How We Recovered from a Server Compromise: RondoDox Botnet & CVE-2025-55182


  December 8, 2025

 

  Our production server was compromised by the RondoDox botnet malware. Here's what happened, how we discovered it, and the step-by-step process we used to clean and secure the server. We're sharing this so others can learn from our experience.

 

  ---

  The Initial Symptom

 

  Our website went down. PM2 showed 829+ restarts with the error:

 

  EADDRINUSE: address already in use :::3000

 

  Something was blocking our application port.

 

  ---

  Investigation: Finding the Root Cause

 

  Step 1: Identify What's Using the Port

 

  lsof -i :3000

  netstat -tlnp | grep 3000

 

  We found an orphaned next-server process (not managed by PM2) holding the port. After killing it, the site came back up—but this led us to investigate further.

 

  Step 2: Check for Suspicious Processes

 

  ps aux --sort=-%cpu | head -20

  ps aux | grep -E "python|perl|base64|/dev/tcp"

 

  We discovered a process named iOzMvcov using 192% CPU—a crypto miner.

 

  Step 3: Find Malware Persistence

 

  # Check systemd services

  systemctl list-units --type=service --state=running

 

  # Check for suspicious services

  ls -la /etc/systemd/system/*.service

 

  # Check cron

  crontab -l

  cat /etc/crontab

  ls -la /etc/cron.d/

 

  We found multiple malicious systemd services:

  - lived.service - Miner launcher with process hiding

  - networkerd.service - Another miner persistence

  - nginxd.service - Fake nginx (actually malware)

  - system-updater-service.service - More miner persistence

 

  ---

  The Attack Vector: CVE-2025-55182 (React2Shell)

 

  After researching, we discovered our server was compromised via CVE-2025-55182, a critical CVSS 10.0 Remote Code Execution vulnerability in React Server Components.

 

  Timeline:

  - December 3, 2025: CVE publicly disclosed

  - December 4, 2025: Working exploit published

  - December 5, 2025: Our server compromised (within 24-48 hours)

 

  Our vulnerable versions:

  - React 19.1.0

  - Next.js 15.4.6

 

  The attackers exploited an exposed development tool on port 3001 that was publicly accessible without firewall protection.

 

  ---

  What the Malware Did

 

  RondoDox Botnet

 

  - Created persistent backdoors via systemd, cron, and init.d

  - Downloaded and executed remote payloads

  - Deleted security tools (curl, wget, iptables)

  - Left .pwned marker files

 

  XMRig Crypto Miner

 

  - Mined Monero cryptocurrency using our CPU

  - Connected to mining pools at multiple IPs

  - Used process hiding techniques (bind mounts over /proc)

  - Had multiple persistence mechanisms
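The "bind mounts over /proc" trick above is what makes `ps` and `top` miss a running miner: `ps` enumerates `/proc/<pid>` directories, and mounting an empty directory on top of one makes the process vanish from every tool that reads `/proc`. The mount itself cannot be hidden the same way, so listing mounts whose mount point is `/proc/<number>` reveals exactly which PIDs are being concealed. The script below is an added example, not code from the original post; it assumes the standard Linux `/proc/self/mountinfo` layout (field 5 is the mount point) and runs as root for the unhide step.

```shell
#!/bin/sh
# Detect processes hidden by bind mounts over /proc/<pid>.
# Added example, not code from the original post. Assumes the Linux
# /proc/self/mountinfo layout, where field 5 is the mount point.

# Print the PIDs whose /proc/<pid> directory has a mount on top of it.
# $1: a mountinfo file to read (defaults to the live /proc/self/mountinfo),
# which lets the function run over a saved or constructed copy as well.
hidden_pids_from_mountinfo() {
    awk '$5 ~ /^\/proc\/[0-9]+$/ { sub(/^\/proc\//, "", $5); print $5 }' \
        "${1:-/proc/self/mountinfo}" | sort -un
}

# Independent cross-check: numeric /proc entries that ps cannot read.
# A process that exits between the glob and the ps call also shows up here,
# so rerun before treating a PID as hidden.
pids_unknown_to_ps() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        ps -p "$pid" -o pid= >/dev/null 2>&1 || echo "$pid"
    done
}

# Remove the bind mount hiding a PID and print its command line (run as root).
unhide_pid() {
    umount "/proc/$1" && tr '\0' ' ' < "/proc/$1/cmdline" && echo
}

# Usage (as root):
#   for pid in $(hidden_pids_from_mountinfo); do unhide_pid "$pid"; done
```

Run the mountinfo check before killing anything: a hidden PID found this way is usually the real miner parent, and the visible process from Step 2 is often just a child that the persistence service respawns.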

 

  Credential Harvesting (Likely)

 

  Based on similar attacks using CVE-2025-55182, the malware likely harvested .env files containing API keys and secrets.

 

  ---

  Step-by-Step Cleanup Process

 

  1. Kill Malicious Processes

 

  # Find and kill miner processes

  ps aux | grep -E "iOzMvcov|miner|xmrig|runnv"

  kill -9 <PID>

 

  # Kill all processes from malware directories

  pkill -9 -f runnv

  pkill -9 -f iOzMvcov

 

  2. Remove Malicious Services

 

  # Stop and disable malware services

  systemctl stop lived.service networkerd.service nginxd.service system-updater-service.service

  systemctl disable lived.service networkerd.service nginxd.service system-updater-service.service

 

  # Remove service files

  rm -f /etc/systemd/system/lived.service

  rm -f /etc/systemd/system/networkerd.service

  rm -f /etc/systemd/system/nginxd.service

  rm -f /etc/systemd/system/system-updater-service.service

 

  # Reload systemd

  systemctl daemon-reload

 

  3. Remove Malware Files

 

  # Remove malware binaries and directories

  rm -rf /etc/rondo/

  rm -f /etc/init.d/rondo

  rm -f /etc/cron.d/rondo

  rm -rf /tmp/runnv/

  rm -f /tmp/iOzMvcov

  rm -f /tmp/config.json

  rm -f /usr/bin/nginxd

  rm -f /usr/bin/softirq

  rm -rf /usr/bin/lib/

  rm -f /dev/health.sh

  rm -f /dev/stink.sh

  rm -f /dev/x86

  rm -f /dev/shm/config.json

  rm -f /dev/shm/a

 

  # Remove infection markers

  rm -f /var/www/*/.*pwned*

  rm -f /var/www/*/s.sh

  rm -f /tmp/s.sh

 

  4. Clean Cron Jobs

 

  # Edit crontab and remove malicious entries

  crontab -e  # Remove any rondo or suspicious entries

 

  # Check and clean system crontab

  nano /etc/crontab  # Remove @reboot lines for rondo

 

  # Check rc.local

  cat /etc/rc.local  # Should only contain "exit 0"

 

  5. Restore Deleted System Tools

 

  The malware deleted security tools to prevent removal:

 

  apt update

  apt install --reinstall curl wget iptables

 

  6. Block Malicious IPs

 

  # Block C2 and mining pool IPs

  iptables -A INPUT -s 193.24.123.68 -j DROP

  iptables -A INPUT -s 37.114.37.82 -j DROP

  iptables -A INPUT -s 37.114.37.94 -j DROP

  iptables -A INPUT -s 205.185.126.196 -j DROP

  iptables -A INPUT -s 86.48.26.26 -j DROP

  iptables -A INPUT -s 194.87.178.21 -j DROP

 

  # Block outbound to mining pools

  iptables -A OUTPUT -d 37.114.37.82 -j DROP

  iptables -A OUTPUT -d 37.114.37.94 -j DROP

  iptables -A OUTPUT -d 205.185.126.196 -j DROP

  iptables -A OUTPUT -d 86.48.26.26 -j DROP

  iptables -A OUTPUT -d 194.87.178.21 -j DROP

 

  # Save rules

  apt install iptables-persistent -y

  netfilter-persistent save

 

  ---

  Securing the Server

 

  1. Set Up VPN-Only SSH Access

 

  We installed Tailscale for secure SSH access:

 

  # Install Tailscale

  curl -fsSL https://tailscale.com/install.sh | sh

  tailscale up

 

  # Get Tailscale IP

  tailscale ip -4

 

  2. Lock Down the Firewall

 

  # Flush existing rules

  iptables -F INPUT

 

  # Allow essential traffic

  iptables -A INPUT -i lo -j ACCEPT

  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  iptables -A INPUT -i tailscale0 -j ACCEPT  # All traffic via VPN

  iptables -A INPUT -p tcp --dport 80 -j ACCEPT   # HTTP

  iptables -A INPUT -p tcp --dport 443 -j ACCEPT  # HTTPS

 

  # Set default policy to DROP

  iptables -P INPUT DROP

 

  # Save

  netfilter-persistent save

 

  Now SSH only works via Tailscale VPN—not from the public internet.
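One detail worth catching in the sequence above: the `iptables -F INPUT` in this step flushes the INPUT chain, which discards the `-s <IP> -j DROP` rules added in cleanup step 6 (only the OUTPUT blocks survive). Appending rules one `iptables -A` at a time also means a half-applied ruleset if the session drops midway. The script below, an added example that is not code from the original post, builds the address blocks and the default-deny policy as one `iptables-restore` table so they are installed or rejected together, and refuses to apply when the `tailscale0` interface is absent, since SSH is only allowed through it. It assumes `iptables-restore` (iptables package), `netfilter-persistent` (iptables-persistent) and the interface name from the Tailscale install above; the `BLOCKED_IPS` list reuses the addresses the post identifies.

```shell
#!/bin/sh
# Post-incident firewall as one atomic ruleset (iptables-restore format).
# Added example, not code from the original post. Assumes iptables-restore
# from the iptables package, netfilter-persistent from iptables-persistent,
# and the tailscale0 interface created by the Tailscale install above.
# BLOCKED_IPS are the C2 and mining-pool addresses the post lists.

BLOCKED_IPS="193.24.123.68 37.114.37.82 37.114.37.94 205.185.126.196 86.48.26.26 194.87.178.21"
VPN_IF="${VPN_IF:-tailscale0}"

# Print a complete filter table. Loading it with iptables-restore replaces
# the table in one step, so the address blocks and the default-deny policy
# are always installed together and cannot be flushed apart later.
build_firewall_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for ip in $BLOCKED_IPS; do
        printf '%s\n' "-A INPUT -s $ip -j DROP" "-A OUTPUT -d $ip -j DROP"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -i $VPN_IF -j ACCEPT" \
        '-A INPUT -p tcp --dport 80 -j ACCEPT' \
        '-A INPUT -p tcp --dport 443 -j ACCEPT' \
        'COMMIT'
}

# Apply the ruleset, refusing when it would lock the operator out: the VPN
# interface must be up (SSH is only allowed through it) and the ruleset must
# parse, which iptables-restore --test checks without touching the kernel.
apply_firewall_rules() {
    if ! ip link show "$VPN_IF" >/dev/null 2>&1; then
        echo "refusing: interface $VPN_IF not found, SSH would be cut off" >&2
        return 1
    fi
    build_firewall_rules | iptables-restore --test || return 1
    build_firewall_rules | iptables-restore && netfilter-persistent save
}

# Usage, as root from a session that already comes in over Tailscale:
#   apply_firewall_rules
```

Run `build_firewall_rules` on its own first to review the generated table; the DROP lines sit above the ACCEPT lines deliberately, because iptables evaluates a chain top to bottom and the VPN and web allows must not shadow a blocked address.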

 

  3. Update Vulnerable Packages

 

  cd /var/www/YourApp

  npm install next@latest react@latest react-dom@latest

  npm run build

  pm2 restart your-app

 

  Ensure you're running a patched release:
  - React 19.0.1, 19.1.2, or 19.2.1 (or later), whichever matches your minor version
  - Next.js at or above the patched version for your release line

 

  4. Rotate All Credentials

 

  Assume all secrets on the server were compromised. Rotate:

 

  - Database passwords

  - API keys (Supabase, Stripe, AWS, etc.)

  - Service account keys

  - JWT secrets

  - SMTP passwords

  - Any tokens in .env files

 

  For Supabase, we switched to the new publishable/secret key format which allows instant rotation.

 

  ---

  Verification Checklist

 

  Run these commands to verify your server is clean:

 

  # No malware processes (the trailing grep -v drops the grep command itself, whose arguments match the pattern)
  ps aux | grep -E "miner|xmrig|rondo|iOz|fghgf|runnv|nginxd" | grep -v grep

  # No suspicious services (match whole unit names, otherwise the nginx filter also hides nginxd.service)
  systemctl list-units --type=service --no-legend --plain | awk '{print $1}' | grep -vxE "(systemd-.*|ssh|docker|nginx|cron|tailscaled)\.service"

 

  # No malware in temp directories

  find /tmp /var/tmp /dev/shm /dev -type f -executable 2>/dev/null

 

  # No suspicious cron jobs

  crontab -l

  cat /etc/crontab

  ls -la /etc/cron.d/

 

  # No unauthorized network connections

  lsof -i -P -n | grep ESTABLISHED

 

  # Normal CPU usage (no crypto mining)

  top -bn1 | head -10

 

  # Firewall rules are correct

  iptables -L -n

 

  ---

  Indicators of Compromise (IOCs)

 

  File Paths

 

  - /etc/rondo/rondo

  - /etc/init.d/rondo

  - /etc/cron.d/rondo

  - /tmp/runnv/

  - /tmp/iOzMvcov

  - /usr/bin/nginxd

  - /usr/bin/softirq

  - /dev/health.sh

  - /dev/stink.sh

  - *.pwned files in web directories

 

  Systemd Services

 

  - lived.service

  - networkerd.service

  - nginxd.service

  - system-updater-service.service

 

  IP Addresses

 

  - 193.24.123.68 (C2 server)

  - 37.114.37.82 (Mining pool)

  - 37.114.37.94 (Mining pool)

  - 205.185.126.196 (Mining pool)

  - 86.48.26.26 (Mining pool)

  - 194.87.178.21 (Mining pool)

 

  Domains

 

  - ax29g9q123.anondns.net

 

  Email

 

  - rondo2012@atomicmail.io

 

  ---

  Lessons Learned

 

  1. Never expose development tools publicly. Our dev server on port 3001 was accessible without a firewall. Use VPNs or SSH tunnels for internal services.
  2. Patch immediately. CVE-2025-55182 was exploited within 24-48 hours of disclosure. Subscribe to security advisories for your dependencies.
  3. Use strict firewall rules. Default-deny policies with explicit allows would have blocked the initial exploitation.
  4. Monitor for anomalies. High CPU usage, unexpected processes, and network connections to unknown IPs are red flags.
  5. Rotate credentials after any breach. Assume everything on the server was compromised.
  6. VPN for SSH. Tailscale or similar makes SSH access much more secure than exposing port 22 publicly.

 

  ---

  Resources

 

  - https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182

  - https://github.com/orgs/supabase/discussions/29260

  - https://tailscale.com/

  - https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat

 

  ---

  Stay safe out there. Keep your servers patched and your ports closed.
