All flows have disappeared on AWS hosted system

I have been running a dashboard with some quite complex flows and nodes to show various environmental monitors passing data via MQTT. Node-red is installed on an AWS Ubuntu instance. This morning the dashboard UI is showing "Welcome to the Node Red dashboard" and no content. Accessing Node Red gives me the normal workspace but with no flows visible. The AWS instance has been stable and has not restarted. I have no idea what might have happened for me to have lost all of my content. Does anyone have any pointers of where I should start the journey to trying to recover my system? I'm pretty new to all of this and would be gutted if I had lost all of my work somehow.



How do you expose your AWS Ubuntu instance to the internet?

It might be related:

As for recovery. Does AWS do backups or snapshots for instances?

A public IP address is linked to the UBUNTU instance. Accessing this is where I am seeing the problem. I have since rebooted the server which has changed the IP address but the problem persists.

I will take a look at the posts that you kindly posted. It's a year ago since I installed all of this I need to refresh my memory on how the AWS install works.

In terms of backups etc. If I look in ~/.node-red I can see a flows.json file which has a lot of content, but I'm not sure whether it is my content or not. It may be the default flows file I suppose.

In newer versions of Node-RED, there is an entry in ~/.node-red/settings.js that tells the instance where the flows should be found. Without this, Node-RED will look for flows_<hostname>.json and therefore, if the hostname is dynamic, node-red will not find a flows file.

In short, set a definite flows file using the setting flowFile: 'flows.json

From the docs:

the file used to store the flows. Default: flows_<hostname>.json

See here for more info: Configuration : Node-RED

Thanks Steve.

Looking in settings.js I can see the line

flowFile: 'flows.json'

So I am guessing that any change in hostname will not have had an impact. The flows.json file itself has a timestamp of 5am this morning. I am starting to think that I have possibly been hacked. The flows.json file that I can see just seems to be a collection of "exec" nodes, but I have no idea whether that is unusual or not.


99.99% you've been hacked :frowning:

Any node-red accessible from the internet without requiring credentials to get in is liable to be hacked. There are bots out there looking for them. You will have to rebuild the whole system I am sorry to say, and put it down to a learning exercise.

Then read this FAQ post for advice on how to safely access node-red over the internet.

Yep. I think you are all correct. And being new to AWS I had not set up a robust backup strategy (I have these everywhere else annoyingly).

So, back to the drawing board for the flows and back to school on security and backups.

Thanks for all the input folks.


The file .flows.json.backup might have a previous copy of your flows file. Inspect carefully before trying it though, in case it has been infected.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.