Überlastung PI oder NodeRed

Dashboard
1

Hallo

Ich betreibe seit fast 2 Jahren ein Smart Home mit einem PI4 und einer 32GB SD Karte.
Habe ca 15 Dashboards mit Grafischer Kurvenanzeigen mit Daten alle 5 Minuten,
welche verschiedene Analogwerte der letzten 24Std anzeigen.
Ich steuere auch über MQTT mehrere WLAN Steckdosen an.
Wird also schon sehr viele Daten sein die auflaufen und gespeichert werden müssen!
Nun bekomme ich immer mehr Probleme mit den Grafischer Anzeigen, es fehlen alte Daten und es treten auch immer wieder Verbindungs Probleme zu den WLAN Dosen auf.
Kann es sein das ich NodeRed überlastet habe und wie kann ich die Speicherauslastung von NodeRed prüfen oder liegt es einfach an einem überlasteten PI ?
Es läuft kein Desktop auf dem Pi

2

For anyone, like me, who doesn't read German

I've been running a smart home with a Pi4 and a 32GB SD card for almost two years.
I have about 15 dashboards with graphical curve displays with data every five minutes,
which display various analog values ​​from the last 24 hours.
I also control several Wi-Fi outlets via MQTT.
So, there's bound to be a lot of data accumulating and needing to be saved!
Now I'm having more and more problems with the graphical displays; old data is missing, and I'm also constantly having connection problems with the Wi-Fi outlets.
Could it be that I've overloaded NodeRed? How can I check NodeRed's memory usage, or is it simply due to an overloaded Pi?
The desktop isn't running on the Pi.

I am sure someone will be able to let you know how to check memory usage etc. but I would probably check the SD card as a first step

Ich bin sicher, dass jemand Ihnen sagen kann, wie Sie die Speichernutzung usw. überprüfen können, aber ich würde wahrscheinlich als ersten Schritt die SD-Karte überprüfen

3

A couple of command line utilities that might help

Check for overfull filesystems using df, for example:

df -h | grep -v tmpfs
Filesystem      Size  Used Avail Use% Mounted on
udev             72M     0   72M   0% /dev
/dev/mmcblk0p2   57G  6.6G   48G  13% /
/dev/mmcblk0p1  510M   66M  445M  13% /boot/firmware

For memory usage use free:

free -h
               total        used        free      shared  buff/cache   available
Mem:           1.8Gi       369Mi       327Mi       132Ki       1.2Gi       1.4Gi
Swap:          2.4Gi       1.8Mi       2.4Gi

High use % in either of these is an indication of a problem.

You can get an overview of cpu use and top resource hog processes with htop.
This is a heavily overworked Raspberry Pi:

image
image1361×187 12 KB

4

Hallo
ja htop zeigt mir wohl das Problem an
alle 4 kerne vollauslastung

4kerne
4kerne1448×213 67.1 KB

die ursache ist wohl ein update vorgang
cpu
cpu1073×258 116 KB

4x 100% cpuauslastung, jetzt nur noch warum?

5

4x 100% is very bad!
It's not Node-red hogging the CPU though, that would be just 1 core at 100%.

Has your Node-red ever been accessible from the internet?
If so, you may have been hacked and it's busy mining crypto.

6

Also show us the node-red startup log if you start it from a command window.

7

pi@raspberrypi:~ $ node-red start
21 Oct 19:50:19 - [info]

Welcome to Node-RED

21 Oct 19:50:19 - [info] Node-RED version: v4.0.8
21 Oct 19:50:19 - [info] Node.js version: v20.18.1
21 Oct 19:50:19 - [info] Linux 6.6.62+rpt-rpi-v8 arm64 LE
21 Oct 19:50:20 - [info] Loading palette nodes
21 Oct 19:50:23 - [info] Dashboard version 3.6.5 started at /ui
21 Oct 19:50:24 - [info] Settings file : /home/pi/.node-red/settings.js
21 Oct 19:50:24 - [info] Context store : 'default' [module=memory]
21 Oct 19:50:24 - [info] User directory : /home/pi/.node-red
21 Oct 19:50:24 - [warn] Projects disabled : editorTheme.projects.enabled=false
21 Oct 19:50:24 - [info] Flows file : /home/pi/.node-red/start
21 Oct 19:50:24 - [info] Creating new flow file
21 Oct 19:50:24 - [warn] Using unencrypted credentials
21 Oct 19:50:24 - [error] Unable to listen on http://127.0.0.1:1880/
21 Oct 19:50:24 - [error] Error: port in use

