For a few days I’ve been seeing strange DNS requests (a/aaaa/https) from radarr, sonarr and lidarr linuxserver containers for the following domains:
The domains were registered recently but they’re not resolving, at least not right now.
I’ve removed both the images, volumes and configuration and started them up fresh, and these requests still happen every 30 to 90 minutes.
Anyone else noticed this?
This feels like it could potentially be a compromised setup. Are 100% sure that the requests stop when the containers aren’t running?
I’m still testing, but last night I brought down radarr, sonarr and lidarr and saw no requests during the night. This morning I started up just sonarr and got a request after 30 minutes. Stopped sonarr and started lidarr and got the same requests. Now all three are stopped and no requests for just over 2 hours.
Will keep testing today and post an update later. Mostly curious if anyone else seen the same before I nuke the server.
Check the host for any weird processes or files
I used iptables string matching to find the uid making the particular requests and it pointed to the uid running containers on this host. They’re rootless and managed by podman. Some trial and error narrowed it down the these three containers.
I prefer not to wipe it all until I figured out what’s really going on.
It’s unlikely that all 3 containers have been individually compromised, either your host is compromised or it’s something else on your network.
Besides that, if you were exposing the arrs then you shouldn’t.
Exactly. And yes nothing is exposed.
So it turned out it’s just the prowlarr container. And radarr/sonarr/lidarr queries it every 30 minutes or so. So thats where the strange dns requests originates from. My bad.
Not sure if it’s some indexer used by prowlarr or something perhaps returned by an indexer which then triggers these dns requests. I’ve checked for strings of the domain names in both the prowlarr container image and the volumes but there are no matches.
I’ll just wipe and reinstall prowlarr I think.