Beware - Exploit CustomNode for Crypto Mining Bot Farm

[Smuzzies]

Attached found in comfy install. Not sure where it came from but if someone wants to analyze it and find it's origins, that would be helpful and help keep folks safe.

WARNING: Downloads and contains sh scripts that run when Comfy starts.
comfyui-terminal.zip

[comfyanonymous]

Looks like it's from: https://github.com/NullBulgeGroup/comfyui-terminal

Any idea how this could have been installed? Do you have a publicly accessible ComfyUI instance with the manager on it?

This only seems to be able to run the miner by queuing a specific workflow which means that the person needs access to your ComfyUI instance.

If you want to run a publicly accessible ComfyUI I don't really recommend it but if you do you should only use the base nodes and never have the manager installed because it lets anyone install and run anything on your instance.

I assume the method of distribution for this is just someone scanning random ips on the default ComfyUI port for open ComfyUI instances with the manager installed.

[ltdrdata]

hmm.... It seems that we need to warn for that.

[Smuzzies]

It's just a test server that I do have setup to access remote to test stuff before I move workflows to a production server. I'm running on a custom port well into the 10k's. I really don't have any idea how it got added and I always grab custom nodes directly from the manager in its default settings. I'll dig around more this evening as I'm really curious how it got there.

Whatever that script does (mining multi chains I assume), my GPU was pegged at 100% all night. The room temp was blazing hot. That is what caught my attention because that 4090 rarely gets used and never gets over about 50C.

[ltdrdata]

It's just a test server that I do have setup to access remote to test stuff before I move workflows to a production server. I'm running on a custom port well into the 10k's. I really don't have any idea how it got added and I always grab custom nodes directly from the manager in its default settings. I'll dig around more this evening as I'm really curious how it got there.

Whatever that script does (mining multi chains I assume), my GPU was pegged at 100% all night. The room temp was blazing hot. That is what caught my attention because that 4090 rarely gets used and never gets over about 50C.

It seems I need to provide an option for the remote environment to disable installing via git URL and allow installations only through a whitelist.
If you have installed the manager in an environment that is accessible remotely, it could be an attack vector.

I will update it to be disabled by default if the listen IP is not 127.x.x.x.

[Smuzzies]

in the meantime, i manually recreated the comfyui-terminal folder in custom_nodes and removed permissions from it via chmod

yeah, not exactly an ideal setup for my remote access, figured most port scanners don't typically scan that high
disabled for now

[liusida]

It's just a test server that I do have setup to access remote to test stuff before I move workflows to a production server. I'm running on a custom port well into the 10k's. I really don't have any idea how it got added and I always grab custom nodes directly from the manager in its default settings. I'll dig around more this evening as I'm really curious how it got there.
Whatever that script does (mining multi chains I assume), my GPU was pegged at 100% all night. The room temp was blazing hot. That is what caught my attention because that 4090 rarely gets used and never gets over about 50C.

It seems I need to provide an option for the remote environment to disable installing via git URL and allow installations only through a whitelist. If you have installed the manager in an environment that is accessible remotely, it could be an attack vector.

I will update it to be disabled by default if the listen IP is not 127.x.x.x.

How about using an LLM to scan through the code of all custom nodes in the whitelist and provide a one-sentence description for each node so people know what they are installing? (just brain storming)

[ltdrdata]

It's just a test server that I do have setup to access remote to test stuff before I move workflows to a production server. I'm running on a custom port well into the 10k's. I really don't have any idea how it got added and I always grab custom nodes directly from the manager in its default settings. I'll dig around more this evening as I'm really curious how it got there.
Whatever that script does (mining multi chains I assume), my GPU was pegged at 100% all night. The room temp was blazing hot. That is what caught my attention because that 4090 rarely gets used and never gets over about 50C.

It seems I need to provide an option for the remote environment to disable installing via git URL and allow installations only through a whitelist. If you have installed the manager in an environment that is accessible remotely, it could be an attack vector.
I will update it to be disabled by default if the listen IP is not 127.x.x.x.

How about using an LLM to scan through the code of all custom nodes in the whitelist and provide a one-sentence description for each node so people know what they are installing? (just brain storming)

TBH, Unreliable. You can find projects that have been documented using LLM, but they are often very inaccurate.

[ltdrdata]

ComfyUI-Manager support advanced security options.

https://github.com/ltdrdata/ComfyUI-Manager#security-policy

[badbrash]

Have received the warning and tried to find the files to delete but could not locate them in the directory. Guidence please.

[ltdrdata]

Have received the warning and tried to find the files to delete but could not locate them in the directory. Guidence please.

What warning are you referring?