8

Ja er ist im Internet erreichbar
Freigabe über Port in der Fritzbox

9

hier mal ein ps -aux ausgabe:

pi@raspberrypi:~ $ ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.5 168572 11144 ? Ss Oct10 0:15 /sbin/init
root 2 0.0 0.0 0 0 ? S Oct10 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S Oct10 0:00 [pool_workqueue_release]
root 4 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-rcu_g]
root 5 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-rcu_p]
root 6 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-slub_]
root 7 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-netns]
root 11 0.0 0.0 0 0 ? I Oct10 0:01 [kworker/u8:0-ext4-rsv-conversion]
root 12 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mm_pe]
root 13 0.0 0.0 0 0 ? I Oct10 0:00 [rcu_tasks_kthread]
root 14 0.0 0.0 0 0 ? I Oct10 0:00 [rcu_tasks_rude_kthread]
root 15 0.0 0.0 0 0 ? I Oct10 0:00 [rcu_tasks_trace_kthread]
root 16 0.0 0.0 0 0 ? S Oct10 0:13 [ksoftirqd/0]
root 17 0.0 0.0 0 0 ? I Oct10 3:41 [rcu_preempt]
root 18 0.0 0.0 0 0 ? S Oct10 0:00 [migration/0]
root 19 0.0 0.0 0 0 ? S Oct10 0:00 [cpuhp/0]
root 20 0.0 0.0 0 0 ? S Oct10 0:00 [cpuhp/1]
root 21 0.0 0.0 0 0 ? S Oct10 0:00 [migration/1]
root 22 0.0 0.0 0 0 ? S Oct10 0:13 [ksoftirqd/1]
root 25 0.0 0.0 0 0 ? S Oct10 0:00 [cpuhp/2]
root 26 0.0 0.0 0 0 ? S Oct10 0:00 [migration/2]
root 27 0.0 0.0 0 0 ? S Oct10 0:14 [ksoftirqd/2]
root 30 0.0 0.0 0 0 ? S Oct10 0:00 [cpuhp/3]
root 31 0.0 0.0 0 0 ? S Oct10 0:00 [migration/3]
root 32 0.0 0.0 0 0 ? S Oct10 0:13 [ksoftirqd/3]
root 39 0.0 0.0 0 0 ? S Oct10 0:00 [kdevtmpfs]
root 40 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-inet_]
root 42 0.0 0.0 0 0 ? S Oct10 0:00 [kauditd]
root 44 0.0 0.0 0 0 ? S Oct10 0:00 [khungtaskd]
root 45 0.0 0.0 0 0 ? S Oct10 0:00 [oom_reaper]
root 46 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-write]
root 47 0.0 0.0 0 0 ? S Oct10 0:53 [kcompactd0]
root 48 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-kinte]
root 49 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-kbloc]
root 50 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-blkcg]
root 52 0.0 0.0 0 0 ? S Oct10 0:00 [watchdogd]
root 57 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-rpcio]
root 58 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-xprti]
root 59 0.0 0.0 0 0 ? S Oct10 0:00 [kswapd0]
root 60 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-nfsio]
root 61 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-kthro]
root 64 0.0 0.0 0 0 ? S Oct10 0:00 [irq/27-aerdrv]
root 65 0.0 0.0 0 0 ? S Oct10 0:00 [hwrng]
root 66 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-iscsi]
root 67 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-nvme-]
root 68 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-nvme-]
root 69 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-nvme-]
root 71 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-DWC N]
root 72 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-uas]
root 75 0.0 0.0 0 0 ? S< Oct10 0:00 [vchiq-slot/0]
root 76 0.0 0.0 0 0 ? S< Oct10 0:00 [vchiq-recy/0]
root 77 0.0 0.0 0 0 ? S< Oct10 0:00 [vchiq-sync/0]
root 79 0.2 0.0 0 0 ? I< Oct10 44:47 [kworker/u13:0-brcmf_wq/mmc1:0001:1]
root 80 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/u14:0]
root 81 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/u15:0]
root 82 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/u16:0]
root 83 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/u17:0]
