I’m using plaintext on my LAN, but also to connect to servers I run on another network over the internet. Not ideal, I know, but it seemed I had no other choice when the cert problem arose (besides buying new hardware).
… in addition to Let’s Encrypt
… for remote clients
(That’s a great guide.)
Want to take this to another thread?
---
Plex folks, remove the recommendation to disable secure connections for the busted TVs? It’s still available if people insist, but it shouldn’t be the recommendation from Plex. The warning language doesn’t really inform what the risks are. I’ve seen “I don’t care if my ISP knows I’m watching Buffy” from a bunch of people.
Thanks, I’ll have a look at that tomorrow.
Confirmed
I enabled the notification for new device logins in PMS in the iOS app. Today I received 3 notifications.
But I didn’t sign in using Chrome.
Also there is no Chrome device listed in the “Devices List” in the WebGUI.
How is this possible? Did someone again have access to my server?
You know that I changed the password only a few days ago and have 2FA enabled.
The latest posts were focusing on how they accessed files after a valid sign-in. There seems to be some work on it and hopefully fixes soon.
But how did they get the valid token / server access?
I think that his question is not finally answered, is it?
Could it possibly be that those findings in here are somehow also related to the current Deadbolt attack hitting Asustor NAS devices?
There are indicators that, besides the use of EZ Connect, the usage of Plex (with and without remote access) may play a role.
Could it be logging the browser user-agent when it’s used to access the api with the stolen token, rather than actually registering as a player?
Did you also force a sign out of all connected devices?
Ref: Plex Server scans for wallets? - #108 by Ridley
Maybe someone from the Plex Team can explain when a notification is sent?
Yes, I did.
Was this maintenance related with this topic here?
Does anyone have details, or can anyone simply confirm?
Sorry for replying in-thread, but @SwiftPanda16 doesn’t seem to have DMs enabled. I ran through the ZeroSSL instructions for my servers and added the certs and all is good. Unfortunately I can’t easily auto-renew them as the same hardware also has LetsEncrypt certs on them for other services on 443 and 80. I’ve set them up to use email verification for now, but I’ll see if I can script something to automate it with CNAME records in the future.
Now I just need to get my friends to add the certs to their servers, too…
Any updates on this @ChuckPa?
Still work in progress.
Looks like there is some progress…
Indeed, next time we can hopefully track it.
What would be the best string to grep for? Have been checking a few things daily but would be great to have something concrete to check for.
Since they tried to disable logging, I would go for:
PUT /:/prefs?sendCrashReports=0&PushNotificationsEnabled=0&logDebug=0&LogVerbose=0
In addition, I would also look for
boost::filesystem::status: Permission denied
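As an added example (my code, not from anyone in this thread), here is a small scanner that applies the two indicators quoted above to Plex Media Server log lines and reports which source address they came from, so a single client hitting both can be spotted. The log line layout, the function names and the sample lines are assumptions; the sample uses RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# The two strings suggested in the thread, as regexes (mine):
# 1) a client switching off crash reports, push notifications and debug/verbose logging
# 2) boost filesystem permission errors, which on their own can be benign and are
#    mainly interesting when they coincide with (1)
INDICATORS = {
    "prefs_disabled_remotely": re.compile(
        r"PUT /:/prefs\?\S*(?:sendCrashReports|PushNotificationsEnabled|logDebug|LogVerbose)=0"
    ),
    "fs_permission_denied": re.compile(r"boost::filesystem::status: Permission denied"),
}
# Assumed: requests are logged as "[ip:port]"; the first dotted quad on a line is the client.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_log(lines):
    """Return one finding per (line, indicator) hit: line number, indicator name, source IP."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                ip = IPV4_RE.search(line)
                findings.append({"line": lineno, "indicator": name,
                                 "ip": ip.group(1) if ip else None,
                                 "text": line.strip()})
    return findings


def summarize(findings):
    """Count hits per indicator and per source IP to see whether one client did both."""
    return {"by_indicator": Counter(f["indicator"] for f in findings),
            "by_ip": Counter(f["ip"] for f in findings if f["ip"])}


# Constructed sample lines in an assumed Plex-like layout, not a real server log.
SAMPLE_LOG = """\
Mar 01, 2022 03:25:10.101 [0x7f] DEBUG - Request: [198.51.100.23:51234] GET /library/sections
Mar 01, 2022 03:25:11.204 [0x7f] DEBUG - Request: [198.51.100.23:51234] PUT /:/prefs?sendCrashReports=0&PushNotificationsEnabled=0&logDebug=0&LogVerbose=0
Mar 01, 2022 03:25:12.330 [0x7f] ERROR - boost::filesystem::status: Permission denied
Mar 01, 2022 09:00:00.000 [0x7f] DEBUG - Request: [192.0.2.7:40000] GET /status/sessions
""".splitlines()

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['indicator']} from {h['ip']}")
    print(summarize(hits))
```

To run it against a real server, pass an open file handle for the server's "Plex Media Server.log" to scan_log instead of SAMPLE_LOG.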
If someone is still experiencing these logs and is able to put something like nginx as a reverse proxy, I think it would be super useful to have raw requests logged. It’s clearly some sort of attack, and the part that’s unclear is whether they are stealing tokens or whether there is some way to bypass having a valid token.
That is doubtful, since the part of the logs we saw showed token access, but as the server owner
I think something hokey was going on on one of my servers last night. I followed @SwiftPanda16’s guide on setting up ZeroSSL certs on my servers, disabled insecure connections and turned on notification of new client connections.
Then this morning at 03:25 UK time (when I was tucked up in bed) I got notification of a new login with my account using chrome browser on a server I host remotely. Strangely, this login appears to have come from my home broadband’s IP address.
Looking in the logs, there are many entries at all times of the day (i.e. not just when I would expect to see genuine user activity) for connections from this IP address with the token associated with my user name. Why would it suddenly alert one of those as a new login? Do the servers I run use my token to communicate between themselves?
Happy to provide logs if necessary (debug logging has been enabled on all my servers since this started).
Edit: Been doing more digging in the logs. At the same time as I see the “new” login with my token I also see a load of traffic from a Chinese IP address (111.7.100.17) that doesn’t appear anywhere else in my logs.
