diff --git a/check-nextjs-rce-cron.log b/check-nextjs-rce-cron.log new file mode 100644 index 0000000..ba71d1f --- /dev/null +++ b/check-nextjs-rce-cron.log @@ -0,0 +1,83 @@ +=== Next.js RCE Vulnerability Scanner === +CVE-2025-66478 / CVE-2025-55182 (CVSS 10.0) + +Searching for Next.js installations... + +Found: /usr/lib/node_modules/n8n/node_modules/@paralleldrive/cuid2/package.json + Next.js version: 13.1.1 + Status: SAFE + +Checking Docker containers... +Checking container: igotify + Status: No Next.js found + +Checking container: gotify + Status: No Next.js found + +Checking container: uptime-kuma + Status: No Next.js found + +Checking container: Shlink-Web + Status: No Next.js found + +Checking container: Shlink + Status: No Next.js found + +Checking container: Shlink-DB + Status: No Next.js found + +Checking container: heimdall + Status: No Next.js found + +Checking container: mermaid + Status: No Next.js found + +Checking container: netbox-netbox-worker-1 + Status: No Next.js found + +Checking container: netbox-netbox-1 + Status: No Next.js found + +Checking container: netbox-postgres-1 + Status: No Next.js found + +Checking container: netbox-redis-1 + Status: No Next.js found + +Checking container: netbox-redis-cache-1 + Status: No Next.js found + +Checking container: task_server-tasks-1 + Status: No Next.js found + +Checking container: task_server-database-1 + Status: No Next.js found + +Checking container: flash_server-flashcards-1 + Status: No Next.js found + +Checking container: flash_server-database-1 + Status: No Next.js found + +Checking container: mosquitto + Status: No Next.js found + +Checking container: nebula-sync + Next.js version: OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown + Status: SAFE + +Checking container: zigbee2mqtt + Status: No Next.js found + +Checking container: portainer + Next.js version: OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown + Status: SAFE + +Checking container: homarr + Status: No Next.js found + +=== Summary === +Safe installations: 0 +Vulnerable installations: 0 + +✓ All Next.js installations are safe diff --git a/npm-security-check-cron.log b/npm-security-check-cron.log new file mode 100644 index 0000000..a9e87df --- /dev/null +++ b/npm-security-check-cron.log @@ -0,0 +1,104 @@ +========================================== + NPM / Node.js Security Check +========================================== +Hostname : sys-apps +Date : Sat Apr 18 08:00:01 AM UTC 2026 +Log file : npm_security_check_sys-apps_20260418_080001.log + +========================================== +1. Global npm packages +========================================== +@anthropic-ai/claude-code@2.1.113 +✓ No suspicious global packages + +========================================== +2. Malicious package names in lock files +========================================== +Scanning 1 lock file(s)... +✓ No known-malicious package names found + +========================================== +3. Running Node/Next.js processes +========================================== +root 1915 0.0 0.0 860 508 ? Ss Apr05 0:36 /sbin/tini -- node index.js +root 2398 0.0 0.2 690020 17264 ? Sl Apr05 0:03 node index.js +root 4650 0.0 0.3 1288132 25096 ? Sl Apr05 9:02 node /app/server.js +root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js +root 610539 0.5 1.8 11512020 154144 ? Ssl Apr16 10:24 node server/server.js +pdm 1369218 0.0 4.1 27772588 336188 ? Ssl Apr05 17:29 node /usr/bin/n8n +pdm 1369306 0.0 1.1 9936264 96216 ? Sl Apr05 11:18 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js +pdm 3861265 0.0 0.0 2800 1856 ? Ss 08:00 0:00 /bin/sh -c /home/pdm/security-tools/npm-security-check.sh >> /home/pdm/security-tools/npm-security-check-cron.log 2>&1 +pdm 3861266 0.0 0.0 7340 3732 ? S 08:00 0:00 bash /home/pdm/security-tools/npm-security-check.sh +pdm 3864276 0.0 0.0 7340 1912 ? S 08:01 0:00 bash /home/pdm/security-tools/npm-security-check.sh +✓ PID 1915 runs as root but is inside a Docker container (normal) +✓ PID 2398 runs as root but is inside a Docker container (normal) +✓ PID 4650 runs as root but is inside a Docker container (normal) +✓ PID 610442 runs as root but is inside a Docker container (normal) +✓ PID 610539 runs as root but is inside a Docker container (normal) + +========================================== +4. Node process network connections +========================================== +✓ No established TCP connections from node processes + +========================================== +5. Known C2 / malware indicators +========================================== +✓ No connections to known C2 infrastructure + +========================================== +6. Suspicious process names +========================================== +✓ No suspicious process names + +========================================== +7. Suspicious files in /tmp and /dev/shm +========================================== +✓ Temp directory scan complete + +========================================== +8. npm configuration +========================================== +prefix=~/.npm-global +✓ .npmrc uses official registry + +========================================== +9. Docker containers +========================================== +NAMES IMAGE STATUS +igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 34 hours +gotify