Have I been hacked?

My RPI had been acting up and upon investigation my flows.json file was empty. I restored the backup file only to find that lots of the nodes were way off the bottom right of the screen and unreachable. I examined the flow file and it looked intact except that most of the x and y coordinates had been set to 99999. How very strange! I have spent some hours editing and sorting most of it out but am now left with another odd one.
Terminal window shows... and I have no idea where to look. Any help please.

Linux portPI 6.1.21-v7+ #1642 SMP Mon Apr 3 17:20:52 BST 2023 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 27 18:04:07 2023 from 10.0.0.223
-bash: alias: -f: not found
-bash: alias: /var/log/mosquitto/mosquitto.log: not found
-bash: ccze: command not found
-bash: alias: journalctl: not found
-bash: ccze: command not found
-bash: alias: -f: not found
-bash: alias: -n: not found
-bash: alias: 50: not found
-bash: alias: -u: not found
-bash: alias: nodered: not found
-bash: alias: -o: not found
-bash: alias: cat: not found
-bash: alias: -h: not found
-bash: alias: /home/pi/cls.py’: not found

I am not a security expert so PLEASE PLEASE PLEASE do not accept my answer without further validation.

But it doesn't look too threatening; what it does look like is some issue with your system. It could well be an SD card failure (if you use an SD card), but again, I personally can't really make a solid conclusion.

@TotallyInformation
You're good at this stuff right?

Hi Marcus
Actually I have a hard drive. I would have maybe expected a corrupted flow file but it was just the xy co-ordinates that were affected. Anyway, what's with all the garbage in the terminal window?
thanks
John

No idea about the nodes migrating to the bottom of the editor, but looking at the command line:

In the terminal, what does pwd && ls -lart give you?

What about alias?

Do you have any port forwarding enabled in your router?

So, is the Pi accessible from the Internet? Or is something else on your network accessible from the Internet?


Oh, and if it is accessible from the Internet, take it off immediately while investigating.

On all those alias things:

Look at the file
~/.bashrc

That's where any aliases are usually defined.

The idea is:
If they are there, looking at that file may help you understand what is going on.

If they are NOT there, then it sort of says nasty things MAY be happening.

The only other file you may want to look at is
~/.bash_aliases too.

Good luck.

And I hope it turns out to be nothing.

Yes I have disabled any port forwarding.
My alias file looks fine and all the aliases work.
I have no idea where all those strange aliases in terminal come from.
pwd && ls -lart produces

portPI:~ $ pwd && ls -lart
/home/pi
total 25412
drwxr-xr-x 3 root root 4096 Oct 30 2021 ..
-rw-r--r-- 1 pi pi 807 Oct 30 2021 .profile
-rw-r--r-- 1 pi pi 3523 Oct 30 2021 .bashrc
-rw-r--r-- 1 pi pi 220 Oct 30 2021 .bash_logout
drwxr-xr-x 3 pi pi 4096 Oct 30 2021 .local
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Bookshelf
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Desktop
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Videos
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Templates
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Public
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Pictures
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Music
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Downloads
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Documents
-rw-r--r-- 1 pi pi 25874724 Nov 7 2021 fhem-6.1.deb
-rw------- 1 pi pi 22 Jan 5 2022 .npmrc
drwxr-xr-x 3 pi pi 4096 Jan 5 2022 rpi-clone
drwx------ 7 pi pi 4096 Jan 5 2022 .config
drwxr-xr-x 7 pi pi 4096 Jan 5 2022 .cache
drwx------ 3 root root 4096 Jan 5 2022 .dbus
drwxr-x--- 2 pi pi 4096 Jan 15 2022 ovpns
-rw-r--r-- 1 pi pi 58 Jan 15 2022 .influx_history
-rw-r--r-- 1 pi pi 2274 Feb 19 2022 .bash_aliases
drwxr-xr-x 12 pi pi 4096 Feb 23 2022 wiringpi
drwxr-xr-x 2 pi pi 4096 Feb 23 2022 piHomeEasy-master
-rw-r--r-- 1 pi pi 0 Sep 17 2022 clone-date
drwxr-xr-x 4 pi pi 4096 Dec 25 2022 .npm
-rw-r--r-- 1 pi pi 191 Oct 23 19:38 am9jhz.py
-rwxr-xr-x 1 pi pi 1050 Oct 23 23:13 bins.sh
-rw------- 1 pi pi 2358 Oct 27 17:17 .xsession-errors.old
-rw------- 1 pi pi 107 Oct 27 17:55 .Xauthority
drwxr-xr-x 21 pi pi 4096 Oct 27 17:55 .
-rw------- 1 pi pi 2358 Oct 27 17:55 .xsession-errors
drwxr-xr-x 5 pi pi 4096 Oct 27 19:27 .node-red
-rw-r--r-- 1 pi pi 3039 Oct 27 19:27 alexa-speak.txt
-rw------- 1 pi pi 7768 Oct 27 20:52 .bash_history

I don't see anything there to explain the command line alias errors.

I presume you recognise am9jhz.py and bins.sh?

So at some time you have had ports open to the internet? Which?
Your username is pi. Do you have a very secure password?

If you opened port 22, there will have been multiple malicious attempts to log in.
If you opened port 1880 someone may have attempted to connect to Node-red. If they succeeded they probably had immediate sudo access to the OS.
Since things have gone weird, I think you ought to assume that you have indeed been hacked.

Please do cat bins.sh, there is certainly some malware that uses that file name.

As @jbudd says, at this point it does indeed look like you've been hacked.

OK hands up I had port 1880 open. I have been very stupid. I have a one year old backup of my system and hopefully I can upload this more recent flows file.
thanks for your help.

Oh dear,

We have had a very recent episode of this happening with having an open Node RED instance.

See: Node-RED compromise hack

You might need to check other network connected equipment - to be on the safe side


Important for people to note that there is at least 1 hacker out there targeting exposed Node-RED systems. We've seen this before.

@knolleary and @Steve-Mcl - is it worth putting a pinned note on the forum?


Twice this week, if I am not mistaken

Yes, please change the passwords on your router and any other network connected devices.


It seems that in this case it is a bad hacker if he deleted your flows. In my case they just implemented an exec function. I found an example on How to HTB: Reddish | 0xdf hacks stuff. Everything starts off simply enough, with one port open, http on 1880

If I have a clean install on the RPI, are there any dangers in adding this possibly compromised flow file?
thanks

Certainly dangers, you could perhaps do an initial check of the JSON first without loading as a flow. A decent editor like VS Code should help you walk through it.

Personally I'd probably even then load it to a test instance of Node-RED with no permissions. Check things in sections and copy over parts I'd checked.

Load it into a non-networked machine, and check for config nodes (and the flows in general).

Config nodes can start doing stuff without a visual representation, but then again, they may require dependencies in most cases.

EDIT:
Also check for hidden flows, which can be abused in such cases.

This is getting more weird. I have disconnected my boot hard drive and reverted to a clone sd card from a year ago and it also has this weird stuff in terminal...my alias file looks fine....

Using username "pi".
Linux portPI 5.15.61-v7+ #1579 SMP Fri Aug 26 11:10:59 BST 2022 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 28 08:47:55 2023 from 10.0.0.223
-bash: alias: -f: not found
-bash: alias: /var/log/mosquitto/mosquitto.log: not found
-bash: ccze: command not found
-bash: alias: journalctl: not found
-bash: alias: -f: not found
-bash: alias: -n: not found
-bash: alias: 50: not found
-bash: alias: -u: not found
-bash: alias: nodered: not found
-bash: alias: -o: not found
-bash: alias: cat: not found
-bash: ccze: command not found
-bash: alias: -h: not found
-bash: alias: /home/pi/cls.py’: not found
-bash: alias: shutdown: not found
-bash: alias: now’: not found
-bash: alias: reboot’: not found
pi@portPI:~ $

I'm scared to continue with this. Strange things happening. Is it possible the router is hacked? It has mysteriously been restored to its factory password.