Netbus Backdoor trojan 12346 in Plex

Status
Not open for further replies.

Chris D

Cadet
Joined
Aug 17, 2014
Messages
5
Hello,

First, sorry for my bad English :) I posted this in the German section of this forum, but nobody there could help me. Maybe you can?


I'm running FreeNAS on my home server in V.9.2.1.6 with the ownCloud and Plex plugins installed.
Everything works fine; I can connect to my ownCloud account from outside my network with SSL.

But here's my problem. Today at 3:00 am nobody was connected to my server (running MS Windows Server 2012R2), but the LEDs of my network ports were blinking all the time. So I scanned my network with Fing and found an open port on the IP address where Plex runs.

http://www.directupload.net/file/d/3718/5gwvu8qu_png.htm

Does anybody know this issue? Is this really an issue? I'm not very happy about this because of the stuff I read about the NetBus Trojan.

After I noticed that, I opened the FreeNAS WebGUI and saw that the Plex Media Server plugin was turned off. But the service was still reachable via the network. I could not switch the plugin back on. Only when I stopped the jail did the NetBus trojan disappear from my network.

I hope somebody can help me with this.
 

Dennis K.

Explorer
Joined
Feb 17, 2014
Messages
70
Try to gain some information about the service that is running on that port. Try "sockstat -lP tcp" to see what process/PID is running on that port. Get some more information about the running program with "procstat -c <PID>" for instance.
 

Chris D

Cadet
Joined
Aug 17, 2014
Messages
5
Hi Dennis,
thanks for your reply. I tested every possible command with sockstat within the plexmediaserver jail, but I only got errors.

Code:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS


Nothing more.
Next I tried the whole sockstat thing directly via SSH as root. No problems. But this was just on FreeNAS itself, not in the jail.
I tried
Code:
[root@freenas] ~# jls
   JID  IP Address      Hostname                      Path
     1  -               owncloud_1                    /mnt/C/jails/owncloud_1
     3  -               plexmediaserver_1             /mnt/C/jails/plexmediaserver_1

[root@freenas] ~# sockstat -j 3 -c
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
 

Dennis K.

Explorer
Joined
Feb 17, 2014
Messages
70
Was the port open while you were issuing your commands? I'm not really sure how jails work with their own network stack (VIMAGE), NAT and such.
 

Chris D

Cadet
Joined
Aug 17, 2014
Messages
5
Yes, I started the jail and scanned my network before running sockstat. The port was open. Maybe the best way to get rid of this is to delete the jail and reinstall the plugin.
 

Dennis K.

Explorer
Joined
Feb 17, 2014
Messages
70
Maybe install a second Plex instance and see if the port is open there too. That open port could be normal behaviour of Plex. If it's not, there could be a vulnerability somewhere that won't be closed by just re-installing the plugin.
 

Dennis K.

Explorer
Joined
Feb 17, 2014
Messages
70
I just installed the Plex media plugin. Albeit somewhat broken (the plugin is not started, but the jail is; I also can't enable the plugin), the jail gets started. After switching to the jail with "jexec 1 /bin/sh" and issuing sockstat, I see this:
Code:
# sockstat -P tcp
USER  COMMAND  PID  FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS   
root  python2.7  73010 3  tcp4  192.168.178.241:12346 *:*

procstat outputs this:
Code:
# procstat -c 73010
  PID COMM  ARGS   
73010 python2.7  /usr/pbi/plexmediaserver-amd64/bin/python2.7 /usr/pbi/plexmediaserver-amd64/control.py start 192.168.178.241 12346


So this is part of Plex. The control.py starts the server for the Plex web interface.

Btw, I'm running 9.2.1.7.
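A small script, added here as an example and not code from the thread or from the FreeNAS plugin, that automates the check Dennis walked through above: match the port from the network scan to a PID with sockstat, then pull that PID's command line from procstat and see whether it is the plugin's control.py. The sockstat and procstat output below is constructed to mirror the thread; on a real system the here-strings would be replaced by `jexec <JID> sockstat -P tcp` and `jexec <JID> procstat -c <PID>`.

```shell
#!/bin/sh
# Map a listening TCP port from a scan back to the process inside a jail.
# Sample data is constructed to match the output format shown in the thread.

# Constructed `sockstat -P tcp` output (LOCAL ADDRESS is host:port).
SOCKSTAT_SAMPLE='USER  COMMAND  PID  FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root  python2.7  73010 3  tcp4  192.168.178.241:12346 *:*
root  nginx      73020 6  tcp4  192.168.178.241:443   *:*'

# Constructed `procstat -c <PID>` output for both PIDs above.
PROCSTAT_SAMPLE='  PID COMM  ARGS
73010 python2.7  /usr/pbi/plexmediaserver-amd64/bin/python2.7 /usr/pbi/plexmediaserver-amd64/control.py start 192.168.178.241 12346
73020 nginx  nginx: master process /usr/local/sbin/nginx'

# pid_for_port PORT: print the PID listening on PORT, nothing if none.
pid_for_port() {
  printf '%s\n' "$SOCKSTAT_SAMPLE" | awk -v port="$1" '
    NR > 1 {
      n = split($6, a, ":")          # last colon-separated field is the port
      if (a[n] == port) { print $3; exit }
    }'
}

# args_for_pid PID: print the full ARGS column for PID from procstat -c.
args_for_pid() {
  printf '%s\n' "$PROCSTAT_SAMPLE" | awk -v pid="$1" '
    NR > 1 && $1 == pid {
      s = $3; for (i = 4; i <= NF; i++) s = s " " $i
      print s
    }'
}

# classify PORT: exit 0 if the listener is a plugin control.py service
# (the benign case found in the thread), 1 if it is something else that
# deserves a closer look, 2 if nothing is listening.
classify() {
  pid=$(pid_for_port "$1")
  [ -n "$pid" ] || { echo "port $1: nothing listening"; return 2; }
  args=$(args_for_pid "$pid")
  case "$args" in
    */usr/pbi/*/control.py" start"*)
      echo "port $1: pid $pid is the plugin's control.py service"; return 0 ;;
    *)
      echo "port $1: pid $pid runs: $args"; return 1 ;;
  esac
}

classify 12346
```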
 