gotify/server Up 34 hours (healthy) +uptime-kuma louislam/uptime-kuma:latest Up 34 hours (healthy) +Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 34 hours +Shlink shlinkio/shlink:stable Up 34 hours +Shlink-DB postgres:17 Up 34 hours +heimdall lscr.io/linuxserver/heimdall:latest Up 34 hours +mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 6 days +netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 13 days (healthy) +netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 13 days (healthy) +netbox-postgres-1 postgres:17-alpine Up 13 days (healthy) +netbox-redis-1 valkey/valkey:8.1-alpine Up 13 days (healthy) +netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 13 days (healthy) +task_server-tasks-1 task_server-tasks Up 13 days +task_server-database-1 postgres:16 Up 13 days +flash_server-flashcards-1 flash_server-flashcards Up 13 days +flash_server-database-1 postgres:16 Up 13 days +mosquitto eclipse-mosquitto:latest Up 13 days +nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 13 days (healthy) +zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 13 days +portainer portainer/portainer-ce:latest Up 13 days +homarr ghcr.io/ajnart/homarr:latest Up 13 days (healthy) +✓ All containers use named images + +========================================== +10. Bash history — suspicious patterns +========================================== +✓ No obviously suspicious history entries + +========================================== +SUMMARY +========================================== +Scan completed at: Sat Apr 18 08:01:50 AM UTC 2026 +Results saved to : npm_security_check_sys-apps_20260418_080001.log + +✓ All checks passed — no indicators of compromise diff --git a/npm_security_check_sys-apps_20260417_212655.log b/npm_security_check_sys-apps_20260417_212655.log new file mode 100644 index 0000000..81dda81 --- /dev/null +++ b/npm_security_check_sys-apps_20260417_212655.log @@ -0,0 +1,103 @@ +========================================== + NPM / Node.js Security Check +========================================== +Hostname : sys-apps +Date : Fri Apr 17 09:26:55 PM UTC 2026 +Log file : npm_security_check_sys-apps_20260417_212655.log + +========================================== +1. Global npm packages +========================================== +@anthropic-ai/claude-code@2.1.113 +✓ No suspicious global packages + +========================================== +2. Malicious package names in lock files +========================================== +Scanning 1 lock file(s)... +✓ No known-malicious package names found + +========================================== +3. Running Node/Next.js processes +========================================== +root 1915 0.0 0.0 860 508 ? Ss Apr05 0:35 /sbin/tini -- node index.js +root 2398 0.0 0.2 690020 17320 ? Sl Apr05 0:03 node index.js +root 4650 0.0 0.3 1293252 28116 ? Sl Apr05 8:52 node /app/server.js +root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js +root 610539 0.5 1.8 11511400 152768 ? Ssl Apr16 7:36 node server/server.js +pdm 1369218 0.0 4.2 27768236 342100 ? Ssl Apr05 17:08 node /usr/bin/n8n +pdm 1369306 0.0 1.2 9936264 98068 ? Sl Apr05 11:03 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js +pdm 2793084 0.0 0.0 7340 3752 pts/0 S+ 21:26 0:00 bash npm-security-check.sh +pdm 2793842 0.0 0.0 7340 1920 pts/0 S+ 21:27 0:00 bash npm-security-check.sh +✓ PID 1915 runs as root but is inside a Docker container (normal) +✓ PID 2398 runs as root but is inside a Docker container (normal) +✓ PID 4650 runs as root but is inside a Docker container (normal) +✓ PID 610442 runs as root but is inside a Docker container (normal) +✓ PID 610539 runs as root but is inside a Docker container (normal) + +========================================== +4. Node process network connections +========================================== +✓ No established TCP connections from node processes + +========================================== +5. Known C2 / malware indicators +========================================== +✓ No connections to known C2 infrastructure + +========================================== +6. Suspicious process names +========================================== +✓ No suspicious process names + +========================================== +7. Suspicious files in /tmp and /dev/shm +========================================== +✓ Temp directory scan complete + +========================================== +8. npm configuration +========================================== +prefix=~/.npm-global +✓ .npmrc uses official registry + +========================================== +9. Docker containers +========================================== +NAMES IMAGE STATUS +igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 23 hours +gotify gotify/server Up 23 hours (healthy) +uptime-kuma louislam/uptime-kuma:latest Up 23 hours (healthy) +Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 23 hours +Shlink shlinkio/shlink:stable Up 23 hours +Shlink-DB postgres:17 Up 23 hours +heimdall lscr.io/linuxserver/heimdall:latest Up 23 hours +mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 5 days +netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) +netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) +netbox-postgres-1 postgres:17-alpine Up 12 days (healthy) +netbox-redis-1 