About unsecured instances of Node-RED having a crypto-mining flow automatically deployed

GiovanniG · 17 January 2019 09:50

HI! There is the sticky waring in top on forum, but on the link you give they asked to open a topic here..

I have some questions about that, I report them here, I'm running it on a Raspberry3

Is monitor the CPU load enough to understand if we have this problem?

Can we simply monitor CPU, better daily graph of CPU usage, to be sure we haven't benn hacked?
Can you please explain how to wipe service (as you suggested) and reinstall it safely without reinstall Raspbian and reconfigure all? (in my case not few time)
Are modules in github (or installing by palette) possible infected? Or the hack can come ony from internet?
How to change the TCP port number listening?

Sorry for lot of questions, thanks for help!

RoganFPS · 17 January 2019 09:53

it creates flows if i remember correctly, so you can actually see that its been infected, its not like a internal thing or anything

ukmoose · 17 January 2019 10:31

Can we simply monitor CPU, better daily graph of CPU usage, to be sure we haven't benn hacked?
No monitoring CPU use is NEVER enough to ensure you haven't been hacked.

Can you please explain how to wipe service (as you suggested) and reinstall it safely without reinstall Raspbian and reconfigure all? (in my case not few time)
The sticky warning note referred to a series of breaches caused by people connecting an insecure instance of Node-RED to the internet. The breach was caused by unknown people using that copy of Node-RED and installing their own flows.
If you exposed Node-RED to the internet without protection then someone else could have used it to install / modify your system and then remove the flow that does it. Just wiping Node-RED might clear this instance, but you cannot be certain that other software hasn't been installed. The safest solution is to reinstall everything including the operating system.

Are modules in github (or installing by palette) possible infected? Or the hack can come ony from internet?
The threat that the sticky note refers to came from allowing access to Node-RED from the internet not from modules in github.

How to change the TCP port number listening?
read the docs about the settings.js file

TotallyInformation · 18 January 2019 10:35

There are currently no known infected modules.

Of course, if your system is critical - especially in a commercial setting - review and validation of all components is recommended.

GiovanniG · 21 January 2019 11:55

thank you, really useful

Topic		Replies	Views
Node Red create Flows "automatically" General	4	1392	5 October 2018
Crypto Miner Abuse/Malware General security	20	4746	30 September 2018
⚠️ Malware Infecting unsecured Node-RED servers News	2	2134	12 March 2019
Have I got a virus in Node-red? General	5	1666	27 September 2018
Is It possible to download malicious software with node-red? General	5	335	27 June 2021

About unsecured instances of Node-RED having a crypto-mining flow automatically deployed

Is monitor the CPU load enough to understand if we have this problem?

Related topics