Internet Wide Ethereum JSON-RPC Scans
Ethereum is certainly getting a lot of press this year, and with this, we also see the bad guys spending more effort to steal the shiny fresh off the digital mint crypto coins. Etherum itself is a rather complex beast, but one feature Ethereum nodes provide is a remote access option via RPC. Typically, nodes are listening on port 8545. For the last few months, we have been seeing a steady increase in requests for this port.
A typical request sent:
POST / HTTP/1.1
Host: a.b.c.d:8545
User-Agent: Geth/v1.6.1-stable-021c3c28/linux-amd64/go1.8.1
Content-Length: 86
Content-Type: application/json
Accept-Encoding: gzip
Connection: close{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["0x1", false], "id":406270}
The user agent matches the typical Go library used to implement these requests. At this point, this looks just like a recognizance query. If anybody has the "right" response to this type of query, please let me know. the "id" parameter changes between requests.
Currently, two IP addresses are scanning specifically hard using these requests:
216.158.238.186 - Interserver Inc. (a New Jersey hosting company)
46.166.148.120 - NFOrce Entertainment BV (Durch hosting company)
If you are using Ethereum, and if you are running an Ethereum node, then please make sure the node is not listening to inbound queries. As far as I can tell, these requests are simple HTTP requests, they are not protected by same-origin policy and can easily be issued via Javascript. It would be trivial to have Javascript look for a node on the host connecting to a web server, even if the host is behind NAT. Probably because investors in cryptocurrencies are used to taking risks, the JSON RPC interface does not provide for authentication. Instead, if you do want to use any form of authentication, you have to proxy the queries via a server like Nginx that is then able to filter and authenticate requests.
If you are more familiar with the use of JSON-RPC for Ethereum, or if you have anything else to contribute to this, please let me know!
And a quick update: I am also seeing this request now:
POST / HTTP/1.0
Accept: */*
Content-Length: 49
Content-Type: application/json{"id":0,"jsonrpc":"2.0","method":"eth_accounts"}
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|
Comments