InfoSec Handlers Diary Blog - SANS Internet Storm Center

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center

SANS Site Network
- Current Site
- SANS Internet Storm Center
- Other SANS Sites Help
- Graduate Degree Programs
- Security Training
- Security Certification
- Security Awareness Training
- Penetration Testing
- Industrial Control Systems
- Cyber Defense Foundations
- DFIR
- Software Security
- Government OnSite Training

InfoSec Handlers Diary Blog

jsonrpc Scanning for root account

Published: 2017-11-13
Last Updated: 2017-11-13 19:34:15 UTC
by Guy Bruneau (Version: 1)

In the past few weeks I have noticed this type of POST activity showing in my honeypot {"id":0,"jsonrpc":"2.0","method":"eth_accounts"} looking for ID 0 (root). Activity has a static source port of 65535 and destination port 8080.

Do you have logs to share related to this type of activity?

[1] https://github.com/ethereum/wiki/wiki/JSON-RPC
[2] https://github.com/ethereum/wiki/wiki/JSON-RPC#eth_accounts

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Keywords: ID 0 jsonrpc scanning

2 comment(s)

Top of page

Diary Archives