it’s streaming but isn’t. To be certain, here are things to check:

A. When you are seeing the HD reads, is your Butler (scheduled tasks) running and do you have “Deep Analysis” enabled in Scheduled Tasks? If so, this is why the large read quantity.

B. Since you have command line access to it and can see the connections, you can verify if someone is actually streaming.

Get your PlexOnlineToken from the Preferences.xml file.

Now use that in your browser to query the open connections:

http://IP.addr.of.NAS:32400/connections?X-Plex-Token=PlexOnlineToken

Your browser will respond with active connections. What you see here is my idle server.

1 192.168.0.13:59780 - processing - GET /connections
2 192.168.0.13:59784 - waiting for request 
3 192.168.0.13:59790 - waiting for request 
4 192.168.0.13:59794 - waiting for request 
5 192.168.0.13:59798 - waiting for request 
6 - internal
7 192.168.0.13:59800 - waiting for request 
8 192.168.0.13:59782 - waiting for request 
9 192.168.0.13:59786 - waiting for request 
10 192.168.0.13:59792 - waiting for request 
11 192.168.0.13:59796 - waiting for request 
12 - internal
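The check above boils down to two questions: which peers in the /connections listing are outside the home LAN, and which of those are actually serving a request rather than idling. The script below is an added example, not ChuckPA's code or anything shipped with Plex. It parses the plain-text listing format shown in the post, classifies each peer address against RFC 1918 / loopback / link-local ranges, and reports external peers in the “processing” state. The sample input is constructed: it reuses the idle-server lines quoted above plus one extra line that borrows the Linode address reported later in the thread; the request path on that line is illustrative, and the `fetch_listing` helper (which uses the same token-in-query-string URL as the post) is only for live use against your own server.

```python
import ipaddress
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Address ranges that mean "inside the house": RFC 1918, loopback, link-local.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample: the idle-server listing from the thread, plus one
# constructed line (index 7) reusing the Linode address the poster reported,
# so the classifier has an external peer to flag. The request path is made up.
SAMPLE_LISTING = """\
1 192.168.0.13:59780 - processing - GET /connections
2 192.168.0.13:59784 - waiting for request
3 192.168.0.13:59790 - waiting for request
6 - internal
7 45.79.210.23:51234 - processing - GET /library/parts/1234/file.mkv
12 - internal
"""

# "<index> [<addr>:<port>] - <state>[ - <request>]"
LINE_RE = re.compile(r"^(\d+)\s+(?:(\S+):(\d+)\s+)?-\s+(.*)$")


def parse_connections(text):
    """Turn the plain-text listing into dicts: index, addr, port, state, request."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        idx, addr, port, rest = m.groups()
        parts = [p.strip() for p in rest.split(" - ", 1)]
        rows.append({
            "index": int(idx),
            "addr": addr,                      # None for "internal" rows
            "port": int(port) if port else None,
            "state": parts[0],
            "request": parts[1] if len(parts) > 1 else None,
        })
    return rows


def is_lan(addr):
    """True for peers inside the home network (or internal rows with no peer)."""
    if addr is None:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def external_activity(text):
    """Connections from outside the LAN that are actually serving a request."""
    return [r for r in parse_connections(text)
            if not is_lan(r["addr"]) and r["state"] == "processing"]


def fetch_listing(host, token, port=32400):
    """Query the /connections endpoint described in the post (live use only)."""
    url = f"http://{host}:{port}/connections?" + urlencode({"X-Plex-Token": token})
    with urlopen(url, timeout=5) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_listing(host, token)
    # to run against a real server.
    for row in external_activity(SAMPLE_LISTING):
        print(f"external peer {row['addr']}:{row['port']} is {row['state']}: {row['request']}")
```

A peer that is merely “waiting for request” is an idle keep-alive and is not evidence of playback; only an external address in the “processing” state with a media request behind it would indicate something is actually being served off the box. The token is a credential, so keep it out of shell history and shared screenshots.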

@ChuckPA said:
Given Linode (which is a ping only) is frequent, it can look like it’s streaming but isn’t. To be certain, here are things to check:

A. When you are seeing the HD reads, is your Butler (scheduled tasks) running and do you have “Deep Analysis” enabled in Scheduled Tasks? If so, this is why the large read quantity.

B. Since you have command line access to it and can see the connections, you can verify if someone is actually streaming.

Get your PlexOnlineToken from the Preferences.xml file.

Now use that in your browser to query the open connections:

http://IP.addr.of.NAS:32400/connections?X-Plex-Token=`PlexOnlineToken`

Your browser will respond with active connections. What you see here is my idle server.

1 192.168.0.13:59780 - processing - GET /connections
2 192.168.0.13:59784 - waiting for request 
3 192.168.0.13:59790 - waiting for request 
4 192.168.0.13:59794 - waiting for request 
5 192.168.0.13:59798 - waiting for request 
6 - internal
7 192.168.0.13:59800 - waiting for request 
8 192.168.0.13:59782 - waiting for request 
9 192.168.0.13:59786 - waiting for request 
10 192.168.0.13:59792 - waiting for request 
11 192.168.0.13:59796 - waiting for request 
12 - internal

Thanks, I’ll look into this tonight.

@Plex-User72 said:

@ChuckPA said:
Given Linode (which is a ping only) is frequent, it can look like it’s streaming but isn’t. To be certain, here are things to check:

A. When you are seeing the HD reads, is your Butler (scheduled tasks) running and do you have “Deep Analysis” enabled in Scheduled Tasks? If so, this is why the large read quantity.

B. Since you have command line access to it and can see the connections, you can verify if someone is actually streaming.

Get your PlexOnlineToken from the Preferences.xml file.

Now use that in your browser to query the open connections:

http://IP.addr.of.NAS:32400/connections?X-Plex-Token=`PlexOnlineToken`

Your browser will respond with active connections. What you see here is my idle server.

1 192.168.0.13:59780 - processing - GET /connections
2 192.168.0.13:59784 - waiting for request 
3 192.168.0.13:59790 - waiting for request 
4 192.168.0.13:59794 - waiting for request 
5 192.168.0.13:59798 - waiting for request 
6 - internal
7 192.168.0.13:59800 - waiting for request 
8 192.168.0.13:59782 - waiting for request 
9 192.168.0.13:59786 - waiting for request 
10 192.168.0.13:59792 - waiting for request 
11 192.168.0.13:59796 - waiting for request 
12 - internal

Thanks, I’ll look into this tonight.

OK so “Perform extensive media analysis during maintenance” is checked. What is that doing exactly and is it important?
Is that what you were talking about?

This was an extended time on one single file as to compared to a scan that was progressively going through the library. So what was it doing?

I’ll keep an eye out for a video file running again and then run the steps you suggested to see what is happening.

Thanks for the assistance and info.

What it’s doing is, one by one, it’s reading each of your media files and analyzing them very thoroughly. PMS is profiling the file, determining the minimum and maximum needed. It will use this data if you’re remote streaming and need to manage bandwidth utilization. It will be better able to know when it has to adjust to live within any limits or issues which occur for remote.

If you don’t care about upload streaming bandwidth, you can turn it off.

Does this help?

@ChuckPA said:
What it’s doing is, one by one, it’s reading each of your media files and analyzing them very thoroughly. PMS is profiling the file, determining the minimum and maximum needed. It will use this data if you’re remote streaming and need to manage bandwidth utilization. It will be better able to know when it has to adjust to live within any limits or issues which occur for remote.

If you don’t care about upload streaming bandwidth, you can turn it off.

Does this help?

So on schedule the scheduled tasks started and the exact same media file shows up in active streams. I turned off both “Perform extensive media analysis during maintenance” and “Upgrade media analysis during maintenance”, but nothing changed and the media file still shows up under the active streams section.

If nothing is active from PMS, you have something else going on. Whatever that file is (look at Now Playing), you’ll find out what it is. Get the IP and trace it (geo lookup).

If it’s not in your home or one of those you share with, you have a bigger security problem.

@Plex-User72 said:

@ChuckPA said:

B. Since you have command line access to it and can see the connections, you can verify if someone is actually streaming.

Get your PlexOnlineToken from the Preferences.xml file.

Now use that in your browser to query the open connections:

http://IP.addr.of.NAS:32400/connections?X-Plex-Token=`PlexOnlineToken`

Your browser will respond with active connections. What you see here is my idle server.

Thanks, I’ll look into this tonight.

I started to try and do this but I’m not sure how to open a file to read from a command line after telnetting in. I found the file in the Plex appdata just navigating through File Explorer from my Win 10 machine, but I don’t have the access rights to just open it from here.

You’re losing me. I’m a Linux person.

Perhaps @OttoKerner can help you here.

User is running Plex on unRAID, which to my knowledge is Linux-based.
Plex performs server maintenance in the night. Some of these tasks require the media files being read from start to finish.
So I’d say the behavior is pretty normal.

@OttoKerner said:
User is running Plex on unRAID, which to my knowledge is Linux-based.
Plex performs server maintenance in the night. Some of these tasks require the media files being read from start to finish.
So I’d say the behavior is pretty normal.

Yes, unRAID is Linux-based.

It seems this is part of maintenance. It seems odd that the media files are showing up as a “stream” from unRAID. If this analysis truly will go through my collection and the entire media file out to Plex’s servers it seems that’s a tremendous undertaking and use of bandwidth.

After turning off

  • Perform extensive media analysis during maintenance
  • Upgrade media analysis during maintenance

It did not immediately stop the “stream”, but when I halted it myself via unRAID, it did not appear to restart on its own.

Are both of these just trying to make transcoding more efficient for off site use? Is there anything I’m missing about leaving them off?

Thanks again, I’m now just trying to understand the options on these settings.

@Plex-User72 said:
It seems this is part of maintenance. It seems odd that the media files are showing up as a “stream” from unRAID. If this analysis truly will go through my collection and the entire media file out to Plex’s servers it seems that’s a tremendous undertaking and use of bandwidth.

What bandwidth? The one from your disk drives to your motherboard? :wink:

  • Perform extensive media analysis during maintenance

This is one of those that requires reading the whole file.
here is what it does: https://forums.plex.tv/discussion/comment/1402975/#Comment_1402975

There is another task that requires almost the same volume of data:
generation of Video preview thumbnails
https://support.plex.tv/hc/en-us/articles/202197528-Video-Preview-Thumbnails

@OttoKerner said:

@Plex-User72 said:
It seems this is part of maintenance. It seems odd that the media files are showing up as a “stream” from unRAID. If this analysis truly will go through my collection and the entire media file out to Plex’s servers it seems that’s a tremendous undertaking and use of bandwidth.

What bandwidth? The one from your disk drives to your motherboard? :wink:

  • Perform extensive media analysis during maintenance

This is one of those that requires reading the whole file.
here is what it does: https://forums.plex.tv/discussion/comment/1402975/#Comment_1402975

There is another task that requires almost the same volume of data:
generation of Video preview thumbnails
https://support.plex.tv/hc/en-us/articles/202197528-Video-Preview-Thumbnails

Sorry, it’s been a little while and now I’m resurrecting this thread. There are two concerns I have with all of this.

  1. The way I found this issue was the video file shows up on my server as an “active stream” to the Linode / Plex servers. It connects the stream to the IP 45.79.210.23. See attached screenshot and you will see what I’m talking about. Look for the file “The Host (2006)”.
  2. The exact same file “streams” every single night. No other files, just this one. The individual drive currently has 29 million reads on it.

Does this sound like the function you were talking about?

Wow, a lot of people like your copy of The Host (2006).
I would really take a look at the integrity of the file. I just can’t see someone hacking just to watch the movie, The Host.

Activate debug logging on your server and download the logs first thing in the morning.
Do not activate ‘verbose’ logging!
Then inspect them for timestamps which coincide with your storage transfer logs.
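The step above is a time-window correlation: take the moment unRAID shows the drive spinning up, pull the debug log entries from shortly before that until the maintenance window ends, and look for the file name. The script below is an added example, not OttoKerner's or Plex's code. The log lines are constructed and their message text is illustrative; the “Mon DD, YYYY HH:MM:SS.mmm [thread] LEVEL - message” layout is assumed for the example, so adjust `LOG_RE` and `TS_FMT` if your log files are shaped differently. The file name is the one from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (assumed layout; messages are illustrative, not real
# PMS output). Times straddle a 02:00 maintenance start.
SAMPLE_LOG = """\
Mar 03, 2019 01:59:58.101 [0x7f1] DEBUG - Request: [192.168.0.13:59780] GET /connections
Mar 03, 2019 02:00:00.215 [0x7f2] DEBUG - Butler: starting scheduled maintenance tasks
Mar 03, 2019 02:00:01.330 [0x7f3] DEBUG - Analyzing /media/Movies/The Host (2006)/The Host (2006).mkv
Mar 03, 2019 02:31:44.002 [0x7f3] DEBUG - Analysis incomplete, retrying /media/Movies/The Host (2006)/The Host (2006).mkv
Mar 03, 2019 03:05:09.777 [0x7f3] DEBUG - Analyzing /media/Movies/The Host (2006)/The Host (2006).mkv
Mar 03, 2019 09:15:00.000 [0x7f9] DEBUG - Request: [192.168.0.20:40001] GET /library/sections
"""

# "<timestamp> [<thread>] <LEVEL> - <message>"  (assumed layout)
LOG_RE = re.compile(
    r"^(\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]*\] (\w+) - (.*)$")
TS_FMT = "%b %d, %Y %H:%M:%S.%f"


def parse_log(text):
    """Yield (timestamp, level, message) for every line that matches the layout."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # continuation lines, stack traces, other noise
        ts, level, msg = m.groups()
        entries.append((datetime.strptime(ts, TS_FMT), level, msg))
    return entries


def entries_in_window(text, spinup, before=timedelta(minutes=2), after=timedelta(hours=2)):
    """Entries from `before` ahead of the drive spin-up until `after` past it."""
    lo, hi = spinup - before, spinup + after
    return [e for e in parse_log(text) if lo <= e[0] <= hi]


def mentions_of(text, spinup, needle, **window):
    """Entries inside the window whose message names the file in question."""
    return [e for e in entries_in_window(text, spinup, **window) if needle in e[2]]


if __name__ == "__main__":
    # Spin-up time as reported by unRAID for the constructed sample.
    spinup = datetime(2019, 3, 3, 2, 0, 0)
    hits = mentions_of(SAMPLE_LOG, spinup, "The Host (2006)")
    for ts, level, msg in hits:
        offset = ts - spinup
        print(f"+{offset} {level}: {msg}")
```

If every mention of the file sits inside the maintenance window and is tagged with scheduler or analysis messages rather than client request lines, the reads are the Butler task; a client request for the file from an address you do not recognise, inside the same window, is the thing to chase further.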

@NewPlaza said:
Wow, a lot of people like your copy of the host 2006.
I would really take a look at the integrity of the file. I just can’t see someone hacking just to watch the movie, The Host.

It is a rather “obscure” movie, a gift from a movie buff I know. It’s sort of hard to believe someone would hack the system the same time every night for a month to watch the same obscure movie :smile:

Obviously I’ve moved on from this being a “hack” but something is going on though that shouldn’t be.

If the suggested logs don’t show anything, I could remove the movie from the collection, let it get pulled from the database, re-create the file from the original media, and then add it back. Is there a way to make sure everything about it is fully purged from the Plex database?

@OttoKerner said:
Activate debug logging on your server and download the logs first thing in the morning.
Do not activate ‘verbose’ logging!
Then inspect them for timestamps which coincide with your storage transfer logs.

OK. The timing of this does coincide with the nightly “maintenance” so it’s pretty easy to narrow down the window. I’ll cut down the logs to the right time frame and post here unless something stands out to me.

It will be tomorrow morning. EST

@Plex-User72 said:
OK. The timing of this does coincide with the nightly “maintenance” so it’s pretty easy to narrow down the window. I’ll cut down the logs to the right time frame and post here unless something stands out to me.

I’d just remove the file to a place outside of the Plex media folders and then let another nightly maintenance pass.
Either it is now a different movie file or you won’t see any other ‘abnormalities’.
The latter would be good, because then one could inspect the offending movie file for errors. Maybe remux it into a MKV container.
In my experience this has helped with quite a few misbehaving movies already.