How did my Plex server get infected with ransomware?

finbarqs

Diamond Member
Feb 16, 2005
4,057
2
81
It's very odd. I NEVER use it as a workstation. Nobody's even browsing the web. But somehow, that PC got ransomware, and now all my Plex media is encrypted. Which sucks, because I didn't back up my 16TB of media :( -- it was hard but oh well. My fault.

What I don't understand is how the hell the system got ransomware when nobody uses it. I do RDC from my main system to update the Plex server every once in a while, but nothing else. I don't have a password though... Are there people just accessing IPs and seeing if a terminal service or RDC is open on the PC? The only thing I can think of is random people accessing the system, and just using it as a PC and then downloading weird shit... (Which I did see some weird software... had no idea how it got on there... then I did notice a bunch of extra users in my Users folder... but they're not in my "Manage Another Account" area)

Anyways, anyone heard of this?
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
You have a computer that's accessible from the internet with no password on it. That's pretty much asking to be taken over.
 

Gunbuster

Diamond Member
Oct 9, 1999
6,852
22
81
You sure the infection is not on another PC that has write access to the share or it mapped in as a drive?
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
You have a computer that's accessible from the internet with no password on it. That's pretty much asking to be taken over.
I am by no means a PMS expert but what component is this vulnerable? It's not making sense because the only portion that really isn't password-protected is perhaps the streaming/client itself which should not have write access to the PMS. I am genuinely curious :cool:

edit- ah!

What this does is stop local users from being able to log in to your Plex library without an account. By default Plex will let any local network user in with master access, meaning any of the restrictions you make later on will not take effect for users on your local network.
 

finbarqs

Diamond Member
Feb 16, 2005
4,057
2
81
Yeah, I figured since I'm on a dynamic address I'd be okay, but I guess now that I have a password on it I should be better off... I mean, I'm smart about not getting ransomware, but shit... I'm guessing someone took control of my Plex server, ran a bunch of software, and boom. Got a ransom virus that infected all my media. Now I've put a password on my Plex, but too little too late... 90% is already encrypted with the xbtl file or whatever it's called...
 

Ketchup

Elite Member
Sep 1, 2002
14,545
236
106
You have a computer that's accessible from the internet with no password on it. That's pretty much asking to be taken over.

A little over the top, but not by much. Especially today. I can't believe today's ransomware!

But I think in today's world, we can easily forget that if our computers are on, they are probably on the internet 100% of the time. Dial-up was a painful memory, but it was only connected when we wanted it to be. In today's world, steps must be taken if you DON'T want to stay connected 24/7, or at least not be vulnerable to attacks like this.

Samsung software has its shortcomings, but it lets me share my library with anything supporting its app while I keep my server off the Internet 24/7.

If you haven't already, I highly suggest checking all computers/phones/tablets in the house for any types of malware.
 

AnonymouseUser

Diamond Member
May 14, 2003
9,943
107
106
I am by no means a PMS expert but what component is this vulnerable? It's not making sense because the only portion that really isn't password-protected is perhaps the streaming/client itself which should not have write access to the PMS. I am genuinely curious :cool:

edit- ah!


Plex has nothing to do with encrypting your data. It's the OS.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Plex has nothing to do with encrypting your data. It's the OS.
True, but I was wondering what XavierMace meant by having no password and being wide open, implying perhaps if there is a vulnerability caused by a default setting within PMS. Is it more likely that PMS was sharing out via SMB that was damaged by another internet connected machine?
 

AnonymouseUser

Diamond Member
May 14, 2003
9,943
107
106
Is it more likely that PMS was sharing out via SMB that was damaged by another internet connected machine?

That's what I'm leaning towards, a network share with guest full read/write permissions being the vector of attack from a local machine, but a Windows machine in DMZ with no firewall would certainly be a possibility as well.

finbarqs, you best have backups of important files from all local machines, and start running anti-virus on them if this was a local attack.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
It's very odd. I NEVER use it as a workstation. Nobody's even browsing the web. But somehow, that PC got ransomware, and now all my Plex media is encrypted. Which sucks, because I didn't back up my 16TB of media :( -- it was hard but oh well. My fault.

What I don't understand is how the hell the system got ransomware when nobody uses it. I do RDC from my main system to update the Plex server every once in a while, but nothing else. I don't have a password though... Are there people just accessing IPs and seeing if a terminal service or RDC is open on the PC? The only thing I can think of is random people accessing the system, and just using it as a PC and then downloading weird shit... (Which I did see some weird software... had no idea how it got on there... then I did notice a bunch of extra users in my Users folder... but they're not in my "Manage Another Account" area)

Anyways, anyone heard of this?
Is that RDP port accessible via the internet? If so, it needs to be protected. Yes, script kiddies are constantly probing ports and attempting brute force attacks on just about every single public IP on the internet.. you should see the attempts on my SSH server before IDS/ABF. Was your PMS in fact within the DMZ?
 

finbarqs

Diamond Member
Feb 16, 2005
4,057
2
81
The PMS wasn't within the DMZ, but I had the standard port of 3389 open to my PMS. And on top of that, my PMS didn't carry a password. With all the extra "users" they created, it was just a matter of time before it got encrypted... So I added a password and changed the listening port.. since the only way for me to control/access my PMS is through RDP... or I can physically move my NUC, but it's a pain in the ass lol.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
My comment had nothing to do with Plex specifically. You have a Windows File Server with internet access, no password, and at least SOME inbound traffic allowed. That's bad. If you had port 3389 open on the firewall (why?), then yeah, you've basically said "Hey take over my server".
 
Nov 20, 2009
10,043
2,573
136
Yeah, I figured since I'm on a dynamic address I'd be okay, but I guess now that I have a password on it I should be better off... I mean, I'm smart about not getting ransomware, but shit... I'm guessing someone took control of my Plex server, ran a bunch of software, and boom. Got a ransom virus that infected all my media. Now I've put a password on my Plex, but too little too late... 90% is already encrypted with the xbtl file or whatever it's called...
What puzzles me more is that it appears, to me, to almost be targeting PMS on the Internet. That being said, how does it do this? Is the vector just an open wifi connection with blind luck detection, or has Plex itself been compromised?
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
The PMS wasn't within the DMZ, but I had the standard port of 3389 open to my PMS. And on top of that, my PMS didn't carry a password. With all the extra "users" they created, it was just a matter of time before it got encrypted... So I added a password and changed the listening port.. since the only way for me to control/access my PMS is through RDP... or I can physically move my NUC, but it's a pain in the ass lol.
Gah, might as well have been in the DMZ. I use RDP as well but only with NTLM over a VPN. Within Windows, it is very easy to get a VPN server going by forwarding port 1194 to SoftEther Server (freeware on a whole new level). I use the OpenVPN client with it and could not be more satisfied.

My comment had nothing to do with Plex specifically. You have a Windows File Server with internet access, no password, and at least SOME inbound traffic allowed. That's bad. If you had port 3389 open on the firewall (why?), then yeah, you've basically said "Hey take over my server".
Sorry, it was totally my fault for being confused, I had to re-read the OP. Right yeah, default port w/no password. It sounds like others were using the PC as a terminal server and possibly trying their hand at getting personal information.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
It's very odd. I NEVER use it as a workstation. Nobody's even browsing the web. But somehow, that PC got ransomware, and now all my Plex media is encrypted. Which sucks, because I didn't back up my 16TB of media :( -- it was hard but oh well. My fault.
All hope might not be lost... which ransomware was it?

There are decrypt keys out there for some of them.. but need to know which one.
 

Binky

Diamond Member
Oct 9, 1999
4,046
4
81
So this ransomware has nothing to do with Plex and everything to do with an exposed RDC port with no password...right?

You should really be worried if that machine had access to other data on other systems in the house.
 

master_shake_

Diamond Member
May 22, 2012
6,430
291
121
Good reason to deploy pfsense and block every incoming connection possible.

Everyday I get at least 200 incoming connections denied.

Some even go after my home server.
 

Red Squirrel

No Lifer
May 24, 2003
67,200
12,027
126
www.anyf.ca
Wait, this is connected straight to the internet with no router in between? :eek:

Yeah, I'm not really surprised you got infected there. :p You should really put computers - especially Windows ones - behind a NAT/firewall. Even with Linux, you should have brute force protection on stuff like SSH if it will be facing the internet.
 

finbarqs

Diamond Member
Feb 16, 2005
4,057
2
81
It's behind a router. It's the "redshitline@india.com" XTBL encryption. The only thing that got infected was my NAS drive. There was nothing on that PC, but everything on my NAS was encrypted... well, a good portion of it. I thought about "undeleting" files, but since it's on a NAS, that's pretty much impossible.
 

Elixer

Lifer
May 7, 2002
10,376
762
126
What file system was on the NAS?

Also, did you check event viewer for login/logoff times?

I suppose it is also possible you get hit was a flash ad that has malware in it... you sure none of your other machines are infected?
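Elixer's suggestion to check the event log for login times, together with the brute-force probing PliotronX describes earlier, can be turned into a small triage pass over an exported Security log. This is an added example, not code from anyone in the thread; the CSV export format, the IP addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, EventID, account, logon type, source IP.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive
# (RDP), 4720 = user account created (no source IP on that event, hence "-").
SAMPLE_EVENTS = """\
2016-06-01T02:14:03,4625,administrator,10,198.51.100.23
2016-06-01T02:14:05,4625,admin,10,198.51.100.23
2016-06-01T02:14:08,4625,plex,10,198.51.100.23
2016-06-01T02:14:11,4625,user,10,198.51.100.23
2016-06-01T02:14:14,4625,guest,10,198.51.100.23
2016-06-01T02:14:20,4624,plex,10,198.51.100.23
2016-06-01T02:16:40,4720,brute1,-,-
2016-06-01T02:17:02,4720,brute2,-,-
2016-06-01T08:30:00,4624,plex,10,192.168.1.10
"""

FAIL_THRESHOLD = 5                 # assumed: failures from one IP within WINDOW
WINDOW = timedelta(minutes=10)
FOLLOW_UP = timedelta(hours=1)     # assumed: account creation this soon after is suspect

def parse_events(text):
    rows = []
    for line in text.strip().splitlines():
        ts, eid, user, ltype, ip = line.split(",")
        rows.append((datetime.fromisoformat(ts), int(eid), user, ltype, ip))
    return sorted(rows)

def triage(events):
    """Flag brute-forcing IPs, RDP logons that followed a brute force, and
    accounts created shortly after such a logon."""
    failures = defaultdict(list)       # ip -> recent 4625 timestamps
    flagged, logons, created = set(), [], []
    last_bad_logon = None
    for ts, eid, user, ltype, ip in events:
        if eid == 4625 and ltype == "10":
            failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
            if len(failures[ip]) >= FAIL_THRESHOLD:
                flagged.add(ip)
        elif eid == 4624 and ltype == "10" and ip in flagged:
            logons.append((ts.isoformat(), user, ip))
            last_bad_logon = ts
        elif eid == 4720 and last_bad_logon and ts - last_bad_logon <= FOLLOW_UP:
            created.append((ts.isoformat(), user))
    return {"brute_force_ips": flagged, "suspect_logons": logons, "new_accounts": created}

if __name__ == "__main__":
    for key, value in triage(parse_events(SAMPLE_EVENTS)).items():
        print(key, value)
```

The LAN logon at 08:30 is left alone because its source address never crossed the failure threshold; only the internet address that hammered 3389 and then got in is reported.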
 

finbarqs

Diamond Member
Feb 16, 2005
4,057
2
81
Yeah, 100% sure none of the other systems are infected. In fact, I can see some of the files that are "partially" converted to the XBTL files, and yet the main MKV file still remains. Meaning I stopped it before it infected the whole thing. So that means this encrypts to the new file, then deletes the old file.

The NAS I have is a ReadyNAS 104. I can't, for the life of me, find the file system that it's running. Of course, Windows will say NTFS. Some of the files I saw on the "fake" profiles were named BRUTE.xxx or something like that. I spent a good majority of yesterday trying to figure out how to "undelete" something from a NAS. In the end, I may need to pull all the drives out, connect them to a PC, and have it run through an "UNDELETE" procedure... I didn't use iSCSI...
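finbarqs's observation that the encrypted copy is written first and the original deleted afterwards means an interrupted run leaves both files on the share, which is useful when assessing what is actually lost. The script below is an added example, not from anyone in the thread; the ".id-<id>.<email>.xtbl" naming pattern and the directory listing are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Assumed naming for this family: "<original>.id-<id>.<contact email>.xtbl".
# Adjust SUFFIX_RE if your samples use a different pattern.
SUFFIX_RE = re.compile(r"\.id-[^/]+\.xtbl$")

def original_name(path):
    """Return the pre-encryption name, or None if the suffix does not match."""
    m = SUFFIX_RE.search(path)
    return path[:m.start()] if m else None

def classify(paths):
    """Sort share paths into: intact (no encrypted copy), partial (original and
    encrypted copy both present, i.e. the run was interrupted before the delete),
    encrypted (only the copy survives) and unknown (.xtbl with unexpected name)."""
    paths = set(paths)
    result = defaultdict(list)
    originals_seen = set()
    for p in sorted(paths):
        if not p.endswith(".xtbl"):
            continue
        orig = original_name(p)
        if orig is None:
            result["unknown"].append(p)
            continue
        originals_seen.add(orig)
        result["partial" if orig in paths else "encrypted"].append(orig)
    for p in sorted(paths):
        if not p.endswith(".xtbl") and p not in originals_seen:
            result["intact"].append(p)
    return dict(result)

def scan(root):
    """Walk a mounted share and classify every file under it."""
    rel = []
    for d, _, files in os.walk(root):
        rel.extend(os.path.relpath(os.path.join(d, f), root) for f in files)
    return classify(rel)

# Constructed listing of what the share looked like after the interrupted run.
SAMPLE_LISTING = [
    "Movies/A.mkv", "Movies/A.mkv.id-B4D2.redshitline@india.com.xtbl",  # caught mid-run
    "Movies/B.mkv.id-B4D2.redshitline@india.com.xtbl",                  # original gone
    "Movies/C.mkv",                                                      # untouched
    "TV/ep1.mp4.id-B4D2.redshitline@india.com.xtbl", "TV/ep2.mp4",
]

if __name__ == "__main__":
    for bucket, files in classify(SAMPLE_LISTING).items():
        print(bucket, files)
```

Run scan() against a read-only mount of the share; the "partial" bucket is the set of originals worth copying off first, since those still exist in the clear.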
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
If it's a current model it should be running ReadyNAS OS6 which uses BTRFS for the root file system. In addition, if that's the case, you should have the option to create snapshots. Do you have any snapshots prior to getting infected?

Edit: Also, can you clarify how exactly your network is setup. Since this is just a NAS unit, you obviously weren't using remote desktop to connect to it. What is the NAS connected to and how?
 

finbarqs

Diamond Member
Feb 16, 2005
4,057
2
81
If it's a current model it should be running ReadyNAS OS6 which uses BTRFS for the root file system. In addition, if that's the case, you should have the option to create snapshots. Do you have any snapshots prior to getting infected?

Edit: Also, can you clarify how exactly your network is setup. Since this is just a NAS unit, you obviously weren't using remote desktop to connect to it. What is the NAS connected to and how?

My NAS is connected to my network, and I use my PMS to access the NAS. I set up different credentials for my NAS, and no, I didn't create snapshots :(

It's basically just the Frontier/Verizon FIOS router into an 8-port gigabit switch, which everything is connected to. Since my PMS is an i5 NUC, I physically placed it next to the NAS, away from my PC's display. Thus, I RDC into the PMS if I need to make some changes or do something with it. Now I've changed the port on the RDC, restricted access to READ ONLY on the PMS, and added a password. Oh yeah, got rid of Microsoft Security Essentials and installed ESET NOD32 Anti-Virus 9.X