Trying to Track Down Trackers

Bit of a left-field question, but I'm trying to trace why my ZimaBoard2 running only a NodeRed V5.0 with UIBuilder V7.7.4 (and Mosquitto) Docker containers is trying to contact these URLs, about 500 times per day. Is this some telemetry stats built into any of the new releases?

Node-RED 4.1+ does have telemetry (for getting update notifications) but IIRC, it is once an hour or so.

I am almost certain those URLs (tracker.opentrackr.org, tracker.empire-js.us, explodie.org, tracker.coppersurfer.tk) are public BitTorrent trackers. They are used by torrent clients to discover peers for downloading or uploading files.

Since your ZimaBoard2 is hitting these about 500 times a day, consider the below:

1. Torrent client running somewhere?

Are you running a torrent client on the ZimaBoard, perhaps under a bridge network? Your network monitor might be attributing all outbound traffic from the Docker bridge interface to the MAC address of the ZimaBoard, making it look like it's coming from your Node-RED setup.

2. A Torrent Node or WebTorrent Library inside Node-RED

Check your Node-RED palette. Have you or anyone else installed any nodes related to file sharing, video streaming, or torrents?

3. Using non-official Docker images?

Did you pull the official nodered/node-red and eclipse-mosquitto images?

4. Potential Container Compromise

If your Node-RED instance or Mosquitto broker is exposed directly to the internet without authentication (or using default credentials), it's highly susceptible to automated botnets.

Many thanks for the pointers Steve-Mcl. OK, about to go down rabbit hole #2. I use quite a lot of libraries in my app which I import with npm, I think there are some trojans in the likes of axios which has 100 million downloads a week... here goes...

If you let it (default is on), UIBUILDER will send a single message approximately once a month. It sends it to a custom Cloudflare domain which is a serverless worker. I would NEVER put trackers or commercial telemetry into UIBUILDER. Check the privacy policy document for details.


To check if any of your dependencies are compromised, get to the container's command line, go to your userDir folder and then run:

npm audit

Obviously, you should also check to see if any "odd" services are running with something like ps -ef (I think that's right, been a while).

Also carefully check through your active flows to make sure someone hasn't compromised them. Don't forget to check outside the normally visible screen areas.