Plex Server scans for wallets?

Sorry if I am missing something, but what is scary about a misconfiguration and the scanner skipping over files it 1) doesn’t have access to and 2) doesn’t know what to do with because it’s not a media file?

Yes, you can.

yes. it’s just a text file

Silly question:

If they don’t exist, how did they get into the server logs?

Did you install any Plug-ins ?


That’s the big question here and the reason why I opened this thread. I have absolutely no idea.
I now have the debug logs enabled. I check them every day to see if this appears again and will send you the logs.

There are no plugins installed (or is there any special folder I should check?)


“Keine Plugins installiert” (German) → “No Plugins installed”

Since you never stated the OS you are running, plugins can exist in two places

/var/lib/plexmediaserver/Library/Application Support/Plex Media Server/Plug-ins

/usr/lib/plexmediaserver/Resources/Plug-ins-XXXXX

So please show us an ls -la of the above directories

I would also like to see the checksums

cd /usr/lib/plexmediaserver
ls -la
md5sum * */* Resources/Plug-ins*/*/*/*/*

It’s Linux Debian 10.
I sent you all details in our private conversation.

Got it… thank you.

Did the root cause of this get determined?

No. There was nothing in the presented information which allowed any definitive determination to be made.

I personally scanned all the code (server and players) looking for /root. The only place I found any such reference, including partial matches, was in an API query which was asking for /root_path (which is used for library sections).

If you look at the database schema, you will find a field named root_path. That’s the field the API queries for.

I further examined the use of $HOME, the user’s home directory on Linux.

If PMS were run as root user, $HOME would have been /root. However, this is not the case because, as root, there are no permission restrictions. The logs clearly showed “Permission Denied”. This confirms PMS was not running as the ‘root’ user.

There is clearly information missing but what’s actually missing still eludes us.


On my existing server, I attempted to create a library section pointing to /root.

The results are:

  1. Initial scan was blocked because /root default permission is 700
Feb 18, 2022 18:12:28.126 [0x7f1b4efe2b38] ERROR - Failed to create iterator to "/root": Permission denied
  2. However, changing /root to 755 created this.
Feb 18, 2022 18:21:15.098 [0x7f1b62d63b38] ERROR - XML: Start tag expected, '<' not found^@
Feb 18, 2022 18:21:15.098 [0x7f1b62d63b38] ERROR - XML: status=ok^@
Feb 18, 2022 18:21:15.098 [0x7f1b62d63b38] ERROR - XML: ^^@
Feb 18, 2022 18:21:15.098 [0x7f1b62d63b38] ERROR - Error parsing content.
Feb 18, 2022 18:21:15.098 [0x7f1b62d63b38] ERROR - Error parsing XML: Error parsing file.
Feb 18, 2022 18:21:15.098 [0x7f1b62d63b38] ERROR - SSDP: Error parsing device schema for http://192.168.0.44:9080
Feb 18, 2022 18:21:45.456 [0x7f1b51f12b38] ERROR - Error opening file '"/root/.viminfo"' - Permission denied (13)
Feb 18, 2022 18:21:45.456 [0x7f1b51f12b38] ERROR - Error opening file '"/root/.bash_history"' - Permission denied (13)
Feb 18, 2022 18:21:45.456 [0x7f1b51f12b38] ERROR - Error opening file '"/root/.bash_history"' - Permission denied (13)
Feb 18, 2022 18:21:45.456 [0x7f1b51f12b38] ERROR - Error opening file '"/root/.viminfo"' - Permission denied (13)
Feb 18, 2022 18:21:52.181 [0x7f1b62d63b38] ERROR - XML: Entity: line 1:^@
Feb 18, 2022 18:21:52.181 [0x7f1b62d63b38] ERROR - XML: parser^@
Feb 18, 2022 18:21:52.181 [0x7f1b62d63b38] ERROR - XML: error :^@

I think this might explain the missing information?

If so, this resolves to my initial suspicion – configuration error.

Any of you can easily confirm this.

But what caused something to search specifically for crypto wallets if the user didn’t have crypto wallets? The error makes sense but how does someone recreate random searches for wallets that fail?

It didn’t search for a crypto wallet.

It was performing a readdir() and happened to stumble across it hidden in the list of “dot” files. Those types of directories usually have a default permission of 700, which would block plex:plex from reading them (security) … resulting in the errors in the logs.

Feb 15, 2022 02:11:21.543 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.mozilla/firefox": boost::filesystem::status: Permission denied: "/root/.mozilla/firefox"
Feb 15, 2022 02:11:24.640 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/opera/databases/chrome-extension_hnjalnkldgigidggphhmacmimbdlafdo_0": boost::filesystem::status: Permission denied: "/root/.config/opera/databases/chrome-extension_hnjalnkldgigidggphhmacmimbdlafdo_0"
Feb 15, 2022 02:11:27.737 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/google-chrome": boost::filesystem::status: Permission denied: "/root/.config/google-chrome"
Feb 15, 2022 02:11:30.833 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/BraveSoftware/Brave-Browser": boost::filesystem::status: Permission denied: "/root/.config/BraveSoftware/Brave-Browser"
Feb 15, 2022 02:11:33.928 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.bitcoin": boost::filesystem::status: Permission denied: "/root/.bitcoin"
Feb 15, 2022 02:11:37.024 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.dogecoin": boost::filesystem::status: Permission denied: "/root/.dogecoin"
Feb 15, 2022 02:11:40.120 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.litecoin": boost::filesystem::status: Permission denied: "/root/.litecoin"
Feb 15, 2022 02:11:43.217 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.dashcore": boost::filesystem::status: Permission denied: "/root/.dashcore"
Feb 15, 2022 02:11:46.311 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.electrum/wallets": boost::filesystem::status: Permission denied: "/root/.electrum/wallets"
Feb 15, 2022 02:11:49.421 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.walletwasabi/client/wallets": boost::filesystem::status: Permission denied: "/root/.walletwasabi/client/wallets"
Feb 15, 2022 02:11:52.520 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.local/share/Daedalus/mainnet/wallets": boost::filesystem::status: Permission denied: "/root/.local/share/Daedalus/mainnet/wallets"
Feb 15, 2022 02:11:55.614 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.local/share/Coinomi/wallets": boost::filesystem::status: Permission denied: "/root/.local/share/Coinomi/wallets"
Feb 15, 2022 02:11:58.716 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.ethereum/keystore": boost::filesystem::status: Permission denied: "/root/.ethereum/keystore"
Feb 15, 2022 02:12:01.811 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/Jaxx/Local Storage": boost::filesystem::status: Permission denied: "/root/.config/Jaxx/Local Storage"
Feb 15, 2022 02:12:04.905 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb": boost::filesystem::status: Permission denied: "/root/.config/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb"
Feb 15, 2022 02:12:07.999 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/snap/bitpay/current/.bitpay/app/Local Storage/leveldb": boost::filesystem::status: Permission denied: "/root/snap/bitpay/current/.bitpay/app/Local Storage/leveldb"
Feb 15, 2022 02:12:11.093 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/atomic/Local Storage/leveldb": boost::filesystem::status: Permission denied: "/root/.config/atomic/Local Storage/leveldb"
Feb 15, 2022 02:12:14.200 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.config/Exodus/exodus.wallet": boost::filesystem::status: Permission denied: "/root/.config/Exodus/exodus.wallet"
Feb 15, 2022 02:12:17.300 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.electron-cash/wallets": boost::filesystem::status: Permission denied: "/root/.electron-cash/wallets"

In the absence of any information to the contrary, and as demonstrated by my recreation,

  • It would not look in /root unless so directed.
  • When user plex:plex encountered files it couldn’t read, it printed that to the logs.

In this user’s case, I think the user specified /home as the directory. The logs show multiple /home/xxxxx directories being scanned for media.

Feb 15, 2022 01:53:54.617 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/bitcoin/.bitcoin": boost::filesystem::status: Permission denied: "/home/bitcoin/.bitcoin"
Feb 15, 2022 01:53:57.711 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/bitcoin/.dogecoin": boost::filesystem::status: Permission denied: "/home/bitcoin/.dogecoin"
Feb 15, 2022 01:54:00.805 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/bitcoin/.litecoin": boost::filesystem::status: Permission denied: "/home/bitcoin/.litecoin"
Feb 15, 2022 01:54:03.901 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/bitcoin/.dashcore": boost::filesystem::status: Permission denied: "/home/bitcoin/.dashcore"
Feb 15, 2022 01:54:06.997 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/bitcoin/.electrum/wallets": boost::filesystem::status: Permission denied: "/home/bitcoin/.electrum/wallets"
Feb 15, 2022 01:54:10.091 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/bitcoin/.walletwasabi/client/wallets": boost::filesystem::status: Permission denied: "/home/bitcoin/.walletwasabi/client/wallets"
Feb 15, 2022 01:53:32.953 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/backup/.config/atomic/Local Storage/leveldb": boost::filesystem::status: Permission denied: "/home/backup/.config/atomic/Local Storage/leveldb"
Feb 15, 2022 01:53:36.046 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/home/backup/.config/Exodus/exodus.wallet": boost::filesystem::status: Permission denied: "/home/backup/.config/Exodus/exodus.wallet"

Looking at this in total: two errors, OR a media top-level directory of / was specified, which would have caused it to scan the entire host, with the logs getting busy when it hit those per-user files with tightened permissions.

This is where there isn’t enough information to conclude definitively; however, the evidence presented does strongly imply user error.


Sorry @ChuckPa
Please focus on what we have written in our private conversation.

It was not a readdir(). We know this 100% for sure.
Plex was actively searching for Crypto Wallets.
Only the trigger is currently unknown.

Extraordinary claims require extraordinary evidence.

The simplest explanations have been given. Without better evidence this seems straightforward.

Plex scans what it is configured to scan, performing a readdir() on each directory scanned. Those log entries are expected if Plex doesn’t have access to directories it scans.

You showed the Library configurations. Did you look for symlinks within the Library directories?

Horses, not Zebras.

That’s exactly what makes me so sad, because I checked all folders together with @ChuckPa in this private conversation. We searched for symlinks and didn’t find any.

And again:
The folder "/root/.mozilla/firefox" doesn’t exist.
That’s why it can’t be a readdir() of /root.

The latest status is that all this information (and we collected some more in this private conversation) has been forwarded to the “engineering”.


Let’s look at this from yet another possible attack vector:

  1. What are the permissions of /root ?
  2. Executing the following with default permissions results in
root@lizum:/home/chuck# su -s /bin/bash plex
plex@lizum:/home/chuck$ whoami
plex
plex@lizum:/home/chuck$ ls -ls /root
ls: cannot open directory '/root': Permission denied
plex@lizum:/home/chuck$ 

If the above is true, it is impossible for non-privileged user plex to read any further into /root.

Therefore, even if PMS did look, how did it get into /root ??

Was there a need to change the directory permissions of /root ?

  1. /root has 0700 as permission. Owner is also root.
  2. Same message as you:
sudo su -s /bin/bash plex
plex@dl08:/$ whoami
plex
plex@dl08:/$ ls -ls /root
ls: cannot open directory '/root': Permission denied

PMS didn’t get into /root. It was more like a brute force attack.

If that’s true, explore Occam’s rules for one moment:

  1. The Linux file system is protecting as verified by the command line.

  2. PMS is running as user plex.

  3. The time required to scan /root is suspicious. /root is typically not populated with a lot of files; however, the logs above show nearly 1 minute of elapsed time. The OP’s CPU has approximately 10,000 passmarks of performance.
    – Start: Feb 15, 2022 02:11:21.543
    – Finish: Feb 15, 2022 02:12:17.300

  • Compare with another Xeon scanning the entire media directory structure (20,000 passmarks).
[chuck@glockner ~.1997]$ time find /mnt/vol/media -print | wc -l
82346

real	0m7.720s
user	0m0.141s
sys	0m0.188s
[chuck@glockner ~.1998]$
  4. What are we missing?
    – Log file “Permission Denied” entries are not generated for non-existent files or directories.
    – PMS would report “File Not Found” if it was looking for a file it was expecting to find. “Permission Denied” does not make any sense here.

  5. Given the above verification that Linux is doing its job, the log file entries which show subdirectories and files of /root, as stated in the OP, at this point in the investigation point to one of the following:
    – A third party plug-in which is hard-coded to look for personal data
    – One of the other system users (who log in) having admin-level access to PMS
    – A symbolic link somewhere in the media (which the OP has reported does not exist)
    – The system itself is somehow compromised (an extremely remote possibility)
    – A fabrication (which is not being considered at this point)

All suggestions about how to search further are welcome.

I am coordinating my efforts with those on the Engineering team who are also researching this.
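An added check, written for this thread and not code from any participant or from Plex: it parses three of the quoted log lines to measure the gap between consecutive errors (the cadence argument in point 3 above), and it shows what stat() returns for a path that does not exist beneath a directory the caller cannot search (the “Permission Denied” argument in point 4). The temporary directory and the "does-not-exist" leaf are constructed for the demonstration.

```python
import errno
import os
import re
import tempfile
from datetime import datetime

# Three lines copied from the log excerpt quoted in this thread.
SAMPLE_LOG = """\
Feb 15, 2022 02:11:33.928 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.bitcoin": boost::filesystem::status: Permission denied: "/root/.bitcoin"
Feb 15, 2022 02:11:37.024 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.dogecoin": boost::filesystem::status: Permission denied: "/root/.dogecoin"
Feb 15, 2022 02:11:40.120 [0x7f200a167b38] ERROR - Couldn't check for the existence of file "/root/.litecoin": boost::filesystem::status: Permission denied: "/root/.litecoin"
"""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \[[^\]]+\] ERROR - '
    r'Couldn\'t check for the existence of file "(?P<path>[^"]+)": '
    r'boost::filesystem::status: (?P<reason>[^:]+): "')

def parse_log(text):
    """Return (timestamp, path, reason) for each boost::filesystem::status error."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S.%f")
            events.append((ts, m["path"], m["reason"]))
    return events

def intervals(events):
    """Seconds between consecutive errors. readdir() of one directory finishes in
    milliseconds; an even multi-second gap across unrelated paths suggests a timed
    loop probing a fixed list, which is the pattern worth chasing in the full log."""
    return [round((b[0] - a[0]).total_seconds(), 3) for a, b in zip(events, events[1:])]

EXPECTED_ERRNO = errno.ENOENT if os.geteuid() == 0 else errno.EACCES  # root bypasses mode bits

def missing_child_under_closed_dir():
    """stat() a path that does NOT exist beneath a directory with no search (x) bit.
    A non-root caller gets EACCES ("Permission denied"), not ENOENT: the kernel
    rejects the path prefix before it can tell whether the leaf exists, so a
    'Permission denied' log line on its own does not prove the file was there."""
    with tempfile.TemporaryDirectory() as parent:
        os.chmod(parent, 0)
        try:
            os.stat(os.path.join(parent, "does-not-exist"))
            return 0
        except OSError as e:
            return e.errno
        finally:
            os.chmod(parent, 0o700)  # restore so cleanup can delete the directory
```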