Regular command injection attempts on media server

Hi all,
New here and to this.

I currently run a Windows 11 system as a dedicated Plex media server, with 8 drives. I have Bitdefender installed on it and it's reporting that on a daily basis someone or something is attempting a command injection. It gives me the URL as 95.214.55.244. Bitdefender is blocking the attempts, but I am still a little concerned. Anyone have any suggestions on how I can better protect the system?

Thanks

Is there any other information with that report?

That IP is Polish, I think.

What firewall settings do you have on your router? IIRC Plex only needs a single port forwarded.

Quick lookup of IP suggests it’s somehow malware related and in Poland.

Now we should figure out if the command injections are coming from the outside, in which case the firewall should do the trick, or from the inside, where the server itself or some other machine on the network tries to connect to that IP and execute commands.

Describing your network topology would be a great start. How are machines connected to the LAN and the Internet, are there guests on the same network, IoT devices…


Can't one whois the IP, get the "abuse" email of the hosting service, and tell them whoever is renting the IP is being a bad boi?

Paste a couple log lines in the email for effect?

Or do such emails get sent to /dev/null

In theory an abuse report works; in practice, who knows, but I did send it just in case. And if malware is resident on the home server it will probably contact another C&C somewhere else.


Thank you. Having read your response, I realise my original post was vague.

Bitdefender details on the attack:
Unfortunately I am unable to find any further details in Bitdefender other than that this has happened 15 times in the last 30 days. The system has been off a few times, but it looks like when it's left on this occurs. The other devices I have that are running Bitdefender aren't reporting any such attempts. Also worth mentioning, as you pointed out about the firewall: since Bitdefender manages the firewall it is blocking the attempts, and I'm probably just being over-cautious.

Network:
This is my layout and the devices I have connected

I have my ISP router plugged into an ASUS ZenWiFi ET12, which the server is plugged directly into. There are 2 additional ET12s for an AiMesh setup. These have a desktop and a docking station (provided through my work) and 2 x Nvidia Shield plugged in. Then 1 x doorbell, 1 x smart light switch, a dryer and a few smart speakers on Wi-Fi.
I have recently changed it so all the IoT devices are on the 2.4 GHz network, which is now hidden, and the 5 GHz and 6 GHz networks are available. A guest network is available but nothing is showing as connected.

Sorry that seems a little chaotic

It's not super clear how your network works; for example, just because 2.4 GHz is hidden doesn't mean devices on that network can't communicate with other networks, either Wi-Fi or LAN.

What I could put together from the description is you likely have 3 possible scenarios:


Scenario 1:

Your server is infected with malware that is receiving commands from the IP and BitDefender is terminating the connection.

Possible resolutions

Get a live boot antivirus tool and do a scan on the server while the PC is not running Windows, something like Kaspersky Rescue Disk, ESET SysRescue Live, Bitdefender Rescue CD…


Scenario 2:

You have port forwards that, well, forward any traffic from your public IP to your server, and BitDefender is preventing intrusion at the PC firewall level. Sometimes software, such as Plex, punches holes in your ISP router and/or any other router that is UPnP compliant and has it on.

The idea is to make itself available to you even if you are not home, but this makes it available to the whole Internet as well - bad idea. This is how people end up with cameras in their homes streaming to the Internet without their knowledge.

Quick edit:
I'd say this is less likely but not impossible. If you had open ports you would be up to your balls in intrusion attempts, not just from a single IP.

Possible resolutions:

Try and scan your public IP for open ports. There are a lot of tools to test this, such as the yougetsignal website, or even use a laptop on a mobile hotspot and nmap. Scan for common ports, or just a range of ports if you use nmap.


Scenario 3:

It’s a false positive, but may not be likely given that the IP has bad rep for malware and phishing.


Anyway, I've reported that IP for abuse; the provider may take it down, and you may see a change in behaviour if they do. Maybe the intrusion attempts stop, or maybe the IP changes. But that still depends on the VPS provider, Mevspace.

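Added example, not posted by anyone in this thread: a PowerShell triage script that makes the inside-versus-outside question (and scenarios 1 and 2 above) concrete on the Plex box itself, using only built-in cmdlets. It assumes the server is the Windows 11 machine from the first post and that PowerShell is run elevated; 95.214.55.244 is the IP from the thread and 32400 is Plex's documented default port. The "local port at or above 49152 means the server opened the connection" rule is a heuristic based on Windows' ephemeral port range, not something Bitdefender reports.

```powershell
# Added triage example (not from the thread). Run in an elevated PowerShell
# on the Plex server. Assumptions: suspect IP and Plex port as below.
$SuspectIp = '95.214.55.244'
$PlexPort  = 32400

function Get-ProcessNameForPid($ProcId) {
    (Get-Process -Id $ProcId -ErrorAction SilentlyContinue).ProcessName
}

# 1. Scenario 1 check: is anything on this box talking to the suspect IP right now?
#    Heuristic: a local port in the ephemeral range (>= 49152 on Windows) means this
#    machine initiated the connection (beacon/C2 pattern); a low local port with a
#    high remote port means the remote side connected in.
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq $SuspectIp }
if ($conns) {
    $conns | ForEach-Object {
        [PSCustomObject]@{
            Direction = if ($_.LocalPort -ge 49152) { 'OUTBOUND (server-initiated)' } else { 'INBOUND (remote-initiated)' }
            State     = $_.State
            Local     = "$($_.LocalAddress):$($_.LocalPort)"
            Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
            ProcId    = $_.OwningProcess
            Process   = Get-ProcessNameForPid $_.OwningProcess
        }
    } | Format-Table -AutoSize
} else {
    "No live TCP connection involving $SuspectIp at this moment (beacons are brief; re-run or loop)."
}

# 2. Scenario 2 check, part one: what is listening on all interfaces? Anything here
#    becomes Internet-reachable the moment a port forward or UPnP mapping points at it.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Select-Object LocalPort, OwningProcess,
        @{ n = 'Process'; e = { Get-ProcessNameForPid $_.OwningProcess } } |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize

# 3. Scenario 2 check, part two: which inbound firewall rules allow the Plex port, and
#    on which profiles? A rule scoped to Private only does not open the port on a
#    network Windows classifies as Public, and vice versa.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq $PlexPort } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Enabled, Profile, Direction, Action |
    Format-Table -AutoSize

# 4. Which network profile each adapter is on, since that decides which of the
#    rules above actually apply.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory | Format-Table -AutoSize
```

Reading the output: an Established row marked OUTBOUND with a non-Plex process name points at scenario 1 (something on the box reaching out), while no such rows plus an all-interfaces listener for Plex.exe and a matching Public-profile allow rule is the precondition for scenario 2, which you then confirm from outside the LAN with the port scan described in the post above. Step 1 only sees connections that exist at the moment it runs, so for an intermittent beacon wrap it in a loop or schedule it.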

^^
did it better, so removing my post :)

Thank you so much for your help.

Sorry it has taken me a few days to respond but I wanted to check and see if the issue is resolved.

I can say that I have not received any further reports of this issue. Upon your advice I ran the antivirus environments which resulted in no issues being reported. While considering what you told me I did a review of all the applications on the system (mostly just thinking of possible issues) and I removed anything no longer needed.

Thank you for reporting the site (I wasn't aware we could do this). Whether it was this or the removal of an application that may have been causing it I am not sure, but hopefully that's it resolved.

Again, thank you for all your help.
