Node Red starts mining Monero coins without my consent!


I noticed that Node red has started mining Monero cryptocurrency without my knowledge and permission. I remove the process in htop but after deploying the flow in Node red it reappears. How did this happen?

1 Like

Your node-red instance is accessible from the internet?

Yes, it is available. But there is a password to access it.

That would have to be the slowest mining op in history.

Although off topic:
WHY is your Node-Red accessible from the internet?

yes, it is available. But there is a password to access it.

Was it ever exposed to the internet before you added the username/password?

Is the username and password guessable?

You need to search your flows for exec nodes (probably need to scroll down and to the right a lot).

Better yet, probably delete the flows.json file and start again from scratch.

From a security PoV, it would be interesting to see what they actually implemented in your environment @devifast.

If you have the time/willingness, could you please share what they set up in your flow(s)?

2 Likes

That's exactly what I'm going to do, I'm going to do it from scratch.

1 Like

Although the hack may have gained access via Node-red, it will have attempted to spread beyond there.
You should consider the entire Node-red machine compromised and possibly other devices on your network, perhaps even your router.

When you rebuild the machine, use a different, not common, Node-red user name and a properly secure password.
Do Not allow the Node-red user access to sudo without a password.
Only access from the internet via some sort of VPN, e.g. Zerotier or Tailscale. Don't use port forwarding.

2 Likes

Added the security tag to this thread.

@devifast - please read the security FAQs and security documentation regarding node-red.

Rule #1 is NEVER connect your Node-RED Editor endpoints direct to the Internet. Regardless of how secure you think you've made it.

Rule #2 is never connect your server direct to the Internet if you can possibly avoid it.

There are plenty of ways to avoid exposing your local network and servers to the Internet while still securely allowing access to specific endpoints.


Also, don't forget to change all passwords AFTER securing/resetting things. And make sure that you are using strong passcodes and not re-using them for different things.

1 Like

Are you using https?

No, I don't use https. I haven't been able to do it. If there's an article somewhere I'd be happy to read it.

Using user/pwd without https is pretty much pointless.

But as others have said, don't rely on user/pwd even with https. Read, and understand, the docs pointed to earlier.

Without HTTPS (wire-level encryption), passwords are worse than useless, especially if you used just HTTP Basic security.

If you don't understand Internet security basics, you are strongly recommended to use a 3rd-party solution to protect everything. There are plenty around and a number are listed in the security threads already mentioned as well as more detailed implementation guides that you can search for on the forum.

Just out of interest, what was your Node-red user name?

If it was anything even vaguely uncommon, the odds are that your name and password were sniffed out of your network traffic at the coffee shop, or wherever.

I don't understand the question correctly.

The question is:
You said you have to log into Node-Red's editor.

What name / password did you use?
(Given that it is now academic, as you WILL be changing it now anyway.)

Perhaps I misunderstood your posts.
You can set up a username and password for the Node-red editor.
Then at login you should see this screen

I think that most cases we have seen of hacked Node-red did not have this setup.

A hacker who gets this far knows you have Node-red but they have to guess user names and passwords.
There is nothing in Node-red to respond to many failed login attempts, so they could keep trying different combinations over an extended period.

So I wondered if your user name was one commonly guessed, e.g. "root", "admin", "nodered".
If not, it seems likely that the attacker already knew your user name and password.

I only asked about the user name, I don't think it's good to reveal passwords, even expired ones.

Don't ask so we don't expose ourselves. :slight_smile:

Fair enough!

How's that going for you? :upside_down_face: