Hello, I’ve been using Node-RED to control my alarm system for a few years without any issues—until a few months ago, when I started regularly losing the dashboard. Let me explain: when the problem occurred, I checked my flows, only to find that mine had disappeared and been replaced by a simple flow containing just four nodes: "get cmd," "functionality," "executable," and an HTTP output node. I’ve never encountered this before—not even with a fresh Raspbian install and the latest version of Node-RED. Regards.
You should also check for other compromises and unauthorised software installed on the server.
Disconnecting it from the Internet is the most important first step. Then disabling the current flow(s). Then work out what else has been compromised, disabling any unknown services. Then change all your passwords and any security certificates related to the server, especially if you re-use passwords anywhere.
It can be very hard to know how a device has been compromised - a clean rebuild is the safest option.
Hello, thank you for the feedback.
Node 5.0 is installed on a Raspberry Pi running SMP Raspbian 1:6.18.34-1+rpt1.
I performed a complete reinstallation on a 32GB SD card.
My second Raspberry Pi running Node-RED 5.0 connects to the internet without issues. Even after swapping the SD cards between the two Raspberry Pis, the problem persists on that specific unit—which is the one I use to control my alarm system via my phone. Best regards.
This is the exact consequence we've seen many times on compromised systems.
It doesn't really matter how the system has been compromised or even what route the compromise took (could have been via a different system for example) other than how extensively you will need to review systems until you have routed out all of the compromises.
There is no known way that a flow can "disappear" and "be replaced" other than either having a known script to do that or an unknown script (e.g. a security compromise).
Once a hacker has access to your network, in order to preserve and broaden their access, they will try to corrupt other computers, possibly even your router.
If the unwanted flow comes back on a reinstalled OS, it suggests that other devices may have already been compromised.
Perhaps you set up port forwarding in your router?
If so, the attacker can simply reinstall their flow at any time.
You should regard every computer on your network with suspicion.
Hello. Yes, a single port on my router is dedicated to this Raspberry Pi; I still need to find a way to protect against unauthorized access. The password is new and uses a mix of characters. Best regards.
Hello. Yes, only one port on my router is dedicated to this Raspberry Pi; I still need to find a way to protect against unauthorized access—the password is new and uses a mix of characters. I have a second Raspberry Pi connected to my router, but it isn't accessible from the outside, so it hasn't been affected. Best regards.
Port-forwarding is a security catastrophe. I advise you to disable it immediately.
Perhaps that's true, perhaps not.
Imagine someone breaks in to your house. Will they stay just inside the front door or are they more likely to wander round looking for things they can steal?
YOU CANNOT EXPOSE A SERVER TO THE INTERNET WITHOUT PROTECTION.
If you don't know how to protect local resources, you should use a trusted 3rd-party solution such as Cloudflare Zero Trust. Their free tier is generous and allows for up to 50 users and many shared endpoints.
Just using HTTPS with Node-RED alone is unlikely to protect you.