root 91 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-sdhci]
root 92 0.0 0.0 0 0 ? S Oct10 0:00 [irq/38-mmc0]
root 120 0.0 0.0 0 0 ? I< Oct10 0:01 [kworker/3:1H-kblockd]
root 127 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmc_c]
root 179 0.0 0.0 0 0 ? S Oct10 0:23 [jbd2/mmcblk0p2-8]
root 180 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-ext4-]
root 196 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mld]
root 197 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-ipv6_]
root 244 0.0 8.8 391176 168060 ? Ss Oct10 1:26 /lib/systemd/systemd-journald
root 264 0.0 0.0 0 0 ? I Oct10 0:00 [kworker/u8:1]
root 266 0.0 0.3 26384 6784 ? Ss Oct10 0:02 /lib/systemd/systemd-udevd
root 295 0.0 0.0 0 0 ? S Oct10 0:00 [vchiq-keep/0]
root 296 0.0 0.0 0 0 ? S< Oct10 0:00 [SMIO]
root 305 0.0 0.0 0 0 ? S Oct10 0:00 [irq/40-vc4 hdmi hpd connected]
root 306 0.0 0.0 0 0 ? S Oct10 0:00 [irq/41-vc4 hdmi hpd disconnected]
root 307 0.0 0.0 0 0 ? S Oct10 0:00 [cec-vc4-hdmi-0]
root 308 0.0 0.0 0 0 ? S Oct10 0:00 [irq/42-vc4 hdmi cec rx]
root 309 0.0 0.0 0 0 ? S Oct10 0:00 [irq/43-vc4 hdmi cec tx]
root 313 0.0 0.0 0 0 ? S Oct10 0:00 [irq/44-vc4 hdmi hpd connected]
root 314 0.0 0.0 0 0 ? S Oct10 0:00 [irq/45-vc4 hdmi hpd disconnected]
root 315 0.0 0.0 0 0 ? S Oct10 0:00 [cec-vc4-hdmi-1]
root 316 0.0 0.0 0 0 ? S Oct10 0:00 [irq/46-vc4 hdmi cec rx]
root 318 0.0 0.0 0 0 ? S Oct10 0:00 [irq/47-vc4 hdmi cec tx]
root 330 0.0 0.0 0 0 ? S Oct10 0:00 [card0-crtc0]
root 331 0.0 0.0 0 0 ? S Oct10 0:00 [card0-crtc1]
root 332 0.0 0.0 0 0 ? S Oct10 0:00 [card0-crtc2]
root 334 0.0 0.0 0 0 ? S Oct10 0:00 [card0-crtc3]
root 335 0.0 0.0 0 0 ? S Oct10 0:00 [card0-crtc4]
root 336 0.0 0.0 0 0 ? S Oct10 0:00 [card0-crtc5]
root 343 0.0 0.0 0 0 ? S Oct10 0:00 [v3d_bin]
root 344 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 347 0.0 0.0 0 0 ? S Oct10 0:00 [v3d_render]
root 348 0.0 0.0 0 0 ? S Oct10 0:00 [v3d_tfu]
root 350 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 351 0.0 0.0 0 0 ? S Oct10 0:00 [v3d_csd]
root 352 0.0 0.0 0 0 ? S Oct10 0:00 [v3d_cache_clean]
root 354 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 355 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-cfg80]
root 358 0.0 0.0 0 0 ? S Oct10 0:00 [irq/55-feb10000.codec]
root 361 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 363 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 365 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 366 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-mmal-]
root 373 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/R-brcmf]
root 375 0.0 0.0 0 0 ? S Oct10 8:18 [brcmf_wdog/mmc1:0001:1]
root 424 0.0 0.0 0 0 ? I< Oct10 0:00 [kworker/u13:3-hci0]
systemd+ 440 0.0 0.3 90708 6656 ? Ssl Oct10 0:07 /lib/systemd/systemd-timesyncd
avahi 444 0.0 0.1 7492 3200 ? Ss Oct10 5:39 avahi-daemon: running [raspberrypi-2.local]
root 445 0.0 0.2 13316 5504 ? Ss Oct10 0:00 /usr/libexec/bluetooth/bluetoothd
root 446 0.0 0.1 6692 2432 ? Ss Oct10 0:04 /usr/sbin/cron -f
message+ 447 0.0 0.2 8784 3968 ? Ss Oct10 0:33 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
pi 454 1.1 7.9 9526612 150896 ? Ssl Oct10 181:25 node-red
polkitd 457 0.0 0.3 235212 6656 ? Ssl Oct10 0:00 /usr/lib/polkit-1/polkitd --no-debug
avahi 458 0.0 0.0 7180 1300 ? S Oct10 0:00 avahi-daemon: chroot helper
root 463 0.0 0.3 33796 7168 ? Ss Oct10 0:02 /lib/systemd/systemd-logind
nobody 464 0.0 0.1 5828 2560 ? Ss Oct10 0:13 /usr/sbin/thd --triggers /etc/triggerhappy/triggers.d/ --socket /run/thd.socket --user nob
