🛡️ Incident Response: Next.js RCE & Cryptojacking

Scenario: your server's CPU is pinned at 100%. Looking through the project directory you find files such as xmrig, kdevtmpfsi, or stray .php scripts that are not part of your project.

Phase 1: The Anatomy of the Attack

The attacker did not "hack your password"; they used a software flaw to make the server download and run their tools.

| Stage | Action | Purpose |
| --- | --- | --- |
| 1. Entry | Exploit Vulnerability | Uses a remote code execution flaw in Next.js (the RSC bug is the example here) to make the server run a curl or wget command. |
| 2. Payload | Download Miner | The server downloads xmrig (a Monero crypto miner) and its config.json. |
| 3. Persistence | Install Backdoor | A script adds a cron job or drops a PHP web shell so the miner is re-fetched and restarted if it is killed or deleted. |
| 4. Execution | Start Mining | The server mines Monero for the attacker, starving your legitimate web traffic of CPU. |


Phase 2: Identification & Containment

Before you delete anything, stop the "heartbeat" of the attack. If the host is a VM or has volume snapshots, take a snapshot first: once you kill the process and clear files, the evidence of how the attacker got in is gone.

1. Stop the CPU Drain

Identify the malicious process ID (PID) with top or htop. Miners are often renamed (kdevtmpfsi is a common alias), so search for the mining-pool flags and scratch directories as well as the binary name, and note that `ps aux | grep xmrig` also lists the grep itself.

Bash

# Find the process (pgrep searches the full command line and does not list itself)
pgrep -af 'xmrig|kdevtmpfsi|stratum'

# Freeze it first so it stops running but its /proc entry stays for inspection
sudo kill -STOP <PID_HERE>
sudo ls -l /proc/<PID_HERE>/exe /proc/<PID_HERE>/cwd

# Kill the process
sudo kill -9 <PID_HERE>

2. Clear the "Persistence" (The Re-infection Loop)

Attackers hide re-download scripts in the system's schedulers. If you do not clear these, the miner is back within minutes. `crontab -l` shows only the current user's table, so check root's crontab, the system-wide cron directories and systemd timers as well.

Bash

# Check for suspicious tasks in every scheduler, not just your own crontab
crontab -l
sudo crontab -l
sudo cat /etc/crontab /etc/cron.d/*
sudo systemctl list-timers --all

# If you see a line downloading a script from an unknown URL, edit and delete it:
crontab -e
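The two containment steps above as one script, added here as an example and not code from the original guide. It runs the same checks as the commands above, but over every process and every scheduler location at once, and it also catches a running binary whose file has been deleted from disk. The indicator patterns, the list of persistence files and the script name are my choices, not an exhaustive list; every hit is a lead to inspect by hand.

```bash
#!/bin/sh
# Containment triage for a host showing the symptoms above. Added example, not
# part of the original guide. The indicator patterns are common cryptojacking
# tells, not a complete list: treat every hit as a lead to inspect, not a verdict.
# Usage: sh miner_triage.sh --run   (run as root to see every process and crontab)

# Process indicators: well-known miner binary names (kinsing is the loader that
# drops kdevtmpfsi), mining-pool command-line flags, or a binary executing out
# of a world-writable directory.
MINER_PATTERN='xmrig|kdevtmpfsi|kinsing|minerd|--donate-level|stratum\+(tcp|ssl)|-o pool\.|randomx'
TMP_EXEC_PATTERN='(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/'

# suspicious_process_line "<pid user cpu args>" -> exit 0 if it looks like a miner
suspicious_process_line() {
    printf '%s\n' "$1" | grep -qiE "$MINER_PATTERN|$TMP_EXEC_PATTERN"
}

# Persistence indicators: a scheduled entry that fetches from the network, pipes
# into a shell, decodes base64, or executes from a scratch directory.
PERSIST_PATTERN='curl|wget|https?://|base64 (-d|--decode)|[|][[:space:]]*(sh|bash)([[:space:]]|$)|/dev/shm/|/tmp/|/var/tmp/'

# suspicious_persistence_line "<line>" -> exit 0 if the line should be reviewed
suspicious_persistence_line() {
    case "$1" in
        ''|'#'*) return 1 ;;          # blank lines and comments are never flagged
    esac
    printf '%s\n' "$1" | grep -qiE "$PERSIST_PATTERN"
}

# scan_stream LABEL: read lines on stdin, print the flagged ones with LABEL
scan_stream() {
    while IFS= read -r line || [ -n "$line" ]; do
        if suspicious_persistence_line "$line"; then
            printf 'PERSISTENCE %s: %s\n' "$1" "$line"
        fi
    done
}

# scan_file FILE: same, for a file that may not exist or may be unreadable
scan_file() { [ -r "$1" ] && scan_stream "$1" < "$1"; return 0; }

triage_host() {
    echo '== processes =='
    # pid, owner, cpu, full command line, no header; filtering the ps output
    # avoids the self-match that "ps aux | grep xmrig" produces
    ps -eo pid=,user=,pcpu=,args= | while IFS= read -r line; do
        suspicious_process_line "$line" && printf 'PROCESS %s\n' "$line"
    done
    # a running binary whose file was unlinked after start is a classic miner trick
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)') printf 'DELETED-EXE %s -> %s\n' "${exe%/exe}" "$target" ;;
        esac
    done

    echo '== persistence =='
    crontab -l 2>/dev/null | scan_stream 'crontab -l'      # current user's table only
    for f in /etc/crontab /etc/cron.d/* /etc/cron.hourly/* /var/spool/cron/* \
             /var/spool/cron/crontabs/* /etc/rc.local /etc/profile.d/* \
             /etc/systemd/system/*.service "$HOME/.bashrc" "$HOME/.profile"; do
        scan_file "$f"
    done
    # any library listed here is loaded into every dynamically linked process;
    # miners use it to hide their own process from ps and top
    [ -s /etc/ld.so.preload ] && printf 'PERSISTENCE /etc/ld.so.preload: %s\n' "$(cat /etc/ld.so.preload)"
    return 0
}

if [ "${1:-}" = --run ]; then
    triage_host
fi
```

Run it with `--run` as root and read every PROCESS, DELETED-EXE and PERSISTENCE line before deleting anything; freeze flagged PIDs with `kill -STOP` first, then remove the persistence entries, then kill. Expect a few false positives from legitimate cron jobs that use curl or /tmp, which is why the script reports rather than deletes.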

Phase 3: Remediation (The "Clean Room" Approach)

Deleting files by hand is risky because you can miss a hidden backdoor, and an attacker with RCE may have modified legitimate files as well. Best practice is a fresh deployment: rebuild the host or container image from a known-good commit and deploy onto it, then use the steps below to decide what else must change.

  1. Update package.json:

    Ensure your Next.js version is at or above the patched release for its release line. The versions below are the ones this guide tracks; the exact fixed releases depend on which advisory you are responding to, so confirm them against the current Next.js security advisories rather than a remembered list.

    • Vulnerable: < 14.2.10, < 13.5.7

    • Safe: 15.x.x, 14.2.11+

  2. Verify Integrity:

    Compare the working directory against your Git repository. Plain `git status` hides ignored paths such as node_modules/ and .next/, which is where dropped binaries usually sit, so include them. Modified tracked files matter as much as untracked ones, since an attacker with RCE can edit a config file or route handler in place.

    Bash

    git status --ignored
    git diff
    # Any file listed as "Untracked" or "Ignored" that you did not put there (like xmrig, csfs.php) should be deleted,
    # and any tracked file showing as modified should be restored from Git.
    
  3. Rotation: Since the attacker had RCE, assume they read your .env file and the process environment. You must change:

    • Database credentials (and the connection strings that embed them).

    • API keys (Stripe, AWS, OpenAI).

    • JWT secret keys (this also invalidates every session signed with the old key, which is what you want after a compromise).
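The three remediation steps above as one check script, added here as an example and not code from the original guide. The version thresholds are the ones this page lists (substitute the fixed releases from the advisory you are actually responding to), the `--run` entry point assumes you are in the project root of the git checkout, and the script name is mine.

```bash
#!/bin/sh
# Added example for the remediation steps above; not code from the original
# guide. Thresholds below are the page's; replace them with the advisory's.
# Usage: sh remediation_check.sh --run   (from the project root, inside the git checkout)

# package_version FILE -> prints the "version" field of a package.json
package_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# version_at_least INSTALLED MINIMUM -> exit 0 if INSTALLED >= MINIMUM.
# Compares numeric major.minor.patch; a prerelease suffix (-canary.3) is ignored.
version_at_least() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# next_is_patched PACKAGE_JSON -> exit 0 if the installed Next.js is at or above
# the patched release for its release line (thresholds as listed on this page).
next_is_patched() {
    v=$(package_version "$1")
    case "${v%%.*}" in
        13) version_at_least "$v" 13.5.7 ;;
        14) version_at_least "$v" 14.2.10 ;;
        1[5-9]|[2-9][0-9]) return 0 ;;       # 15.x listed as safe here; confirm against the advisory
        *) return 1 ;;                       # unknown or older line: treat as unpatched
    esac
}

# env_key_names DOTENV -> the variable names in a .env file, never the values.
# This is the rotation worklist: everything the process could read, the attacker could read.
env_key_names() {
    sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\2/p' "$1"
}

# foreign_files -> paths git does not track, INCLUDING ignored ones. Plain
# `git status` hides ignored directories such as .next/ and node_modules/,
# which is exactly where a dropped binary goes unnoticed.
foreign_files() {
    git status --porcelain --ignored --untracked-files=all | sed -n 's/^[?!][?!] //p'
}

if [ "${1:-}" = --run ]; then
    pkg=node_modules/next/package.json
    if [ ! -f "$pkg" ]; then echo "no $pkg: run npm install first"; exit 1; fi
    if next_is_patched "$pkg"; then echo "next $(package_version "$pkg"): at or above patched release"
    else echo "next $(package_version "$pkg"): UPDATE REQUIRED"; fi
    echo '== files not in git (review, then delete or rebuild from a clean image) =='
    foreign_files
    echo '== secrets to rotate (names only) =='
    [ -f .env ] && env_key_names .env
    exit 0
fi
```

The version check reads the installed package under node_modules rather than the range in package.json, because a caret range in package.json says nothing about what was actually resolved in the lockfile. The secrets list prints names only so it can be pasted into a ticket without leaking the values.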


Phase 4: Prevention Checklist

  • [ ] Automatic Updates: Use Dependabot or an equivalent to alert you to high-severity CVEs in your dependencies immediately, and treat a Next.js security advisory as a same-day upgrade.

  • [ ] WAF (Web Application Firewall): Cloudflare or Vercel's built-in firewall can block known exploit patterns and buys you time, but it is not a substitute for patching.

  • [ ] Least Privilege: Never run your Next.js app as root. Run it as a dedicated unprivileged user so an attacker cannot install system-level services or write persistence into root-owned locations.

  • [ ] Read-Only Filesystem: If using Docker, run the container with a read-only root filesystem, giving only /tmp and the Next.js cache directory a writable, noexec tmpfs, so a dropped binary can be neither written nor executed.
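The last two checklist items as a concrete container launch plus a post-deploy audit, added here as an example rather than code from the page. The image name, container name, uid and the /app working directory are assumptions; the docker run flags and the inspect template fields are standard Docker.

```bash
#!/bin/sh
# Added example for the Least Privilege / Read-Only Filesystem items; not code
# from the original guide. IMAGE, NAME, the uid and /app are assumptions.
# Usage: sh nextjs_container.sh --check   (after starting the container with run_hardened)

IMAGE=${IMAGE:-example/nextjs-app:latest}   # assumed image name
NAME=${NAME:-web}                            # assumed container name

# Reference launch: immutable root fs, unprivileged uid, no capabilities, no
# privilege escalation, and resource caps so a miner cannot monopolise the host.
# Next.js still needs two writable paths, /tmp and its .next/cache directory
# (image optimiser and fetch cache), so those are tmpfs mounted noexec.
run_hardened() {
    docker run -d --name "$NAME" -p 3000:3000 \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --tmpfs /app/.next/cache:rw,noexec,nosuid,size=256m \
        --user 1001:1001 \
        --cap-drop ALL \
        --security-opt no-new-privileges:true \
        --pids-limit 256 --cpus 1.0 --memory 1g \
        "$IMAGE"
}

# One line with the settings that matter, straight from docker inspect:
# "<readonly-rootfs> <user-or-dash> <privileged> <capdrop-joined-or-dash>"
INSPECT_FMT='{{.HostConfig.ReadonlyRootfs}} {{if .Config.User}}{{.Config.User}}{{else}}-{{end}} {{.HostConfig.Privileged}} {{if .HostConfig.CapDrop}}{{join .HostConfig.CapDrop ","}}{{else}}-{{end}}'

inspect_line() { docker inspect --format "$INSPECT_FMT" "$1"; }

# assess_hardening "<inspect line>" -> prints one finding per weak setting;
# exit 0 when the container matches the checklist, 1 otherwise.
assess_hardening() {
    set -- $1                       # split the line into its four fields
    ro=$1 user=$2 priv=$3 capdrop=$4
    rc=0
    [ "$ro" = true ] || { echo "WEAK: root filesystem is writable (add --read-only)"; rc=1; }
    case "$user" in
        -|0|0:*|root|root:*) echo "WEAK: runs as root (add --user <uid>:<gid>)"; rc=1 ;;
    esac
    [ "$priv" = false ] || { echo "WEAK: --privileged is set"; rc=1; }
    case ",$capdrop," in
        *,ALL,*) ;;
        *) echo "WEAK: capabilities not dropped (add --cap-drop ALL)"; rc=1 ;;
    esac
    return $rc
}

if [ "${1:-}" = --check ]; then
    assess_hardening "$(inspect_line "$NAME")"
fi
```

A write to the root filesystem of a container started this way fails with a read-only error, so the download stage in Phase 1 has nowhere to land except the noexec tmpfs, where the binary cannot be executed. The audit exists because hardening tends to regress silently when a compose file or deployment script is edited; run `--check` in CI or after each deploy.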


Summary Table: Malicious Files to Watch For

| File Name | Threat Level | Type |
| --- | --- | --- |
| xmrig / kdevtmpfsi | Critical | Crypto miner (steals CPU) |
| config.json (unfamiliar) | High | Miner configuration (pool address, wallet, thread count) |
| *.php / shell.py | Critical | Backdoor / remote access (web shell) |
| .hidden_folder | Medium | Dot-directory often used to hide the miner binary |
