Was Plex hacked or is it just full of adware/spam?

Ever since I installed PLEX on my linux system, I get constant sshd errors. Seems it is trying to connect to suspicious sites like:
mail.post.ir
www.delangiz22.ir
qwnaz.ir
bank.lv
ttm2011.tk
mehran30m.tk

I see all this in my ssh logs, but it stops whenever I disable plexmediaserver (systemctl stop plexmediaserver). It was much worse earlier today; checking /var/logs I can see sometimes over 30 attempts were made at once to a particular site (see attachment).

Has anyone else scanned Plex and what it does to your system after installation? I downloaded Plex directly through dnf/yum.

Which app package did you install? Doing a quick search for dnf/yum, I see at LEAST two different Plex options. I don’t know which (if either) is an official one. Maybe just get the package from Media Server Downloads | Plex Media Server for Windows, Mac, Linux, FreeBSD and More

Edit: Those URL’s are very sketchy looking. Wonder if it’s a fake scam Plex install.

Those are not official packages from Plex.

Guess I can’t close this, as it takes 3 months. But I got everything resolved. It wasn’t Plex, rather what was needed for the configuration of Plex in Linux, and it wasn’t secured in the guide I used. I was able to disable everything and enable it one by one, after securing everything. I even added SSL today (LetsEncrypt) but made sure that was secured as well (HTTP, httpd, swapping default ports, etc.)

There is no need to handle certificates manually for Plex. It does everything for you automatically.

There is no need for setting up a webserver for operating Plex.

So www.downloads.plex.tv/repo/rpm is not the official Plex packages? I see we are on www.forums.plex.tv, so is this not the official forum for Plex? Where are the official ones? Also, how familiar are you with Linux?

$ sudo tee /etc/yum.repos.d/plex.repo<<EOF
[Plexrepo]
name=plexrepo
baseurl=https://downloads.plex.tv/repo/rpm/\$basearch/
enabled=1
gpgkey=https://downloads.plex.tv/plex-keys/PlexSign.key
gpgcheck=1
EOF

Do you work for Plex? There are a lot of uses for Apache that I can recommend to the Plex team that can help other people with more complex setups than normal. If you do work for them, let me know so I can paste some here. I figure most people here are just running Plex alone, not a million other services nor a complex remote server.

If you just google Plex and Apache, you will learn a lot about the critical need some have for using a webserver, particularly Apache, with Plex. One such way is as a reverse proxy to access Plex when you set it up on a remote server that you have never seen physically in your life and never will, instead of ssh. We can also change the port through Apache, and use webstats and other Apache plugins to gather realtime statistics of use and connections including IP addresses and countries, words searched in Plex, etc., stuff Plex doesn’t have natively. Sorry, I am a network engineer and some for most of my life, so I am a little more advanced in my applications. I’m sure 99% of the people you help and get Plex just want to watch videos, and care less about resource usage, country of connections, IPs, detecting rogue users, etc.; they just want to watch content lol. BTW, Plex uses boost webserver natively.

@mr_s536

May I be of help here? I do the package installation & support here at Plex.

From what I can see of the auth log you shared, it looks like something is already in your machine but won’t claim that 100% just yet.

I would also like you to verify:

  1. SSH is DISABLED
    -OR-
  2. If you need to use it, you change the port to something wildly away from 22.

This won’t stop anything already in the machine but will make getting into it harder.

Since you’re a network engineer, what’s the net config?

  1. Local server? Remote server?
  2. Distro? Version?
  3. Accessing the server via?

As FYI, I don’t reverse proxy my server.
Instead, I run a pfsense firewall rule which only allows specific friends through by DDNS FQDN.
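An added example, not code from the thread or from Plex: a small POSIX shell script that does the two things the reply above asks for on a Linux host. It counts failed sshd password attempts per source address from auth-log text (sshd records the peer address of each inbound attempt, and any hostname it logs beside that address is a reverse lookup of it), flags sources at or above a burst threshold, and checks whether sshd_config has moved the port off 22 (the reply's point 2) and turned password logins off (an addition here, not something the reply asks for). The log lines, addresses and the threshold of 3 are constructed for the demo; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd auth-log noise and check the
# sshd_config settings discussed in the reply above. Sample lines are constructed.
set -eu

# Constructed sample of /var/log/secure style sshd lines (documentation ranges,
# not real hosts).
SAMPLE_LOG='Mar  3 10:15:01 media sshd[4101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:01 media sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:02 media sshd[4103]: Failed password for invalid user test from 203.0.113.5 port 51240 ssh2
Mar  3 10:16:40 media sshd[4110]: Failed password for pi from 198.51.100.7 port 40022 ssh2
Mar  3 10:20:12 media sshd[4120]: Accepted publickey for alice from 192.0.2.9 port 50001 ssh2'

# Count failed password attempts per source address. Reads log text on stdin,
# prints "<count> <ip>" lines, highest count first.
failed_by_source() {
    awk '/Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
         }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Keep only sources whose count is at or above the threshold in $1 (the
# "over 30 attempts at once" the original poster saw would be threshold 30).
# Reads failed_by_source output on stdin.
flag_bursts() {
    awk -v t="$1" '$1 >= t'
}

# Inspect the sshd_config in $1. sshd uses the FIRST occurrence of a directive,
# and the defaults are "Port 22" and "PasswordAuthentication yes".
# Returns 0 only when the port is off 22 AND password logins are disabled.
check_sshd_config() {
    awk '
        tolower($1) == "port" && !pset { port = $2; pset = 1 }
        tolower($1) == "passwordauthentication" && !wset { pw = tolower($2); wset = 1 }
        END {
            if (port == "") port = 22
            if (pw == "") pw = "yes"
            ok = 1
            if (port == 22) { print "WARN: sshd listens on the default port 22"; ok = 0 }
            if (pw != "no") { print "WARN: PasswordAuthentication is " pw "; prefer key-only logins"; ok = 0 }
            if (ok) print "OK: Port " port ", PasswordAuthentication no"
            exit (ok ? 0 : 1)
        }' "$1"
}

demo() {
    echo "== failed password attempts per source =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source
    echo "== sources at or above 3 attempts =="
    printf '%s\n' "$SAMPLE_LOG" | failed_by_source | flag_bursts 3
    # Check the live config only where it is readable; otherwise the demo is log-only.
    if [ -r /etc/ssh/sshd_config ]; then
        echo "== sshd_config check =="
        check_sshd_config /etc/ssh/sshd_config || true
    fi
}

demo
```

On a real host, feed the functions with `journalctl -u sshd --no-pager | failed_by_source | flag_bursts 30` (or `cat /var/log/secure | …` on older systems); the bursts list is what to compare against the hostnames the original poster saw, and a source that keeps appearing after the port change is the one to block at the firewall rather than in sshd.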

Does every friend have to have a DDNS client running for that to work? Wouldn’t that limit mobile access?

@_base04

A DDNS is not required IF

  1. They live in a location where their IP rarely, if ever, changes (some of my friends are like this) and I just hard pin the IP address.
  2. They already have their own FQDN attached to their IP.
  3. They are willing to install the WireGuard VPN client and connect to my VPN.
    – Only their traffic to me comes over the VPN.
    – All other traffic is out their regular mobile data provider

Point #3 very nicely solves all mobile problems 😎

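An added example, not from the thread or from pfSense: the per-friend allow-list described above, built on a Linux host with nftables instead of a pfSense rule. Friends' DDNS names are resolved with getent, only addresses that validate as IPv4 go into a set, and the Plex port (32400, Plex's default) accepts connections only from that set and drops everyone else. The labels and addresses in the demo are constructed from documentation ranges, and the table and set names are my own choice.

```shell
#!/bin/sh
# Added example (not from the thread): build an nftables allow-list for the Plex
# port from friends' DDNS names, the Linux counterpart of the pfSense rule above.
set -eu

PLEX_PORT=32400   # Plex Media Server's default listening port

# True when $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Resolve a DDNS name to its current IPv4 address with the system resolver.
# Prints nothing when the name does not resolve.
resolve_v4() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Read "<label> <ipv4>" lines on stdin and print an nftables ruleset that accepts
# PLEX_PORT only from those addresses and drops the rest. An entry whose address
# fails validation (a stale or unresolvable DDNS name) is skipped with a note on
# stderr, so it can never widen the rule; with no valid entries the set stays
# empty and the port is closed to everyone.
build_ruleset() {
    elements=""
    while read -r label addr; do
        [ -n "$label" ] || continue
        if is_ipv4 "$addr"; then
            elements="${elements:+$elements, }$addr"
        else
            echo "skip: $label has no valid IPv4 address ('$addr')" >&2
        fi
    done
    elem_line=""
    if [ -n "$elements" ]; then
        elem_line="elements = { $elements }"
    fi
    cat <<EOF
table inet plex_allow {
    set friends_v4 {
        type ipv4_addr
        $elem_line
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $PLEX_PORT ip saddr @friends_v4 accept
        tcp dport $PLEX_PORT drop
    }
}
EOF
}

# Re-resolve every name given as an argument and print a fresh ruleset.
refresh_from_names() {
    for name in "$@"; do
        printf '%s %s\n' "$name" "$(resolve_v4 "$name")"
    done | build_ruleset
}

# Constructed demo input standing in for resolve_v4 output: two friends with
# documentation-range addresses and one whose DDNS name did not resolve.
DEMO_FRIENDS='alice 203.0.113.10
bob 198.51.100.7
carol not-resolved'

printf '%s\n' "$DEMO_FRIENDS" | build_ruleset
```

Run `refresh_from_names alice.ddns.example bob.ddns.example | nft -f -` from a cron job (as root) so the set follows DDNS changes; the `nft -f` load replaces the whole table atomically, so a friend whose address changed is never half-updated. A WireGuard friend (point 3 above) needs no entry at all, since their traffic arrives from the tunnel interface and is filtered by the VPN's own peer configuration rather than by this table.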

Point 3 really is nice. What do you do if somebody doesn’t want to use/can’t use WireGuard but still wants to be mobile? Do you just deny?

I just deny them.

“Beggars can’t be choosers”.

“Either comply with my requests, which I will help setup, or go pay for content elsewhere”

This is MY server. Nobody helped me build or sustain it.
(E5-2690v4, 256GB, 2x 10GbE NIC, 144TB HDD, 11 more support SSDs, and all the LAN infrastructure)

Family is family… but I won’t be used.

