I think I self-pwned .. fresh Ubuntu Server 20.04 install begins visiting .cn, .ru, and .es sites according to my RPi PiHole

Hi ~ I know enough Linux to get into trouble. My basement server of many years got a fresh install of Ubuntu Server 20.04 LTS, and a fresh 256GB m.2 pcie as /

I’m running an older 5-stack of 3TB HDDs in an iStarUSA hot-swap cage, in RAID5 (one hot spare, so ~9TB avail), and that array was adopted with no problems at all by the fresh LTS install. Before anyone comments, I am intending to convert everything to TrueNAS. I have an empty iStarUSA 5-drive cage in the chassis for future expansion and more parity under TrueNAS.

SO … I got Samba up and running so people in my house can access the storage. I installed and claimed the Plex server, I installed gkrellmd … Unifi Controller for my 3 Ubiquiti APs … and finally I thought for something NEW I would try LANcache/Docker.

That is where the problem began. I installed Docker, installed and set up LANcache, deleted a few Steam games from my system, re-downloaded them, deleted them and noticed on the next download attempt that the cache was not being used.

I examined the cache directory and was puzzled to see that it was completely locked down as root:root 700 … I assumed that LANcache could not read anything. I loosened the perms all the way out with 777 to see what would happen and everything completely worked. I went to bed since I had been setting up the machine until 5am.

The next day I opened up PiHole’s web interface to make sure it’s behaving since it was a fresh install and I have people here working from home. What do I see but every 15 seconds my Ubuntu server is now hitting servers in Russia, China, and Spain (.es gambling site).

Can someone explain to me if loosening my LANcache database r/w/e permissions opened my system to malicious code, and why LANcache set such absurd r/w/e permissions for itself in the first place?

Anything I installed was from official host page links to Github.

Edit: I turned off the server for now, of course.

Edit: I did consider that since LANcache intercepts and spoofs gaming server IPs, it only “looked” like the server was hitting the scam sites, since all DNS requests looked like they came from the Ubuntu server to the upstream PiHole RPi. I told my router DHCP to use PiHole for DNS and rebooted every electronic device in the house. The scam site requests were definitely coming from the Ubuntu server.

Thanks in advance.
JK
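The tell in the post above is the regularity: one LAN host resolving the same foreign names every 15 seconds is a timer, not a person. The following is an added example (not from this thread, not from PiHole or LANcache) of pulling that pattern out of PiHole's query log. PiHole stores dnsmasq's query log in /var/log/pihole.log in the `... dnsmasq[pid]: query[A] name from client` form parsed here; the log lines embedded below are constructed for illustration, including the placeholder domain name, and the threshold values (five or more lookups, under 20% jitter) are my own choice.

```python
"""Find periodic ("beaconing") DNS lookups from one LAN host in a PiHole log.

Added example, not code from the thread or from PiHole/LANcache. It reads
dnsmasq query lines of the form PiHole writes to /var/log/pihole.log:
    Mar  5 10:00:01 dnsmasq[1234]: query[A] example.com from 192.168.1.50
and reports (client, name) pairs whose lookups recur at a steady interval.
"""
import re
import statistics
import sys
from collections import defaultdict
from datetime import datetime

# Constructed sample: host .50 resolves one placeholder name every 15 seconds
# amid ordinary traffic; host .23 browses normally.
SAMPLE_LOG = """\
Mar  5 10:00:01 dnsmasq[1234]: query[A] update.ubuntu.com from 192.168.1.50
Mar  5 10:00:02 dnsmasq[1234]: query[A] beacon-placeholder.example from 192.168.1.50
Mar  5 10:00:09 dnsmasq[1234]: query[A] plex.tv from 192.168.1.50
Mar  5 10:00:17 dnsmasq[1234]: query[A] beacon-placeholder.example from 192.168.1.50
Mar  5 10:00:20 dnsmasq[1234]: query[A] www.youtube.com from 192.168.1.23
Mar  5 10:00:32 dnsmasq[1234]: query[A] beacon-placeholder.example from 192.168.1.50
Mar  5 10:00:47 dnsmasq[1234]: query[A] beacon-placeholder.example from 192.168.1.50
Mar  5 10:00:51 dnsmasq[1234]: query[A] www.youtube.com from 192.168.1.23
Mar  5 10:01:02 dnsmasq[1234]: query[A] beacon-placeholder.example from 192.168.1.50
Mar  5 10:01:17 dnsmasq[1234]: query[A] beacon-placeholder.example from 192.168.1.50
"""

# Only "query[...]" lines matter; "forwarded", "reply" and "cached" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(text, year=2021):
    """Yield (timestamp, client, name) per query line. Syslog stamps carry no
    year, so one is supplied (assumption: the log does not span New Year)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["client"], m["name"].lower()


def find_beacons(text, min_queries=5, max_jitter=0.2):
    """Return {(client, name): mean_gap_seconds} for lookups whose spacing is
    nearly constant: coefficient of variation of the gaps <= max_jitter."""
    stamps_by_key = defaultdict(list)
    for ts, client, name in parse_queries(text):
        stamps_by_key[(client, name)].append(ts)

    beacons = {}
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Human browsing produces irregular gaps; a timer produces near-identical ones.
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    # Usage: python3 beacons.py /var/log/pihole.log   (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (client, name), period in sorted(find_beacons(text).items()):
        print(f"{client} -> {name} every ~{period}s")
```

Run against the real log on the PiHole, this lists each host/name pair that is being looked up on a clock; the period column is what distinguishes a compromised server (a fixed short interval to an unfamiliar name) from a TTL-driven refresh of a legitimate service. A name that LANcache is intercepting would still show the LANcache host as the client, which is exactly the ambiguity the edit in the post resolved by pointing the DHCP clients straight at PiHole.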

So as a precaution I have reflashed my ASUS RT-N66U router’s ROM image, reset its settings to factory default and rebuilt the settings freshly, changed the passwords on any Windows PCs I have in the house and of course changed the router LAN access password, and double-checked that its WAN SSH, Samba, and web admin interface access are off.

My advice: start afresh, installing the apps one at a time and checking between each operation when these connections begin to occur. I suspect it’s the Steam games you’ve downloaded; maybe think carefully if you really want to play these.

2 Likes

When I was securing my router, I noticed I had a port 80 port-forward to the Ubuntu server from a Minecraft server I ran on it 3 years ago to service the world-mapping extension app. I had forgotten that port-forward existed.

In the back of my head I seem to think that LANcache/SteamCache warn against unguarded port 80 exposed to the internet … I will search its docs and confirm.

I have found the answer in a 3-year-old Ars Technica article:

A strong word of warning

Do not—repeat, not—do any of this on a computer with ports 80 or 53 accessible to the Internet. If you’re insane or crazy and you keep your gaming PC set as your router’s DMZ host, for the love of God, don’t run these Docker images on your gaming PC. And also get your gaming PC out of the DMZ and configure port forwarding properly, because the only reason to leave a gaming PC as the DMZ host is laziness—find and fix the underlying issue!

The reasons for making damn sure this setup is properly firewalled and LAN-only are legion. But the short version is that you’re going to be installing services that could be heavily abused by malicious strangers if those services were reachable from the Internet.

By having a delinquent, forgotten, 3-to-6-year-old port-80 forward on my router, I set myself up to be pwned.

5 Likes
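The article's warning is about where the LANcache/Docker services are listening, and the forgotten router forward is only half of that: a container started with `-p 80:80` publishes the port on every address of the host, and Docker inserts its own iptables rules ahead of UFW's, so a `ufw deny 80` on the host does not close it. The following is an added example (not code from the thread, from LANcache or from Docker) that parses `ss -Hltnp` output (listening TCP sockets, numeric, with owning process) and flags wildcard-bound listeners on ports that should stay LAN-only. The `ss` output embedded below is constructed to resemble such a host; the port list is my own choice, as is the 192.168.1.50 address used in the usage note.

```python
"""Flag listening TCP sockets bound to every interface on ports that must not
face the Internet.

Added example, not from the thread or from LANcache/Docker. Input is the text
of `ss -Hltnp`: no header, listening sockets only, TCP, numeric ports, with
the owning process. A wildcard local address (0.0.0.0, [::] or *) means the
service answers on whatever interface a router forward or DMZ rule delivers.
"""
import re
import subprocess

RISKY_PORTS = {22, 53, 80}          # ssh, dns, http: the ports the article warns about
WILDCARDS = {"0.0.0.0", "[::]", "*"}
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed `ss -Hltnp` output: docker-proxy has published port 80 on all
# addresses, dnsmasq is loopback-only, sshd is global, Plex is on the LAN IP.
SAMPLE_SS = """\
LISTEN 0      4096         0.0.0.0:80        0.0.0.0:*    users:(("docker-proxy",pid=2101,fd=4))
LISTEN 0      4096            [::]:80           [::]:*    users:(("docker-proxy",pid=2107,fd=4))
LISTEN 0      32         127.0.0.1:53        0.0.0.0:*    users:(("dnsmasq",pid=900,fd=5))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=700,fd=3))
LISTEN 0      4096   192.168.1.50:32400      0.0.0.0:*    users:(("Plex Media Server",pid=1500,fd=40))
"""


def exposed_listeners(ss_output, risky_ports=RISKY_PORTS):
    """Return sorted (port, local_address, process) tuples for sockets that
    listen on a wildcard address on one of risky_ports."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles "[::]:80" and "*:80"
        if addr not in WILDCARDS or int(port) not in risky_ports:
            continue
        m = PROC_RE.search(line)
        found.append((int(port), addr, m.group(1) if m else "?"))
    return sorted(found)


def live_listeners():
    """Run ss on this host and return its exposed listeners (Linux only)."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out)


if __name__ == "__main__":
    for port, addr, proc in live_listeners():
        print(f"port {port} listening on {addr} by {proc}")
```

A `docker-proxy` entry on 0.0.0.0 is the signature of `-p 80:80`; publishing with an explicit address instead, such as `-p 192.168.1.50:80:80` (the host's LAN address, an assumed value), keeps the listener off the WAN-facing side regardless of what the router forwards. That is a second line of defence only: the one that would have prevented this thread is the router check the poster did afterwards, removing every forward that no longer has a reason to exist.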

Well, better late than never, I s’pose. That’s one mistake you’ll never make again for sure :wink:

Good thing you got it sorted, looks like your server was compromised after all. Like I said, start afresh, to make sure everything malicious is gone.

1 Like

Not this week, anyway.

2 Likes

If you expose 22/TCP to a public network with a guessable password, it is a matter of time before this happens.

2 Likes

And if you really need to expose SSH to the internet, it should always be using public-key authentication with password logins disabled.

3 Likes

Hello! Thank you for your reply, but this has entirely to do with accidentally exposing LANcache to the WAN via a 3-to-6-year-old forgotten open port 80 on the firewall appliance, not anything about SSH.