Received an alert that I used a new device to access Plex, seems to be a driveby

Server Version#:1.21.0.3616-d87012962
Player Version#: N/A

I received an alert in my Plex app saying a new device (Chrome) had connected to my server. Seeing as it was the middle of the workday and nobody that uses my server uses Chrome to watch movies, I had to check to make sure my credentials weren’t compromised. I use individual, randomized passwords for all sites so my main concern was Plex got breached.

Looking at the logs, someone from India had connected, downloaded some javascript files (about 12 MB worth) with 200 response codes, then there were some 401’s, then that’s it.

Is that what it looks like when someone connects and gets pushed to plex.tv for the free streaming, like in this thread: Plex Server Web Client Displays Content (Not Mine) Prior to Login
Why did I get a new device alert for that? It didn’t appear that anybody logged in, but all of the get requests in the debug log end in ‘signed in’. I’m fairly certain the alert had my username on it.

Here are the related log entries:
Nov 30, 2020 11:47:43.126 [8488] DEBUG - Request: [124.156.62.15:53222 (WAN)] GET / (6 live) Signed-in
Nov 30, 2020 11:47:43.127 [7764] DEBUG - Completed: [124.156.62.15:53222] 401 GET / (6 live) 0ms 371 bytes
Nov 30, 2020 11:47:44.387 [8488] DEBUG - Request: [124.156.62.15:45688 (WAN)] GET / (7 live) GZIP Signed-in
Nov 30, 2020 11:47:44.390 [7764] DEBUG - Completed: [124.156.62.15:45688] 401 GET / (7 live) GZIP 0ms 435 bytes
Nov 30, 2020 11:47:44.848 [20996] DEBUG - Request: [124.156.62.15:45700 (WAN)] GET /web/index.html (8 live) GZIP Signed-in
Nov 30, 2020 11:47:44.849 [20996] DEBUG - Final path: “C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/index.html”
Nov 30, 2020 11:47:44.851 [20996] DEBUG - Content-Length of C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/index.html is 11435 (of total: 11435).
Nov 30, 2020 11:47:44.881 [7764] DEBUG - Completed: [124.156.62.15:45700] 200 GET /web/index.html (8 live) GZIP 32ms 11435 bytes (pipelined: 1)
Nov 30, 2020 11:47:45.195 [20996] DEBUG - Request: [124.156.62.15:45700 (WAN)] GET /web/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.css (8 live) GZIP Signed-in
Nov 30, 2020 11:47:45.196 [20996] DEBUG - Final path: “C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.css”
Nov 30, 2020 11:47:45.198 [20996] DEBUG - Content-Length of C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.css is 1037831 (of total: 1037831).
Nov 30, 2020 11:47:45.481 [20996] DEBUG - Request: [124.156.62.15:45730 (WAN)] GET /web/js/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.js (10 live) GZIP Signed-in
Nov 30, 2020 11:47:45.481 [20996] DEBUG - Final path: “C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/js/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.js”
Nov 30, 2020 11:47:45.483 [20996] DEBUG - Content-Length of C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/js/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.js is 3658690 (of total: 3658690).
Nov 30, 2020 11:47:45.490 [22204] DEBUG - Request: [124.156.62.15:45728 (WAN)] GET /web/js/chunk-4-e461ad96b29313cae0b6-plex-4.43.4-7bdeb4b.js (10 live) GZIP Signed-in
Nov 30, 2020 11:47:45.491 [22204] DEBUG - Final path: “C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/js/chunk-4-e461ad96b29313cae0b6-plex-4.43.4-7bdeb4b.js”
Nov 30, 2020 11:47:45.494 [22204] DEBUG - Content-Length of C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/js/chunk-4-e461ad96b29313cae0b6-plex-4.43.4-7bdeb4b.js is 1037074 (of total: 1037074).
Nov 30, 2020 11:47:46.577 [8488] DEBUG - Completed: [124.156.62.15:45700] 200 GET /web/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.css (9 live) GZIP 1382ms 1037831 bytes (pipelined: 2)
Nov 30, 2020 11:47:47.592 [7764] DEBUG - Completed: [124.156.62.15:45728] 200 GET /web/js/chunk-4-e461ad96b29313cae0b6-plex-4.43.4-7bdeb4b.js (8 live) GZIP 2103ms 1037074 bytes (pipelined: 1)
Nov 30, 2020 11:47:48.713 [8488] DEBUG - Completed: [124.156.62.15:45730] 200 GET /web/js/chunk-2-9aec9d23ae81a4335ea6-plex-4.43.4-7bdeb4b.js (8 live) GZIP 3232ms 3658690 bytes (pipelined: 1)
Nov 30, 2020 11:47:58.720 [22204] DEBUG - Request: [124.156.62.15:45730 (WAN)] GET /web/translations/en.json (8 live) GZIP Signed-in
Nov 30, 2020 11:47:58.720 [22204] DEBUG - Final path: “C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/translations/en.json”
Nov 30, 2020 11:47:58.722 [22204] DEBUG - Content-Length of C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/translations/en.json is 2 (of total: 2).
Nov 30, 2020 11:47:58.729 [8488] DEBUG - Completed: [124.156.62.15:45730] 200 GET /web/translations/en.json (8 live) GZIP 9ms 2 bytes (pipelined: 2)
Nov 30, 2020 11:47:59.641 [8488] DEBUG - Request: [124.156.62.15:45730 (WAN)] GET /media/providers (8 live) GZIP Signed-in
Nov 30, 2020 11:47:59.643 [7764] DEBUG - Completed: [124.156.62.15:45730] 401 GET /media/providers (8 live) GZIP 0ms 357 bytes
Nov 30, 2020 11:47:59.648 [8488] DEBUG - Request: [124.156.62.15:45728 (WAN)] GET / (8 live) GZIP Signed-in
Nov 30, 2020 11:47:59.649 [7764] DEBUG - Completed: [124.156.62.15:45728] 401 GET / (8 live) GZIP 0ms 435 bytes
Nov 30, 2020 11:48:00.034 [22204] DEBUG - Request: [124.156.62.15:45700 (WAN)] GET /identity (8 live) GZIP Signed-in
Nov 30, 2020 11:48:00.038 [12600] DEBUG - Push: Sending notification tv.plex.notification.device.new to 1 users.
Nov 30, 2020 11:48:00.039 [12600] DEBUG - HTTP requesting POST https://notifications.plex.tv/api/v1/notifications
Nov 30, 2020 11:48:00.039 [7764] DEBUG - Completed: [124.156.62.15:45700] 200 GET /identity (8 live) GZIP 5ms 479 bytes (pipelined: 3)
Nov 30, 2020 11:48:01.141 [22204] DEBUG - Request: [124.156.62.15:46052 (WAN)] GET /web/index.html (9 live) GZIP Signed-in
Nov 30, 2020 11:48:01.141 [22204] DEBUG - Final path: “C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/index.html”
Nov 30, 2020 11:48:01.143 [22204] DEBUG - Content-Length of C:\Program Files (x86)\Plex\Plex Media Server\Resources\Plug-ins-d87012962\WebClient.bundle\Contents\Resources/index.html is 11435 (of total: 11435).
Nov 30, 2020 11:48:01.145 [7764] DEBUG - Completed: [124.156.62.15:46052] 200 GET /web/index.html (9 live) GZIP 4ms 11435 bytes (pipelined: 1)
Nov 30, 2020 11:48:03.029 [12600] DEBUG - HTTP 201 response from POST https://notifications.plex.tv/api/v1/notifications

That’s just some user accessing your local Plex Web client. If you share your server with others, it could have been one of those accounts. What you provided doesn’t show what account was used.

I was able to recreate this, it’s a bug. I put up a private window on my phone, disabled wifi, then connected to http://externalip:32400/web/index.html. I got an alert that states “New Device: shuasha used a new device to access (server name):Safari(Safari)”

It’s funny because I was actually using firefox and was NOT logged in to anything plex related. If any random person connects to your server, you now get an alert even though they’re just browsing the free stuff, and it gives the wrong user name. Also, when I first got this alert, I didn’t even have alerts enabled for new clients.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.