diff --git a/.gitignore b/.gitignore index 3fc2310..b27479d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ config.sh +whitelist.conf logs/ +*.log diff --git a/check-nextjs-rce-cron.log b/check-nextjs-rce-cron.log deleted file mode 100644 index ba71d1f..0000000 --- a/check-nextjs-rce-cron.log +++ /dev/null 
@@ -1,83 +0,0 @@ -=== Next.js RCE Vulnerability Scanner === -CVE-2025-66478 / CVE-2025-55182 (CVSS 10.0) - -Searching for Next.js installations... - -Found: /usr/lib/node_modules/n8n/node_modules/@paralleldrive/cuid2/package.json - Next.js version: 13.1.1 - Status: SAFE - -Checking Docker containers... -Checking container: igotify - Status: No Next.js found - -Checking container: gotify - Status: No Next.js found - -Checking container: uptime-kuma - Status: No Next.js found - -Checking container: Shlink-Web - Status: No Next.js found - -Checking container: Shlink - Status: No Next.js found - -Checking container: Shlink-DB - Status: No Next.js found - -Checking container: heimdall - Status: No Next.js found - -Checking container: mermaid - Status: No Next.js found - -Checking container: netbox-netbox-worker-1 - Status: No Next.js found - -Checking container: netbox-netbox-1 - Status: No Next.js found - -Checking container: netbox-postgres-1 - Status: No Next.js found - -Checking container: netbox-redis-1 - Status: No Next.js found - -Checking container: netbox-redis-cache-1 - Status: No Next.js found - -Checking container: task_server-tasks-1 - Status: No Next.js found - -Checking container: task_server-database-1 - Status: No Next.js found - -Checking container: flash_server-flashcards-1 - Status: No Next.js found - -Checking container: flash_server-database-1 - Status: No Next.js found - -Checking container: mosquitto - Status: No Next.js found - -Checking container: nebula-sync - Next.js version: OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown - Status: SAFE - -Checking container: zigbee2mqtt - Status: No Next.js found - -Checking container: portainer - Next.js version: OCI runtime exec failed: exec failed: unable to start container process: exec: "sh": executable file not found in $PATH: unknown - Status: SAFE - -Checking container: homarr - Status: No Next.js found - -=== Summary 
=== -Safe installations: 0 -Vulnerable installations: 0 - -✓ All Next.js installations are safe diff --git a/npm-security-check-cron.log b/npm-security-check-cron.log deleted file mode 100644 index a9e87df..0000000 --- a/npm-security-check-cron.log +++ /dev/null 
@@ -1,104 +0,0 @@ -========================================== - NPM / Node.js Security Check -========================================== -Hostname : sys-apps -Date : Sat Apr 18 08:00:01 AM UTC 2026 -Log file : npm_security_check_sys-apps_20260418_080001.log - -========================================== -1. Global npm packages -========================================== -@anthropic-ai/claude-code@2.1.113 -✓ No suspicious global packages - -========================================== -2. Malicious package names in lock files -========================================== -Scanning 1 lock file(s)... -✓ No known-malicious package names found - -========================================== -3. Running Node/Next.js processes -========================================== -root 1915 0.0 0.0 860 508 ? Ss Apr05 0:36 /sbin/tini -- node index.js -root 2398 0.0 0.2 690020 17264 ? Sl Apr05 0:03 node index.js -root 4650 0.0 0.3 1288132 25096 ? Sl Apr05 9:02 node /app/server.js -root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js -root 610539 0.5 1.8 11512020 154144 ? Ssl Apr16 10:24 node server/server.js -pdm 1369218 0.0 4.1 27772588 336188 ? Ssl Apr05 17:29 node /usr/bin/n8n -pdm 1369306 0.0 1.1 9936264 96216 ? Sl Apr05 11:18 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js -pdm 3861265 0.0 0.0 2800 1856 ? Ss 08:00 0:00 /bin/sh -c /home/pdm/security-tools/npm-security-check.sh >> /home/pdm/security-tools/npm-security-check-cron.log 2>&1 -pdm 3861266 0.0 0.0 7340 3732 ? S 08:00 0:00 bash /home/pdm/security-tools/npm-security-check.sh -pdm 3864276 0.0 0.0 7340 1912 ? 
S 08:01 0:00 bash /home/pdm/security-tools/npm-security-check.sh -✓ PID 1915 runs as root but is inside a Docker container (normal) -✓ PID 2398 runs as root but is inside a Docker container (normal) -✓ PID 4650 runs as root but is inside a Docker container (normal) -✓ PID 610442 runs as root but is inside a Docker container (normal) -✓ PID 610539 runs as root but is inside a Docker container (normal) - -========================================== -4. Node process network connections -========================================== -✓ No established TCP connections from node processes - -========================================== -5. Known C2 / malware indicators -========================================== -✓ No connections to known C2 infrastructure - -========================================== -6. Suspicious process names -========================================== -✓ No suspicious process names - -========================================== -7. Suspicious files in /tmp and /dev/shm -========================================== -✓ Temp directory scan complete - -========================================== -8. npm configuration -========================================== -prefix=~/.npm-global -✓ .npmrc uses official registry - -========================================== -9. 
Docker containers -========================================== -NAMES IMAGE STATUS -igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 34 hours -gotify gotify/server Up 34 hours (healthy) -uptime-kuma louislam/uptime-kuma:latest Up 34 hours (healthy) -Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 34 hours -Shlink shlinkio/shlink:stable Up 34 hours -Shlink-DB postgres:17 Up 34 hours -heimdall lscr.io/linuxserver/heimdall:latest Up 34 hours -mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 6 days -netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 13 days (healthy) -netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 13 days (healthy) -netbox-postgres-1 postgres:17-alpine Up 13 days (healthy) -netbox-redis-1 valkey/valkey:8.1-alpine Up 13 days (healthy) -netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 13 days (healthy) -task_server-tasks-1 task_server-tasks Up 13 days -task_server-database-1 postgres:16 Up 13 days -flash_server-flashcards-1 flash_server-flashcards Up 13 days -flash_server-database-1 postgres:16 Up 13 days -mosquitto eclipse-mosquitto:latest Up 13 days -nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 13 days (healthy) -zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 13 days -portainer portainer/portainer-ce:latest Up 13 days -homarr ghcr.io/ajnart/homarr:latest Up 13 days (healthy) -✓ All containers use named images - -========================================== -10. Bash history — suspicious patterns -========================================== -✓ No obviously suspicious history entries - -========================================== -SUMMARY -========================================== -Scan completed at: Sat Apr 18 08:01:50 AM UTC 2026 -Results saved to : npm_security_check_sys-apps_20260418_080001.log - -✓ All checks passed — no indicators of compromise diff --git a/npm_security_check_sys-apps_20260417_212655.log b/npm_security_check_sys-apps_20260417_212655.log deleted file mode 100644 index 81dda81..0000000 
--- a/npm_security_check_sys-apps_20260417_212655.log +++ /dev/null 
@@ -1,103 +0,0 @@ -========================================== - NPM / Node.js Security Check -========================================== -Hostname : sys-apps -Date : Fri Apr 17 09:26:55 PM UTC 2026 -Log file : npm_security_check_sys-apps_20260417_212655.log - -========================================== -1. Global npm packages -========================================== -@anthropic-ai/claude-code@2.1.113 -✓ No suspicious global packages - -========================================== -2. Malicious package names in lock files -========================================== -Scanning 1 lock file(s)... -✓ No known-malicious package names found - -========================================== -3. Running Node/Next.js processes -========================================== -root 1915 0.0 0.0 860 508 ? Ss Apr05 0:35 /sbin/tini -- node index.js -root 2398 0.0 0.2 690020 17320 ? Sl Apr05 0:03 node index.js -root 4650 0.0 0.3 1293252 28116 ? Sl Apr05 8:52 node /app/server.js -root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js -root 610539 0.5 1.8 11511400 152768 ? Ssl Apr16 7:36 node server/server.js -pdm 1369218 0.0 4.2 27768236 342100 ? Ssl Apr05 17:08 node /usr/bin/n8n -pdm 1369306 0.0 1.2 9936264 98068 ? Sl Apr05 11:03 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js -pdm 2793084 0.0 0.0 7340 3752 pts/0 S+ 21:26 0:00 bash npm-security-check.sh -pdm 2793842 0.0 0.0 7340 1920 pts/0 S+ 21:27 0:00 bash npm-security-check.sh -✓ PID 1915 runs as root but is inside a Docker container (normal) -✓ PID 2398 runs as root but is inside a Docker container (normal) -✓ PID 4650 runs as root but is inside a Docker container (normal) -✓ PID 610442 runs as root but is inside a Docker container (normal) -✓ PID 610539 runs as root but is inside a Docker container (normal) - -========================================== -4. 
Node process network connections -========================================== -✓ No established TCP connections from node processes - -========================================== -5. Known C2 / malware indicators -========================================== -✓ No connections to known C2 infrastructure - -========================================== -6. Suspicious process names -========================================== -✓ No suspicious process names - -========================================== -7. Suspicious files in /tmp and /dev/shm -========================================== -✓ Temp directory scan complete - -========================================== -8. npm configuration -========================================== -prefix=~/.npm-global -✓ .npmrc uses official registry - -========================================== -9. Docker containers -========================================== -NAMES IMAGE STATUS -igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 23 hours -gotify gotify/server Up 23 hours (healthy) -uptime-kuma louislam/uptime-kuma:latest Up 23 hours (healthy) -Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 23 hours -Shlink shlinkio/shlink:stable Up 23 hours -Shlink-DB postgres:17 Up 23 hours -heimdall lscr.io/linuxserver/heimdall:latest Up 23 hours -mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 5 days -netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) -netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) -netbox-postgres-1 postgres:17-alpine Up 12 days (healthy) -netbox-redis-1 valkey/valkey:8.1-alpine Up 12 days (healthy) -netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 12 days (healthy) -task_server-tasks-1 task_server-tasks Up 12 days -task_server-database-1 postgres:16 Up 12 days -flash_server-flashcards-1 flash_server-flashcards Up 12 days -flash_server-database-1 postgres:16 Up 12 days -mosquitto eclipse-mosquitto:latest Up 12 days -nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 12 
days (healthy) -zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 12 days -portainer portainer/portainer-ce:latest Up 12 days -homarr ghcr.io/ajnart/homarr:latest Up 12 days (healthy) -✓ All containers use named images - -========================================== -10. Bash history — suspicious patterns -========================================== -✓ No obviously suspicious history entries - -========================================== -SUMMARY -========================================== -Scan completed at: Fri Apr 17 09:27:19 PM UTC 2026 -Results saved to : npm_security_check_sys-apps_20260417_212655.log - -✓ All checks passed — no indicators of compromise diff --git a/npm_security_check_sys-apps_20260417_215843.log b/npm_security_check_sys-apps_20260417_215843.log deleted file mode 100644 index 8f8dd7e..0000000 --- a/npm_security_check_sys-apps_20260417_215843.log +++ /dev/null 
@@ -1,103 +0,0 @@ -========================================== - NPM / Node.js Security Check -========================================== -Hostname : sys-apps -Date : Fri Apr 17 09:58:43 PM UTC 2026 -Log file : npm_security_check_sys-apps_20260417_215843.log - -========================================== -1. Global npm packages -========================================== -@anthropic-ai/claude-code@2.1.113 -✓ No suspicious global packages - -========================================== -2. Malicious package names in lock files -========================================== -Scanning 1 lock file(s)... -✓ No known-malicious package names found - -========================================== -3. Running Node/Next.js processes -========================================== -root 1915 0.0 0.0 860 508 ? Ss Apr05 0:35 /sbin/tini -- node index.js -root 2398 0.0 0.2 690020 17320 ? Sl Apr05 0:03 node index.js -root 4650 0.0 0.3 1293252 28248 ? Sl Apr05 8:53 node /app/server.js -root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js -root 610539 0.5 1.8 11511832 151984 ? Ssl Apr16 7:45 node server/server.js -pdm 1369218 0.0 4.1 27768236 341164 ? Ssl Apr05 17:09 node /usr/bin/n8n -pdm 1369306 0.0 1.2 9936264 98028 ? 
Sl Apr05 11:04 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js -pdm 2864330 0.0 0.0 7340 3800 pts/0 S+ 21:58 0:00 bash /home/pdm/security-tools/npm-security-check.sh -pdm 2864796 0.0 0.0 7340 1904 pts/0 S+ 21:58 0:00 bash /home/pdm/security-tools/npm-security-check.sh -✓ PID 1915 runs as root but is inside a Docker container (normal) -✓ PID 2398 runs as root but is inside a Docker container (normal) -✓ PID 4650 runs as root but is inside a Docker container (normal) -✓ PID 610442 runs as root but is inside a Docker container (normal) -✓ PID 610539 runs as root but is inside a Docker container (normal) - -========================================== -4. Node process network connections -========================================== -✓ No established TCP connections from node processes - -========================================== -5. Known C2 / malware indicators -========================================== -✓ No connections to known C2 infrastructure - -========================================== -6. Suspicious process names -========================================== -✓ No suspicious process names - -========================================== -7. Suspicious files in /tmp and /dev/shm -========================================== -✓ Temp directory scan complete - -========================================== -8. npm configuration -========================================== -prefix=~/.npm-global -✓ .npmrc uses official registry - -========================================== -9. 
Docker containers -========================================== -NAMES IMAGE STATUS -igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 24 hours -gotify gotify/server Up 24 hours (healthy) -uptime-kuma louislam/uptime-kuma:latest Up 24 hours (healthy) -Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 24 hours -Shlink shlinkio/shlink:stable Up 24 hours -Shlink-DB postgres:17 Up 24 hours -heimdall lscr.io/linuxserver/heimdall:latest Up 24 hours -mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 6 days -netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) -netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) -netbox-postgres-1 postgres:17-alpine Up 12 days (healthy) -netbox-redis-1 valkey/valkey:8.1-alpine Up 12 days (healthy) -netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 12 days (healthy) -task_server-tasks-1 task_server-tasks Up 12 days -task_server-database-1 postgres:16 Up 12 days -flash_server-flashcards-1 flash_server-flashcards Up 12 days -flash_server-database-1 postgres:16 Up 12 days -mosquitto eclipse-mosquitto:latest Up 12 days -nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 12 days (healthy) -zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 12 days -portainer portainer/portainer-ce:latest Up 12 days -homarr ghcr.io/ajnart/homarr:latest Up 12 days (healthy) -✓ All containers use named images - -========================================== -10. Bash history — suspicious patterns -========================================== -✓ No obviously suspicious history entries - -========================================== -SUMMARY -========================================== -Scan completed at: Fri Apr 17 09:58:56 PM UTC 2026 -Results saved to : npm_security_check_sys-apps_20260417_215843.log - -✓ All checks passed — no indicators of compromise diff --git a/npm_security_check_sys-apps_20260417_215948.log b/npm_security_check_sys-apps_20260417_215948.log deleted file mode 100644 index 8209377..0000000 
--- a/npm_security_check_sys-apps_20260417_215948.log +++ /dev/null 
@@ -1,103 +0,0 @@ -========================================== - NPM / Node.js Security Check -========================================== -Hostname : sys-apps -Date : Fri Apr 17 09:59:48 PM UTC 2026 -Log file : npm_security_check_sys-apps_20260417_215948.log - -========================================== -1. Global npm packages -========================================== -@anthropic-ai/claude-code@2.1.113 -✓ No suspicious global packages - -========================================== -2. Malicious package names in lock files -========================================== -Scanning 1 lock file(s)... -✓ No known-malicious package names found - -========================================== -3. Running Node/Next.js processes -========================================== -root 1915 0.0 0.0 860 508 ? Ss Apr05 0:35 /sbin/tini -- node index.js -root 2398 0.0 0.2 690020 17320 ? Sl Apr05 0:03 node index.js -root 4650 0.0 0.3 1293252 28376 ? Sl Apr05 8:53 node /app/server.js -root 610442 0.0 0.0 2144 1160 ? Ss Apr16 0:00 /usr/bin/dumb-init -- extra/entrypoint.sh node server/server.js -root 610539 0.5 1.8 11513044 153472 ? Ssl Apr16 7:45 node server/server.js -pdm 1369218 0.0 4.1 27768236 341164 ? Ssl Apr05 17:09 node /usr/bin/n8n -pdm 1369306 0.0 1.2 9936264 98028 ? 
Sl Apr05 11:04 node --disallow-code-generation-from-strings --disable-proto=delete /usr/lib/node_modules/n8n/node_modules/@n8n/task-runner/dist/start.js -pdm 2886551 0.0 0.0 7340 3760 pts/1 S+ 21:59 0:00 bash /home/pdm/security-tools/npm-security-check.sh -pdm 2886715 0.0 0.0 7340 1808 pts/1 S+ 21:59 0:00 bash /home/pdm/security-tools/npm-security-check.sh -✓ PID 1915 runs as root but is inside a Docker container (normal) -✓ PID 2398 runs as root but is inside a Docker container (normal) -✓ PID 4650 runs as root but is inside a Docker container (normal) -✓ PID 610442 runs as root but is inside a Docker container (normal) -✓ PID 610539 runs as root but is inside a Docker container (normal) - -========================================== -4. Node process network connections -========================================== -✓ No established TCP connections from node processes - -========================================== -5. Known C2 / malware indicators -========================================== -✓ No connections to known C2 infrastructure - -========================================== -6. Suspicious process names -========================================== -✓ No suspicious process names - -========================================== -7. Suspicious files in /tmp and /dev/shm -========================================== -✓ Temp directory scan complete - -========================================== -8. npm configuration -========================================== -prefix=~/.npm-global -✓ .npmrc uses official registry - -========================================== -9. 
Docker containers -========================================== -NAMES IMAGE STATUS -igotify ghcr.io/androidseb25/igotify-notification-assist:latest Up 24 hours -gotify gotify/server Up 24 hours (healthy) -uptime-kuma louislam/uptime-kuma:latest Up 24 hours (healthy) -Shlink-Web shlinkio/shlink-web-client:3.10.1 Up 24 hours -Shlink shlinkio/shlink:stable Up 24 hours -Shlink-DB postgres:17 Up 24 hours -heimdall lscr.io/linuxserver/heimdall:latest Up 24 hours -mermaid ghcr.io/mermaid-js/mermaid-live-editor Up 6 days -netbox-netbox-worker-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) -netbox-netbox-1 netboxcommunity/netbox:v4.4-3.4.1 Up 12 days (healthy) -netbox-postgres-1 postgres:17-alpine Up 12 days (healthy) -netbox-redis-1 valkey/valkey:8.1-alpine Up 12 days (healthy) -netbox-redis-cache-1 valkey/valkey:8.1-alpine Up 12 days (healthy) -task_server-tasks-1 task_server-tasks Up 12 days -task_server-database-1 postgres:16 Up 12 days -flash_server-flashcards-1 flash_server-flashcards Up 12 days -flash_server-database-1 postgres:16 Up 12 days -mosquitto eclipse-mosquitto:latest Up 12 days -nebula-sync ghcr.io/lovelaze/nebula-sync:latest Up 12 days (healthy) -zigbee2mqtt ghcr.io/koenkk/zigbee2mqtt Up 12 days -portainer portainer/portainer-ce:latest Up 12 days -homarr ghcr.io/ajnart/homarr:latest Up 12 days (healthy) -✓ All containers use named images - -========================================== -10. Bash history — suspicious patterns -========================================== -✓ No obviously suspicious history entries - -========================================== -SUMMARY -========================================== -Scan completed at: Fri Apr 17 09:59:50 PM UTC 2026 -Results saved to : npm_security_check_sys-apps_20260417_215948.log - -✓ All checks passed — no indicators of compromise
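Review bot: In the `.gitignore` hunk, `*.log` only stops future scan output from being tracked; the five logs deleted in this same commit stay readable in history, including the hostname `sys-apps`, the `/home/pdm/security-tools/` path and the full container inventory. If this repository is shared, consider purging those paths from history as well. Since `whitelist.conf` is now ignored, a committed sample file would keep its expected format documented.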
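Review bot: In `check-nextjs-rce-cron.log`, the `nebula-sync` and `portainer` entries show a failed `docker exec` (`exec: "sh": executable file not found in $PATH`) being printed as the Next.js version and then reported as `Status: SAFE`. A probe that cannot run should be reported as unknown, not safe. The same log has a `Found:` line pointing at `@paralleldrive/cuid2/package.json`, which is not a `next` package, and a summary of `Safe installations: 0` after three SAFE results, so the path match and the counters need fixing before this output is relied on.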
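Review bot: In `npm-security-check-cron.log`, the process list in section 3 shows the cron entry appending to `/home/pdm/security-tools/npm-security-check-cron.log`, which is inside the work tree and is how this file came to be committed. Pointing the redirect at the already ignored `logs/` directory would remove the dependence on the new `*.log` pattern. The same section also lists the scanner's own shells (PIDs 3861265, 3861266, 3864276), which the process filter should exclude.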
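Review bot: In `npm_security_check_sys-apps_20260417_212655.log`, section 9 prints `All containers use named images` for a list in which most images are on `:latest` or `:stable`, or carry no tag at all (`gotify/server`, `ghcr.io/koenkk/zigbee2mqtt`). A named image on a mutable tag says little about what is actually running. Consider having the check flag images that are not pinned to a version tag or digest.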
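Review bot: In `npm_security_check_sys-apps_20260417_215843.log`, section 4 reports `No established TCP connections from node processes`, while section 3 marks PIDs 1915, 2398, 4650, 610442 and 610539 as running inside Docker containers. If the check reads the host's socket table (an assumption, the script is not part of this diff), it cannot see connections held in those containers' network namespaces, so the pass only covers the two host `pdm` processes. The output should state which PIDs were actually inspected.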
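Review bot: In `npm_security_check_sys-apps_20260417_215948.log`, section 7 prints `Temp directory scan complete` with a pass mark, which reports that the scan of `/tmp` and `/dev/shm` finished, not what it found. The other sections state a result (`No suspicious process names`, `No connections to known C2 infrastructure`). Section 7 should do the same, for example by printing the number of files examined and flagged, so that the final `All checks passed` line is backed by an explicit result for every check.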