This is just to inform everyone that your Plex Media Servers may need locking down, I’ll start by saying I’m a security consultant so obviously this is my top priority.
I currently have my server published on port 32400 as standard with secure connections required and password authentication required for any network. However, last night I noticed an unknown user called ‘SlyPlexPrime’ accessing media from my server; after further investigation it turns out this is an application for devices like Roku etc… that appears to leech off of other users’ servers.
I can only guess that the program has a database of Plex media servers with this port exposed to the internet, in addition to the unique IDs for video files, and is somehow using file inclusion to gain access without credentials.
I have now restricted access to specific addresses to stop the issue but will keep you all posted as to how this progresses.
If the Plex team could investigate this ASAP or alternatively could this Plex member come forward and explain?
(I also have a screenshot of the session if required.)
Here are some example links of people selling these boxes:
I have started noticing strange IPs connected to my Plex, mostly US based; whenever an unknown IP connects I have scripted my firewall to block the /24.
I am thinking of blocking everything except allowed IPs, but that would make it difficult for my friends to connect. Security is also very important to me, so I’ll find a way to block and restrict connections to trusted ones. One quick way would be to block everything except certain countries and issue VPN accounts to trusted friends. I already use a VPN home whenever I’m away.
I experienced the same last weekend. The solution for me was to add “127.0.0.1/255.255.255.255” to my allowed networks without auth in the network settings configuration of my Plex server.
This will only allow my Plex server itself access to the library without providing valid credentials. I had noticed that everyone who was able to access my library without being in my friends list before I made this change appeared as a local user and affected my own account’s watched status.
Further to the above setting I also am enforcing secured connections and translating to another port for external access.
I haven’t seen any unauthorized access since the initial change above. I am using plex.py to monitor activity now, as well as my SonicWall connection monitor, to be certain I no longer have unauthorized access to my server.
Jun 02, 2016 19:29:24 [0x7f0c00bff700] DEBUG - Request: [198.233.154.xx:3682] OPTIONS / (6 live) TLS GZIP
Jun 02, 2016 19:29:24 [0x7f0c0a7fe700] DEBUG - Completed: [198.233.154.xx:3682] OPTIONS / (6 live) TLS GZIP 0ms 516 bytes 200
Jun 02, 2016 19:29:25 [0x7f0c00bff700] DEBUG - Request: [198.233.154.xx:3712] GET / (9 live) TLS GZIP
Jun 02, 2016 19:29:25 [0x7f0c0afff700] DEBUG - Completed: [198.233.154.xx:3712] GET / (9 live) TLS GZIP 3ms 1186 bytes 200
Jun 02, 2016 19:29:26 [0x7f0c047fc700] DEBUG - Request: [198.233.154.xx:1425] GET /:/websockets/notifications (10 live) TLS GZIP
Jun 02, 2016 19:04:27 [0x7f9c3a3ff700] DEBUG - Request: [198.233.154.xx:2725] GET /:/websockets/notifications (12 live) TLS GZIP
Jun 02, 2016 19:04:35 [0x7f9c3dfff700] DEBUG - Request: [198.233.154.xx:3675] GET / (16 live) TLS GZIP
Jun 02, 2016 19:04:35 [0x7f9c4b7fe700] DEBUG - Completed: [198.233.154.xx:3675] GET / (16 live) TLS GZIP 1ms 1186 bytes 200
Jun 02, 2016 19:04:36 [0x7f9c3cfff700] DEBUG - Request: [198.233.154.xx:3685] GET /:/websockets/notifications (16 live) TLS GZIP
I do get quite a lot of such requests… plus a few failed logins. It seems like someone sniffing traffic, but it is still unwanted. This could be avoided if Plex allowed us to change the port away from 32400.
I’ve assigned a static public IP to my Plex to avoid NAT, and I have set up a port redirect to 32400 from another port, but I still find it odd that Plex does not allow you to change its port.
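The log excerpt above is the raw material for the kind of allowlist check the earlier poster scripted on their firewall. The following Python is an added example, not from the thread or from Plex: it parses “Request:” lines in that log format, compares each client address against a constructed list of trusted networks, and counts requests per untrusted /24. The sample log and the trusted networks are constructed values; the masked “xx” octet from the thread is replaced with a placeholder so the addresses parse.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the Plex Media Server log format quoted in the thread.
# The masked "xx" octet is replaced with the placeholder value 10.
SAMPLE_LOG = """\
Jun 02, 2016 19:29:24 [0x7f0c00bff700] DEBUG - Request: [198.233.154.10:3682] OPTIONS / (6 live) TLS GZIP
Jun 02, 2016 19:29:24 [0x7f0c0a7fe700] DEBUG - Completed: [198.233.154.10:3682] OPTIONS / (6 live) TLS GZIP 0ms 516 bytes 200
Jun 02, 2016 19:29:26 [0x7f0c047fc700] DEBUG - Request: [198.233.154.10:1425] GET /:/websockets/notifications (10 live) TLS GZIP
Jun 02, 2016 19:30:01 [0x7f0c047fc700] DEBUG - Request: [192.168.1.20:51000] GET /library/sections (3 live) TLS GZIP
Jun 02, 2016 19:30:05 [0x7f0c047fc700] DEBUG - Request: [203.0.113.7:40012] GET / (4 live) TLS GZIP
"""

# Networks the server owner trusts: the LAN plus one friend's address (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.7/32")]

# Only "Request:" lines carry a new client hit; "Completed:" lines repeat the same socket.
REQUEST_RE = re.compile(r"DEBUG - Request: \[(\d+\.\d+\.\d+\.\d+):\d+\] (\S+) (\S+)")


def parse_requests(log_text):
    """Yield (client_ip, method, path) for each 'Request:' line in the log."""
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group(1)), m.group(2), m.group(3)


def is_trusted(ip):
    """True when the address falls inside any trusted network."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def untrusted_sources(log_text):
    """Count requests per untrusted /24, the granularity the poster blocks at."""
    counts = Counter()
    for ip, _method, _path in parse_requests(log_text):
        if not is_trusted(ip):
            block = ipaddress.ip_network(f"{ip}/24", strict=False)
            counts[str(block)] += 1
    return counts


if __name__ == "__main__":
    for block, n in untrusted_sources(SAMPLE_LOG).items():
        print(f"{block}: {n} request(s) from outside the trusted networks")
```

Feeding the real log into `untrusted_sources` gives the /24s to review before any firewall rule is written, rather than blocking on the first unfamiliar hit.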
I’ve assigned a static public IP to my Plex to avoid NAT, and I have set up a port redirect to 32400 from another port, but I still find it odd that Plex does not allow you to change its port.
It is only the local network TCP port that cannot be changed. The public port can be whatever you choose, so long as it does not clash with something else and is forwarded to local port 32400.
In your log above, were the requests from 198.233.154.x from the hacker, or is that your own public IP, or one that you or friends you shared with were coming through?
port forwarding on router from port 32400 wan to 32400 internal server port
All network addresses including internal forced to require login to connect and access any of Plex
Plex media server secure connections set to always (rather than the default ‘preferred’)
I’ve just ordered a Netgear R7000 with Tomato installed so I can set up some harsh iptables rules in conjunction with a VPN server, so I can still access it with mobile devices, as a full solution.
But if anyone has any further instances, insights, comments or updates I would be keen to hear them.
I would also like to thank the Plex team for looking into this and I will provide logs of it if it continues to happen.
P.S. I identified the device as it was visible in the activity monitor of the Plex Media Server web page, which is how I identified it as a Roku device (of which I have none). I’ll try and provide further logs when I have some free time to sift through it all. Thanks all.
@Morton024 said:
But if anyone has any further instances, insights, comments or updates I would be keen to hear them.
I would change the WAN port to something other than 32400
In your user profile I would put a check next to REQUIRE EMAIL ADDRESS WHEN SIGNING IN, as your email address is not generally known, unlike your user name, which can be seen here.
And finally look into updating your password to something that is hard to brute force attack.
I’ve assigned a static public IP to my Plex to avoid NAT, and I have set up a port redirect to 32400 from another port, but I still find it odd that Plex does not allow you to change its port.
It is only the local network TCP port that cannot be changed. The public port can be whatever you choose, so long as it does not clash with something else and is forwarded to local port 32400.
In your log above, were the requests from 198.233.154.x from the hacker, or is that your own public IP, or one that you or friends you shared with were coming through?
My IP is in another /8; I have no friends who are currently in that IP geolocation.
Whenever I change the public port on Plex it comes up as “Not available outside your network”, even if the firewall has been updated to allow tcp4_out.
@Night said:
Whenever I change the public port on Plex it comes up as “Not available outside your network”, even if the firewall has been updated to allow tcp4_out.
There should be no difference - unless the router does not allow public and private ports to be different.
If the public port is 32500, for example, then the port forward in the router would be 32500 public/WAN port forwarded to 32400 local/private port of the local TCP/IP address of the Plex Media Server. Some routers also have a field called source port on the port forward, and that would need to be set to Any. The remote access settings page (with Show Advanced) for the Plex Media Server would need to have “manually specify public port” ticked and 32500 entered in the box.
@Morton024 said:
But if anyone has any further instances, insights, comments or updates I would be keen to hear them.
I would change the WAN port to something other than 32400
In your user profile I would put a check next to REQUIRE EMAIL ADDRESS WHEN SIGNING IN, as your email address is not generally known, unlike your user name, which can be seen here.
And finally look into updating your password to something that is hard to brute force attack.
I will be changing the default WAN port as soon as the new router arrives; in the meantime external access is decommissioned.
Good recommendation to use the email address only; however, this would only be useful if my account had been brute forced, which my router would have alerted me of. Alternatively, I imagine the Plex website admins would have noticed a ridiculous number of requests against the login page, and hopefully they use CAPTCHA in conjunction with other features to mitigate that.
My password is complex. As mentioned, I’m a security consultant, aka penetration tester / ethical hacker, so brute forcing is definitely not the issue.