i've been hacked
and traced the malware's wallet to see how much money they actually made from this new exploit
(if you use Next.js/React, READ THIS!)
I woke up to a terrifying email from Hetzner: "Netscan Detected."
my server was blocked and a botnet was using my IP to attack others
i dug into the logs and what I found the anatomy of the attack:
1) The Symptoms: I logged into htop and saw the mess:
- CPU usage: 361%
- A process named ./3ZU1yLK4 running wild
- Random connections to an IP in the Netherlands
my server wasn't serving my app anymore; it was mining crypto for someone else!
2) The Culprit: It wasn't a random SSH brute force. It was inside my Next.js container
the malware was sophisticated
it renamed itself nginxs and apaches to look like web servers
it even had a "killer" script that hunted down other hackers' miners to kill the competition
3) The "Root" Cause (literally): Probably the recent React/Next.js CVE-2025-66478 exploit was the entry point
(my project was running on "next": "15.5.4", behind cloudflare dns, but their recent fix didn't work apparently)
but the fatal error was mine: my Docker container was running as ROOT
Coolify deploys like this automatically when using Nixpacks, and I never changed it...
so because of USER root, the malware could install cron, systemd, and persistence scripts to survive reboots
meaning, it was able to infect my whole server, from a single Next.js docker!
4) The Forensics: I ran docker diff on the container - the hacker didn't just run a script, they installed a whole toolset..
- /tmp/apaches.sh (The installer)
- /var/spool/cron/root (The persistence)
- /c.json (The wallet config)
5) The Fix: I killed the container, scrubbed the host, and extracted the malware for analysis.
but the real fix is in the Dockerfile. if you are deploying Node/Next.js, DO NOT use the default (root), you must:
- RUN adduser --system nextjs
- USER nextjs
if you have Docker on ROOT and didn't update the exploited react version, you'll be hacked soon
check your containers NOW. Run: docker exec <container_id> id
(or get the full list first: docker stats --no-stream)
If it says uid=0(root), you are one vulnerability away from being a crypto-miner host.
(it's easy to notice when hacked, it will be a command running on the top CPU%, using all your hardware resources)
6) The Money: I dug deeper and recovered the config file (c.json)
- Wallet: A Monero (XMR) address: 831abXJn8dBdVe5nZ***
- Pool: auto.c3pool . org
and ofc i tracked the hacker’s wallet on the mining pool
7) The Scale: My server wasn't alone. It was just 1 of 415 active zombies in this botnet
they are burning the CPU of 400+ cloud servers... to earn...
guess how many millions?
$4.26/day
on the image attached you can see: "Total Paid: 0.00", meaning this campaign just started. I caught them on Day 1.
i also tracked back the server where they hosted the malware, and by inspecting the code, I found several comments in Chinese, so I guess that's their origin
im rebuilding from scratch on a fresh VPS. the lesson was expensive, but at least I caught it before the hosting nuked my account permanently...
PS: I have the IP for all the other machines mining with that malware, not sure how I can help them, but feel free to contact me if ur doing infosec
stay safe
The amount of UK orgs that don’t know about @NCSC’s MyNCSC free service is something we as a 🇬🇧 cyber community should change: https://t.co/CF8TWUYJeG I used to use it at my last job and it was great. Definitely worth looking into if you work for an org registered in the UK.
Scotland doesn’t have a massive tradition of halfway houses but the one at Nairn is pretty special.
It’s a converted bothy with a good selection of local whisky, hot rolls and treats. The drinks will be on me next June if you’re on my trip!
What’s your favourite halfway house?
And I’m not accepting any nominations for the very disappointing sausage sandwich at Sunningdale. That was all promise and no follow through!
Our third speaker on track one at Le Tour Du Hack 2025 is
David Brown!
@davidbrown1982 is Napier Alumni,
former police officer, and Lead DFIR consultant at NCC Group.
His talk will cover his experiences and provide some real-world insight into the life of an IR consultant
Evening RIP Denis Law what a Legend with a double Capital L I loved him as a player what a character. Then we met on the circuit I remember once with George Best & Denis I walked in the dressing room and Denis said to George "Right you punch him I'll nick his money" He talked so fast in in a Scottish accent some times I said "slow down your mouth will get a speeding ticket". He was great fun to be with people like Dennis were rare Pure Gold on & off the pitch. A sad sad day for football and across Manchester and Scotland there should be a silent minute for the memory of a true true legend. RIP Denis the short time I spend in your company will never to be forgotten.
🚀Just published a new blog post comparing telemetry on Linux vs. Windows! Dive into the differences in how these platforms handle telemetry for incident response operations.
🔍 It provides answers to the below questions and many more:
•Why is Windows telemetry easier to manage than Linux?
•How do Linux and Windows differ in capturing and interpreting telemetry?
•What are the challenges of aligning telemetry strategies across both platforms?
‼️Plus, exciting news about my EDR Telemetry project expanding to Linux! Check it out here: https://t.co/ZEdmnxf8y7
"By the time that you watch this I will no longer be here"
We wanted to share Rob Burrow's poignant final message with you, recorded before his death for a special BBC documentary 'There's only one Rob Burrow'.
The Rugby League legend will never, ever be forgotten ❤️
Another day, another excellent speaker for this year's Le Tour Du Hack! Please join us in welcoming Dan Walker!
They'll be giving their talk, Bugging you about bug bounty!
Another day, another excellent speaker for this year's Le Tour Du Hack! Please join us in welcoming Dan Walker!
They'll be giving their talk, Bugging you about bug bounty!