root 529 0.0 0.9 262720 18816 ? Ssl Oct10 4:12 /usr/sbin/NetworkManager --no-daemon
root 534 0.0 0.5 17292 10624 ? Ss Oct10 0:13 /sbin/wpa_supplicant -u -s -O DIR=/run/wpa_supplicant GROUP=netdev
root 548 0.0 0.6 249672 11520 ? Ssl Oct10 0:00 /usr/sbin/ModemManager
root 580 0.0 0.0 5620 1536 tty1 Ss+ Oct10 0:00 /sbin/agetty -o -p -- \u --noclear - linux
root 581 0.0 0.1 5244 2048 ttyS0 Ss+ Oct10 0:00 /sbin/agetty -o -p -- \u --keep-baud 115200,57600,38400,9600 - vt220
mosquit+ 584 0.2 0.6 20124 11904 ? Rs Oct10 37:12 /usr/sbin/mosquitto -c /etc/mosquitto/mosquitto.conf
root 593 0.0 0.4 16460 8576 ? Ss Oct10 0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
pi 64932 1.8 1.1 326284 21040 ? Rsl Oct11 266:41 /home/pi/optolink-splitter-main/myvenv/bin/python /home/pi/optolink-splitter-main/optolink
pi 124592 0.0 0.0 4432 1040 ? Ss Oct12 0:00 /usr/sbin/hwm
pi 124593 373 14.5 944264 275220 ? Sl Oct12 47913:24 /usr/lib/syst
pi 124594 0.4 0.0 6476 1428 ? S Oct12 58:53 /usr/sbin/sys
root 134029 0.0 0.0 0 0 ? I< Oct16 0:00 [kworker/2:0H-kblockd]
root 139271 0.0 0.0 0 0 ? I Oct17 0:02 [kworker/u12:2-events_unbound]
root 139717 0.0 0.0 0 0 ? I Oct17 0:03 [kworker/u11:2-events_unbound]
root 140743 0.0 0.0 0 0 ? I Oct18 0:03 [kworker/u10:1-events_unbound]
root 147400 0.0 0.0 0 0 ? I Oct20 0:01 [kworker/u9:1-events_unbound]
root 149104 0.0 0.0 0 0 ? I Oct20 0:02 [kworker/2:0-cgroup_destroy]
root 149151 0.0 0.0 0 0 ? I Oct20 0:01 [kworker/u9:0-events_unbound]
root 149178 0.0 0.0 0 0 ? I< Oct20 0:00 [kworker/1:0H-kblockd]
root 149185 0.0 0.0 0 0 ? I Oct20 0:01 [kworker/u12:1-events_unbound]
root 149512 0.0 0.0 0 0 ? I Oct20 0:04 [kworker/u9:2-flush-179:0]
root 150844 0.0 0.0 0 0 ? I 09:18 0:00 [kworker/u11:1-events_unbound]
root 150939 0.0 0.0 0 0 ? I 09:52 0:00 [kworker/2:1-mm_percpu_wq]
root 151200 0.0 0.0 0 0 ? I< 11:45 0:00 [kworker/0:2H-kblockd]
pi 151210 0.0 0.1 6800 3072 ? S 11:46 0:00 /bin/bash /home/pi/.node-red/node_modules/node-red-node-pi-gpio/nrgpio out 16 1
pi 151212 0.3 0.6 175596 11392 ? Sl 11:46 1:54 python3 -u /home/pi/.node-red/node_modules/node-red-node-pi-gpio/nrgpio.py out 16 1
root 151854 0.0 0.0 0 0 ? I 17:15 0:00 [kworker/u10:2-events_unbound]
root 151906 0.0 0.0 0 0 ? I 17:41 0:00 [kworker/u11:0-events_unbound]
root 152022 0.0 0.0 0 0 ? I 18:46 0:00 [kworker/u12:0-events_unbound]
root 152083 0.0 0.0 0 0 ? I< 19:19 0:00 [kworker/0:0H]
root 152090 0.0 0.0 0 0 ? I< 19:20 0:00 [kworker/3:2H]
root 152113 0.0 0.0 0 0 ? I 19:33 0:00 [kworker/1:3-events_freezable_power_]
root 152184 0.0 0.0 0 0 ? I 19:54 0:00 [kworker/u10:0]
root 152185 0.0 0.0 0 0 ? I 19:54 0:00 [kworker/1:0-cgroup_destroy]
root 152194 0.0 0.0 0 0 ? I< 19:55 0:00 [kworker/1:2H]
root 152236 0.0 0.0 0 0 ? I 20:18 0:00 [kworker/3:0-mm_percpu_wq]
root 152274 0.0 0.0 0 0 ? I< 20:40 0:00 [kworker/2:2H]
root 152283 0.0 0.5 19592 9984 ? Ss 20:48 0:00 sshd: pi [priv]
pi 152286 0.0 0.5 19596 10112 ? Ss 20:49 0:00 /lib/systemd/systemd --user
pi 152288 0.0 0.2 170332 5052 ? S 20:49 0:00 (sd-pam)
pi 152307 0.0 0.3 19852 6536 ? S 20:49 0:00 sshd: pi@pts/0
pi 152308 0.0 0.2 8100 4608 pts/0 Ss 20:49 0:00 -bash
root 152353 0.0 0.0 0 0 ? I 20:49 0:00 [kworker/0:2-mm_percpu_wq]
root 152400 0.0 0.0 0 0 ? I 20:55 0:00 [kworker/0:1-events]
root 152401 0.0 0.0 0 0 ? I 20:57 0:00 [kworker/3:2-events_freezable]
root 152409 0.2 0.0 0 0 ? I 21:01 0:00 [kworker/0:0-events]
root 152411 0.0 0.0 0 0 ? I 21:02 0:00 [kworker/3:1-mm_percpu_wq]
pi 152420 200 0.2 11136 4224 pts/0 R+ 21:05 0:00 ps -aux

10

You did not stop node-red before starting it again. You do that by running
node-red-stop
node-red-start

Note, that is node-red-start not node-red start

11

Translation:
Yes, it is reachable on the internet via port forwarding on the FRITZ!Box

In that case, unless it is protected by a strong user/pwd and uses https you have probably been hacked. Disconnect it from the internet immediately. Reprogram your SD card and start again and do not open it to the internet unless you understand the implications.

12

Good catch @jbudd

13

Starting as a systemd service.
21 Oct 20:42:19 - [info]
Welcome to Node-RED

21 Oct 20:42:19 - [info] Node-RED version: v4.0.8
21 Oct 20:42:19 - [info] Node.js version: v20.18.1
21 Oct 20:42:19 - [info] Linux 6.6.62+rpt-rpi-v8 arm64 LE
21 Oct 20:42:20 - [info] Loading palette nodes
21 Oct 20:42:21 - [info] Dashboard version 3.6.5 started at /ui
21 Oct 20:42:22 - [info] Settings file : /home/pi/.node-red/settings.js
21 Oct 20:42:22 - [info] Context store : 'default' [module=memory]
21 Oct 20:42:22 - [info] User directory : /home/pi/.node-red
21 Oct 20:42:22 - [warn] Projects disabled : editorTheme.projects.enabled=false
21 Oct 20:42:22 - [info] Flows file : /home/pi/.node-red/flows.json
21 Oct 20:42:22 - [info] Server now running at http://127.0.0.1:1880/
21 Oct 20:42:22 - [warn] Using unencrypted credentials
21 Oct 20:42:22 - [info] Starting flows
21 Oct 20:42:22 - [info] Started flows
21 Oct 20:42:22 - [info] [mqtt-broker:e73cf92749e0bfe3] Connected to broker: mqt t://localhost:1883

14

image
image1920×1008 107 KB

nach neustart ist cpu auslastung weg!
weil auch der hack gestoppt wurde?

