My RPI had been acting up and upon investigation my flows.json file was empty. I restored the backup file only to find that lots of the nodes were way off the bottom right of the screen and unreachable. I examined the flow file and it looked intact except that most of the x and y coordinates had been set to 99999. How very strange! I have spent some hours editing and sorting most of it out but am now left with another odd one.
The terminal window shows... and I have no idea where to look. Any help please.
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 27 18:04:07 2023 from 10.0.0.223
-bash: alias: -f: not found
-bash: alias: /var/log/mosquitto/mosquitto.log: not found
-bash: ccze: command not found
-bash: alias: journalctl: not found
-bash: ccze: command not found
-bash: alias: -f: not found
-bash: alias: -n: not found
-bash: alias: 50: not found
-bash: alias: -u: not found
-bash: alias: nodered: not found
-bash: alias: -o: not found
-bash: alias: cat: not found
-bash: alias: -h: not found
-bash: alias: /home/pi/cls.py’: not found
I am not a security expert so PLEASE PLEASE PLEASE do not accept my answer without further validation.
But it doesn't look too threatening; what it does look like is some issue with your system. It could well be an SD card failure (if you use an SD card), but again, I personally can't really make a solid conclusion.
Hi Marcus
Actually, I have a hard drive. I would maybe have expected a corrupted flow file, but it was just the x/y co-ordinates that were affected. Anyway, what's with all the garbage in the terminal window?
thanks
John
Yes I have disabled any port forwarding.
My alias file looks fine and all the aliases work.
I have no idea where all those strange aliases in terminal come from. pwd && ls -lart produces
portPI:~ $ pwd && ls -lart
/home/pi
total 25412
drwxr-xr-x 3 root root 4096 Oct 30 2021 ..
-rw-r--r-- 1 pi pi 807 Oct 30 2021 .profile
-rw-r--r-- 1 pi pi 3523 Oct 30 2021 .bashrc
-rw-r--r-- 1 pi pi 220 Oct 30 2021 .bash_logout
drwxr-xr-x 3 pi pi 4096 Oct 30 2021 .local
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Bookshelf
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Desktop
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Videos
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Templates
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Public
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Pictures
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Music
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Downloads
drwxr-xr-x 2 pi pi 4096 Oct 30 2021 Documents
-rw-r--r-- 1 pi pi 25874724 Nov 7 2021 fhem-6.1.deb
-rw------- 1 pi pi 22 Jan 5 2022 .npmrc
drwxr-xr-x 3 pi pi 4096 Jan 5 2022 rpi-clone
drwx------ 7 pi pi 4096 Jan 5 2022 .config
drwxr-xr-x 7 pi pi 4096 Jan 5 2022 .cache
drwx------ 3 root root 4096 Jan 5 2022 .dbus
drwxr-x--- 2 pi pi 4096 Jan 15 2022 ovpns
-rw-r--r-- 1 pi pi 58 Jan 15 2022 .influx_history
-rw-r--r-- 1 pi pi 2274 Feb 19 2022 .bash_aliases
drwxr-xr-x 12 pi pi 4096 Feb 23 2022 wiringpi
drwxr-xr-x 2 pi pi 4096 Feb 23 2022 piHomeEasy-master
-rw-r--r-- 1 pi pi 0 Sep 17 2022 clone-date
drwxr-xr-x 4 pi pi 4096 Dec 25 2022 .npm
-rw-r--r-- 1 pi pi 191 Oct 23 19:38 am9jhz.py
-rwxr-xr-x 1 pi pi 1050 Oct 23 23:13 bins.sh
-rw------- 1 pi pi 2358 Oct 27 17:17 .xsession-errors.old
-rw------- 1 pi pi 107 Oct 27 17:55 .Xauthority
drwxr-xr-x 21 pi pi 4096 Oct 27 17:55 .
-rw------- 1 pi pi 2358 Oct 27 17:55 .xsession-errors
drwxr-xr-x 5 pi pi 4096 Oct 27 19:27 .node-red
-rw-r--r-- 1 pi pi 3039 Oct 27 19:27 alexa-speak.txt
-rw------- 1 pi pi 7768 Oct 27 20:52 .bash_history
I don't see anything there to explain the command line alias errors.
I presume you recognise am9jhz.py and bins.sh?
So at some time you have had ports open to the internet? Which?
Your username is pi. Do you have a very secure password?
If you opened port 22, there will have been multiple malicious attempts to log in.
If you opened port 1880, someone may have attempted to connect to Node-RED. If they succeeded, they probably had immediate sudo access to the OS.
Since things have gone weird, I think you ought to assume that you have indeed been hacked.
OK, hands up, I had port 1880 open. I have been very stupid. I have a one year old backup of my system and hopefully I can upload this more recent flows file.
thanks for your help.
It seems that in this case it is a bad hacker if he deleted your flows. In my case just implement an exec function. I found an example on How to HTB: Reddish | 0xdf hacks stuff. Everything starts off simply enough, with one port open, http on 1880
Certainly there are dangers; you could perhaps do an initial check of the JSON first without loading it as a flow. A decent editor like VS Code should help you walk through it.
Personally, I'd probably even then load it into a test instance of Node-RED with no permissions. Check things in sections and copy over the parts I'd checked.
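One way to do that initial check without importing anything into Node-RED, as an added example (this is not code from the thread or from the Node-RED project): the script below parses a flows.json, counts nodes by type, and lists the nodes that deserve a look before import: exec nodes and the command they run, function nodes whose body reaches for child_process/require/eval/process, nodes whose x/y are far outside any real editor canvas (the 99999 values from the first post), and nodes attached to a tab that no longer exists. The embedded sample flow, the 5000-unit canvas limit, the keyword list and the script name check_flows.py are assumptions chosen for the example.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample standing in for ~/.node-red/flows.json. It is not taken from the
# thread; it only reproduces the shapes discussed there: an honest inject -> debug pair,
# nodes pushed out to 99999,99999, an exec node, a function node that shells out, and a
# node whose tab no longer exists.
SAMPLE_FLOWS = json.dumps([
    {"id": "t1", "type": "tab", "label": "Flow 1"},
    {"id": "n1", "type": "inject", "z": "t1", "x": 100, "y": 80, "wires": [["n2"]]},
    {"id": "n2", "type": "debug", "z": "t1", "x": 300, "y": 80, "wires": []},
    {"id": "n3", "type": "exec", "z": "t1", "x": 99999, "y": 99999,
     "command": "/bin/sh /tmp/constructed-example.sh", "wires": [[], [], []]},
    {"id": "n4", "type": "function", "z": "t1", "x": 99999, "y": 99999,
     "func": "const cp = global.get('child_process'); cp.exec(msg.payload); return msg;",
     "wires": [[]]},
    {"id": "n5", "type": "debug", "z": "gone", "x": 200, "y": 200, "wires": []},
])

# Assumed limit: a hand-placed node never sits this far from the origin, so anything
# beyond it was written by something other than the editor.
CANVAS_LIMIT = 5000

# Strings in a function node body that mean it does more than reshape messages.
SUSPICIOUS_JS = re.compile(
    r"child_process|require\s*\(|process\.(env|exit|binding)|\beval\s*\(|new\s+Function\s*\(")


def load_flows(text):
    """Parse the flow file and check it is the JSON array of node objects Node-RED expects."""
    data = json.loads(text)
    if not isinstance(data, list) or not all(isinstance(n, dict) for n in data):
        raise ValueError("flow file is not a JSON array of node objects")
    return data


def type_counts(nodes):
    """Count nodes per type; a type you never added (an exec node, say) stands out here."""
    return Counter(n.get("type", "?") for n in nodes)


def audit(nodes):
    """Return (node_id, reason) pairs for nodes that deserve a manual look before import."""
    containers = {n["id"] for n in nodes if n.get("type") in ("tab", "subflow") and "id" in n}
    findings = []
    for n in nodes:
        nid, ntype = n.get("id", "?"), n.get("type", "?")
        if ntype == "exec":
            findings.append((nid, "exec node runs an OS command: %r" % n.get("command", "")))
        if ntype == "function" and SUSPICIOUS_JS.search(n.get("func", "")):
            findings.append((nid, "function body references child_process/require/eval/process"))
        x, y = n.get("x"), n.get("y")
        if isinstance(x, (int, float)) and isinstance(y, (int, float)) and \
                (abs(x) > CANVAS_LIMIT or abs(y) > CANVAS_LIMIT):
            findings.append((nid, "node placed off-canvas at x=%s y=%s" % (x, y)))
        z = n.get("z")
        if z and z not in containers:
            findings.append((nid, "node belongs to a tab/subflow that does not exist: %r" % z))
    return findings


def main(argv):
    # With a path argument the real file is read; without one the constructed sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_FLOWS
    nodes = load_flows(text)
    for ntype, count in sorted(type_counts(nodes).items()):
        print("%-20s %d" % (ntype, count))
    for nid, reason in audit(nodes):
        print("REVIEW %s: %s" % (nid, reason))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_flows.py flows.json` against a copy of the restored file; it only reads the JSON, nothing in the flow is executed. Running it on the year-old backup as well and comparing the two type counts is a quick way to see whether any node types appeared that you never added yourself.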
This is getting weirder. I have disconnected my boot hard drive and reverted to a clone SD card from a year ago, and it also has this weird stuff in the terminal... my alias file looks fine...
Using username "pi".
Linux portPI 5.15.61-v7+ #1579 SMP Fri Aug 26 11:10:59 BST 2022 armv7l
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 28 08:47:55 2023 from 10.0.0.223
-bash: alias: -f: not found
-bash: alias: /var/log/mosquitto/mosquitto.log: not found
-bash: ccze: command not found
-bash: alias: journalctl: not found
-bash: alias: -f: not found
-bash: alias: -n: not found
-bash: alias: 50: not found
-bash: alias: -u: not found
-bash: alias: nodered: not found
-bash: alias: -o: not found
-bash: alias: cat: not found
-bash: ccze: command not found
-bash: alias: -h: not found
-bash: alias: /home/pi/cls.py’: not found
-bash: alias: shutdown: not found
-bash: alias: now’: not found
-bash: alias: reboot’: not found
pi@portPI:~ $
I'm scared to continue with this. Strange things are happening. Is it possible the router is hacked? It has mysteriously been restored to its factory password.
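The `-bash: alias: -f: not found` lines in the login output above are what bash prints when `alias` is handed a word that is not a NAME=VALUE definition: it treats the word as an alias name to display and reports that no such alias exists. A definition produces that pattern when its quotes are not ASCII single quotes, because the value is then split into separate words; the trailing `’` in `/home/pi/cls.py’`, `now’` and `reboot’` is a right single quotation mark (U+2019), which bash does not treat as a quote. The Python script below, added here and not part of the thread, reproduces bash's word splitting with `shlex` over a constructed `.bash_aliases` so a startup file can be checked before it is sourced: for every `alias` line it reports which aliases would be defined, which words bash would merely look up, and which extra commands would run after a `|` or `;`. The sample lines and the U+2019 reading of the thread's output are assumptions.

```python
import shlex
import sys

# Constructed ~/.bash_aliases standing in for the real file; not taken from the thread.
# Lines 3 and 4 use typographic quotes (U+2019) where bash needs ASCII ' quotes, and
# line 5 never closes its quote.
SAMPLE_ALIASES = """\
# constructed example
alias ll='ls -lart'
alias ml=\u2019tail -f /var/log/mosquitto/mosquitto.log | ccze -A\u2019
alias sd=\u2019sudo shutdown now\u2019
alias broken='echo unterminated
"""

CURLY_QUOTES = "\u2018\u2019\u201c\u201d"
SEPARATORS = ("|", "||", ";", "&", "&&")


def split_like_bash(line):
    """Split one line into words the way bash does for a simple command: ASCII quotes
    group words, | ; & separate commands, and anything else (curly quotes included)
    is an ordinary character. Returns None when a quote is never closed."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:          # shlex raises this for "No closing quotation"
        return None


def check_alias_line(line):
    """Describe what bash would do with one alias line: the aliases it would define,
    the words it would only look up (the source of '-bash: alias: WORD: not found'),
    and the commands it would run after a separator."""
    result = {"defined": [], "looked_up": [], "commands": [],
              "curly_quotes": any(ch in CURLY_QUOTES for ch in line),
              "unterminated": False}
    words = split_like_bash(line)
    if words is None:
        result["unterminated"] = True
        return result
    if not words or words[0] != "alias":
        return result
    state = "alias"              # alias -> arguments of alias; newcmd -> next word is a command
    for w in words[1:]:
        if w in SEPARATORS:
            state = "newcmd"
        elif state == "newcmd":
            result["commands"].append(w)
            state = "args"       # the command's own arguments are not interesting here
        elif state == "alias":
            if "=" in w:
                result["defined"].append(w.split("=", 1)[0])
            else:
                result["looked_up"].append(w)
    return result


def check_aliases(text):
    """Check a whole file; return (lineno, line, result) for every line that bash would
    not treat as one clean alias definition."""
    reports = []
    for lineno, line in enumerate(text.splitlines(), 1):
        r = check_alias_line(line)
        if r["looked_up"] or r["commands"] or r["curly_quotes"] or r["unterminated"]:
            reports.append((lineno, line, r))
    return reports


def main(argv):
    # With a path argument the real file is read; without one the constructed sample is used.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_ALIASES
    for lineno, line, r in check_aliases(text):
        print("line %d: %s" % (lineno, line))
        if r["unterminated"]:
            print("  unterminated quote: bash would stop with 'unexpected EOF'")
        if r["curly_quotes"]:
            print("  contains typographic quotes (U+2018/U+2019/U+201C/U+201D)")
        for w in r["looked_up"]:
            print("  would print: -bash: alias: %s: not found" % w)
        for c in r["commands"]:
            print("  would run the command: %s" % c)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 check_aliases.py ~/.bash_aliases` (the script name is an assumption) on both the hard drive and the old SD card; a clean file produces no output. The "would run the command" lines matter on their own after a suspected compromise, since a startup file is one place an attacker can add commands that run at every login, and this check lists them without executing anything.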