Think my server got breached


Guest


Title says it all. Dynamix Active Streams showed me today two IP addresses I did not know of. They were browsing Plex appdata-related files.

 

These are the two IP addresses: 110.70.56.151, 139.162.115.125. The first points to Incheon in South Korea, while the second one points to Japan.

 

I live in South Korea, but in Gyeonggi-do. These two IP addresses are not related in any way to me.

 

Attached are the screenshots of Dynamix File Stream, as well as diagnostics.

 

I am curious to know how they got in. The only forwarded port on my router (at this current time of writing) is an OpenVPN port, and I have made sure this port is secured. The other ports, like 80 and 443, were once opened to host my websites, but they have now been closed.

 

Briefly scanning the logs, I think they haven't managed to gain access to SSH, which is to be expected given that I have not forwarded any ports other than OpenVPN.

 

Ideas?

IP-addresses-1.png

IP-addresses-2.png

derrickserver-diagnostics-20180202-1632.zip


Are you using Plex?

 

It is normal for Plex to open an HTTPS session to their server when viewing media content. The IP addresses you see in Active Streams are the Plex proxy addresses.

 

To be clear: content exchange is always directly between your own Plex server and your own client; the Plex site never receives your content.

 

11 hours ago, bonienl said:

...

 

10 hours ago, SiNtEnEl said:

...

 

Thanks so much, guys! I should've guessed... I just panicked because I knew for sure Plex didn't have their servers in Incheon. (Datacenter costs are sky-high here.) Guess I should've checked whether they used a proxy.

 

Thanks again!


Here is a related discussion on the Plex forum:
  https://forums.plex.tv/discussion/220681/plex-media-server-connecting-to-remote-ip 

 

According to that thread, here is the list of Plex pubsub servers:
  https://plex.tv/services/pubsub/servers 

One of the IPs you mentioned is listed there, and the thread gives reasons why others might not be listed. It isn't clear to me if their relay service uses those same IPs or different ones.

 

I would prefer it if they set up DNS names for these, such as "pubsub1.plex.tv", so it would be obvious that these random IPs are related to Plex. But it is what it is.


In short... if you use Plex, it is normal for Dynamix Active Streams to report IP addresses you don't recognize. Installing the PlexPy docker is probably the best way to keep an eye on which users are accessing Plex. The real problem would be if you see any users you don't recognize; in that case you'd want to "unfriend" them immediately and change your Plex password.

