I just checked with nmap -p 32400 192.168.0.18
There was nothing added to the log.
Bingo, that solves that riddle.
Feb 19, 2022 15:17:34.334 [0x7f1b635b4b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.
Feb 19, 2022 15:17:34.992 [0x7f1b635b4b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:49.191.206.32]:52190: sslv3 alert bad certificate
Feb 19, 2022 15:17:41.021 [0x7f1b62d63b38] DEBUG - NetworkServiceBrowser: Parsing SSDP schema for http://192.168.0.44:9080
Feb 19, 2022 15:17:41.021 [0x7f1b62d63b38] DEBUG - HTTP requesting GET http://192.168.0.44:9080
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] DEBUG - HTTP/1.1 (0.0s) 200 response from GET http://192.168.0.44:9080 (reused)
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - XML: Entity: line 1:
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - XML: parser
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - XML: error :
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - XML: Start tag expected, '<' not found
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - XML: status=ok
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - XML: ^
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - Error parsing content.
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - Error parsing XML: Error parsing file.
Feb 19, 2022 15:17:41.028 [0x7f1b62d63b38] ERROR - SSDP: Error parsing device schema for http://192.168.0.44:9080
Feb 19, 2022 15:17:43.623 [0x7f1b63591b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.0.13]:60182: stream truncated
Feb 19, 2022 15:17:43.624 [0x7f1b63591b38] DEBUG - Request: [192.168.0.13:60184 (Subnet)] GET / (29 live) Signed-in
Feb 19, 2022 15:17:43.624 [0x7f1b63591b38] DEBUG - Completed: [192.168.0.13:60184] 401 GET / (29 live) 0ms 371 bytes
Feb 19, 2022 15:17:43.630 [0x7f1b63591b38] DEBUG - Request: [192.168.0.13:60186 (Subnet)] OPTIONS / (29 live) Signed-in
Feb 19, 2022 15:17:43.630 [0x7f1b63591b38] DEBUG - Completed: [192.168.0.13:60186] 401 OPTIONS / (29 live) 0ms 371 bytes
Feb 19, 2022 15:17:43.633 [0x7f1b63591b38] DEBUG - Request: [192.168.0.13:60188 (Subnet)] OPTIONS / (29 live) Signed-in
Feb 19, 2022 15:17:43.633 [0x7f1b63591b38] DEBUG - Completed: [192.168.0.13:60188] 401 OPTIONS / (29 live) 0ms 371 bytes
Feb 19, 2022 15:17:43.635 [0x7f1b63591b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.0.13]:60190: wrong version number
Feb 19, 2022 15:17:43.635 [0x7f1b635b4b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.0.13]:60192: wrong version number
Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.0.13]:60194: wrong version number
Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] DEBUG - Request: [192.168.0.13:60196 (WAN)] HELP (32 live) Signed-in
Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] ERROR - Error parsing HTTP request: ELP
Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] DEBUG - Completed: [192.168.0.13:60196] 400 HELP (32 live) 0ms 265 bytes
Feb 19, 2022 15:17:43.637 [0x7f1b635b4b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.0.13]:60198: version too low
Feb 19, 2022 15:17:45.157 [0x7f1b63591b38] DEBUG - CERT: incomplete TLS handshake from [::ffff:192.168.0.40]:34826: sslv3 alert certificate unknown
Feb 19, 2022 15:17:49.646 [0x7f1b635b4b38] DEBUG - Request: [192.168.0.13:60200 (WAN)] (34 live) TLS Signed-in
Feb 19, 2022 15:17:49.646 [0x7f1b635b4b38] ERROR - Error parsing HTTP request:
The cert violations won't be seen because DEBUG logging was disabled.
This seems to back it as some kind of nmap
!!!
I assume you're already taking steps to reset your Plex passwords and invalidate tokens?
Is ~flow the only regular user on that system?
Whatever tool is behind this, it's automated. It requested prefs, changed logging, and started testing for directories within seconds.
Those all look like directories. I wonder if this thing is adding them to a Library so it can test for contents.
What kind of VPS? You installed Plex yourself, or it comes "bundled" by the provider?
Do you have any thoughts about how your credentials or a token might have been accessed?
Do you use other software that integrates with Plex?
So I'm using the apt source on my linux server:
cat /etc/apt/sources.list.d/plexmediaserver.list
deb https://downloads.plex.tv/repo/deb public main
So we now have two major questions:
Because he seems to have first read the /etc/passwd file. Then he knows all users on the system and brute-forces, for each user, the home directory folders for crypto wallets.
I would really, really like to hear that you guys have been doing something obviously stupid. (That's not an insult at all! I'll sleep better if this requires leaked credentials or tokens.)
@martinr92 did you see authenticated access in your logs too?
The crypto pirates are really active. Jerks.
I didn't have debug logs enabled. It seems that PMS only prints this information into the log file then.
Also I changed the password now and I had already 2FA enabled.
Did you disable it yourself? In @flow's log it was obviously disabled by the attacker.
It might not have been the first time they accessed your server.
To be honest, I don't know.
I just know that they have been disabled for > 7 days. So during the last "attack" they were already disabled.
It may be that I disabled them years ago.
It could also be that the attacker visited me already in the past (> 7 days).
@martinr92 / @flow - quick question: you say that the folders mentioned in your logs don't currently exist, but have they ever existed in the past on your machines? Has any cryptocoin software ever been installed in the past on these machines?
From my side:
This folder never existed.
I analyzed the logs also more on my side.
/home has 19 folders, but access was only attempted on 16 of them.
This is because only 16 users have their own home directory. The other 3 folders were created manually by me (with similar, but custom, permissions).
So the attacker was not simply scanning the /home directory (because then I would see 19 folders in my logs).
Instead he was reading a file that contains all OS users and their home directories (like /etc/passwd).
Then, for each user, he tried to access the same folders:
.mozilla/firefox
.config/opera/databases/chrome-extension_hnjalnkldgigidggphhmacmimbdlafdo_0
.config/google-chrome
.config/BraveSoftware/Brave-Browser
bitcoin
.dogecoin
.litecoin
.dashcore
.electrum/wallets
.walletwasabi/client/wallets
.local/share/Daedalus/mainnet/wallets
.local/share/Coinomi/wallets
.ethereum/keystore
.config/Jaxx/Local Storage
.config/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb
snap/bitpay/current/.bitpay/app/Local Storage/leveldb
.config/atomic/Local Storage/leveldb
.config/Exodus/exodus.wallet
.electron-cash/wallets
I have so many OS users on the server because every service/application has its own user on this server. This allows me to control who has access to what on the server (e.g. with file system permissions).
So hopefully on Monday some security expert from Plex is taking care of these cases here.
Because who reads all logs daily? I don't do that. Right now, we don't know how many servers have already been attacked. And we don't know what else has been retrieved/stolen from the server.
I'm a software developer and Linux expert. But there are many people out there who don't have that much background knowledge.
Hopefully we find a solution soon.
Otherwise (for security reasons) I need to shut down my Plex Server.
This is the biggest question IMO which needs to be answered from this thread. Initially when it started I was convinced it was a simple case of / or /root being added to a library. That has been fully ruled out now and the fact a token has potentially been stolen/intercepted is very worrying.
Quick check on the IP above has it registered in Lebanon but who knows for sure!
For now I'll be checking daily to ensure Enable Plex Media Server debug logging has not been disabled, checking my logs for messages indicated in this thread, and I may also temporarily disable remote access and remove my port mapping to plex. That should (I hope) protect from this as only local access should get to my plex server.
Thanks for the responses, I just wanted to establish this as it wasn't clear from your previous posts.
This clearly looks like some form of RCE vulnerability to me. I think it would be sensible to set a cronjob to look at the plex logs regularly for incriminating entries such as have been seen so far in this thread
(As an aside: it would be really useful to be able to send plex logs to a remote syslog server in situations such as these)
I haven't historically been a big fan of using a traffic director or reverse proxy for Plex, for various reasons.
I'm considering implementing one now, for the additional logging capabilities.
--
Plex - please make disabling logging require a server restart. That would significantly reduce the ability of a malicious entity to hide its activity.
My syslogs (and some other logs) are already sent to a remote server (using Loki and Grafana) for monitoring reasons.
Iām now extending this configuration so that it will also work with the PMS logs.
Then I can configure alerts and know, when it happened again.
But if the attacker can still simply disable the debug log :-/
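A log-scanning check in the spirit of the cronjob suggested a few posts up and of the Loki/Grafana alerting described in this post, added here as an example; it is not code from the thread or from Plex. It parses lines in the format quoted in this thread, flags any mention of the wallet directories listed above, flags (WAN)-tagged requests that PMS answered with a 4xx status, and warns when a log window contains no DEBUG lines at all, since both affected servers had debug logging switched off. The sample input is the lines quoted in the thread plus one constructed line; the `CONSTRUCTED:` message is not a real PMS log message.

```python
"""Scan Plex Media Server log lines for the indicators discussed in this thread.

Added example for this discussion; not Plex code. The PMS log line format is
taken from the lines quoted in the thread. Three rules:
  1. wallet-path:           a line mentions one of the directories the attacker probed
  2. wan-rejected-request:  a request tagged (WAN) that PMS answered with a 4xx
  3. debug-logging-off:     no DEBUG lines at all, so debug logging may have been disabled
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# "Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] DEBUG - Request: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<thread>0x[0-9a-f]+)\] (?P<level>[A-Z]+) - (?P<msg>.*)$"
)
# "Request: [192.168.0.13:60196 (WAN)] HELP (32 live) Signed-in"
REQUEST_RE = re.compile(r"^Request: \[(?P<peer>[^\s\]]+) \((?P<scope>\w+)\)\]")
# "Completed: [192.168.0.13:60196] 400 HELP (32 live) 0ms 265 bytes"
COMPLETED_RE = re.compile(r"^Completed: \[(?P<peer>[^\]]+)\] (?P<status>\d{3}) ")

# Directories the attacker tried under every home directory (list from this thread).
WALLET_PATHS = [
    ".mozilla/firefox",
    ".config/opera/databases/chrome-extension_hnjalnkldgigidggphhmacmimbdlafdo_0",
    ".config/google-chrome",
    ".config/BraveSoftware/Brave-Browser",
    "bitcoin",
    ".dogecoin",
    ".litecoin",
    ".dashcore",
    ".electrum/wallets",
    ".walletwasabi/client/wallets",
    ".local/share/Daedalus/mainnet/wallets",
    ".local/share/Coinomi/wallets",
    ".ethereum/keystore",
    ".config/Jaxx/Local Storage",
    ".config/com.liberty.jaxx/IndexedDB/file__0.indexeddb.leveldb",
    "snap/bitpay/current/.bitpay/app/Local Storage/leveldb",
    ".config/atomic/Local Storage/leveldb",
    ".config/Exodus/exodus.wallet",
    ".electron-cash/wallets",
]


@dataclass
class Finding:
    rule: str
    line: str


def parse_line(line: str) -> Optional[dict]:
    """Split one PMS log line into timestamp, thread, level and message; None if not PMS format."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    pending = {}          # peer "ip:port" -> scope of its most recent Request line
    saw_debug = False
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:   # continuation lines, blank lines, foreign formats
            continue
        if rec["level"] == "DEBUG":
            saw_debug = True
        msg = rec["msg"]
        if any(path in msg for path in WALLET_PATHS):
            findings.append(Finding("wallet-path", raw))
        req = REQUEST_RE.match(msg)
        if req:
            pending[req["peer"]] = req["scope"]
            continue
        done = COMPLETED_RE.match(msg)
        if done and pending.pop(done["peer"], None) == "WAN" and int(done["status"]) >= 400:
            findings.append(Finding("wan-rejected-request", raw))
    if not saw_debug:
        findings.append(Finding("debug-logging-off", "<no DEBUG lines in this window>"))
    return findings


def rule_names(lines: Iterable[str]) -> List[str]:
    return [f.rule for f in scan(lines)]


# Sample input: lines quoted in the thread plus one constructed line
# (the "CONSTRUCTED:" message is not a real PMS message) mentioning a wallet path.
SAMPLE_LOG = [
    "Feb 19, 2022 15:17:43.624 [0x7f1b63591b38] DEBUG - Request: [192.168.0.13:60184 (Subnet)] GET / (29 live) Signed-in",
    "Feb 19, 2022 15:17:43.624 [0x7f1b63591b38] DEBUG - Completed: [192.168.0.13:60184] 401 GET / (29 live) 0ms 371 bytes",
    "Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] DEBUG - Request: [192.168.0.13:60196 (WAN)] HELP (32 live) Signed-in",
    "Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] ERROR - Error parsing HTTP request: ELP",
    "Feb 19, 2022 15:17:43.636 [0x7f1b635b4b38] DEBUG - Completed: [192.168.0.13:60196] 400 HELP (32 live) 0ms 265 bytes",
    "Feb 19, 2022 15:18:02.101 [0x7f1b635b4b38] DEBUG - CONSTRUCTED: directory probe of /home/flow/.electrum/wallets",
]
# A window with debug logging off: only ERROR lines survive (constructed from a quoted line).
ERROR_ONLY_LOG = [
    "Feb 19, 2022 15:17:34.334 [0x7f1b635b4b38] ERROR - [EventSourceClient/mediaserver] Retrying in 600 seconds.",
]

if __name__ == "__main__":
    lines = SAMPLE_LOG
    if len(sys.argv) > 1:   # e.g. the path of "Plex Media Server.log" from a cronjob
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    for f in scan(lines):
        print(f"{f.rule:22} {f.line.rstrip()}")
```

Run it from cron against the current PMS log file and forward any non-empty output to your alerting; the third rule is the cheap stand-in for the daily "is debug logging still on" check mentioned earlier in the thread, since a window with no DEBUG lines at all is exactly what both affected servers produced.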
Did you recently change any of your clients to access the server via http, rather than https, as a result of the certificate expiry issues with some clients? If you did there's a chance your token is being passed in plaintext and could have been captured
Has there been any indication of Remote Code Execution?
It seems like we know that authentication passwords or tokens were used to gain access to the servers.
Then Plex was reconfigured to scan known crypto wallet directories for files.
We don't know what else. We don't know if it was reconnaissance only, or if Plex was manipulated into exfiltrating files.
Right?
This - 100%. Always wondered why it was not required, seems very odd to me.
That was not the case. We know this because adding a new location or library would cause a scan that is always logged into the Plex Media Scanner.log log file. Since no entries were found there, there was no scan.