Plex susceptible to Botnet infections?

Server Version#: Current Synology release
Player Version#: Not applicable

So for the last couple of days my UTM router/firewall appliance has been flagging my Synology DiskStation as the source of DNS queries to a botnet C&C server (C2/Generic-A). It was blocking access, so that gave me time to try to sort things out… then earlier today, when I opened a web client to the NAS, it also launched an exploit attack on the PC I was connecting from (also caught by AV/AM). At that point I put a bit more effort into trying to figure out what was going on. Since the Plex Media Server is the only component of the NAS that has internet access, I started by disabling the forwarder in the router and shutting down the Plex server. Since then the malware activities have stopped, so while I’m not yet 100% sure, it seems possible it is the source of the activity.

The AV options available for the Synology are pretty much useless, so do I just nuke Plex and reinstall (it takes forever to rebuild my library db) or is there a way to reinstall without wiping the db? (or some other method)

Do you know what specific domains or addresses are being flagged? These kinds of firewall alerts often come down to overzealous ranges in the definitions, which might be triggering on widely-used cloud service providers (AWS, Linode, etc.) or on the consumer ISPs you and your friends likely run servers on.

Without more information about what it’s warning about, I can’t really give any useful advice on how to proceed.

The C2/Generic-A warning is not an isolated incident. Sophos on my Mac has been flagging Plex since May 6th, 2021. The latest messages point to https://ia601405.us.archive.org

Today’s warning:
Malicious traffic detected
An application connected to a malicious computer over the internet
C2/Generic-A
/Applications/Plex Media Server.app/Contents/MacOS/Plex Script Host
Thursday, July 8, 2021 3:28 AM

Here’s the first warning:

An application connected to a malicious computer over the internet
C2/Generic-A
/Applications/Plex Media Server.app/Contents/MacOS/Plex Script Host
Thursday, May 6, 2021 3:36 PM

My firewall is flagging the same host as Khatarlan… ia601405.us.archive.org. I actually didn’t worry too much about it (Sophos can be overzealous, I’m running their UTM9 VMWare appliance) until I had the exploit attempt against one of my Windows machines when I connected to the NAS web site. That made me more concerned. I’ve not had any activity since I shut down the Plex server (and the number of firewall violations dropped from 900/hr to less than 50/hr).

Looking at Khatarlan’s post, I’m guessing there’s a Python script that’s managed to get added to your app (wish I knew how, since that’s the hole that needs plugging, and it’s quite possible I left something vulnerable somehow). Is there a way to clean up scripts or find newly added scripts on your web server?

We’ve seen that one before.
Plex is connecting to a specific service hosted under archive.org (I believe it’s https://coverartarchive.org, which is hosting media under archive.org). However… archive.org also stores lots of other stuff, regardless of whether that content is malicious, benign or something in between. Therefore many security apps consider every connection to archive.org to be a security violation and block it.
At least that’s how I remember the explanation from the last time this popped up.

I don’t remember if they made exceptions in their rules when this happened in the past or if users created exceptions for themselves (not having one of those at hand at the moment).


That makes sense, sounds like what I should do is continue dropping archive.org but whitelist that host.

Yup, this is a solid explanation.

If anyone knows specific URLs that are being hit, or can identify a specific Plex Script Host process and its args, I might be able to confirm a bit more, but a mis-flag on Cover Art Archive (because IA is also sometimes used by malware authors) seems like the most likely cause.
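The explanation above and the earlier decision to keep dropping archive.org while allowlisting the one host Plex actually uses, written out as a small triage script (an added example, not code from the thread or from Plex): it exempts only the two hosts named in the posts, keeps everything else under archive.org blocked, and collapses repeated alerts per process and host so a burst of identical cover-art fetches reads as one line. The alert line format and the `example-item.us.archive.org` hostname are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hosts the thread names as legitimate Plex metadata sources; everything else under
# archive.org stays dropped, as the existing firewall rule does.
PLEX_METADATA_HOSTS = {"ia601405.us.archive.org", "coverartarchive.org"}
BLOCKED_PARENT = "archive.org"
# Process path quoted in the Sophos alerts posted above.
PLEX_SCRIPT_HOST = "/Applications/Plex Media Server.app/Contents/MacOS/Plex Script Host"

def host_of(target):
    """Normalise a URL or bare hostname from an alert to a lowercase hostname."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.lower().rstrip(".")

def classify(target):
    """'allow' for an exempted Plex host, 'block' for anything else under
    archive.org, 'pass' when this rule does not apply (existing policy decides)."""
    h = host_of(target)
    if h in PLEX_METADATA_HOSTS:
        return "allow"
    if h == BLOCKED_PARENT or h.endswith("." + BLOCKED_PARENT):
        return "block"
    return "pass"

# Constructed alert lines (assumed format: "<signature> <process> -> <destination>");
# the last destination is a made-up hostname, not one seen in the thread.
SAMPLE_ALERTS = [
    f"C2/Generic-A {PLEX_SCRIPT_HOST} -> https://ia601405.us.archive.org/",
    f"C2/Generic-A {PLEX_SCRIPT_HOST} -> https://ia601405.us.archive.org/",
    f"C2/Generic-A {PLEX_SCRIPT_HOST} -> https://ia601405.us.archive.org/",
    f"C2/Generic-A {PLEX_SCRIPT_HOST} -> https://example-item.us.archive.org/",
]

ALERT_RE = re.compile(r"^(?P<sig>\S+) (?P<proc>.+?) -> (?P<dst>\S+)$")

def triage(alerts):
    """Collapse alerts to (process, host, verdict) counts; unparseable lines are skipped."""
    counts = Counter()
    for line in alerts:
        m = ALERT_RE.match(line)
        if m:
            h = host_of(m["dst"])
            counts[(m["proc"], h, classify(h))] += 1
    return counts

if __name__ == "__main__":
    for (proc, host, verdict), n in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{n:4d}  {verdict:5s}  {host}  ({proc})")
```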
