Ethereum is certainly getting a lot of press this year, and with this, we also see the bad guys spending more effort to steal the shiny, fresh-off-the-digital-mint crypto coins. Ethereum itself is a rather complex beast, but one feature Ethereum nodes provide is a remote access option via RPC. Typically, nodes are listening on port 8545. For the last few months, we have been seeing a steady increase in requests for this port.
A typical request sent:
The user agent matches the typical Go library used to implement these requests. At this point, this looks just like a reconnaissance query. If anybody has the "right" response to this type of query, please let me know. The "id" parameter changes between requests.
Currently, two IP addresses are scanning particularly hard using these requests:
220.127.116.11 - Interserver Inc. (a New Jersey hosting company)
If you are more familiar with the use of JSON-RPC for Ethereum, or if you have anything else to contribute to this, please let me know!
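A defender-side sketch of how traffic like this can be summarized from a honeypot or proxy log, added here as an example and not part of the original diary. The record layout (`src`, `dport`, `ua`, `body`), the `min_requests` threshold and the sample records are assumptions; the sample bodies are constructed and are not the requests the diary captured.

```python
import json
from collections import defaultdict

ETH_RPC_PORT = 8545  # port the diary names for Ethereum node RPC
UA = "Go-http-client/1.1"  # default User-Agent of Go's net/http client

def rpc(method, rid):
    """Build a constructed JSON-RPC 2.0 body for the sample records."""
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": [], "id": rid})

# Constructed sample records (hypothetical log layout, documentation IP ranges).
SAMPLE_RECORDS = [
    {"src": "192.0.2.10", "dport": 8545, "ua": UA, "body": rpc("eth_blockNumber", 101)},
    {"src": "192.0.2.10", "dport": 8545, "ua": UA, "body": rpc("eth_blockNumber", 102)},
    {"src": "192.0.2.10", "dport": 8545, "ua": UA, "body": rpc("web3_clientVersion", 103)},
    {"src": "198.51.100.7", "dport": 8545, "ua": "curl/7.58.0", "body": "GET / HTTP/1.1"},
    {"src": "198.51.100.7", "dport": 8545, "ua": "curl/7.58.0", "body": "[1,2"},
    {"src": "203.0.113.5", "dport": 80, "ua": UA, "body": rpc("eth_blockNumber", 1)},
]

def parse_rpc(body):
    """Return [(method, id), ...] for JSON-RPC 2.0 calls in body, [] otherwise."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):  # missing body or not JSON at all
        return []
    calls = doc if isinstance(doc, list) else [doc]  # batch requests are arrays
    return [(c["method"], c.get("id")) for c in calls
            if isinstance(c, dict) and c.get("jsonrpc") == "2.0"
            and isinstance(c.get("method"), str)]

def summarize(records, port=ETH_RPC_PORT):
    """Per-source counts of JSON-RPC calls seen on the given port."""
    stats = defaultdict(lambda: {"requests": 0, "methods": set(),
                                 "ids": set(), "agents": set()})
    for r in records:
        if r.get("dport") != port:
            continue
        for method, rid in parse_rpc(r.get("body")):
            s = stats[r["src"]]
            s["requests"] += 1
            s["methods"].add(method)
            s["ids"].add(json.dumps(rid))  # ids may be numbers, strings or null
            s["agents"].add(r.get("ua", ""))
    return dict(stats)

def flag_probers(stats, min_requests=3):
    """Sources with repeated calls whose "id" is different on every request."""
    return sorted(src for src, s in stats.items()
                  if s["requests"] >= min_requests and len(s["ids"]) == s["requests"])
```

The changing-"id" check is only a heuristic for grouping similar probes; a legitimate client also increments its ids, so the output is a list of sources to review, not a verdict.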
And a quick update: I am also seeing this request now:
Nov 21st 2017