How Network Monitoring Saved My Server from a Cryptominer: A Real Case with CVE-2025-66478

In IT infrastructure management, there's a golden rule: "You can't manage what you don't measure." Usually, we limit ourselves to checking website availability (UP/DOWN), but the devil is in the details. Metrics such as Jitter, Packet Loss, UDP latency, and channel bandwidth are not just quality of service indicators—they're excellent indicators of your server's health (and security).

Today I want to share a story about how simple network latency monitoring helped detect a server breach and illegal cryptomining.

The Incident: "Strange Pattern" on the Dashboard

To test the reliability of the communication channel to our service, I installed our Jitter and Packet Loss Monitoring example (a Node.js script that tracks connection quality) on one of our test VPS instances.

One fine morning, after opening the monitoring widget, I saw an anomalous pattern: huge delays and strange spikes in packet loss.

Here's what it looked like in real time (the live widget is not reproduced here):

And here's a detailed breakdown of the graph that opened my eyes to what was happening:

What Do These Numbers Tell Us?

  1. Zone #1 (start of the infection): a sharp spike in packet loss, up to 100%. Most likely the malicious script was downloading the miner payload at this moment. Either the channel was saturated by the download, or the script deliberately throttled other network activity to hide its communication with the command and control server (C&C). Either way, the probes sent to the receiving end of the jitter monitoring example stopped getting replies, and the connection was reported as interrupted.

  2. Zone #2 (active phase): huge delays (latency/ping) and high jitter. Why? The monitoring measures latency on the client side as the round-trip time from sending a probe packet until its reply comes back. The miner consumed all CPU resources, so the server could no longer process and answer the probe packets in time, which shows up as queuing delay and lag even though the network link itself was fine.

  3. Zone #3 (finale): the graph cuts off. This is the moment when, realizing the server had been breached, I forcibly shut down the VPS.

Investigation

After seeing the graph, I tried to SSH into the server. The console was sluggish, with long delays on even simple commands. I eventually managed to launch top, and it showed the cause:

  • nodejs: 50% CPU
  • xmrig: 50% CPU

A quick search confirmed my fears: xmrig is a popular open-source Monero miner, and nobody had installed it on this machine on purpose. The server had been compromised.
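A first triage step at this point is to look at what is burning CPU and where it runs from, before the box is powered off and that evidence is gone. The following is an added example, not the post's own script: it parses the output of `ps -eo pid,pcpu,comm,args --sort=-pcpu` and flags processes by three rules (a known miner name, an executable living in a temp directory, and an unexpected CPU hog). The sample output, the list of expected processes and the temp-directory prefixes are constructed assumptions for this example; only the name xmrig comes from the incident.

```javascript
// Added example (not the post's own script): a first-pass triage of `ps` output.
// Feed it the text of `ps -eo pid,pcpu,comm,args --sort=-pcpu` and it returns
// the processes worth looking at first, with the reasons for each.

// Names known to be miners. Only xmrig, the binary seen in this incident, is listed.
const KNOWN_MINER_NAMES = new Set(['xmrig']);

// Directories from which a legitimate service on this host should never run
// (assumption for this example; adjust to the host).
const TEMP_DIR_PREFIXES = ['/tmp/', '/var/tmp/', '/dev/shm/'];

// Parse the four-column ps output into objects. The header line does not start
// with a number, so it is skipped; so are blank lines.
function parsePsOutput(text) {
  const procs = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^\s*(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)\s+(.*)$/);
    if (!m) continue;
    procs.push({ pid: Number(m[1]), pcpu: Number(m[2]), comm: m[3], args: m[4].trim() });
  }
  return procs;
}

// Flag a process when any rule fires; every rule that fires is recorded.
function flagSuspiciousProcesses(procs, opts = {}) {
  const cpuThresholdPct = opts.cpuThresholdPct ?? 40;
  // Processes this host is expected to run hot (assumption: a Node.js web app).
  const expected = opts.expected ?? new Set(['node', 'nodejs']);
  const flagged = [];
  for (const p of procs) {
    const reasons = [];
    if (KNOWN_MINER_NAMES.has(p.comm)) reasons.push('known miner name');
    const exe = p.args.split(/\s+/)[0];
    if (TEMP_DIR_PREFIXES.some(d => exe.startsWith(d))) reasons.push('executable in a temp directory');
    if (p.pcpu >= cpuThresholdPct && !expected.has(p.comm)) reasons.push('unexpected CPU hog');
    if (reasons.length > 0) flagged.push({ ...p, reasons });
  }
  return flagged;
}

// Constructed sample output, modelled on what top showed in the post.
const SAMPLE_PS = `  PID %CPU COMMAND COMMAND
 2231 50.2 xmrig   /tmp/.x/xmrig --config=/tmp/.x/config.json
 1187 49.1 node    node /srv/app/server.js
  812  0.3 sshd    sshd: /usr/sbin/sshd -D
 1402  0.1 nginx   nginx: master process /usr/sbin/nginx`;

for (const p of flagSuspiciousProcesses(parsePsOutput(SAMPLE_PS))) {
  console.log(`pid ${p.pid} ${p.comm} (${p.pcpu}% CPU): ${p.reasons.join(', ')}`);
}
```

On a live host, pipe the real `ps` output into `parsePsOutput` and pass your own expected-process set; the node process at 49% is not flagged here only because a Node.js app is expected on this machine, which is exactly why the list has to be per host.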

How Did This Happen?

It didn't take long to remember that an old, forgotten Next.js project was still running on this machine. I had completely forgotten about it and never updated it, missing the critical recommendation in the Next.js security advisory for CVE-2025-66478.

Attackers exploited this vulnerability for remote code execution (RCE) and installed the miner. I'm not the only victim, by the way: here's an example from @SebastianB929 on x.com, although that author was luckier than me.

Why Are Notifications Important?

The main lesson of this story is not that you need to keep software updated (that's obvious), but that monitoring without notifications is just pretty graphs.

If I had configured triggers for abnormally high ping latency or CPU load, I would have received a notification by Telegram or email immediately, at moment #1 on the graph. That would have let me cut off the attackers' use of the server within minutes instead of hours.
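What such a trigger looks like in code, as an added example rather than the Viziot monitoring script: a window of UDP probe results is reduced to packet loss, mean and maximum round-trip time and jitter, the figures are checked against thresholds alongside the CPU load average, and any alerts are packed into a Telegram Bot API sendMessage request. The jitter estimator (mean absolute difference between consecutive RTTs), the threshold values, the per-core load rule and the three sample windows modelled on the zones of the graph are all assumptions for this example.

```javascript
// Added example (not the Viziot monitoring script): turn a window of UDP probe
// results into packet-loss / latency / jitter figures and evaluate alert rules.
// Each sample is { seq, rttMs } where rttMs is the client-side round-trip time
// in ms, or null when no reply arrived before the timeout (a lost probe).

function computeWindowStats(samples) {
  const sent = samples.length;
  const rtts = samples.filter(s => s.rttMs !== null).map(s => s.rttMs);
  const lost = sent - rtts.length;
  const lossPct = sent === 0 ? 0 : (lost * 100) / sent;
  if (rtts.length === 0) {
    // Zone #1 on the graph: nothing came back, so there is no RTT to report.
    return { sent, received: 0, lossPct, meanRttMs: null, maxRttMs: null, jitterMs: null };
  }
  const meanRttMs = rtts.reduce((a, b) => a + b, 0) / rtts.length;
  const maxRttMs = Math.max(...rtts);
  // Jitter here is the mean absolute difference between consecutive received
  // RTTs (the simple estimator; RFC 3550's smoothed variant is an alternative).
  let jitterMs = 0;
  for (let i = 1; i < rtts.length; i++) jitterMs += Math.abs(rtts[i] - rtts[i - 1]);
  if (rtts.length > 1) jitterMs /= rtts.length - 1;
  return { sent, received: rtts.length, lossPct, meanRttMs, maxRttMs, jitterMs };
}

// Thresholds are assumptions for a VPS with a ~20 ms baseline RTT; tune per host.
const DEFAULT_THRESHOLDS = { lossPct: 20, meanRttMs: 200, jitterMs: 50, loadPerCore: 0.9 };

// cpu is { load1, cores }: on a real host, os.loadavg()[0] and os.cpus().length.
function evaluateAlerts(stats, cpu, thresholds = DEFAULT_THRESHOLDS) {
  const alerts = [];
  if (stats.lossPct >= thresholds.lossPct) alerts.push(`packet loss ${stats.lossPct.toFixed(1)}%`);
  if (stats.meanRttMs !== null && stats.meanRttMs >= thresholds.meanRttMs)
    alerts.push(`mean RTT ${stats.meanRttMs.toFixed(0)} ms`);
  if (stats.jitterMs !== null && stats.jitterMs >= thresholds.jitterMs)
    alerts.push(`jitter ${stats.jitterMs.toFixed(0)} ms`);
  if (cpu && cpu.cores > 0 && cpu.load1 / cpu.cores >= thresholds.loadPerCore)
    alerts.push(`load ${cpu.load1.toFixed(2)} on ${cpu.cores} core(s)`);
  return alerts;
}

// Telegram Bot API sendMessage request for the alert list; POST the body as JSON
// with fetch() (Node 18+) when alerts is non-empty. Token and chat id are the
// values from your own bot setup.
function buildTelegramRequest(botToken, chatId, host, alerts) {
  return {
    url: `https://api.telegram.org/bot${botToken}/sendMessage`,
    body: JSON.stringify({ chat_id: chatId, text: `[${host}] ${alerts.join('; ')}` }),
  };
}

// Constructed probe windows modelled on the three zones of the graph in the post.
const baselineWindow = Array.from({ length: 10 }, (_, i) => ({ seq: i, rttMs: 20 + (i % 3) }));
const zone1Window = Array.from({ length: 10 }, (_, i) => ({ seq: i, rttMs: null }));
const zone2Window = [450, 900, 300, 1200, null, 700, 1500, 400, null, 1100]
  .map((r, i) => ({ seq: i, rttMs: r }));

for (const [name, win, cpu] of [
  ['baseline', baselineWindow, { load1: 0.3, cores: 2 }],
  ['zone #1', zone1Window, { load1: 0.4, cores: 2 }],
  ['zone #2', zone2Window, { load1: 1.98, cores: 2 }],
]) {
  const stats = computeWindowStats(win);
  const alerts = evaluateAlerts(stats, cpu);
  console.log(name, stats, alerts.length ? `ALERT: ${alerts.join('; ')}` : 'ok');
}
```

The point of the per-core load rule is the one the story makes: in zone #2 the network was not the problem, the CPU was, and a latency-only trigger would still have fired because the probe replies were being starved. Checking both gives the notification a cause, not just a symptom.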

Summary: What Should You Monitor?

Don't wait for an incident. Set up monitoring for your devices now. Here are three basic examples that will help you keep a finger on the pulse:

  1. Basic hardware status: use PC and Server Status Monitoring (CPU, RAM, disk). If the processor is running at 100% without you having asked it to, that's an alarm signal.

  2. Network quality: configure Jitter and Packet Loss Monitoring. As my example showed, network anomalies are often a symptom of performance or security problems.

  3. Bandwidth: use Network Monitoring with iperf3 to tell whether someone is consuming your channel, for example with outbound DDoS traffic or data exfiltration.

And most importantly, always configure notifications in Viziot. This will save you nerves, money, and reputation.