Cryptomining Malware Infecting Node-RED servers

Hi all, some of you will be aware that a few people have reported having their Node-RED servers infected by cryptomining malware.

This can only happen if you have left a server exposed to the Internet in some way without suitable security applied.

The IP address serving the malware script is 192.99.142.226. This belongs to hosting vendor OVH. If you would like to report this to them, that would be good. If lots of people do this, they will probably take action pretty quickly. The address to use to report to is abuse@ovh.ca. When reporting, you might like to reference this report which is showing other malware being served from that address.

The full URL of the malware script is: http://192.99.142.226:8220/mr.sh

This is currently safe to access though it is possible that may change so be aware.

If you discover any other IP addresses serving up this malware, please let me know as I'm trying to report it at the moment.

Stay safe! Secure your servers.


@TotallyInformation just edited your post to remove the link to the malware script. We don't want people clicking on it in any circumstances.

No problem. Though I did make sure it was safe to click on before including it. It makes for interesting reading actually.

It does... but let's not make it easy for anyone to accidentally/naively click on it and potentially expose themselves. As you say yourself, it's safe to click today, but that may not always be the case.

BTW, I reported this to UK CiSP along with a commentary that I've had no response at all from OVH.

Dear all, please note that I finally managed to get through to an individual security engineer at OVH in France and he has taken down the offending server.

No doubt the malware will pop up somewhere else but at least that's one down.


OVH found a second instance on 192.99.142.248 - also now taken down.


I just remembered I have a cloud server with OVH!

Quick check - not my IP #Phew

"Gee, I don't remember building that worm... hmmm, I wonder what this JSONata expression does?"

Hahahaha! And I thought my memory was bad!

I think a relevant question here is if it is "easy" to create & develop such malware and to push it out to unprotected NR installations. I mean, I assume it is not enough to have median average skill & competence. Or is it?

Or is this an opening that can be explored/misused via some public api available in NR? I remember I read questions about how to deploy the flow from code. Is this a part that should be revised?

(For sure everybody should understand not to expose any unprotected "thing" to internet)

The node-red runtime exposes an http API for deploying updates. It is the API the editor uses whenever you click the Deploy button. Any action the editor can apply to the runtime is done via this API - installing new nodes, etc. It is fully documented on nodered.org.

It is fairly trivial to craft an http request to perform any of these actions in the runtime - because it's a simple API to use.

adminAuth secures this API to prevent misuse.


That's the takeaway. The same things that make Node-RED so very useful to so many of us also make it useful to bad actors - of course. So although I've always warned (as have others) about not connecting Node-RED to the Internet unless you really have to, it isn't especially any more (or less) vulnerable than other powerful web applications.

We should always keep things in perspective too. It is easy to over-react as much as ignore when you get a demonstrable attack.

It is possible to add reasonable protections to Node-RED and that will easily satisfy most of the risks many of us face.

In a commercial, professional or enterprise setting or where you are dealing with sensitive data or critical systems, the risks are entirely different and would need further mitigations. Still perfectly possible but shouldn't be ignored. As you would expect in those situations, the extra mitigations will come with additional cost.

I'm actually glad this has happened, it is a relatively benign attack and acts as a proper wake-up call to our community not to take shortcuts or take security for granted.


<mixedMetaphor>If you're going to let your computer sleep with strangers, it should at least be wearing a password. </mixedMetaphor>


In my case all created flows (1576 flows) had an identifier with 5 letters/numbers so I've deleted them programmatically in order to backup only my flows before formatting.

I ran this from chrome's console (modify to fit your requirements):

```javascript
// Count the workspaces (flow tabs) whose id is exactly 5 characters long.
// My own flows had longer ids; the injected ones all had 5-character ids.
var counter = 0;
RED.nodes.eachWorkspace(function (e) {
    if (e.id.length === 5) {
        counter++;
    }
});
console.log("counter => " + counter);

// Delete every matching tab through the admin API (DELETE /flow/:id).
// Run from the editor's own console so its $.ajax setup adds the auth token.
var success = 0;
var failed = 0;
RED.nodes.eachWorkspace(function (e) {
    if (e.id.length === 5) {
        if (success > 0) {
            console.log((success * 100 / counter).toFixed(2) + " % (" + success + " / " + counter + ")");
        }
        $.ajax({
            type: "DELETE",
            async: false, // synchronous so the progress lines print in order
            url: "/flow/" + e.id,
            success: function () { success++; },
            error: function () { failed++; }
        });
    }
});
console.log("deleted " + success + ", failed " + failed);
```

Hi - when sharing code on the forum, please follow the advice in this post: How to share code or flow json

But also note that removing the flows is not sufficient to remove the malware - at least, not the malware that led to this thread. The malware installs a cronjob that runs every minute to download its binary and run. The only way to be sure is to reinstall the OS.