
unlock operation will cause you to be hacked #1

Open
wagicsec opened this issue Sep 1, 2018 · 0 comments

wagicsec commented Sep 1, 2018

This operation will cause you to be hacked and your ETH coins stolen.

https://github.com/dogethereum/dogethereum-tools/blob/master/user/unlock.js

If your Ethereum full node is on a public network server, you should advise users to set firewall policies that prohibit external calls to RPC, because attackers will scan for your node and attack you.
You can look at this: Billions of Tokens Theft Case caused by ETH Ecological Defects

Defense Advice
Change the default RPC API port. The configuration method is: --rpcport 8377 or --wsport 8378
Change the RPC API listen address to the intranet. The configuration method is: --rpcaddr 192.168.0.100 or --wsaddr 192.168.0.100
Configure iptables to restrict access to the RPC API port. For example, only 192.168.0.101 is allowed to access port 8545:
iptables -A INPUT -s 192.168.0.101 -p TCP --dport 8545 -j ACCEPT
iptables -A INPUT -p TCP --dport 8545 -j DROP
The keystore should not be stored on the node (because the account is not on the node, unlockAccount will not be used).
For any transaction, use web3's sendTransaction or sendRawTransaction to send a private-key-signed transaction.
Physically isolate private keys (such as cold wallets, manual transcription) or use high-strength encrypted storage and security keys.

Finally

If you need, you can contact us to audit dogethereum-contracts.
We support DogeCoin payment.
HaHa
: )

We are the SlowMist security team. You can visit our official website: www.slowmist.com

We like DogeCoin very much.
We will pay attention to you, and I wish you good luck.