15

If you do have malware on the Pi it can see user names and passwords for other services such as your mosquitto broker, external API keys etc.

16

Danke für die Hilfe!
Denke das war kein Hack
Immer noch niedrige Auslastung von ca 3%
Es war wohl eher ein abgestürzte Anwendung oder Update

17

I would be grateful if you could translate before posting. That would save most of us the effort of translating each one.

Do you mean that you have not rebooted or restarted node red since it started behaving strangely?

Whether this was a hack or not, I hope that you have a strong password protecting node-red, and are using https. Otherwise you will likely get hacked at some points. There are bots looking for poorly protected node-red systems, which they hack with, for example, bitcoin mining code.

18

I understand you seem happy now, but having something connected directly to the internet would make me nervous.
When you put all that to chatGPT you get:

does anything of this look like the system is compromised, hacked, or running other malishious code? hier mal ein ps -aux ausgabe:...

Short answer: yes — there are a few very suspicious processes here.
Most entries are normal kernel/system threads, but these three jump out:

  • pi 124592 … /usr/sbin/hwm
  • pi 124593 373 … /usr/lib/syst (truncated — likely trying to look like “systemd”)
  • pi 124594 … /usr/sbin/sys

Why they look bad:

  • They’re not standard Raspberry Pi OS/Debian binaries (/usr/sbin/sys and /usr/sbin/hwm don’t exist on a clean install).
  • They’re owned by user pi but live in system directories (/usr/sbin, /usr/lib) — unusual and a common malware trick.
  • One is burning huge CPU (%CPU 373 and TIME in the tens of thousands of minutes), which fits crypto-miner/bot behavior.
  • The names (sys, syst) look like masquerades for real services.

Your other entries like node-red, mosquitto, NetworkManager, wpa_supplicant, ModemManager, sshd, and kernel kworker threads all look normal for a Pi with IoT software.

:puzzle_piece: Schlussfolgerung (auf Deutsch)

Ja — es sieht sehr stark danach aus, dass dein System kompromittiert wurde.
Fast alle Prozesse in deiner ps -aux-Liste sind absolut normal für ein Raspberry-Pi-Linux-System – außer drei Prozessen, die sehr verdächtig sind:

  • /usr/sbin/hwm
  • /usr/lib/syst… (vermutlich absichtlich abgeschnitten, um wie „systemd“ auszusehen)
  • /usr/sbin/sys

Diese drei Programme:

  • liegen in Systemverzeichnissen, gehören aber dem Benutzer „pi“ → das ist ungewöhnlich und deutet auf manipulierte Dateien hin,
  • verwenden täuschende Namen, die wie echte Systemdienste aussehen sollen,
  • einer davon (/usr/lib/syst...) verbraucht extrem viel CPU – ein typisches Verhalten für Krypto-Miner oder Botnet-Software.

Alles andere (Node-RED, mosquitto, NetworkManager, sshd, systemd usw.) ist völlig normal.

:broom: Empfohlener nächster Schritt

Wenn sich die Verdachtsmomente bestätigen:

  1. Trenne den Pi vom Internet.
  2. Sichere deine wichtigen Daten (Node-RED-Flows, mosquitto-Konfiguration).
  3. Setze das System neu auf (SD-Karte neu flashen mit aktueller Raspberry Pi OS-Version).
  4. Passwörter ändern und SSH absichern.

Read: Protecting Node-RED from itself "No Internet access to the Editor"

19

Thanks for your very good Help

so i started complete from Zero
now with password for Nodered and a good password for the pi

but i need to check and change datas over the www

so i use "Portfreigabe" from my Fritzbox, only http is working

i should use https but i dont know how
what should i do, to get a save system?

20

Do not use http over the internet for any reason. You WILL be hacked.

There are several useful threads on the forum telling you how to more safely connect node-red to the internet, check the "security" tag and the faq category.

If you don't know how to do internet security, you should make use of a cloud solution such as Cloudfflare Zero Trust.