Nodered process burning cpu resources

I have a box with Ubuntu that I use to write and test scripts and nodes.
I found it was quite unresponsive and Started investigating who is taking 300% of the resources.
I did found the following process and files to be responsible for the above:

-rwxr-xr-x 1 root root 8714712 Jun 23 19:58 kperl
-rw-r--r-- 1 root root 3540510 Jul 25 15:17 kperl.tar.gz

   1614 root      20   0  358200   9168   8472 S 194.1   0.1   3:48.17 kperl

I did check who is running such process and it looks like is something associated to nodered.

:/tmp$ systemctl status $(pgrep kperl)
â—Ź nodered.service - Node-RED graphical event wiring tool
     Loaded: loaded (/lib/systemd/system/nodered.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2022-07-25 16:07:39 CAT; 26min ago
   Main PID: 709 (node-red)
      Tasks: 22 (limit: 9251)
     Memory: 131.7M
     CGroup: /system.slice/nodered.service
             ├─ 709 node-red
             ├─1458 sh /tmp/tmp
             └─1614 /tmp/kperl --no-color

Does anyone know what is about and how to stop this kperl?

After disabling the nodered with systemctl and reboot, the kperl doesn't start and the box' cpu is happy again. So, looks like "kperl"it is really belong to nodered. I definitively need some help to sort this out.

  1. Are you running node-red as root? If the answer is yes then that is almost certainly a bad idea.

  2. Have you got any exec nodes in your flows? If so then what commands are they executing?

  3. What extra nodes have you installed? You can look in ~/.node-red/package.json to get a list of them.

  4. Is your node-red system accessible via the internet?

  5. If you stop node-red does the process get killed? If not then disable node-red auto run on boot and reboot, then check the process is not there. Start node-red and see if it re-appears.

Nodered is not running as root.
No exec nodes.
At present I have only one flow with an HTTP-in node receiving messages from Sigfox backend.
I di stop and disabled nodered, rebooted and the issue disappear .

I have enabled and restarted nodered as well as the flow with the http-in node and the issue disappeared. I hope forever.
What was the issue about?

You didn't answer point 4. If node-red has ever been open to the internet then you might have been hacked.

Also, what does
sudo systemctl status nodered
show now?

$ systemctl status nodered
â—Ź nodered.service - Node-RED graphical event wiring tool
Loaded: loaded (/lib/systemd/system/nodered.service; enabled; vendor prese>
Active: active (running) since Mon 2022-07-25 17:15:51 CAT; 2min 44s ago
Docs: Redirecting…
Main PID: 705 (node-red)
Tasks: 11 (limit: 9251)
Memory: 111.0M
CGroup: /system.slice/nodered.service
└─705 node-red

Most likely you are in a loop and you need to toss in debug nodes until you see a whole bunch of messages spinning past that you aren't expecting.

Been there, done that.

Yes. It has been exposed. I had to redirect a port to 1880 to test the HTTP-in node to receive the messages from Sigfox.
So.... it is time to wipe out such box and make a clean installation?

Unless someone else can suggest what might have been going on I would certainly be suspicious. Note that the command being run was /tmp/kperl which means that it had been temporarily constructed in /tmp rather than being a normal installed program. There are bots out in the internet looking for 1880 being open and there have been reports of people being hacked after even a short time exposed without security features. I am confused about how it could run the s/w as root though, if node-red is not running as root.

The even bigger worry for you is whether the machine might have infiltrated other systems on your local network if you have any.

1 Like

Thanks for the hints. It could be. Is the only box with very low security because I use it to test my little messy codes. I will have a look at the other devices on the network but are all strongly password protected.
If it was an intrusion attempt, it was a stupid one. Doesn’t make sense to run something that burns cpu resources to get discovered in few hours.
Thanks for sharing your opinions

gotta mine those bitcoin somehow... always going to be cpu intensive on a Pi...

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.