-
-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong hashes (from getmonero.org) #6151
Comments
I can confirm, hash doesn’t match. |
The 53d9d... hash was verified independently in the gitian sigs repo and seems to be the correct one: https://github.com/monero-project/gitian.sigs/blob/master/v0.15.0.0-linux/hyc/monero-linux-0.15-build.assert#L6 . |
Issue should be fixed now, hyc is looking at the bad binary. |
yep it's correct now. |
So. Do I need to do a recompile/redeploy while waiting for 15.0.1 ? |
Looks good, no need to recompile. |
Well. Compared, something changed: A few minutes ago
Compared to:
Both are off clean |
Normal builds are not guaranteed to be deterministic. This issue here is about the getmonero.org download, not self compiled binaries. |
@trasherdk @selsta so.. still an issue (for old users), i keep it open? |
I do realize that, your deterministic build environment, is very different from mine.
|
@trasherdk monero does support reproducible builds, see https://github.com/monero-project/monero/tree/master/contrib/gitian |
@selsta Yes, I know. But I'm not about to change my servers to Debian, just to build a Monero. |
Is there a copy of the bad binary somewhere for anyone else to investigate by downloading onto a VM and decompiling? |
Per u/gingeropolous's Reddit comment which is basically a pastebin of a userpost not going through on Reddit from u/moneromanz, old binary is indeed malicious and not just a fluke of the build process or some bad copy/paste of the checksum onto the website. serhack, a professional investigator, is looking into it. Paste bin:
|
There is a Monero community member from China suggests that networks cause this problem. |
@jindouyunz a network problem wouldn’t have caused a malicious binary to be placed on the download server. We’ve discussed using GitHub as the primary download location, but that just shifts the boundaries as if someone’s GitHub account is compromised they can be replaced. |
@fluffypony agree, it's not a network problem. What you said makes sense, things would turned worse if we do so and the Github account is compromised. |
It may be because the official Monero official account on Github has been stolen or a security hole has been replaced on Monero's official website... |
@sanecito @1522402210 @iphelix Here they are (compare sha256 with hashes i shared in 1st message):
|
I'm analyzing the malicious binaries. Luckily debug symbols are included which makes it easier. Here's my progress so far:
|
@MaxXor
mean, all those was planned before and they got access much before. So, XMR team need to check unusual access logs for 60 days. |
I've found another IP (hxxs://91.210.104.245:18081 that redirects to web page https://monerohash.com/?r=from_node [not involved] - as specified earlier the SSL is self-signed node.hashmonero.com) doing dynamical analysis (e.g. identifying packets via ngrep and tcpdump). Interesting. I'm writing a blog post collecting all the possible analysis. The domain xmrsupport.co was bought using Njalla , a privacy-aware domain and VPS service. |
@serhack Both IPs redirect on port 18081 to https://monerohash.com/?r=from_node and have a certificate with CN=node.hashmonero.com which is self-signed. |
I specified that "redirects" :) that does not mean they're involved. |
Russians. Well, i will call this hoster tomorrow 👍 They offer servers in russia and netherlands. xmrsupport ip's from netherlands. |
I've already filled the ABUSE report for hostkey. |
|
Is using sha1 for checksums part of your "old school" approach? Because it's really kind of useless. |
I was having a look at this earlier as well. Adding onto @MaxXor's analysis, I wrote a brief blog post including how to detect the malicious files: |
Oh my Lord , Thats nasty , anybody lost his funds??? |
Funds are #safu |
What about the other ip? IP Address 45.9.148.65 % Abuse contact for '45.9.148.0 - 45.9.148.255' is abuse@as49447.net '' inetnum: 45.9.148.0 - 45.9.148.255 person: Kimon S. route: 45.9.148.0/24 |
@arch-btw i advice to send an abuse to
Due datacencer in Moscow offers some servers in netherlands too. So probably they are belong to same contracter. |
Deleted a post that linked to mobile apps that claim to be “offline wallets”, but clearly cannot be so. Don’t install random bits of software linked on GitHub, folks. |
This is the wrong place to shill your product. You’re welcome to go post about it elsewhere, like Reddit. |
@bogdan4o yes, there are wrong places indeed. this is a serious security issue and it's not necessarily about monero but about the bigger picture. electrum had similar attacks iirc, myetherwallet had dns attacks. clicking on links in a discussion about a security breach isn't helpful. feel free to shill your stuff any day of the year, everywhere, but here and today is not the right place. if it's so good, we would have read on reddit about it, prior this incident. no disrespect against you, but somebody with a blank github profile gets not even zero trust but -1. thanks. |
91.210.104.245 has been blocked by the hosting provider. Good work guys! |
@bogdan4o I agree with @fluffypony , this issue related to technical problem. It does not related to "tell us in 60 seconds about your product". Same time about apple store or android store: you can simply have online backup feature. Nobody knows till your code isn't opensource. |
Nobody cares, stop shilling CryBawl Ltd...., you've been warned by @fluffypony already. Thank you friend, I will email them. |
Ok I have sent the email. If anyone wants to copy mine, that's totally fine: To:
|
The signatures still don't match. I just downloaded linux cli from the website with header
The actual download is monero-linux-x64-v0.15.0.0.tar.bz2 So you have wrong version to start, and SHA256 is While in downloaded and verified signature hashed.txt So the binary on the getmonero website haven't been updated :( UPDATE: Signature match: 8d61f992a7e2dbc3d753470b4928b5bb9134ea14cf6f2973ba11d1600c0ce9ad The question is if this clean binary :) |
@skironDotNet Try a different browser / private window. The old file is still cached. |
Cached or not, it's good link now, all that matters |
yep, looks fine and legit ❤️
|
monero-gui-v0.14.1.0 points to a new version with the following msg, when i start it:
But when i check the hash, it's the same from the site "c8994781510e234985e24f465761355e4ae7bd58ef686bd8b0ce4401c2314d51". |
It’s a bug that got fixed here: monero-project/monero-gui#2485 v0.14 is not compromised and was never compromised. |
+resolved |
I downloaded:
website say:
Check sha256 and see this (only github's matches hashsum):
I look inside:
monero-linux-x64-v0.15.0.0-github
monero-linux-x64-v0.15.0.0-site
Why
monero-wallet-cli
are different in those 2 releases?The text was updated successfully, but these errors were encountered: