
Geth 1.9.23 spam? #21687

Closed
mohsenghajar opened this issue Oct 11, 2020 · 14 comments

Comments

mohsenghajar commented Oct 11, 2020

System information

Geth version: latest
OS & Version: Linux Ubuntu 20.04

Steps to reproduce the behaviour

Install geth on Ubuntu 20.04 by going through this set of instructions:
https://geth.ethereum.org/docs/install-and-build/installing-geth#install-on-ubuntu-via-ppas

Then run to start fresh sync
'geth --cache 40960'

After "Mapped network port", you should see the message:

' *** WARNING SECURITY UPDATE REQUIRED. YOUR GETH CLIENT IS VULNERABLE. YOUR ETHER & ERC20 ASSETS ARE AT RISK OF PERMANENT LOSS! *** Visit https://get-geth.com now to download and update to the latest version *** WARNING: DO NOT IGNORE THIS MESSAGE *** This software is open source under a GNU Lesser General Public License license. Upgrade to Geth 1.9.23 for Linux/OSX/Windows via https://get-geth.com immediately.'

holiman (Contributor) commented Oct 11, 2020 via email

mohsenghajar (Author) commented Oct 11, 2020

INFO [10-11|17:25:24.194] Starting Geth on Ethereum mainnet...
INFO [10-11|17:25:24.194] Maximum peer count ETH=50 LES=0 total=50
INFO [10-11|17:25:24.195] Smartcard socket not found, disabling err="stat /run/pcscd/pcscd.comm: no such file or directory"
INFO [10-11|17:25:24.195] Set global gas cap cap=25000000
INFO [10-11|17:25:24.195] Allocated trie memory caches clean=10.00GiB dirty=10.00GiB
INFO [10-11|17:25:24.195] Allocated cache and file handles database=/home/crypto/.ethereum/geth/chaindata cache=20.00GiB handles=524288
INFO [10-11|17:25:24.274] Opened ancient database database=/home/crypto/.ethereum/geth/chaindata/ancient
INFO [10-11|17:25:24.274] Initialised chain configuration config="{ChainID: 1 Homestead: 1150000 DAO: 1920000 DAOSupport: true EIP150: 2463000 EIP155: 2675000 EIP158: 2675000 Byzantium: 4370000 Constantinople: 7280000 Petersburg: 7280000 Istanbul: 9069000, Muir Glacier: 9200000, YOLO v1: , Engine: ethash}"
INFO [10-11|17:25:24.274] Disk storage enabled for ethash caches dir=/home/crypto/.ethereum/geth/ethash count=3
INFO [10-11|17:25:24.274] Disk storage enabled for ethash DAGs dir=/home/crypto/.ethash count=2
INFO [10-11|17:25:24.274] Initialising Ethereum protocol versions="[65 64 63]" network=1 dbversion=8
INFO [10-11|17:25:24.276] Loaded most recent local header number=0 hash="d4e567…cb8fa3" td=17179869184 age=51y6mo6d
INFO [10-11|17:25:24.276] Loaded most recent local full block number=0 hash="d4e567…cb8fa3" td=17179869184 age=51y6mo6d
INFO [10-11|17:25:24.276] Loaded most recent local fast block number=0 hash="d4e567…cb8fa3" td=17179869184 age=51y6mo6d
INFO [10-11|17:25:24.276] Loaded local transaction journal transactions=0 dropped=0
INFO [10-11|17:25:24.276] Regenerated local transaction journal transactions=0 accounts=0
INFO [10-11|17:25:24.416] Allocated fast sync bloom size=20.00GiB
INFO [10-11|17:25:24.420] Starting peer-to-peer node instance=Geth/v1.9.22-stable-c71a7e26/linux-amd64/go1.15.2
INFO [10-11|17:25:24.501] New local node record seq=13 id=0d6f59e38aad537a ip=127.0.0.1 udp=30303 tcp=30303
INFO [10-11|17:25:24.502] Started P2P networking self=enode://fb4a14c90750e5f21a2858f8bd2100277b1534060915b9145ac721345d7d1f349b22be3500595920bfa16111183af797835ecdce2c943b43271abc717d7f677b@127.0.0.1:30303
INFO [10-11|17:25:24.502] IPC endpoint opened url=/home/crypto/.ethereum/geth.ipc
WARN [10-11|17:25:27.215] Dropping unsynced node during fast sync id=35125015a50e84a2 conn=dyndial addr=140.143.157.12:30303 type=Geth/v1.9.0-stable/linux-amd64/go1.10
INFO [10-11|17:25:27.428] Mapped network port proto=tcp extport=30303 intport=30303 interface="UPNP IGDv2-IP2"
INFO [10-11|17:25:27.847] New local node record seq=14 id=0d6f59e38aad537a ip=xxxx udp=30303 tcp=30303
INFO [10-11|17:25:28.058] Mapped network port proto=udp extport=30303 intport=30303 interface="UPNP IGDv2-IP2"
WARN [10-11|17:25:29.630] Dropping unsynced node during fast sync id=fd744ac811dbd3e7 conn=inbound addr=31.184.197.89:42551 type="WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync id=805a748043bc9309 conn=inbound addr=185.232.28.131:37109 type=WARN conn=security_notification_service priority=critical library=crypto.keccak256hash impact=high required=yes flags=0x0 insecure=yes panic=yes error=0x7ffffffff ********************* *** WARNING SECURITY UPDATE REQUIRED. YOUR GETH CLIENT IS VULNERABLE. YOUR ETHER & ERC20 ASSETS ARE AT RISK OF PERMANENT LOSS! *** Visit https://get-geth.com now to download and update to the latest version *** WARNING: DO NOT IGNORE THIS MESSAGE *** This software is open source under a GNU Lesser General Public License license. Upgrade to Geth 1.9.23 for Linux/OSX/Windows via https://get-geth.com immediately. ********************"
INFO [10-11|17:25:30.367] Initialized fast sync bloom items=12356 errorrate=0.000 elapsed=5.950s
^CINFO [10-11|17:25:31.644] Got interrupt, shutting down...
INFO [10-11|17:25:31.644] IPC endpoint closed url=/home/crypto/.ethereum/geth.ipc
WARN [10-11|17:25:31.654] Dropping unsynced node during fast sync id=07fc914175a2b4d8 conn=inbound addr=31.184.196.106:33715 type="WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync id=805a748043bc9309 conn=inbound addr=185.232.28.131:37109 type=WARN conn=security_notification_service priority=critical library=crypto.keccak256hash impact=high required=yes flags=0x0 insecure=yes panic=yes error=0x7ffffffff ********************* *** WARNING SECURITY UPDATE REQUIRED. YOUR GETH CLIENT IS VULNERABLE. YOUR ETHER & ERC20 ASSETS ARE AT RISK OF PERMANENT LOSS! *** Visit https://get-geth.com now to download and update to the latest version *** WARNING: DO NOT IGNORE THIS MESSAGE *** This software is open source under a GNU Lesser General Public License license. Upgrade to Geth 1.9.23 for Linux/OSX/Windows via https://get-geth.com immediately. ********************"
INFO [10-11|17:25:31.658] Deallocated fast sync bloom items=12356 errorrate=0.000
INFO [10-11|17:25:31.659] Ethereum protocol stopped
INFO [10-11|17:25:31.659] Transaction pool stopped
INFO [10-11|17:25:31.659] Writing clean trie cache to disk path=/home/crypto/.ethereum/geth/triecache threads=16
INFO [10-11|17:25:31.659] Persisted the clean trie cache path=/home/crypto/.ethereum/geth/triecache elapsed="571.723µs"
INFO [10-11|17:25:31.659] Blockchain stopped

MariusVanDerWijden (Member) commented Oct 11, 2020

Hey @mohsenghajar thank you for reporting! It seems that someone set their node's type to "WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync id=805a748043bc9309 conn=inbound addr=185.232.28.131:37109 type=WARN conn=security_notification_service priority=critical library=crypto.keccak256hash impact=high required=yes flags=0x0 insecure=yes panic=yes error=0x7ffffffff ********************* *** WARNING SECURITY UPDATE REQUIRED...".
This is of course an attempt to scam users to update their nodes to a modified version of geth. Please only update your nodes to the certified releases published on geth.ethereum.org or build directly from source!

mohsenghajar (Author) commented Oct 11, 2020

Got it. So is this safe to use?

MariusVanDerWijden (Member) commented Oct 11, 2020

Yes, the current version and every recent version from geth.ethereum.org is safe to use!
We display the name of our peers in the logs, which can be used to display arbitrary strings. We will publish a fix for it soon.

@mohsenghajar mohsenghajar changed the title Geth 1.9.23 scam? Geth 1.9.23 spam? Oct 11, 2020
3esmit commented Oct 12, 2020

Thanks for your report, @mohsenghajar. Your contribution helps make Ethereum safer.

Aldekein (Member) commented Oct 12, 2020

Thank you, @mohsenghajar, for spotting this!

I've sent an abuse report to the fake website hosting provider, WorldStream B.V. (worldstream.com) to abuse@WORLDSTREAM.NL and abuse@worldstream.com

There's a set of websites hosted on IP 190.2.135.33 (190-2-135-33.hosted-by-worldstream.net) that distribute malware:

https://ethereumdownloads.com
https://get-geth.org
https://get-geth.com

Aldekein (Member) commented Oct 12, 2020

@MariusVanDerWijden do I understand correctly that the fake nodes which distribute the message have IP addresses 31.184.196.106 and 31.184.197.89?

MariusVanDerWijden (Member) commented Oct 12, 2020

Yes, those are the two fake nodes, but keep in mind that they could have faked their IP addresses, of course.
Thank you for reporting the websites!

RB61 commented Oct 12, 2020

Indeed, even the site looks very similar to the original. In any case, when you download the so-called Geth 1.9.23 version, you are warned by any bare-minimum anti-virus that the file is suspicious.

409H commented Oct 12, 2020

I have pushed these to the MetaMask (and EAL) blacklists, which should help mitigate the current threat by getting the browser extensions to disallow interaction with the webpages - MetaMask/eth-phishing-detect#4271

I will also assist with issuing takedowns and, if I can, with looking into the binaries to see what they do.

wsy2220 commented Oct 13, 2020

I got another spam message from IP 87.251.70.186

Aldekein (Member) commented Oct 13, 2020

Abuse Department | WorldStream B.V. replied:

Dear Oleh Vasylenko,

Thank you very much for your notification.
We've processed your message and informed the customer involved.
We demanded that they take action in a small time frame.
Unfortunately, our customer did not respond in a timely manner; as a result the IP address has been blocked.

Kindly let us know if you require any more information or action from WorldStream.

I checked the 3 malware websites and they are all down now. The fake ethereumdownloads.com now points to a Cloudflare IP, but there's only a 404 error.

karalabe (Member) commented Oct 13, 2020

Should be fixed by #21698 by limiting the output that remote node names can produce. The fix obviously only applies to updated nodes. Closing this issue as there's not much more we can do at this time. Thank you very much for looking into this and contacting the relevant hosting companies.
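The root cause discussed in this thread (a peer's self-reported client name is untrusted input that geth echoed verbatim into its own log lines, so a hostile peer could plant a fake "WARN" record in an operator's console) is a general log-injection pattern. The following Go code is an added example written for this issue, not geth's code and not the fix in #21698: it shows the two defensive steps a node can take before logging a peer name, namely neutralising line breaks and other non-printables and capping the length, plus a small heuristic an operator can use to flag names that try to impersonate a log record. The 64-rune cap and the function names are assumptions chosen for the example; the sample strings are constructed, modelled on the string quoted above.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// maxPeerNameLen is an assumed cap on a peer's client-name string.
// It is not the limit geth chose in #21698.
const maxPeerNameLen = 64

// sanitizePeerName returns a version of an untrusted peer name that is safe
// to embed in a single log line: invalid UTF-8 and every non-printable rune
// (newlines, carriage returns, escape sequences) become '?', and the result
// is cut to maxPeerNameLen runes with a trailing "..." marker if it was
// longer. A fake log record can then no longer start a new line or flood
// the console.
func sanitizePeerName(name string) string {
	name = strings.ToValidUTF8(name, "?")
	var b strings.Builder
	count := 0
	for _, r := range name {
		if count == maxPeerNameLen {
			b.WriteString("...")
			break
		}
		if unicode.IsPrint(r) {
			b.WriteRune(r)
		} else {
			b.WriteByte('?')
		}
		count++
	}
	return b.String()
}

// suspiciousPeerName is a detection heuristic, not a correctness check:
// it flags names that are over-long, contain line breaks, or open with a
// log-level token followed by a timestamp bracket such as "WARN [", the
// shape of the fake record reported in this issue. A genuine client name
// ("Geth/v1.9.22-stable-.../linux-amd64/go1.15.2") never needs any of these.
func suspiciousPeerName(name string) bool {
	if utf8.RuneCountInString(name) > maxPeerNameLen {
		return true
	}
	if strings.ContainsAny(name, "\r\n") {
		return true
	}
	for _, lvl := range []string{"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "CRIT"} {
		if strings.HasPrefix(name, lvl+" [") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample input: one legitimate client name and one name that
	// embeds a fake log record, modelled on the string quoted in this issue.
	names := []string{
		"Geth/v1.9.22-stable-c71a7e26/linux-amd64/go1.15.2",
		"WARN [10_10|13:11:38.777] Dropping unsynced node during fast sync " +
			"type=WARN conn=security_notification_service\n" +
			"*** WARNING SECURITY UPDATE REQUIRED ***",
	}
	for _, n := range names {
		fmt.Printf("suspicious=%v type=%q\n", suspiciousPeerName(n), sanitizePeerName(n))
	}
}
```

Sanitising at the logging boundary is the part that matters most: once a hostile value has been written into a log as-is, every downstream consumer (a human reading the console, a log shipper, an alerting rule) sees the forged record as if the local node had produced it. The heuristic is only useful on top of that, as a signal that a peer is probing for exactly this weakness.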
