Emergency security tools for Linux servers. Detect and remove crypto miners, backdoors, and malware. Built in response to CVE-2025-55182 (React Server Components RCE) attacks.
```bash
# One-liner scan (no install needed)
curl -sSL https://raw.githubusercontent.com/maxtors-debug/server-security-toolkit/main/scan.sh | sudo bash

# Or clone and use all tools
git clone https://github.com/maxtors-debug/server-security-toolkit.git
cd server-security-toolkit
sudo ./scan.sh     # Scan for malware
sudo ./cleanup.sh  # Remove malware
sudo ./harden.sh   # Harden server security
sudo ./monitor.sh  # Real-time monitoring
sudo ./audit.sh    # Full security audit
```

| Script | Purpose |
|---|---|
| `scan.sh` | Detect crypto miners, backdoors, rootkits |
| `cleanup.sh` | Remove known malware families |
| `harden.sh` | Secure SSH, firewall, fail2ban setup |
| `monitor.sh` | 24/7 real-time monitoring |
| `audit.sh` | Generate full security report |

- ⛏️ Crypto miners (XMRig, c3pool, cryptonight, kinsing)
- 🚪 Backdoors (reverse shells, unauthorized SSH)
- 🔑 Credential scanners (TruffleHog, GitLeaks)
- ⚙️ Malicious systemd services
- 🌐 Exposed database ports (Prisma Studio, MongoDB, Redis)
- 📅 Unauthorized cron jobs
- 👻 Hidden processes
| Field | Value |
|---|---|
| CVE | CVE-2025-55182 |
| CVSS Score | 10.0 (CRITICAL) |
| Attack Type | Unauthenticated Remote Code Execution |
| Attacker Location | Tokyo, Japan 🇯🇵 |
Attackers exploit this vulnerability by sending a malicious HTTP request to any vulnerable React Server Components app - no password or authentication needed. Typical attack pattern:
- 💀 XMRig crypto miner installed (CPU spikes to 100%)
- 🚪 Backdoor processes for persistent access
- 📡 Reverse shell connecting to attacker's C2 server
- 🔑 Credential scanners looking for API keys & secrets
Versions 19.0, 19.1.0, 19.1.1, 19.2.0 of:
`react-server-dom-webpack`, `react-server-dom-parcel`, `react-server-dom-turbopack`

- Next.js
- React Router
- Waku
- @parcel/rsc
- @vitejs/plugin-rsc
- rwsdk (Redwood SDK)

```bash
npm install react@latest react-dom@latest react-server-dom-webpack@latest
```

Fixed versions: 19.0.1, 19.1.2, 19.2.1
Note: If your app doesn't use React Server Components, you're NOT affected.
📖 Full details: React Security Advisory
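
To check whether a server still carries one of the affected versions listed above, the following added example (not one of the toolkit's scripts) walks a project directory and reports every installed copy of the three `react-server-dom-*` packages. The function names are hypothetical, the README's "19.0" is assumed to mean 19.0.0, and each `package.json` is assumed to be pretty-printed as npm publishes it.

```bash
#!/bin/sh
# Added example (not part of the toolkit): report installed copies of the three
# react-server-dom-* packages and flag versions the README lists as affected.
# Assumption: the README's "19.0" is read as 19.0.0.
AFFECTED_VERSIONS="19.0.0 19.1.0 19.1.1 19.2.0"
RSC_PACKAGES="react-server-dom-webpack react-server-dom-parcel react-server-dom-turbopack"

# Print the first "version" field of a package.json (no jq/node needed).
# Assumes one field per line; a minified manifest yields an empty result.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_rsc_versions DIR
# Prints "<STATUS> <package> <version> <manifest path>" for every installed copy,
# including nested ones (node_modules/x/node_modules/<pkg>).
# Returns 1 if any copy is at an affected version, 0 otherwise.
# The body runs in a subshell so its variables stay local.
check_rsc_versions() (
  found=0
  for pkg in $RSC_PACKAGES; do
    manifests=$(find "$1" -type f -path "*/node_modules/$pkg/package.json" 2>/dev/null)
    while IFS= read -r manifest; do
      [ -n "$manifest" ] || continue
      ver=$(pkg_version "$manifest")
      status=OK
      case " $AFFECTED_VERSIONS " in
        *" $ver "*) status=VULNERABLE; found=1 ;;
      esac
      printf '%s %s %s %s\n' "$status" "$pkg" "${ver:-unknown}" "$manifest"
    done <<EOF
$manifests
EOF
  done
  exit "$found"
)

# Stand-alone use: sh check-rsc.sh /path/to/app
if [ "$#" -gt 0 ]; then
  check_rsc_versions "$1"
fi
```

A non-zero exit status means at least one copy needs upgrading to a fixed version; an `unknown` version should be inspected by hand.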
| Date | Event |
|---|---|
| Nov 29, 2025 | Vulnerability reported by Lachlan Davidson |
| Nov 30, 2025 | Meta security confirmed the issue |
| Dec 1, 2025 | Fix created, hosting providers notified |
| Dec 3, 2025 | Fix published to npm, CVE disclosed |
| Dec 5-6, 2025 | Active exploitation in the wild |
| Dec 7, 2025 | This toolkit released to help victims |
- Keep dependencies updated - This attack used a 2-day-old vulnerability
- Monitor CPU usage - Crypto miners are noisy
- Use fail2ban - Block brute force attempts
- Firewall everything - Only expose necessary ports
- Rotate credentials - Assume they're compromised after an attack
- Backup regularly - You'll thank yourself later
Found a new malware pattern? Open a PR! Let's help each other stay safe.
MIT - Free to use, modify, share. Stay safe! 🔒
If this helped you, consider:
- ⭐ Starring this repo
- 🔄 Sharing with other devs
- 🐛 Reporting new malware patterns
Built to help the community fight back against CVE-2025-55182 attacks 💪