Hacker erased my flows and put THIS flow in

When I woke up today, none of my flows were there anymore, and a 'flow' that I have no idea where it came from was there. Here is what it showed:

[image: screenshot of the unknown flow, on a tab named "Untitled"]

Does anyone have an idea what this node was doing to my system?

Thanks.

Charlie

[NOTE: post edited by operator to blur out IP address]

Please read the other posts about being hacked.

You have presumably left the Editor open to the Internet.

Block off access immediately. Outbound as well as inbound.

Hopefully you have a good backup of your system. The safest thing to do is wipe and rebuild.

I blocked access to the internet, and removed the sd card, am using the backup one now. I just wondered what that exec command does.

There are examples in the other posts. You will likely find a variety of malware. You can look it up if you like, download the scripts just don't run them.

Oh Dear!

It seems to be an epidemic :scream:

Really only takes one person in the know to cause havoc.


Hello there,

I've been having the same issue with my flow. It stops running at some point, and when I check the website my flow has been deleted and those nodes were added, the same thing as you showed in the image.

Do you suggest it's someone who hacked into the flows? I don't see why that would be, since I've had the same issue as well. The flows have stopped for other reasons, not sure why; maybe I should make a new forum topic for that.

Thanks,
Ethan

Hi,
It's not just a question of a stopped flow: a flow that was updated without you doing it is not normal.

Check the contents of the flow.json file, does it contain your nodes, or others like exec nodes?

This should not be taken lightly, several people have already been victims.

Hello, thank you for the reply.

I'm not sure how to check the flow.json file as I'm running node-red on an AWS EC2 instance so there is no file storage on my computer...


This is the only node that is in my flow now..

So yes you have been hacked; look at the first line, it's an exec node with a script link


What we now really would like to know is whether you had your Editor secured behind an id and password? And if so, was it a strong or weak password?

Okay, it seemed a bit fishy. From what I know I have no security in place for accessing the Editor, if you know the IP you can access it I suppose.

Every time I run it on Node-Red it gives me this:
Your flow credentials file is encrypted using a system-generated key.

If the system-generated key is lost for any reason, your credentials
file will not be recoverable, you will have to delete it and re-enter
your credentials.

You should set your own key using the 'credentialSecret' option in
your settings file. Node-RED will then re-encrypt your credentials
file using your chosen key the next time you deploy a change.

I don't know how to change the credentials however as I don't know how to access the settings.js file to change the credentialSecret since the files are on the AWS server.
Thanks.

Rule number 1: Never expose anything to the Internet if you don't know the risks and don't know how to secure things.

There is no rule number 2.

The credentials secret is not the issue here. Unrestricted access to http://<yourip>:1880 is the problem. A simple port scan gives all the information needed to completely compromise both Node-RED and probably your entire system. Quite possibly other systems as well if you have multiple systems on the same virtual AWS network.

Port scans of new servers happen via botnets within a few seconds of appearing on the Internet.

I see. I'll have to change who can access the instance on the AWS side then.

Thank you for the help.

You will also need to completely rebuild your VM since you cannot be sure what other changes may have been made to it.

Probably they have installed some software to do crypto mining or other services to remotely control the machine. They may even have accessed other devices on the same network and installed other stuff.
As already suggested, it is recommended to reinstall/wipe the machine completely and transfer only 100% checked files. Moreover, keep an eye on the rest of the network to make sure they have not infected other devices. Good luck...

The installed exec node loads malware from 91.92.249.32
I contacted the SWITCH-CERT from the company where I work. They told me that it seems to be a variant of the Mirai Malware group.

I think I identified malware variants in a previous thread.

Obviously both the IP address and the malware type may change over time or between threat actors. The point is that you can no longer be sure of the safety of the server and the only safe thing to do is to wipe the server and rebuild from scratch, taking care only to restore known good data (don't restore executables). Then also change passwords on everything connected to the same network. If you reuse passwords, make sure to change them everywhere.
