Plex Account Security: I need help with blocking unauthorized access.

Hey Guys

I noticed today that someone was streaming from my Plex server; the person was using Chrome, and it was not reporting a username as one of my friends or as myself.

I did notice, though, that it was affecting my watched items, and the watched progress was moving along with the active stream.

I quickly changed my master Plex password and shut down my server for 5 minutes and restarted it.
I never noticed the user come back.
Through logging on my router I noticed multiple connections to my Plex server on my Plex port; most were from the IP I was behind, but there were also 4 connections from 2 IPs in an Israeli subnet.

I thought my password change did the trick, but then I noticed at a later time, and only for about 5 seconds, that a user who was not in my friends list was logged in watching a movie.
From my router logs I noticed the only unapproved connection to my Plex server was coming from Ireland.
I googled the guy’s Plex username and found a Twitter account based in the UK.

I have since turned on a geo-block on my router, blocking all connections except from my country.

Is anybody aware of current backdoors and vulnerabilities within Plex that would allow for this backdoor access?
Again, the main password was changed after the first noticed occurrence, and it happened again.

Ideally I would not like to use this geo filter and would rather correct the issue through changes to my Plex server config.

Any tips from a Ninja?

Is your server on FreeBSD/FreeNAS, or did you use a prefabricated Plex ‘container’ like Docker, etc.?

My server is on a Mac Pro Server, with the shares being NFS shares on a Synology NAS.

Next time you see an unauthorized user, note the username and PM me. We will look into it.

Details on the way in a PM.

Thanks.

This is getting crazy; there is some sort of back door into my server. I have people hitting it constantly, always from an IP address in the U.K. I have installed PlexPy and am starting to monitor more closely, and I have some details I will send to you in a PM shortly.

They seem to be able to trick my server into thinking it’s local traffic, so as to hide their Plex account from my view.
So PlexPy reports it as local.
I have had one particular guy where, after adding 127.0.0.1/255.255.255.255 to my list of networks allowed without auth, it flashed his Plex username across my screen.

Is adding that localhost subnet to my settings going to be the fix for this, do you think, or is there something else I should look at?

Further to this, the guy I caught on the server this morning was using a Roku unit, whereas all the previous users were using Plex Web. So whatever this exploit is, they are able to port it to other Plex clients like the Roku.

Have you gone into the devices section and removed all previously authorized (yet undesired) devices?

If you have any listings in “networks allowed without auth”, I’d suggest removing all of them and turning on force encryption if it isn’t on already.

While you’re at it, maybe disable remote access or change ports until things get sorted out. If you ever had remote access enabled prior to HTTPS/SSL encryption, you may wanna clean the whole thing (all caches/authorizations).

I looked; their devices did not show in the list, but I do have a bunch of very old entries for different web browsers. Can I clear all entries at once somehow, or do I have to do each one at a time? I have 2 years’ worth of IE and Chrome devices filling my list.

@NateDawg1169 said:
I looked; their devices did not show in the list, but I do have a bunch of very old entries for different web browsers. Can I clear all entries at once somehow, or do I have to do each one at a time? I have 2 years’ worth of IE and Chrome devices filling my list.

There is probably a way, though I don’t know how myself.

@NateDawg1169 said:
I looked; their devices did not show in the list, but I do have a bunch of very old entries for different web browsers. Can I clear all entries at once somehow, or do I have to do each one at a time? I have 2 years’ worth of IE and Chrome devices filling my list.

You could reset your password and put a check next to “Sign out all devices when resetting your password”.

You might also give this thread a look: https://forums.plex.tv/discussion/219409/did-i-get-hacked-someone-playing-my-files

There would seem to be some sort of exploit being used if you are not forcing authentication on your local subnet, as the unauthorized users were appearing as local users (not displaying their username in activity) and it was affecting my watch count. Some googling reveals some methods that are being referred to as “plex driveby”.

By only allowing my localhost (i.e. my server) unauthenticated access, I have not noticed a breach since.
I will report back for those that are interested if anything changes, but the fix appears to be to force authentication for everyone.
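An added example, not code from this thread or from Plex/PlexPy: a Python check of a “networks allowed without auth” list written in Plex’s address/netmask form, showing that a catch-all entry exempts remote clients from login while the loopback-only entry used above does not, and flagging constructed PlexPy-style session rows that carry no username. The LOCAL_NETS ranges, the session rows and the catch-all entry are assumptions made for the example.

```python
"""Added example (not from the thread): evaluate a Plex-style 'networks
allowed without auth' list and flag sessions admitted without a login.
Entries use Plex's address/netmask form (e.g. 127.0.0.1/255.255.255.255)
or CIDR; the session rows are constructed to resemble PlexPy activity."""
import ipaddress

# Loopback and RFC1918 ranges (assumed here as "local"): an unauthenticated
# session from anywhere else means a remote client was served as if local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_allow_list(entries):
    """Turn 'addr/netmask' or 'addr/prefixlen' strings into networks."""
    # ip_network accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0;
    # strict=False tolerates host bits set in the address part.
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]

def bypasses_auth(client_ip, allow_nets):
    """True if a client at client_ip is served without a Plex login."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in allow_nets)

def flag_unauthenticated_sessions(sessions, allow_nets):
    """Return sessions with no username (admitted without auth), noting
    whether the allow list exempted them and whether the source is remote."""
    findings = []
    for s in sessions:
        if s["user"]:
            continue  # authenticated: a Plex username is present
        ip = ipaddress.ip_address(s["ip"])
        findings.append({
            "ip": s["ip"], "player": s["player"],
            "exempted": bypasses_auth(s["ip"], allow_nets),
            "remote": not any(ip in net for net in LOCAL_NETS),
        })
    return findings

# Constructed sample: one local unauthenticated session, one authenticated
# friend, and two external sessions with an empty username (the symptom in
# the thread). External addresses come from the TEST-NET documentation ranges.
SESSIONS = [
    {"user": "", "ip": "127.0.0.1", "player": "Plex Web"},
    {"user": "friend1", "ip": "192.168.1.20", "player": "Roku"},
    {"user": "", "ip": "203.0.113.7", "player": "Plex Web"},
    {"user": "", "ip": "198.51.100.9", "player": "Roku"},
]
WEAK_ALLOW = parse_allow_list(["0.0.0.0/0.0.0.0"])            # constructed catch-all
SAFE_ALLOW = parse_allow_list(["127.0.0.1/255.255.255.255"])  # server only, as in the thread
```

Calling flag_unauthenticated_sessions(SESSIONS, SAFE_ALLOW) returns the three username-less sessions, with the two TEST-NET ones marked remote and not exempted; under WEAK_ALLOW every one of them is exempted, which is the condition the thread describes.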

Save your logs for the dev team; that will be helpful for further analysis.
And as already said, change your password to renew your Plex auth token.