Dashboard suddenly asks for password (Hacked Node-RED servers)

Hello, and thanks for your reply in advance.
For a few years I have used node-red for home control, simple setup, control of heat pumps, monitoring of temperatures etc., I am far from an expert on this, but I got it to work.
have been using node red dashboard, this has worked great until tonight, when I had to change the temp setting, worked fine earlier today. What suddenly happened is that the dashboard asks for a password, the same for the flow editor. I have not set this up with a password.
get in touch with pI via Putty, and have tried rebooting.
have also tried from both PC and phone, same result.

Does anyone have any good tips to solve this?

Same problem here ! And all flows stoped working...

Also have two pi running node-red and both just started asking for login and password. I have a third pi running and it’s still working

What password is it asking for ? ie. what popup do you get, is it from node-red itself ? the browser ?
Did you perform any updates anywhere ? this is without home assistant ? docker ? etc, details please if available.

Just running node red
Trying to log into dashboard or my node red flows flows. Using iPhone safari or from another pc and chrome it looks like it’s coming from node red.
All has been running now for over a year and half all of a sudden it just popped up asking for password
I have a pi 3 that this happened to yesterday and now on my pi4.
I haven’t changed anything on either for at least 3-4months.

image808×554 76.2 KB

Not running anything else but nodered

I had another instance of node-red running on an other port. It did not have this problem. It is running on another port (1881).
Because this instance had no real use anymore, I copied all files of the broken instance to this one. I had to install some missing nodes, and all was running like before.

My node red is running on it's own (no HA, ...). I have been working in it all day. I only installed one new node (solar forecaster) early this morning. As far as I know I did not do any updates.

I now have this login screen. But it started with a node-red login screen (in the typical colors and logo).
In de UI and in the node screen.

I could not find any similar problem on the internet, expect those here posted today.

I am not sure, but I think in the settings file de adminAuth is uncommented, but not by me...

/*******************************************************************************
 * Security
 *  - adminAuth
 *  - https
 *  - httpsRefreshInterval
 *  - requireHttps
 *  - httpNodeAuth
 *  - httpStaticAuth
 ******************************************************************************/

    /** To password protect the Node-RED editor and admin API, the following
     * property can be used. See http://nodered.org/docs/security.html for details.
     */
adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO",
            permissions: "*"
        },

        {
            username: "george",
            password: "$2b$08$O8/aEWlLrdbCkA1hAsnmZe84m3HuXNf5Qpk5W2JtcP9KAeKyb98LO",
            permissions: "read"
        }
    ]
},

    /** The following property can be used to enable HTTPS
     * This property can be either an object, containing both a (private) key
     * and a (public) certificate, or a function that returns such an object.
     * See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
     * for details of its contents.
     */

Use the cli on one of the pi and do a cd .node-red then ls -al and look at the date of the settings.js, what is it?

Do you access the pi’s from outside your local network?

On my pi it was today, but I did not change it. See my previous post.

If you did not uncommon those lines then my first worry is you have been hacked. That’s why I was asking what the date is on the file.

Take note of the time it changed. Then look in /var/log/syslog and see if anything else happened at that time.

@Mastrond @jan.ove please read the last couple posts and check the date/time settings.js was changed.
Also what version of NR and node.js are you running?

coming from node red.

Node-red has its own login UI form. This is the webserver, was Pi directly accessible from the internet ?

In my case the pi is accessable from the internet.

problem is I checked the settings file after the problem started, so I don't have the exact timestamp anymore. But I can remember it was today.
I tried to login with the uncommented login and password, but I could not login with them...

In that case, i would immediately pull out the cable of the modem and verify all systems within the LAN for processes that should not be running/exist, change all passwords and close down all the "allowed" open ports on the router.

A lot has been written on this forum about not giving access to node-red over the internet, only via secure methods, ie. vpn's, ssl etc.

Yes pi was directly accessible over the internet.

Hi, and thanks for your reply, I was also thinking along those lines, so I have disconnected it from the network. it was connected to the internet.
Will try what you describe tomorrow.

This is exactly what my settings.js file looks like they were un commented
I tried to comment them out but get errors when I do.
Is there a solution I could try to fix this?

same here, disconnected again
22765 Oct 15 19:40 settings.js