Hi ~ I know enough Linux to get into trouble. My basement server of many years got a fresh install of Ubuntu Server 20.04 LTS, and a fresh 256GB M.2 PCIe drive as /.
I’m running an older 5-stack of 3TB HDDs in an iStarUSA hotswap cage, in RAID5 (one hot spare, so ~9TB available), and that array was adopted with no problems at all by the fresh LTS install. Before anyone comments, I am intending to convert everything to TrueNAS. I have an empty iStarUSA 5-drive cage in the chassis for future expansion and more parity under TrueNAS.
SO … I got Samba up and running so people in my house can access the storage. I installed and claimed the Plex server, I installed GKrellMd … Unifi Controller for my 3 Ubiquiti APs … and finally I thought for something NEW I would try LANcache/Docker.
That is where the problem began. I installed Docker, installed and set up LANcache, deleted a few Steam games from my system, re-downloaded them, deleted them and noticed on the next download attempt that the cache was not being used.
I examined the cache directory and was puzzled to see that it was completely locked down as root:root 700 … I assumed that LANcache could not read anything. I loosened the perms all the way out with 777 to see what would happen and everything completely worked. I went to bed since I had been setting up the machine until 5am.
The next day I opened up PiHole’s web interface to make sure it’s behaving since it was a fresh install and I have people here working from home. What do I see but every 15 seconds my Ubuntu server is now hitting servers in Russia, China, and Spain (.es gambling site).
Can someone explain to me if loosening my LANcache database r/w/x permissions opened my system to malicious code, and why LANcache set such absurd r/w/x permissions for itself in the first place?
Anything I installed was from official host page links to Github.
Edit: I turned off the server for now, of course.
Edit: I did consider that since LANcache intercepts and spoofs gaming server IPs, it only “looked” like the server was hitting the scam sites, since all DNS requests looked like they came from the Ubuntu server to the upstream PiHole RPi. I told my router DHCP to use PiHole for DNS and rebooted every electronic device in the house. The scam site requests were definitely coming from the Ubuntu server.
Thanks in advance.
JK
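The post's permission question comes down to two checks a practitioner would want to run on that cache directory: which entries are now world-writable after the `chmod 777`, and how to give a service access without opening the tree to every local account. The script below is an added example written for this thread, not code from the original post or from the LANcache project. It makes no claim about which user LANcache's container actually runs as; the `restrict_to_group` user and group arguments are placeholders you would replace with the account the service really uses, and the demo runs on a constructed temporary directory rather than the real cache path.

```shell
#!/bin/sh
# Added example (not from the original post or the LANcache project):
# audit a directory tree for world-writable entries, the state that
# "chmod -R 777" leaves behind, and show the least-privilege alternative
# of owner/group access only.

# Print every file or directory under $1 whose "other" write bit is set.
# -perm -o+w (symbolic form) is accepted by both GNU and BSD find.
find_world_writable() {
    dir="$1"
    find "$dir" -perm -o+w -print 2>/dev/null | sort
}

# Number of world-writable entries under $1; 0 means the tree is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Least-privilege replacement for 777: hand the tree to the service's
# user/group and give only that owner and group read/write (and traverse
# on directories via X); "other" gets nothing.
# $2 and $3 are placeholders (assumption): use the account the service runs as.
restrict_to_group() {
    dir="$1"; user="$2"; group="$3"
    chown -R "$user:$group" "$dir"
    chmod -R u=rwX,g=rwX,o= "$dir"
}

# Stand-alone demo on a constructed fixture so nothing on a real server is touched.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/open" "$tmp/closed"
    chmod 777 "$tmp/open"      # the "loosened all the way out" case
    chmod 700 "$tmp/closed"    # the original locked-down case
    echo "world-writable entries under $tmp:"
    find_world_writable "$tmp"
    echo "count before: $(count_world_writable "$tmp")"
    restrict_to_group "$tmp" "$(id -un)" "$(id -gn)"
    echo "count after restrict_to_group: $(count_world_writable "$tmp")"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh audit.sh demo` to see the fixture walk; in real use, call `find_world_writable /path/to/cache` first so you know exactly what the 777 change exposed, then apply `restrict_to_group` with the service's actual account instead of reopening the tree to everyone.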