Track sign in on Plex

Plex Media Server
1

Server Version#: 4.127.1

Hi. I have a Plex server, and each person has their own user. I watch it locally, and the rest watch remotely. What has been happening to me these past few days is that, someone else is using my user to watch movies, remotely. If you look at the first picture, photo_1, on the left is my user remotely, and on the right is me locally (which is how it should be).
photo_1

It’s seem that someone externally of my home is accessing my Plex server. I’ve changed the password three times (logging out of all open sessions), enabled two-factor authentication (with Microsoft Authenticator), and still, it shows that someone is watching movies with my user.

I don’t use a VPN for Plex locally, and after changing the password, I only receive emails from devices that I log back into. In other words, no device logs in that isn’t mine, and they all have IPs from my area.

So, I’m feeling a bit puzzled, to be honest. I don’t know if it’s a false positive, but it’s certainly annoying, and I feel insecure. The password is 16 characters long, generated with Bitwarden, including numbers and symbols. I have paid Eset antivirus. They could be viewing my screen as a possibility to capture my password, but I would receive an email notification if someone logged in. And how they catch my Authenticar code?

I’m running out of ideas on what else I can do because it doesn’t seem like anyone is accessing my account, especially after changing the password.

I’ve also removed all authorized devices without any luck. In fact, there is two different IP connected ocasionally.
photo_2

To give you more data, I have Plex running on Docker, and on Preferences.xml I added a line with disableRemoteSecurity=0, but they are still “connecting”.

Thanks in advance!

2

My first step would be to set up a PIN for each user in your Plex home, or at least yourself. Any user that is in your Plex home can access the account of anyone else using Plex home freely unless the account has a PIN in place.

image
image728×403 40.2 KB

This is highly unlikely, and more likely that someone else’s account in your Plex home may be compromised, if that’s even what has taken place here. If you use a tool like Tautulli, you could check to see if any other users in your Plex home have logged in from any of those IP’s, but it would have had to be in place at the time.

If a users account has been compromised and they got into your account that way, you’ll want to contact Plex billing I believe, but if someone from Plex see’s this, they’ll tell you what to do.

3

Hi, thanks for your reply.

I also set a PIN, but it happens anyway.

In fact, it’s happening right now with my cousin’s user.

photo_3
photo_3765×654 79.8 KB

The right stream is the red rectangle one, because she has a Amazon Fire TV Stick, no Android TV in her home. The others are unknown to me.

Maybe it’s a false positive? A Plex malfunctioning?

4

Have Susanna change password and be certain to sign out of all devices

This looks like someone has her password/login info

As shared above, Check the Plex Home members.

Maxmind shows the IP address as here:

79.116.207.115	Spain (ES), Europe	79.116.207.0/24	-	40.4172, -3.684 (5 km)	Digi Spain	digimobil.es	Cable/DSL
5

Hi, thanks por your reply!

They might have hacked her account, but if they’ve accessed it, Plex would send you an email notification, wouldn’t it?

Anyway, in the case of my user, even after changing the password three times and enabling two-factor authentication, I still see my user playing things remotely, and it’s not me. It could be possible that they’ve obtained my password, but how do they get the two-factor code I receive on my iPhone?

In fact, right now they’re playing a movie (it’s 12:15pm in Spain). Moreover, Plex hasn’t sent me any emails about logging into the application unless it was by myself.

photo_4
photo_4819×611 61.6 KB

What happens when I remove a device from the authorized list? Shouldn’t it have to log in again? In that case, wouldn’t I receive an email for that login?

photo_5
photo_5997×289 33.4 KB

Kind regards.

6

Your server DEBUG logs will contain all the activity.

Temporarily, you can change library access rights then restart the server.

This will force a reconnect and they will stumble at the unauthorized library
-or-
If they continue to have access, then they have access to your server somehow.

Yes, notifications are sent.

If someone has your email address & password

IT IS POSSIBLE, with IMAP mail, to see and delete the email before you get it.
It’s difficult but is possible.

IF they have your Plex Token, they are immediately in as if they are you.

Seeing your DEBUG logs is of great help here to figure out what’s happening

7

In what file can I find all the activity you mentioned? I’ve downloaded the logs, but there are many files, and I haven’t found anything significant myself.

photo_6

I don’t think my email has been hacked; I’m using antivirus software, and I don’t use pirated software on my computer. I’ve become a security hypochondriac :slight_smile: But how could they have obtained my token? Would they have to access my computer? To change the token, would it suffice to change the password?

8

Upload the full .zip that your server gives you. Odds are you’ll want to look in Plex Media Server.log and all of it’s rollovers, that’s where I’d start. I’d have everyone on your Plex server reset both their email and Plex passwords as well.

I’m not sure what sort of background you have, or your knowledge of cyber security, but I’d recommend posting your logs so someone from Plex can take a look. I also happen to be an analyst in cyber security :slight_smile:

9

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.