valkey/valkey:8.1-alpine Up 12 days (healthy) +netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 12 days (healthy) +task_server-tasks-1 task_server-tasks Up 12 days +task_server-database-1 postgres:16 Up 12 days +flash_server-flashcards-1 flash_server-flashcards Up 12 days +flash_server-database-1 postgres:16 Up 12 days +mosquitto eclipse-mosquitto:latest Up 12 days +nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 12 days (healthy) +zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 12 days +portainer portainer/portainer-ce:latest Up 12 days +homarr ghcr.io/ajnart/homarr:latest Up 12 days (healthy) +✓ All containers use named images + +========================================== +10. Bash history — suspicious patterns +========================================== +✓ No obviously suspicious history entries + +========================================== +SUMMARY +========================================== +Scan completed at: Fri Apr 17 09:27:19 PM UTC 2026 +Results saved to : npm_security_check_sys-apps_20260417_212655.log + +✓ All checks passed — no indicators of compromise diff --git a/npm_security_check_sys-apps_20260417_215843.log b/npm_security_check_sys-apps_20260417_215843.log new file mode 100644 index 0000000..8f8dd7e --- /dev/null +++ b/npm_security_check_sys-apps_20260417_215843.log @@ -0,0 +1,103 @@ +========================================== + NPM / Node.js Security Check +========================================== +Hostname : sys-apps +Date : Fri Apr 17 09:58:43 PM UTC 2026 +Log file : npm_security_check_sys-apps_20260417_215843.log + +========================================== +1. Global npm packages +========================================== +@anthropic-ai/claude-code@2.1.113 +✓ No suspicious global packages + +========================================== +2. Malicious package names in lock files +========================================== +Scanning 1 lock file(s)... +✓ No known-malicious package names found + +========================================== +3. Running Node/Next.js processes +========================================== +root 1915 0.0 0.0 860 508 ? Ss Apr05 0:35 /sbin/tini -- node index.js +root 2398 0.0 0.2 690020 17320 ? Sl Apr05 0:03 node index.js +root 4650 0.0 0.3 1293252 28248 ? Sl Apr05 8:53 node /app/server.js +root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js +root 610539 0.5 1.8 11511832 151984 ? Ssl Apr16 7:45 node server/server.js +pdm 1369218 0.0 4.1 27768236 341164 ? Ssl Apr05 17:09 node /usr/bin/n8n +pdm 1369306 0.0 1.2 9936264 98028 ? Sl Apr05 11:04 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js +pdm 2864330 0.0 0.0 7340 3800 pts/0 S+ 21:58 0:00 bash /home/pdm/security-tools/npm-security-check.sh +pdm 2864796 0.0 0.0 7340 1904 pts/0 S+ 21:58 0:00 bash /home/pdm/security-tools/npm-security-check.sh +✓ PID 1915 runs as root but is inside a Docker container (normal) +✓ PID 2398 runs as root but is inside a Docker container (normal) +✓ PID 4650 runs as root but is inside a Docker container (normal) +✓ PID 610442 runs as root but is inside a Docker container (normal) +✓ PID 610539 runs as root but is inside a Docker container (normal) + +========================================== +4. Node process network connections +========================================== +✓ No established TCP connections from node processes + +========================================== +5. Known C2 / malware indicators +========================================== +✓ No connections to known C2 infrastructure + +========================================== +6. Suspicious process names +========================================== +✓ No suspicious process names + +========================================== +7. Suspicious files in /tmp and /dev/shm +========================================== +✓ Temp directory scan complete + +========================================== +8. npm configuration +========================================== +prefix=~/.npm-global +✓ .npmrc uses official registry + +========================================== +9. Docker containers +========================================== +NAMES IMAGE STATUS +igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 24 hours +gotify gotify/server Up 24 hours (healthy) +uptime-kuma louislam/uptime-kuma:latest Up 24 hours (healthy) +Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 24 hours +Shlink shlinkio/shlink:stable Up 24 hours +Shlink-DB postgres:17 Up 24 hours +heimdall lscr.io/linuxserver/heimdall:latest Up 24 hours +mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 6 days +netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) +netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) +netbox-postgres-1 postgres:17-alpine Up 12 days (healthy) +netbox-redis-1 valkey/valkey:8.1-alpine Up 12 days (healthy) +netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 12 days (healthy) +task_server-tasks-1 task_server-tasks Up 12 days +task_server-database-1 postgres:16 Up 12 days +flash_server-flashcards-1 flash_server-flashcards Up 12 days +flash_server-database-1 postgres:16 Up 12 days +mosquitto eclipse-mosquitto:latest Up 12 days +nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 12 days (healthy) +zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 12 days +portainer portainer/portainer-ce:latest