Go-ethereum: Geth 1.9.23 spam?

Created on 11 Oct 2020 · 14Comments · Source: ethereum/go-ethereum

System information

Geth version: latest
OS & Version: Linux Ubuntu 20.04

Steps to reproduce the behaviour

Install geth on Ubuntu 20.04 by going thru this set of instructions:
https://geth.ethereum.org/docs/install-and-build/installing-geth#install-on-ubuntu-via-ppas

Then run to start fresh sync
'geth --cache 40960'

After "Mapped network port", you should see the message:

' * WARNING SECURITY UPDATE REQUIRED. YOUR GETH CLIENT IS VULNERABLE. YOUR ETHER & ERC20 ASSETS ARE AT RISK OF PERMANENT LOSS! Visit https://get-geth.com now to download and update to the latest version WARNING: DO NOT IGNORE THIS MESSAGE * This software is open source under a GNU Lesser General Public License license. Upgrade to Geth 1.9.23 for Linux/OSX/Windows via https://get-geth.com immediately.'

Source

mohsenghajar

👍5 👀3

Most helpful comment

Hey @mohsenghajar thank you for reporting! It seems that someone set their nodes type to "WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync id=805a748043bc9309 conn=inbound addr=185.232.28.131:37109 type=WARN conn=security_notification_service priority=critical library=crypto.keccak256hash impact=high required=yes flags=0x0 insecure=yes panic=yes error=0x7ffffffff ********************* *** WARNING SECURITY UPDATE REQUIRED.....
This is of course an attempt to scam users to update their nodes to a modified version of geth. Please only update your nodes to the certified releases published on geth.ethereum.org or build directly from source!

MariusVanDerWijden on 11 Oct 2020

👍8

All 14 comments

Please provide your exact logs from the geth-run, which includes detailed version info

holiman on 11 Oct 2020

INFO [10-11|17:25:24.194] Starting Geth on Ethereum INFO [10-11|17:25:24.194] Maximum peer count INFO [10-11|17:25:24.195] Smartcard socket not found, disabling INFO [10-11|17:25:24.195] Set global gas cap INFO [10-11|17:25:24.195] Allocated trie memory caches INFO [10-11|17:25:24.195] Allocated cache and file handles INFO [10-11|17:25:24.274] Opened ancient database INFO [10-11|17:25:24.274] Initialised chain configuration INFO [10-11|17:25:24.274] Disk storage enabled for ethash caches INFO [10-11|17:25:24.274] Disk storage enabled for ethash DAGs INFO [10-11|17:25:24.274] Initialising Ethereum protocol INFO [10-11|17:25:24.276] Loaded most recent local header INFO [10-11|17:25:24.276] Loaded most recent local full block INFO [10-11|17:25:24.276] Loaded most recent local fast block INFO [10-11|17:25:24.276] Loaded local transaction journal INFO [10-11|17:25:24.276] Regenerated local transaction journal INFO [10-11|17:25:24.416] Allocated fast sync bloom INFO [10-11|17:25:24.420] Starting peer-to-peer node INFO [10-11|17:25:24.501] New local node record INFO [10-11|17:25:24.502] Started P2P networking INFO [10-11|17:25:24.502] IPC endpoint opened WARN [10-11|17:25:27.215] Dropping unsynced node during fast sync INFO [10-11|17:25:27.428] Mapped network port INFO [10-11|17:25:27.847] New local node record INFO [10-11|17:25:28.058] Mapped network port WARN [10-11|17:25:29.630] Dropping unsynced node during fast sync INFO [10-11|17:25:30.367] Initialized fast sync bloom ^CINFO [10-11|17:25:31.644] Got interrupt, shutting INFO [10-11|17:25:31.644] IPC endpoint closed WARN [10-11|17:25:31.654] Dropping unsynced node during fast sync INFO [10-11|17:25:31.658] Deallocated fast sync bloom INFO [10-11|17:25:31.659] Ethereum protocol stopped
ETH=50 LES=0 total=50
err="stat /run/pcscd/pcscd.comm: no such file or directory"
cap=25000000
clean=10.00GiB dirty=10.00GiB
database=/home/crypto/.ethereum/geth/chaindata cache=20.00GiB handles=524288
database=/home/crypto/.ethereum/geth/chaindata/ancient
config="{ChainID: 1 Homestead: 1150000 DAO: 1920000 DAOSupport: true EIP150: 2463000 EIP155: 2675000 EIP158: 2675000 Byzantium: 4370000 Constantinople: 7280000 Petersburg: 7280000 Istanbul: 9069000, Muir Glacier: 9200000, YOLO v1: , Engine: ethash}"
dir=/home/crypto/.ethereum/geth/ethash count=3
dir=/home/crypto/.ethash count=2
versions="[65 64 63]" network=1 dbversion=8
number=0 hash="d4e567…cb8fa3" td=17179869184 age=51y6mo6d
number=0 hash="d4e567…cb8fa3" td=17179869184 age=51y6mo6d
number=0 hash="d4e567…cb8fa3" td=17179869184 age=51y6mo6d
transactions=0 dropped=0
transactions=0 accounts=0
size=20.00GiB
instance=Geth/v1.9.22-stable-c71a7e26/linux-amd64/go1.15.2
seq=13 id=0d6f59e38aad537a ip=127.0.0.1 udp=30303 tcp=30303
self=enode://fb4a14c90750e5f21a2858f8bd2100277b1534060915b9145ac721345d7d1f349b22be3500595920bfa16111183af797835ecdce2c943b43271abc717d7f677b@127.0.0.1:30303
url=/home/crypto/.ethereum/geth.ipc
id=35125015a50e84a2 conn=dyndial addr=140.143.157.12:30303 type=Geth/v1.9.0-stable/linux-amd64/go1.10
proto=tcp extport=30303 intport=30303 interface="UPNP IGDv2-IP2"
seq=14 id=0d6f59e38aad537a ip=xxxx udp=30303 tcp=30303
proto=udp extport=30303 intport=30303 interface="UPNP IGDv2-IP2"
id=fd744ac811dbd3e7 conn=inbound addr=31.184.197.89:42551 type="WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync id=805a748043bc9309 conn=inbound addr=185.232.28.131:37109 type=WARN conn=security_notification_service priority=critical library=crypto.keccak256hash impact=high required=yes flags=0x0 insecure=yes panic=yes error=0x7ffffffff ****** WARNING SECURITY UPDATE REQUIRED. YOUR GETH CLIENT IS VULNERABLE. YOUR ETHER & ERC20 ASSETS ARE AT RISK OF PERMANENT LOSS! Visit https://get-geth.com now to download and update to the latest version WARNING: DO NOT IGNORE THIS MESSAGE This software is open source under a GNU Lesser General Public License license. Upgrade to Geth 1.9.23 for Linux/OSX/Windows via https://get-geth.com immediately. *****"
items=12356 errorrate=0.000 elapsed=5.950s
down...
url=/home/crypto/.ethereum/geth.ipc
id=07fc914175a2b4d8 conn=inbound addr=31.184.196.106:33715 type="WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync id=805a748043bc9309 conn=inbound addr=185.232.28.131:37109 type=WARN conn=security_notification_service priority=critical library=crypto.keccak256hash impact=high required=yes flags=0x0 insecure=yes panic=yes error=0x7ffffffff ****** WARNING SECURITY UPDATE REQUIRED. YOUR GETH CLIENT IS VULNERABLE. YOUR ETHER & ERC20 ASSETS ARE AT RISK OF PERMANENT LOSS! Visit https://get-geth.com now to download and update to the latest version WARNING: DO NOT IGNORE THIS MESSAGE This software is open source under a GNU Lesser General Public License license. Upgrade to Geth 1.9.23 for Linux/OSX/Windows via https://get-geth.com immediately. *****"
items=12356 errorrate=0.000
/> /> path=/home/crypto/.ethereum/geth/triecache threads=16
path=/home/crypto/.ethereum/geth/triecache elapsed="571.723µs"

mohsenghajar on 11 Oct 2020

MariusVanDerWijden on 11 Oct 2020

👍8

Got it. So is this safe to use?

mohsenghajar on 12 Oct 2020

Yes, the current version and every recent version from geth.ethereum.org is save to use!
We display the name of our peers in the logs which can be used to display arbitrary strings. Will publish a fix for it soon

MariusVanDerWijden on 12 Oct 2020

👍4 😄2

Thanks for your report, @mohsenghajar . Your contribution helps making Ethereum safer.

3esmit on 12 Oct 2020

🎉2

Thank you, @mohsenghajar for spotting this!

I've sent an abuse report to the fake website hosting provider, WorldStream B.V. (worldstream.com) to [email protected] and [email protected]

There's a set of websites hosted on IP 190.2.135.33 (190-2-135-33.hosted-by-worldstream.net) that distribute malware:

https://ethereumdownloads.com
https://get-geth.org
https://get-geth.com

Aldekein on 12 Oct 2020

🎉3 👍2

@MariusVanDerWijden do I understand correctly that fake nodes which distribute the message have IP addresses 31.184.196.106 and 31.184.197.89?

Aldekein on 12 Oct 2020

Yes, those are the two fake nodes, but keep in mind that they could have faked their ip addresses of course.
Thank you for reporting the websites!

MariusVanDerWijden on 12 Oct 2020

Indeed, even the site looks very similar to the original. In any case, when you download the so called Geth 1.9.23 version, you are warned by any bare minimum anti-virus that the file is suspicious.

RB61 on 12 Oct 2020

👍1

I have pushed these to the MetaMask (and EAL) blacklists, which should help mitigate the current threat by getting the browser extensions to disallow interaction with the webpages - https://github.com/MetaMask/eth-phishing-detect/pull/4271

I will also assist with issuing takedowns, and if I can, looking into the binaries to see what they do

409H on 12 Oct 2020

👍2

I got another spam from ip 87.251.70.186

wsy2220 on 13 Oct 2020

Abuse Department | WorldStream B.V. replied:

Dear Oleh Vasylenko,

Thank you very much for your notification.
We've processed your message and informed the customer involved.
We demanded that they take action in a small time frame.
Unfortunantly, our customer did not respond in a timely manner as a result the IP-address has been blocked.

Kindly let us know if you require any more information or action from WorldStream.

I checked the 3 malware websites and they all are down now. The fake ethereumdownloads.com now points to CloudFlare IP, but there's only 404 error.

Aldekein on 13 Oct 2020

👍1

Should be fixed by https://github.com/ethereum/go-ethereum/pull/21698 by limiting the output that remote node names can produce. The fix obviously only applies to updated nodes. Closing this issue as there's not much more we can do at this time. Thank you very much for looking into this and contacting the relevant hosting companies.