node-RED virus >> emoncms image file

Hi all. I’ve pinned the post about the node-RED virus issue until Monday, I hope that’s OK.

It is affecting quite a number of systems, and the node-RED authors are recommending that any infected system should be completely wiped, as the virus is pretty much free (having root access) to install or do whatever it wants.

I think it’s important that emoncms users are aware, because not only has node-RED been bundled into the OS which is most popular with emoncms, but many users are using it as integration with emoncms, which of course would also need to be wiped if infected.

It’s hard to believe that users actually expose their system to the web without even considering the most basic password protection, but there we go, they’ll learn the hard way :sunglasses:

1 Like

Just wondered… does the emoncms image file have node-RED adminAuth setup by default?

Thanks Paul, I will ask @glyn.hudson about this

Hi @Paul, Thanks for bringing this to our attention. I’m currently reading all the threads on the nodered forums regarding the issue. Is this the issue you are talking about:

Yes, every single emonPi / emonBase / emonSD with nodered is secured with an adminAuth username / password.

From my understanding it seems that the malware has only affected systems open to the internet without secure admin access. By default emonPi / emonBase systems should not have the nodered port open to the internet, if a users chooses to open their nodered system to the internet we have always strongly recommend they change the default password.

I’ve just scanned all the nodred installations that I have access (all have adminauth) to and have not been able to find any infections.

With this in mind, I guess we should be ‘ok’ and no further action is needed other than to make users aware of the importance of changing the emonPi default nodered password, if they choose to open their nodered port to the world. Do you agree?

Would you mind if I made this thread public?

Yes, I’m not aware of any cases where the virus has breached the adminAuth security, so a password change should suffice.
See Nick O’Leary’s summary.

Not at all. I only posted this in the Staff section to avoid publically highlighting potential exploit with the emoncms image file, until we had time to fully assess - which has been done.


1 Like