About unsecured instances of Node-RED having a crypto-mining flow automatically deployed

#1

Hi! There is the sticky warning at the top of the forum, but on the link you gave they asked to open a topic here.

I have some questions about that, which I report here. I'm running it on a Raspberry Pi 3.

Is monitoring the CPU load enough to understand whether we have this problem?

Can we simply monitor CPU, or better a daily graph of CPU usage, to be sure we haven't been hacked?
Can you please explain how to wipe the service (as you suggested) and reinstall it safely without reinstalling Raspbian and reconfiguring everything? (In my case that is not a small amount of time.)
Could modules on GitHub (or installed via the palette) possibly be infected? Or can the hack only come from the internet?
How do I change the TCP port number it listens on?

Sorry for the many questions, thanks for the help!

0 Likes

#2

It creates flows, if I remember correctly, so you can actually see that it's been infected; it's not like an internal thing or anything.

1 Like

#3

Can we simply monitor CPU, or better a daily graph of CPU usage, to be sure we haven't been hacked?
No, monitoring CPU use is NEVER enough to ensure you haven't been hacked.

Can you please explain how to wipe the service (as you suggested) and reinstall it safely without reinstalling Raspbian and reconfiguring everything? (In my case that is not a small amount of time.)
The sticky warning note referred to a series of breaches caused by people connecting an insecure instance of Node-RED to the internet. The breach was caused by unknown people using that copy of Node-RED and installing their own flows.
If you exposed Node-RED to the internet without protection then someone else could have used it to install / modify your system and then remove the flow that does it. Just wiping Node-RED might clear this instance, but you cannot be certain that other software hasn't been installed. The safest solution is to reinstall everything including the operating system.

Could modules on GitHub (or installed via the palette) possibly be infected? Or can the hack only come from the internet?
The threat that the sticky note refers to came from allowing access to Node-RED from the internet, not from modules on GitHub.

How do I change the TCP port number it listens on?
Read the docs about the settings.js file.

2 Likes

#4

There are currently no known infected modules.

Of course, if your system is critical - especially in a commercial setting - review and validation of all components is recommended.

1 Like

#5

thank you, really useful :slight_smile:

0 Likes