I got hacked: My Hetzner server started mining Monero

Summary

My Server Started Mining Monero This Morning Or: How I learned that “I don’t use Next.js” doesn’t mean your dependencies don’t use Next.js 8:25 AM: The Email I woke up to this beauty from Hetzner: Dear Mr Jake Saunders, We have indications that there was an attack from your server. Please take all necessary measures to avoid this in the future and to solve the issue. We also request that you send a short response to us. This response should contain information about how this could have happened and what you intend to do about it. In the event that the following steps are not completed successfully, your server can be blocked at any time after the 2025-12-17 12:46:15 +0100. Attached was evidence of network scanning from my server to some IP range in Thailand. Great. Nothing says “good morning” like an abuse report and the threat of getting your infrastructure shut down in 4 hours. Background: I run a Hetzner server with Coolify. It runs all my stuff, like my little corner of the internet: 8:30 AM: Oh Fuck First thing I did was SSH in and check the load average: 1 2 $ w 08:25:17 up 55 days, 17:23, 5 users, load average: 15.35, 15.44, 15.60 For context, my load average is normally around 0.5-1.0. Fifteen is “something is very wrong.” I ran ps aux to see what was eating my CPU: 1 2 3 4 5 6 USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 1001 714822 819 3.6 2464788 2423424 ? Sl Dec16 9385:36 /tmp/.XIN-unix/javae 1001 35035 760 0.0 0 0 ? Z Dec14 31638:25 [javae] <defunct> 1001 3687838 586 0.0 0 0 ? Z Dec07 82103:58 [runnv] <defunct> 1001 4011270 125 0.0 0 0 ? Z Dec11 10151:54 [xmrig] <defunct> 1001 35652 62.3 0.0 0 0 ? Z Dec12 4405:17 [xmrig] <defunct> 819% CPU usage. On a process called javae running from /tmp/.XIN-unix/. And multiple xmrig processes - that’s literally cryptocurrency mining software (Monero, specifically). I’d been mining cryptocurrency for someone since December 7th. For ten days. Brilliant. The Investigation My first thought was “I’m completely ...