Up 12 days +homarr ghcr.io/ajnart/homarr:latest Up 12 days (healthy) +✓ All containers use named images + +========================================== +10. Bash history — suspicious patterns +========================================== +✓ No obviously suspicious history entries + +========================================== +SUMMARY +========================================== +Scan completed at: Fri Apr 17 09:58:56 PM UTC 2026 +Results saved to : npm_security_check_sys-apps_20260417_215843.log + +✓ All checks passed — no indicators of compromise diff --git a/npm_security_check_sys-apps_20260417_215948.log b/npm_security_check_sys-apps_20260417_215948.log new file mode 100644 index 0000000..8209377 --- /dev/null +++ b/npm_security_check_sys-apps_20260417_215948.log @@ -0,0 +1,103 @@ +========================================== + NPM / Node.js Security Check +========================================== +Hostname : sys-apps +Date : Fri Apr 17 09:59:48 PM UTC 2026 +Log file : npm_security_check_sys-apps_20260417_215948.log + +========================================== +1. Global npm packages +========================================== +@anthropic-ai/claude-code@2.1.113 +✓ No suspicious global packages + +========================================== +2. Malicious package names in lock files +========================================== +Scanning 1 lock file(s)... +✓ No known-malicious package names found + +========================================== +3. Running Node/Next.js processes +========================================== +root 1915 0.0 0.0 860 508 ? Ss Apr05 0:35 /sbin/tini -- node index.js +root 2398 0.0 0.2 690020 17320 ? Sl Apr05 0:03 node index.js +root 4650 0.0 0.3 1293252 28376 ? Sl Apr05 8:53 node /app/server.js +root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js +root 610539 0.5 1.8 11513044 153472 ? Ssl Apr16 7:45 node server/server.js +pdm 1369218 0.0 4.1 27768236 341164 ? Ssl Apr05 17:09 node /usr/bin/n8n +pdm 1369306 0.0 1.2 9936264 98028 ? Sl Apr05 11:04 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js +pdm 2886551 0.0 0.0 7340 3760 pts/1 S+ 21:59 0:00 bash /home/pdm/security-tools/npm-security-check.sh +pdm 2886715 0.0 0.0 7340 1808 pts/1 S+ 21:59 0:00 bash /home/pdm/security-tools/npm-security-check.sh +✓ PID 1915 runs as root but is inside a Docker container (normal) +✓ PID 2398 runs as root but is inside a Docker container (normal) +✓ PID 4650 runs as root but is inside a Docker container (normal) +✓ PID 610442 runs as root but is inside a Docker container (normal) +✓ PID 610539 runs as root but is inside a Docker container (normal) + +========================================== +4. Node process network connections +========================================== +✓ No established TCP connections from node processes + +========================================== +5. Known C2 / malware indicators +========================================== +✓ No connections to known C2 infrastructure + +========================================== +6. Suspicious process names +========================================== +✓ No suspicious process names + +========================================== +7. Suspicious files in /tmp and /dev/shm +========================================== +✓ Temp directory scan complete + +========================================== +8. npm configuration +========================================== +prefix=~/.npm-global +✓ .npmrc uses official registry + +========================================== +9. Docker containers +========================================== +NAMES IMAGE STATUS +igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 24 hours +gotify gotify/server Up 24 hours (healthy) +uptime-kuma louislam/uptime-kuma:latest Up 24 hours (healthy) +Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 24 hours +Shlink shlinkio/shlink:stable Up 24 hours +Shlink-DB postgres:17 Up 24 hours +heimdall lscr.io/linuxserver/heimdall:latest Up 24 hours +mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 6 days +netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) +netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) +netbox-postgres-1 postgres:17-alpine Up 12 days (healthy) +netbox-redis-1 valkey/valkey:8.1-alpine Up 12 days (healthy) +netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 12 days (healthy) +task_server-tasks-1 task_server-tasks Up 12 days +task_server-database-1 postgres:16 Up 12 days +flash_server-flashcards-1 flash_server-flashcards Up 12 days +flash_server-database-1 postgres:16 Up 12 days +mosquitto eclipse-mosquitto:latest Up 12 days +nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 12 days (healthy) +zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 12 days +portainer portainer/portainer-ce:latest Up 12 days +homarr ghcr.io/ajnart/homarr:latest Up 12 days (healthy) +✓ All containers use named images + +========================================== +10. Bash history — suspicious patterns +========================================== +✓ No obviously suspicious history entries + +========================================== +SUMMARY +========================================== +Scan completed at: Fri Apr 17 09:59:50 PM UTC 2026 +Results saved to : npm_security_check_sys-apps_20260417_215948.log + +✓ All checks passed — no indicators of compromise