Plex Server scans for wallets?

Another test – Why is scanning /root so slow?

Using an ARMv8 (TS-128A NAS w/ 1GB of RAM and a single HDD), I conducted the following test.

[/tmp/a/plex/qa] # cd /share/faketv
[/share/faketv] # ls -la
total 782512
drwxrwxrwx  2 admin administrators      4096 2022-02-19 12:03 ./
drwxrwxrwx 60 admin administrators      4096 2022-02-16 11:30 ../
-rw-r--r--  1 admin administrators 801280000 2022-02-19 12:03 tv.tar
[/share/faketv] # time tar xf tv.tar 

real	0m55.660s
user	0m6.308s
sys	0m41.330s
[/share/faketv] # time find ./tv -print | wc -l
437230

real	1m4.541s
user	0m2.907s
sys	0m12.231s
[/share/faketv] # 

Is it possible that it’s not part of the library scan or plugins?

One thing that comes to mind is a DVR post-processing script. Admittedly, I don’t use Plex DVR so I’m not familiar with how it works. Is it possible that there is malicious code in a script? Do post-processing scripts log to the server logs?

Is there any other setting that allows a user to input something to be run by the Plex Media Server?

Edit: What about another application calling the Plex Media Scanner from the command line? I know there are some 3rd party apps that manage library scanning.

That’s wrong. If the user (here plex) has no access to the folder, you get a “permission denied” for every call in this directory, not a “file not found”. You can test this by:

sudo su -s /bin/bash plex
plex@dl08:/home/debian$ whoami
plex
plex@dl08:/home/debian$ cat /root/fileNotExists
cat: /root/fileNotExists: Permission denied

Regarding the “scan” performance:
I don’t think that PMS is performing a classic folder scan here (because it has no access to it). So a scan would complete in a few milliseconds, because it doesn’t know what to search for (it doesn’t know what’s in the folder).

That brings me to my current theory:
What if there is a Zero-Day Exploit in the PMS? E.g. if the open port 32400 has a security issue. Then someone could access the server using a malicious URL. Something like this:
http://ip:32400/maliciousURL?file=/root/.mozilla/firefox
PMS then tries to read the file, but is unable to access it. A permission denied message is logged. Then a few seconds later, the “attacker” sends the next request (with a different file in the URL).

And yes: It’s only a theory. Since I have no debug logs, I can not prove this.

Thanks to you, everyone here in this thread and the Engineering Team for taking this case seriously.


For the attack to work via the URL, the attacker would have to know how to perform the full fetch AND have authorized access to the system else they would receive a HTTP 401 return.

Researching with token now.

I don’t understand what you mean by “the full fetch”. Sorry, I’m not a native English speaker.

The only thing an “attacker” needs to know is a URL that he can use. E.g. the transcode URL that is used by the mobile apps or the sync/download URL. Or he was able to trick out the URL that is used for loading the TV-Show poster.

To download a file, the file must first be indexed by Plex. Plex does not index non-media files.

The file is downloaded using its Indexed ID number.

PMS does this to prevent such brute-force attacks by path name.

So what do you have on your system which is causing this?

If it were PMS, doesn’t it seem logical that everyone would see the problem?

So far, nobody else has reported such messages.

That’s good to know.

I just saw that such a case existed in the past:

Another info:
I checked the SQLite DB and found the table activities. I don’t know when exactly a new record is created, but I just want to let you know that there were no entries during this time.


The following SQL was used:

SELECT id, type, title, subtitle, started_at, finished_at, DATETIME(started_at, 'unixepoch', 'localtime') as START_DATE
FROM activities
WHERE started_at >  1644793200
AND started_at < 1644966000
ORDER BY started_at

The activity at 4am makes sense to me, because that’s when the maintenance window starts (4-6am every day).

Also in the media_parts table:

SELECT *
FROM media_parts
WHERE file LIKE '/root%'

Nothing is found for the /root folder.

If you know any other table that I should check, just let me know.

What about JBOPS, Tautulli, Plex requests (and successors) etc?

If you examine the whole media_parts table, this is the only place the path name is stored.

1|1|3|577b5230929eb461b1efdc630dbffd7670221990|d0aeb176f1828525|/glock/tv3/Animaniacs/Season 01/Animaniacs - S01E01 - De-Zanitized.mkv||145201104|810592||2021-04-05 16:55:28||ma%3Acontainer=mkv&ma%3AdeepAnalysisVersion=6&ma%3ArequiredBandwidths=1452%2C1452%2C1452%2C1452%2C1452%2C1452%2C1452%2C1452&ma%3AvideoProfile=main&pv%3Achapters=%7B%22Chapters%22%3A%7B%22Chapter%22%3A%5B%7B%22name%22%3A%22Chapter%20%201%22%2C%22start%22%3A0%2E0%2C%22end%22%3A132%2E99200000000003%7D%2C%7B%22name%22%3A%22Chapter%20%201%22%2C%22start%22%3A132%2E99200000000003%2C%22end%22%3A810%2E5920000000001%7D%5D%7D%7D&pv%3AdeepAnalysisDate=1617656128

Also in this record is the media ID number.

When PMS fetches (to play or to download), it gets this ID number from another table.

If you cannot find any reference to /root in the database???

Thank you so much for your post.
This means that I’m not the only person who was attacked / is affected.

Did you have the debug log enabled?

Since it’s Hetzner you are also German? :)

Just FYI @ChuckPa, I ran the same command as @flow and had no results just for another data point.

I also changed it to

grep -ri "wallet" "/opt/appdata/plex/Library/Application Support/Plex Media Server/Logs/"

and still had no hits (note I’m not very good with grep so figured that out with a quick Google search).

Just wanted to give an example where nothing is being found.

-Shark2k

@flow

Please elaborate further?

@martinr92

There has not been anything yet posted which supports what you’ve seen.

Are you both running PMS on a remote VPS provider?

Point taken.

In the original snippet you shared, were those sequential log entries? Nothing in between them?

Since the database and filesystem are apparently clean, I like your line of thinking about an API manipulation.

But I would expect any HTTP requests to also be logged.

Is the UPnP server enabled?

@martinr92

I hope this is OK to share?

In your logs, I found the following in the middle of a block of error statements (it would be nice if DEBUG logging had been enabled)

Feb 11, 2022 16:56:10.355 [0x7f200e748b38] ERROR - Error parsing HTTP request: HELP

May I share that error block here?

The log in the first post? There’s nothing between these lines. The HTTP requests are only logged if you have enabled the debug log in PMS. I had not enabled them.

The DLNA Server is disabled.

Yes, as long as it contains no files/folder/user names of my server.


I found this (Feb 11). There is also another block of the same on Feb 9th.

Feb 11, 2022 16:19:49.166 [0x7f200e725b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 11, 2022 16:29:49.168 [0x7f200e725b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 11, 2022 16:39:49.172 [0x7f200e748b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 11, 2022 16:49:49.175 [0x7f200e748b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 11, 2022 16:56:03.182 [0x7f200e748b38] ERROR - Error parsing HTTP request: ELP
Feb 11, 2022 16:56:09.319 [0x7f200e725b38] ERROR - Error parsing HTTP request: 

Feb 11, 2022 16:56:09.986 [0x7f200e725b38] ERROR - Error parsing HTTP request: \80\00\00(r\FE\00\00\00\00\00\00\00\00\86\A0\00\97|\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
Feb 11, 2022 16:56:10.160 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00\00\00\00\00\00\00\00\00aversionbind\00\00\00
Feb 11, 2022 16:56:10.355 [0x7f200e748b38] ERROR - Error parsing HTTP request: HELP
Feb 11, 2022 16:56:10.532 [0x7f200e725b38] ERROR - Error parsing HTTP request: \00\00S\00\00O\00?G\D7\F7\BA,\EE\EA\B2`~\F3\00\FD\82{\B9Ֆ\C8w\9B\E6\C4\DB<=\DBo\EFn\00\00(\00\00\00
\00f\00\00\00e\00d\00c\00b\00a\00`\00\00\00	\00\00\00\00\00\00
Feb 11, 2022 16:56:10.703 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00i\00\00eU\A7\E4random1random2random3random4\00\00\00/\00
\00\009\00\00\FF\00\000\00
\00,\00*\00\00\00
Feb 11, 2022 16:56:10.880 [0x7f200e725b38] ERROR - Error parsing HTTP request: \00\00\00qj\81n0\81k\A1\A2
\A4\81^0\\A0a\00P\80\00\A2eNM\A30\A0\00\A10ekrbtgteNM\A519700101000000Z\A7\B9٨0
Feb 11, 2022 16:56:11.052 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00\00\A4\FFSMBr\00\00\00\00@\00\00\00\00\00\00\00\00\00\00\00\00\00\00@\00\00\00\00\81\00PC NETWORK PROGRAM 1.0\00MICROSOFT NETWORKS 1.03\00MICROSOFT NETWORKS 3.0\00LANMAN1.0\00LM1.2X002\00Samba\00NT LANMAN 1.0\00NT LM 0.12\00
Feb 11, 2022 16:56:11.227 [0x7f200e748b38] ERROR - Error parsing HTTP request: l\00\00\00\00\00\00\00\00\00\00
Feb 11, 2022 16:56:11.410 [0x7f200e725b38] ERROR - Error parsing HTTP request: OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/TCP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

Feb 11, 2022 16:59:49.178 [0x7f200e748b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.

I hope someone who knows Windows/SMB better than I can explain what’s happening here.

To me, it looks like a Windows client is connecting directly to the Plex port (32400)

Here is the entry from Feb 9th.

Feb 09, 2022 14:19:07.787 [0x7f200d841b38] WARN - SLOW QUERY: It took 230.000000 ms to retrieve 50 items.
Feb 09, 2022 14:39:30.010 [0x7f200e748b38] ERROR - Error parsing HTTP request: ELP
Feb 09, 2022 14:39:36.790 [0x7f200e725b38] ERROR - Error parsing HTTP request: 

Feb 09, 2022 14:39:40.035 [0x7f200e748b38] ERROR - Error parsing HTTP request: \80\00\00(r\FE\00\00\00\00\00\00\00\00\86\A0\00\97|\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
Feb 09, 2022 14:39:40.882 [0x7f200e725b38] ERROR - Error parsing HTTP request: \00\00\00\00\00\00\00\00\00\00aversionbind\00\00\00
Feb 09, 2022 14:39:41.713 [0x7f200e725b38] ERROR - Error parsing HTTP request: HELP
Feb 09, 2022 14:39:42.527 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00S\00\00O\00?G\D7\F7\BA,\EE\EA\B2`~\F3\00\FD\82{\B9Ֆ\C8w\9B\E6\C4\DB<=\DBo\EFn\00\00(\00\00\00
\00f\00\00\00e\00d\00c\00b\00a\00`\00\00\00	\00\00\00\00\00\00
Feb 09, 2022 14:39:43.356 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00i\00\00eU\A7\E4random1random2random3random4\00\00\00/\00
\00\009\00\00\FF\00\000\00
\00,\00*\00\00\00
Feb 09, 2022 14:39:44.197 [0x7f200e725b38] ERROR - Error parsing HTTP request: \00\00\00qj\81n0\81k\A1\A2
\A4\81^0\\A0a\00P\80\00\A2eNM\A30\A0\00\A10ekrbtgteNM\A519700101000000Z\A7\B9٨0
Feb 09, 2022 14:39:45.028 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00\00\A4\FFSMBr\00\00\00\00@\00\00\00\00\00\00\00\00\00\00\00\00\00\00@\00\00\00\00\81\00PC NETWORK PROGRAM 1.0\00MICROSOFT NETWORKS 1.03\00MICROSOFT NETWORKS 3.0\00LANMAN1.0\00LM1.2X002\00Samba\00NT LANMAN 1.0\00NT LM 0.12\00
Feb 09, 2022 14:39:45.853 [0x7f200e748b38] ERROR - Error parsing HTTP request: l\00\00\00\00\00\00\00\00\00\00
Feb 09, 2022 14:39:46.670 [0x7f200e748b38] ERROR - Error parsing HTTP request: OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/TCP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

Feb 09, 2022 15:03:56.264 [0x7f200debab38] WARN - NAT: PMP, got an error: Not Supported by gateway.

Jan 26th.

Jan 26, 2022 23:27:23.854 [0x7f97c335cb38] ERROR - Error parsing HTTP request: 

Jan 26, 2022 23:27:24.836 [0x7f97c337fb38] ERROR - Error parsing HTTP request: \80\00\00(r\FE\00\00\00\00\00\00\00\00\86\A0\00\97|\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
Jan 26, 2022 23:27:25.089 [0x7f97c335cb38] ERROR - Error parsing HTTP request: \00\00\00\00\00\00\00\00\00\00aversionbind\00\00\00
Jan 26, 2022 23:27:25.348 [0x7f97c337fb38] ERROR - Error parsing HTTP request: HELP
Jan 26, 2022 23:27:25.609 [0x7f97c335cb38] ERROR - Error parsing HTTP request: \00\00S\00\00O\00?G\D7\F7\BA,\EE\EA\B2`~\F3\00\FD\82{\B9Ֆ\C8w\9B\E6\C4\DB<=\DBo\EFn\00\00(\00\00\00
\00f\00\00\00e\00d\00c\00b\00a\00`\00\00\00	\00\00\00\00\00\00
Jan 26, 2022 23:27:25.864 [0x7f97c337fb38] ERROR - Error parsing HTTP request: \00\00i\00\00eU\A7\E4random1random2random3random4\00\00\00/\00
\00\009\00\00\FF\00\000\00
\00,\00*\00\00\00
Jan 26, 2022 23:27:26.120 [0x7f97c335cb38] ERROR - Error parsing HTTP request: \00\00\00qj\81n0\81k\A1\A2
\A4\81^0\\A0a\00P\80\00\A2eNM\A30\A0\00\A10ekrbtgteNM\A519700101000000Z\A7\B9٨0
Jan 26, 2022 23:27:26.376 [0x7f97c337fb38] ERROR - Error parsing HTTP request: \00\00\00\A4\FFSMBr\00\00\00\00@\00\00\00\00\00\00\00\00\00\00\00\00\00\00@\00\00\00\00\81\00PC NETWORK PROGRAM 1.0\00MICROSOFT NETWORKS 1.03\00MICROSOFT NETWORKS 3.0\00LANMAN1.0\00LM1.2X002\00Samba\00NT LANMAN 1.0\00NT LM 0.12\00
Jan 26, 2022 23:27:26.629 [0x7f97c335cb38] ERROR - Error parsing HTTP request: l\00\00\00\00\00\00\00\00\00\00
Jan 26, 2022 23:27:26.889 [0x7f97c337fb38] ERROR - Error parsing HTTP request: OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/TCP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

Jan 26, 2022 23:28:07.676 [0x7f97c337fb38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.

Jan 28th

Jan 28, 2022 10:43:23.160 [0x7f97c335cb38] ERROR - Error parsing HTTP request: ELP
Jan 28, 2022 10:43:29.298 [0x7f97c335cb38] ERROR - Error parsing HTTP request: 

Jan 28, 2022 10:43:29.975 [0x7f97c337fb38] ERROR - Error parsing HTTP request: \80\00\00(r\FE\00\00\00\00\00\00\00\00\86\A0\00\97|\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00
Jan 28, 2022 10:43:30.147 [0x7f97c335cb38] ERROR - Error parsing HTTP request: \00\00\00\00\00\00\00\00\00\00aversionbind\00\00\00
Jan 28, 2022 10:43:30.547 [0x7f97c335cb38] ERROR - Error parsing HTTP request: HELP
Jan 28, 2022 10:43:33.655 [0x7f97c335cb38] ERROR - Error parsing HTTP request: \00\00S\00\00O\00?G\D7\F7\BA,\EE\EA\B2`~\F3\00\FD\82{\B9Ֆ\C8w\9B\E6\C4\DB<=\DBo\EFn\00\00(\00\00\00
\00f\00\00\00e\00d\00c\00b\00a\00`\00\00\00	\00\00\00\00\00\00
Jan 28, 2022 10:43:33.833 [0x7f97c337fb38] ERROR - Error parsing HTTP request: \00\00i\00\00eU\A7\E4random1random2random3random4\00\00\00/\00
\00\009\00\00\FF\00\000\00
\00,\00*\00\00\00
Jan 28, 2022 10:43:34.006 [0x7f97c335cb38] ERROR - Error parsing HTTP request: \00\00\00qj\81n0\81k\A1\A2
\A4\81^0\\A0a\00P\80\00\A2eNM\A30\A0\00\A10ekrbtgteNM\A519700101000000Z\A7\B9٨0
Jan 28, 2022 10:43:34.179 [0x7f97c337fb38] ERROR - Error parsing HTTP request: \00\00\00\A4\FFSMBr\00\00\00\00@\00\00\00\00\00\00\00\00\00\00\00\00\00\00@\00\00\00\00\81\00PC NETWORK PROGRAM 1.0\00MICROSOFT NETWORKS 1.03\00MICROSOFT NETWORKS 3.0\00LANMAN1.0\00LM1.2X002\00Samba\00NT LANMAN 1.0\00NT LM 0.12\00
Jan 28, 2022 10:43:34.351 [0x7f97c337fb38] ERROR - Error parsing HTTP request: l\00\00\00\00\00\00\00\00\00\00
Jan 28, 2022 10:43:34.522 [0x7f97c335cb38] ERROR - Error parsing HTTP request: OPTIONS sip:nm SIP/2.0
Via: SIP/2.0/TCP nm;branch=foo
From: <sip:nm@nm>;tag=root
To: <sip:nm2@nm2>
Call-ID: 50000
CSeq: 42 OPTIONS
Max-Forwards: 70
Content-Length: 0
Contact: <sip:nm@nm>
Accept: application/sdp

Jan 28, 2022 10:48:07.550 [0x7f97c335cb38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.

That soup of garbage requests looks almost like nmap probing to me. Or something similar that’s trying to identify the service and discover vulnerabilities on the port.

This nmap source file contains the string “random1random2random3random4” which is in those log entries.

nmap/shortport.lua at master · nmap/nmap · GitHub

What about nmap -A X.X.X.X -vvvvvvvvv -p 32400 --script-trace?

Obviously I’m not certain it comes from nmap. I don’t see the “aversionbind” string there, for instance - some other tool is also possible. I’m guessing because it’s such a smorgasbord of different garbage. It definitely isn’t coming from any normal client - something is doing discovery.

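As an added example (not code from the thread or from Plex), here is a small Python detector for exactly the pattern discussed above: it groups the “Error parsing HTTP request” entries into time-clustered bursts and flags bursts that carry the probe strings quoted in the log excerpts. The sample lines are constructed to mirror the thread's excerpts, and the signature labels are my own; only the “random1random2random3random4” string is the one the thread traced to nmap.

```python
import re
from datetime import datetime, timedelta

# Plex log line: "<Mon DD, YYYY HH:MM:SS.mmm> [0x...] LEVEL - message"
LINE_RE = re.compile(
    r"^(\w{3} \d{2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \[0x[0-9a-f]+\] (\w+) - (.*)$")
PARSE_ERROR = "Error parsing HTTP request: "

# Substrings seen in the probe payloads quoted in the thread. Labels are assumptions;
# the first one is the string the thread found in nmap's shortport.lua.
SIGNATURES = {
    "random1random2random3random4": "nmap-style version probe",
    "OPTIONS sip:": "SIP OPTIONS probe",
    "SMBr": "SMB negotiate probe",
    "HELP": "generic HELP probe",
    "aversionbind": "unknown bind/version probe",
}

# Constructed sample, modelled on the Feb 11 block in the thread (not a real server log).
SAMPLE_LOG = r"""
Feb 11, 2022 16:49:49.175 [0x7f200e748b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 11, 2022 16:56:03.182 [0x7f200e748b38] ERROR - Error parsing HTTP request: ELP
Feb 11, 2022 16:56:10.355 [0x7f200e748b38] ERROR - Error parsing HTTP request: HELP
Feb 11, 2022 16:56:10.703 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00i\00\00eU\A7\E4random1random2random3random4\00\00\00/\00
Feb 11, 2022 16:56:11.052 [0x7f200e748b38] ERROR - Error parsing HTTP request: \00\00\00\A4\FFSMBr\00\00\00\00@\00PC NETWORK PROGRAM 1.0\00NT LM 0.12\00
Feb 11, 2022 16:56:11.410 [0x7f200e725b38] ERROR - Error parsing HTTP request: OPTIONS sip:nm SIP/2.0
Feb 11, 2022 16:59:49.178 [0x7f200e748b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 12, 2022 09:00:00.000 [0x7f200e725b38] ERROR - Error parsing HTTP request: GET / HTTP/1.1
"""

def parse_line(line):
    """Return (timestamp, level, message) or None for lines that are not log entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S.%f"), m.group(2), m.group(3)

def find_probe_bursts(lines, window=timedelta(seconds=60), min_count=3):
    """Cluster parse errors that arrive within `window` of each other; report clusters
    that are either large (min_count) or contain a known probe signature."""
    bursts, current = [], None
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not parsed[2].startswith(PARSE_ERROR):
            continue
        ts, _, msg = parsed
        payload = msg[len(PARSE_ERROR):]
        if current and ts - current["last"] <= window:
            current["last"], current["count"] = ts, current["count"] + 1
        else:
            current = {"start": ts, "last": ts, "count": 1, "matches": set()}
            bursts.append(current)
        current["matches"].update(lbl for s, lbl in SIGNATURES.items() if s in payload)
    return [b for b in bursts if b["count"] >= min_count or b["matches"]]
```

A lone malformed request (the constructed Feb 12 line) is dropped as noise, while the five-entry burst carrying the probe strings is reported with every matched label, which is the difference between a stray client and a service-discovery sweep.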