SANS ISC: Internet Storm Center

Internet Wide Ethereum JSON-RPC Scans

Published: 2017-11-21
Last Updated: 2017-11-21 22:36:21 UTC
by Johannes Ullrich (Version: 1)

Ethereum is certainly getting a lot of press this year, and with it we also see the bad guys spending more effort to steal these freshly minted crypto coins. Ethereum itself is a rather complex beast, but one feature Ethereum nodes provide is remote access via a JSON-RPC interface. Typically, nodes listen on port 8545. For the last few months, we have been seeing a steady increase in requests for this port.

A typical request sent:

POST / HTTP/1.1
Host: a.b.c.d:8545
User-Agent: Geth/v1.6.1-stable-021c3c28/linux-amd64/go1.8.1
Content-Length: 86
Content-Type: application/json
Accept-Encoding: gzip
Connection: close

{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["0x1", false], "id":406270}

The user agent matches the typical Go library used to implement these requests. At this point, this looks just like a reconnaissance query. If anybody has the "right" response to this type of query, please let me know. The "id" parameter changes between requests.

Currently, two IP addresses are scanning particularly hard with these requests:

216.158.238.186 - Interserver Inc. (a New Jersey hosting company)
46.166.148.120 - NFOrce Entertainment BV (Dutch hosting company)

If you are using Ethereum and running an Ethereum node, please make sure the node is not listening for inbound queries. As far as I can tell, these requests are simple HTTP requests; they are not protected by the same-origin policy and can easily be issued from JavaScript. It would be trivial to have JavaScript look for a node on a host connecting to a web server, even if that host is behind NAT. Probably because investors in cryptocurrencies are used to taking risks, the JSON-RPC interface does not provide authentication. If you do want any form of authentication, you have to proxy the queries through a server like Nginx, which can then filter and authenticate requests.

If you are more familiar with the use of JSON-RPC for Ethereum, or if you have anything else to contribute to this, please let me know!

And a quick update: I am also seeing this request now:

POST / HTTP/1.0
Accept: */*
Content-Length: 49
Content-Type: application/json

{"id":0,"jsonrpc":"2.0","method":"eth_accounts"}
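As an added example (not part of this diary), here is a small Python classifier that flags the two JSON-RPC methods seen in these captures when run over raw port 8545 requests, for example from a honeypot or proxy log. The sample requests are reconstructed from the two captures above; the reason labels and the benign health-check request are this example's own assumptions.

```python
import json

# JSON-RPC methods seen in the captured probes; the labels are this example's own reading.
WATCHED_METHODS = {
    "eth_getBlockByNumber": "node discovery probe",
    "eth_accounts": "account enumeration (lists the node's wallet addresses)",
}

def parse_http_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify_request(raw: str):
    """Return a finding dict for a JSON-RPC call to a watched method, else None."""
    request_line, headers, body = parse_http_request(raw)
    if not request_line.startswith("POST ") or "json" not in headers.get("content-type", ""):
        return None
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return None
    method = msg.get("method")
    if method not in WATCHED_METHODS:
        return None
    ua = headers.get("user-agent", "<none>")  # the HTTP/1.0 probe sends no User-Agent at all
    return {"method": method, "reason": WATCHED_METHODS[method], "rpc_id": msg.get("id"),
            "user_agent": ua, "geth_client": ua.startswith("Geth/")}

# Constructed samples: the two requests quoted in the diary plus a benign request.
PROBE_GET_BLOCK = (
    "POST / HTTP/1.1\r\nHost: a.b.c.d:8545\r\nUser-Agent: Geth/v1.6.1-stable-021c3c28/linux-amd64/go1.8.1\r\n"
    "Content-Length: 86\r\nContent-Type: application/json\r\nAccept-Encoding: gzip\r\nConnection: close\r\n\r\n"
    '{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["0x1", false], "id":406270}'
)
PROBE_ACCOUNTS = (
    "POST / HTTP/1.0\r\nAccept: */*\r\nContent-Length: 49\r\nContent-Type: application/json\r\n\r\n"
    '{"id":0,"jsonrpc":"2.0","method":"eth_accounts"}'
)
BENIGN_GET = "GET /health HTTP/1.1\r\nHost: a.b.c.d:8545\r\n\r\n"
if __name__ == "__main__":
    for raw in (PROBE_GET_BLOCK, PROBE_ACCOUNTS, BENIGN_GET):
        print(classify_request(raw))
```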

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute