Chainaanalysis如何進入流行的門羅幣錢包

2024 年 9 月 16 日

分類

全部新聞

標籤

客製化系統

作者： 伊雷姆·庫尤庫、勞瑞納斯·塞蒂爾基納斯

區塊鏈分析公司 Chainaanalysis 的一段時期已經消失，並且經過積極審查的培訓視頻披露了門羅幣 RPC 日誌，該日誌似乎來自一個名為“門羅幣”的流行門羅幣“節點” node.moneroworld.com許多錢包（例如 Cake Wallet 和 Monerujo）將其包含在預設公共節點清單中。 node.moneroworld.com 以及新增門羅幣節點的已暫停 DNS 記錄的危險。

什麼是 `node.moneroworld.com`？

node.moneroworld.com 相反，該域有大量指向其他門羅幣節點 IP 的 A 記錄。

node.moneroworld.com 在連接埠 18089 – 我將其指向我認為目前最好的任何連接埠。

資料來源：https://web.archive.org/web/20240822030528/https://moneroworld.com/#nodes

Chainaanalysis 影片中顯示的門羅幣 RPC 日誌

為了避免 Chainaanalysis 提出 DMCA 聲明，我們將重新使用不同的影片中的表格，但保留相同的數據。

交易1（影片時間記：29:02）

RPC請求：

日期	IP位址	來源	要求	標頭	身體
2020-10-20, 10:19:21.190	185.220.100.252	003	POST / 發送交易	node.moneroworld.com，應用程式/json；字元集=utf-8，CL	客戶端，tx_as_hex

交易2（影片時間記：35:40）

RPC請求：

日期	IP位址	來源	要求	標頭	身體
2020-10-02, 12:15:55.669	85.248.227.164	140	POST / 發送交易	node.moneroworld.com，應用程式/json；字元集=utf-8，CL	客戶端，tx_as_hex

不幸的是，這些表並沒有直接公開 Chainaanalysis 運行的惡意節點的 IP/主機資訊。 Headers 在列中，我們可以看到這個請求是向 node.moneroworld.comChainaanalysis的應用程式UI省略了標頭名稱，僅顯示值，但我們可以看到：

Host: node.moneroworld.comContent-Type: application/json; charset=utf-8...

基於 Source 列，我們可以假設 node.moneroworld.com 2020 年左右有 A 記錄指向至少兩個 Chainaanalysis 節點（#003、#140）。

幸運的是，舊的 DNS 記錄已緩存在 Virustotal 等服務中。

奇怪的案例 `dallas.xmrnode.com` 號

2024年9月5日，Reddit用戶u/__lt__發表了一篇帖子，講述了他們在調查後從其中一位附屬主機觀察到的奇怪行為 node.moneroworld.com。 dallas.xmrnode.com (104.223.103.222)。

Nginx 在連接埠 443/tcp 上提供自簽名憑證 fn.likauction.com在Shodan上搜尋這個主機名稱會找到6個不同的伺服器，它們開啟了兩個連線連接埠。

然而，直到撰寫本文時，探測這些伺服器上的門羅幣節點連接埠表明這些連接埠不屬於節點或門羅幣RPC伺服器。

2024年9月8日，u/__lt__的Reddit貼文被大量舉報並刪除。

Chainaanalysis 可能正在停靠已新增門羅幣節點的暫停 DNS 記錄

我在 Reddit 上 dorking 時發現了一則評論 "xmrnode.com"。

因為我們知道至少有兩個不同的惡意節點，其中可能是 dallas.xmrmode.com，我決定解析Reddit評論中的子網域，並在DNS記錄歷史中搜尋IP node.moneroworld.com。

2017-08-29 - 169.239.128.104 (africa.xmrnode.com)2017-09-08 - 96.43.143.242 (kc6.xmrnode.com)2017-09-20 - 104.223.103.222 (dallas.xmrmode.com)2017-09-22 - 204.27.62.98 (kc3.xmrnode.com)2017-10-09 - 213.197.187.236 (europe.xmrnode.com)2017-10-09 - 96.43.143.250 (kc7.xmrnode.com)2018-04-28 - 103.208.86.41 (nz.xmrnode.com)2018-05-03 - 96.43.139.226 (xmrnode.com)2018-05-03 - 96.43.139.226 (kc.xmrnode.com)

事實證明 node.moneroworld.com 指向許多 *.xmrnode.com 節點。

我聯繫了#Monero Matrix 房間的盧比，詢問節點的奇怪行為，令我驚訝的是，他們的答案是：

顯然，這些節點自2018年以來就沒有運行過。

假設盧比不是壞人，這意味著盧比以外的其他人正在運行節點（很可能是廢棄同一託管提供者並要求分配相同的IP）。 node.moneroworld.com，因此是這些日期的 Chainaanalysis 表數據。

Chainaanalysis 可能佔用了盧比節點的剩餘 DNS 記錄和 node.moneroworld.com 在盧比停止託管節點後，這些內容明顯被刪除。 node.moneroworld.com 是一個更理想的目標，因為運行它的人的重要性以及它是流行行動錢包的預設事實之一。

經驗教訓

主要的 運行你自己的要點，如果必須使用公共節點，請使用Tor/i2p，並且不要使用穿透DNS記錄聚合或指向隨機節點的節點位置。

另外：反向代理調查

我們推測，除了資源需求之外，惡意行為者操作自己的專用資源不會產生多餘的經濟意義。

相反，我們認為這些節點的「假節點」可能根本不是真正的節點，而是充當反向代理的 Nginx 伺服器，將流量轉送到合法節點，同時捕獲最終資料的副本。

為了調查這一點，我們快速開發了一個工具來收集 monero.fail 和 xmr.ditatompel.com 列出的所有公共 Monero 節點。。

去

// Copyright 2024 Laurynas Četyrkinas//// Licensed under the Apache License, Version 2.0 (the "License");// you may not use this file except in compliance with the License.// You may obtain a copy of the License at////     http://www.apache.org/licenses/LICENSE-2.0//// Unless required by applicable law or agreed to in writing, software// distributed under the License is distributed on an "AS IS" BASIS,// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.// See the License for the specific language governing permissions and// limitations under the License.package mainimport ("context""crypto/tls""encoding/json""fmt""log""net""net/http""net/url""strings""sync""time")type MoneroFailNodes struct {Monero struct {Clear         []string `json:"clear"`WebCompatible []string `json:"web_compatible"`} `json:"monero"`}type XmrDitatompelNodes struct {Data struct {Items []struct {Hostname    string `json:"hostname"`Port        int    `json:"port"`Protocol    string `json:"protocol"`IsTor       bool   `json:"is_tor"`IsAvailable bool   `json:"is_available"`NetType     string `json:"nettype"`} `json:"items"`} `json:"data"`}type MoneroNode struct {IP map[string]NodeIdentifyInfo `json:"ip"`}type NodeIdentifyInfo struct {NodeGetInfoResponse            NodeGetInfoResponse            `json:"get_info"`NodeGetLimitResponse           NodeGetLimitResponse           `json:"get_limit"`NodeGetAltBlocksHashesResponse NodeGetAltBlocksHashesResponse `json:"get_alt_blocks_hashes"`}type NodeGetInfoResponse struct {AdjustedTime              int64  `json:"adjusted_time"`AltBlocksCount            int64  `json:"alt_blocks_count"`BlockSizeLimit            int64  `json:"block_size_limit"`BlockSizeMedian           int64  `json:"block_size_median"`BlockWeightLimit          int64  `json:"block_weight_limit"`BlockWeightMedian         int64  `json:"block_weight_median"`BootstrapDaemonAddress    string `json:"bootstrap_daemon_address"`BusySyncing               bool   `json:"busy_syncing"`Credits                   int64  `json:"credits"`CumulativeDifficulty      int64  `json:"cumulative_difficulty"`CumulativeDifficultyTop64 int64  `json:"cumulative_difficulty_top64"`DatabaseSize              int64  `json:"database_size"`Difficulty                int64  `json:"difficulty"`DifficultyTop64           int64  `json:"difficulty_top64"`FreeSpace                 uint64 `json:"free_space"`GreyPeerlistSize          int64  `json:"grey_peerlist_size"`Height                    int64  `json:"height"`HeightWithoutBootstrap    int64  `json:"height_without_bootstrap"`IncomingConnectionsCount  int64  `json:"incoming_connections_count"`Mainnet                   bool   `json:"mainnet"`Nettype                   string `json:"nettype"`Offline                   bool   `json:"offline"`OutgoingConnectionsCount  int64  `json:"outgoing_connections_count"`Restricted                bool   `json:"restricted"`RPCConnectionsCount       int64  `json:"rpc_connections_count"`Stagenet                  bool   `json:"stagenet"`StartTime                 int64  `json:"start_time"`Status                    string `json:"status"`Synchronized              bool   `json:"synchronized"`Target                    int64  `json:"target"`TargetHeight              int64  `json:"target_height"`Testnet                   bool   `json:"testnet"`TopBlockHash              string `json:"top_block_hash"`TopHash                   string `json:"top_hash"`TxCount                   int64  `json:"tx_count"`TxPoolSize                int64  `json:"tx_pool_size"`Untrusted                 bool   `json:"untrusted"`UpdateAvailable           bool   `json:"update_available"`Version                   string `json:"version"`WasBootstrapEverUsed      bool   `json:"was_bootstrap_ever_used"`WhitePeerlistSize         int64  `json:"white_peerlist_size"`WideCumulativeDifficulty  string `json:"wide_cumulative_difficulty"`WideDifficulty            string `json:"wide_difficulty"`}type NodeGetLimitResponse struct {LimitDown int64  `json:"limit_down"`LimitUp   int64  `json:"limit_up"`Status    string `json:"status"`Untrusted bool   `json:"untrusted"`}type NodeGetAltBlocksHashesResponse struct {BlksHashes []string `json:"blks_hashes"`Credits    int      `json:"credits"`Status     string   `json:"status"`TopHash    string   `json:"top_hash"`Untrusted  bool     `json:"untrusted"`}func main() {var nodes []stringerr := fetchMoneroFailNodes(&nodes)if err != nil {log.Println("Error fetching nodes:", err)return}err = fetchXmrDitatompelNodes(&nodes)if err != nil {log.Println("Error fetching nodes:", err)return}moneroNodes := make(map[string]MoneroNode)var wg1, wg2 sync.WaitGroupvar mu sync.Mutexfor _, host := range nodes {wg1.Add(1)go func(host string) {defer wg1.Done()var node MoneroNodenode.IP = make(map[string]NodeIdentifyInfo)pUrl, err := url.Parse(host)if err != nil {return}ipAddresses, err := net.LookupIP(pUrl.Hostname())if err != nil {return}for _, ip := range ipAddresses {ipStr := ip.String()wg2.Add(1)go func(ip, host string) {defer wg2.Done()nodeInfo, err := identifyMoneroNode(ip, host)if err != nil {log.Println("Failed to getMoneroNodeInfo for:", host, ip, err)return}mu.Lock()node.IP[ip] = nodeInfomoneroNodes[host] = nodemu.Unlock()}(ipStr, host)}wg2.Wait()}(host)}wg1.Wait()uniqueNodes := make(map[string][]string)for host, node := range moneroNodes {for ip, info := range node.IP {rdns := "nil"rdnsa, err := net.LookupAddr(ip)if err == nil {rdns = rdnsa[0]}outJSON, err := json.Marshal(info)strJSON := string(outJSON)uniqueNodes[strJSON] = append(uniqueNodes[strJSON], ip+" "+rdns+" "+host)}}group := 1for _, ips := range uniqueNodes {fmt.Println("Host group", group)for _, ip := range ips {fmt.Println(ip)}group++fmt.Println()}}func fetchMoneroFailNodes(nodes *[]string) error {resp, err := http.Get("https://monero.fail/nodes.json")if err != nil {return err}defer resp.Body.Close()var resNodes MoneroFailNodeserr = json.NewDecoder(resp.Body).Decode(&resNodes)if err != nil {return err}for _, host := range resNodes.Monero.Clear {url, err := normalizeURL(host)if err != nil {continue}// Get rid of i2pif strings.Contains(url, ".i2p") {continue}addUnique(nodes, url)}return err}func fetchXmrDitatompelNodes(nodes *[]string) error {resp, err := http.Get("https://xmr.ditatompel.com/api/v1/nodes?page=1&limit=1000")if err != nil {return err}defer resp.Body.Close()var resNodes XmrDitatompelNodeserr = json.NewDecoder(resp.Body).Decode(&resNodes)if err != nil {return err}for _, item := range resNodes.Data.Items {if !item.IsAvailable || item.IsTor || item.NetType != "mainnet" {continue}u1 := url.URL{Scheme: item.Protocol,Host:   fmt.Sprintf("%s:%s", item.Hostname, item.Port),}u, err := normalizeURL(u1.String())if err != nil {continue}addUnique(nodes, u)}return err}func normalizeURL(rawURL string) (string, error) {parsedURL, err := url.Parse(rawURL)if err != nil {return "", err}if parsedURL.Scheme == "http" && parsedURL.Port() == "80" {parsedURL.Host = strings.TrimSuffix(parsedURL.Host, ":80")}if parsedURL.Scheme == "https" && parsedURL.Port() == "443" {parsedURL.Host = strings.TrimSuffix(parsedURL.Host, ":443")}return parsedURL.String(), nil}func addUnique(slice *[]string, item string) {uniqueMap := make(map[string]struct{})for _, v := range *slice {uniqueMap[v] = struct{}{}}if _, exists := uniqueMap
; !exists {*slice = append(*slice, item)}}func identifyMoneroNode(ip, host string) (NodeIdentifyInfo, error) {client := &http.Client{Transport: &http.Transport{DialContext: func(c context.Context, n, a string) (net.Conn, error) {_, port, err := net.SplitHostPort(a)if err != nil {return nil, err}return net.Dial(n, net.JoinHostPort(ip, port))},TLSClientConfig: &tls.Config{InsecureSkipVerify: true,},},Timeout: 5 * time.Second,}req, err := http.NewRequest("GET", host+"/get_info", nil)if err != nil {return NodeIdentifyInfo{}, err}req.Host = hostresp, err := client.Do(req)if err != nil {return NodeIdentifyInfo{}, err}defer resp.Body.Close()if resp.StatusCode != http.StatusOK {return NodeIdentifyInfo{}, fmt.Errorf("Non-OK HTTP status:", resp.Status)}var getInfo NodeGetInfoResponseerr = json.NewDecoder(resp.Body).Decode(&getInfo)req, err = http.NewRequest("GET", host+"/get_limit", nil)if err != nil {return NodeIdentifyInfo{}, err}req.Host = hostresp, err = client.Do(req)if err != nil {return NodeIdentifyInfo{}, err}defer resp.Body.Close()if resp.StatusCode != http.StatusOK {return NodeIdentifyInfo{}, fmt.Errorf("Non-OK HTTP status:", resp.Status)}var getLimit NodeGetLimitResponseerr = json.NewDecoder(resp.Body).Decode(&getLimit)req, err = http.NewRequest("GET", host+"/get_alt_blocks_hashes", nil)if err != nil {return NodeIdentifyInfo{}, err}req.Host = hostresp, err = client.Do(req)if err != nil {return NodeIdentifyInfo{}, err}defer resp.Body.Close()if resp.StatusCode != http.StatusOK {return NodeIdentifyInfo{}, fmt.Errorf("Non-OK HTTP status:", resp.Status)}var getAltBlocksHashes NodeGetAltBlocksHashesResponseerr = json.NewDecoder(resp.Body).Decode(&getAltBlocksHashes)identifyInfo := NodeIdentifyInfo{NodeGetInfoResponse:            getInfo,NodeGetLimitResponse:           getLimit,NodeGetAltBlocksHashesResponse: getAltBlocksHashes,}return identifyInfo, err}

我們總共得到了這樣的輸出 {ip} {reverse_dns} {node_url}：

Host group 181.163.200.3 pppoe-dynamic-a-3.interblock.pl. http://81.163.200.3:18089Host group 2172.232.19.26 172-232-19-26.ip.linodeusercontent.com. http://xmr-node.agates.io:180892600:3c06:1::ace8:131a nil http://xmr-node.agates.io:18089Host group 384.23.142.12 012.ftthmackmyra1.gavlenet.com. http://opennode.xmr-tw.org:1808984.23.142.12 012.ftthmackmyra1.gavlenet.com. https://opennode.xmr-tw.org:1808984.23.142.12 012.ftthmackmyra1.gavlenet.com. http://xmr.monopolymoney.eu:18089Host group 4147.45.79.135 nil http://monerodice.pro:18089Host group 565.109.30.253 iv.datura.network. https://datura.network:1808165.109.30.253 iv.datura.network. http://datura.network:18081Host group 682.153.138.209 nil http://82.153.138.209:18089Host group 737.27.70.253 crypto.cruncher.com. https://crypto.cruncher.com:18081Host group 888.99.195.15 static.15.195.99.88.clients.your-server.de. http://node3.monerodevs.org:18089Host group 92a01:4f8:231:76a::2 cheems.de.box.skhron.com.ua. https://monero-rpc.cheems.de.box.skhron.com.ua:18089195.201.247.11 cheems.de.box.skhron.com.ua. https://monero-rpc.cheems.de.box.skhron.com.ua:18089Host group 10172.105.13.82 xmr.grub.net. http://xmr.grub.net:18089172.105.13.82 xmr.grub.net. https://xmr.grub.net:18089Host group 11167.114.172.211 xmr.robmanfred.fail. http://xmr.robmanfred.fail:18081Host group 1265.21.185.116 static.116.185.21.65.clients.your-server.de. http://node.yeetin.me:18089Host group 1387.197.115.178 static-dsl-178.87-197-115.telecom.sk. https://xmr.why.tf:18081Host group 142a0b:f4c2:2::63 tor-exit-63.for-privacy.net. http://xmr-de.boldsuck.org:18081Host group 15185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18889Host group 16175.38.15.166 n175-38-15-166.meb2.vic.optusnet.com.au. http://175.38.15.166:18081Host group 1751.68.212.53 vps-4a3dd5a8.vps.ovh.net. http://xmr-full.p2pool.uk:18089Host group 18185.240.242.36 nodes.hashvault.pro. https://nodes.hashvault.pro:18081185.240.242.36 nodes.hashvault.pro. http://nodes.hashvault.pro:18081Host group 1992.131.11.157 alille-657-1-66-157.w92-131.abo.wanadoo.fr. https://xmr.mailia.be:180882a01:cb10:249:7300::6 nil https://xmr.mailia.be:18088Host group 20135.125.206.110 vps-6fef879a.vps.ovh.net. http://monero.earth:18081135.125.206.110 vps-6fef879a.vps.ovh.net. http://vps-6fef879a.vps.ovh.net:18081Host group 21176.114.248.225 176-114-248-225.rychlydrat.cz. http://server.cnet.cz:18081Host group 22213.165.76.129 ip213-165-76-129.pbiaas.com. http://node.xmr.rocks:18089Host group 2379.205.108.252 p4fcd6cfc.dip0.t-ipconnect.de. http://nexper-xmr-node.tplinkdns.com:18081Host group 2465.21.100.162 eu.node.monero.net. https://node.monero.net:18081Host group 2595.216.15.156 moneronode1.relaycrun.ch. http://moneronode1.relaycrun.ch:18081Host group 26167.235.112.134 static.134.112.235.167.clients.your-server.de. http://167.235.112.134:18081Host group 2792.131.11.157 alille-657-1-66-157.w92-131.abo.wanadoo.fr. https://node.mailia.be:180852a01:cb10:249:7300:b:c:b:c nil https://node.mailia.be:18085Host group 28103.176.58.34 druckt.mavibettv74.com. http://thereisnospoon.pm:18089Host group 29144.91.121.7 vmd62396.contaboserver.net. http://144.91.121.7:18089144.91.121.7 vmd62396.contaboserver.net. http://econanon.com:18089Host group 3037.120.165.105 v22019017574680478.happysrv.de. http://node.cryptocano.de:18089Host group 31162.210.173.15 monero.forked.net. http://monero.forked.net:18089Host group 3223.128.248.240 nil http://xmr.stormycloud.org:180892602:fc05::240 nil http://xmr.stormycloud.org:18089Host group 3371.229.155.41 c-71-229-155-41.hsd1.co.comcast.net. http://xmrbandwagon.hopto.org:18081Host group 34202.61.250.91 next.fackler.cloud. http://monero-g2.hexhex.online:18081Host group 352a0b:f4c2:2:1::223 nil http://xmr-de-2.boldsuck.org:18081185.220.101.223 tor-exit-223.for-privacy.net. http://xmr-de-2.boldsuck.org:18081185.220.101.223 tor-exit-223.for-privacy.net. http://tor-exit-223.for-privacy.net:180812a0b:f4c2:2:1::223 nil http://tor-exit-223.for-privacy.net:18081Host group 36207.66.71.46 nil http://monero.sphinxlogic.com:18089Host group 37185.112.144.198 vps-185-112-144-198.1984.is. http://185.112.144.198:18089Host group 38151.48.191.155 adsl-ull-155-191.48-151.wind.it. http://edge7.servebeer.com:18089Host group 3915.204.197.8 monero.stackwallet.com. https://monero.stackwallet.com:18081Host group 40190.115.19.98 mail.miningcompany.ltd. http://node.majesticbank.at:18089190.115.19.98 mail.miningcompany.ltd. http://node.majesticbank.is:18089Host group 4114.224.137.18 static.vnpt.vn. http://monero.hexalink.xyz:18081Host group 4285.160.78.94 85-160-78-94.reb.o2.cz. http://85.160.78.94:18089Host group 43194.163.176.218 hantaan.fullm00n.de. http://194.163.176.218:18089194.163.176.218 hantaan.fullm00n.de. http://hantaan.fullm00n.de:18089Host group 44193.200.227.16 dc1-nat.filmweb.pl. http://monero.filmweb.pl:18081193.200.227.16 dc1-nat.filmweb.pl. http://193.200.227.16:18081Host group 4537.187.74.171 ns3365046.ip-37-187-74.eu. http://node.moneroworld.com:1808937.187.74.171 ns3365046.ip-37-187-74.eu. https://node.moneroworld.com:1808937.187.74.171 ns3365046.ip-37-187-74.eu. http://node2.monerodevs.org:18089Host group 4623.154.81.12 mail.yuuta.moe. https://xmr.winslow.cloud:18081185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18989Host group 4765.100.46.162 65-100-46-162.dia.static.qwest.net. http://moneronode.xyz:180892602:41:642e:a610::251 nil http://moneronode.xyz:18089Host group 48188.245.34.63 static.63.34.245.188.clients.your-server.de. http://static.63.34.245.188.clients.your-server.de:18089Host group 4923.137.57.100 nil http://node.sethforprivacy.com:1808968.118.241.70 syn-068-118-241-070.res.spectrum.com. http://68.118.241.70:1808923.137.57.100 nil https://node.sethforprivacy.com:18089Host group 50192.99.8.110 ns508306.ip-192-99-8.net. http://node.moneroworld.com:18089192.99.8.110 ns508306.ip-192-99-8.net. https://node.moneroworld.com:18089192.99.8.110 ns508306.ip-192-99-8.net. https://uwillrunanodesoon.moneroworld.com:18089192.99.8.110 ns508306.ip-192-99-8.net. http://opennode.xmr-tw.org:18089192.99.8.110 ns508306.ip-192-99-8.net. http://uwillrunanodesoon.moneroworld.com:18089192.99.8.110 ns508306.ip-192-99-8.net. https://opennode.xmr-tw.org:18089192.99.8.110 ns508306.ip-192-99-8.net. http://node.monerodevs.org:18089Host group 5138.105.209.54 vmi732985.contaboserver.net. http://38.105.209.54:18089Host group 52185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18189Host group 5370.77.245.214 S010694a67ee915ac.cg.shawcable.net. http://compking.ddns.net:18089Host group 54194.163.172.26 btc.heelsn.eu. https://xmr.heelsn.eu:18089Host group 5523.137.254.9 nil http://23.137.254.9:18081Host group 56135.181.202.85 static.85.202.181.135.clients.your-server.de. http://static.85.202.181.135.clients.your-server.de:18089Host group 5783.135.90.98 i53875A62.versanet.de. http://monero.firewall-gateway.de:18081Host group 5877.237.238.26 vmi1839646.contaboserver.net. http://77.237.238.26:1808177.237.238.26 vmi1839646.contaboserver.net. http://xmr.perkele.digital:18081Host group 5964.74.162.85 nil http://xmr.vectorlink.io:18089Host group 60184.107.109.143 nil http://xmr.vectorlink.io:18089Host group 6168.251.60.69 68-251-60-69.lightspeed.sntcca.sbcglobal.net. http://68.251.60.69:18089Host group 62179.43.158.213 hostedby.privatelayer.com. https://xmr.yemekyedim.com:18089179.43.158.213 hostedby.privatelayer.com. http://xmr.yemekyedim.com:18081179.43.158.213 hostedby.privatelayer.com. http://179.43.158.213:18089179.43.158.213 hostedby.privatelayer.com. https://xmr.yemekyedim.com:18081Host group 63185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18689Host group 6469.85.89.42 nil http://xmr.tcpcat.net:18089Host group 65188.40.85.196 static.196.85.40.188.clients.your-server.de. http://monero.homelinux.org:18081Host group 66185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18489185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18789179.36.224.11 179-36-224-11.speedy.com.ar. http://monero.10z.com.ar:18089Host group 6751.195.219.36 anstee.dev. https://anstee.dev:180812001:41d0:801:2000::5811 anstee.dev. https://anstee.dev:18081Host group 68185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18389Host group 6993.95.228.74 vps-93-95-228-74.1984.is. http://93.95.228.74:18089Host group 70146.185.21.170 nil http://p2pool.uk:18089146.185.21.170 nil http://xmr-pruned.p2pool.uk:18089Host group 71185.66.143.190 nil http://xmr.litepay.ch:18081Host group 7265.109.50.106 static.106.50.109.65.clients.your-server.de. http://65.109.50.106:18081Host group 73190.211.255.227 public.deepdns.net. https://xmr.cryptostorm.is:18081Host group 74154.201.90.46 nil http://node.c3pool.org:18081Host group 7545.88.200.82 nil http://xm.rip:18081Host group 7646.32.46.171 2E202EAB.rev.sefiber.dk. http://46.32.46.171:1808146.32.46.171 2E202EAB.rev.sefiber.dk. https://storj.myqnapcloud.com:18081Host group 7787.202.12.6 athedsl-03054.home.otenet.gr. http://monero.homeqloud.com:18089Host group 78194.5.183.35 nil http://xmr.nodes.masberthet.fr:18081Host group 79152.89.105.105 moneronode.org. http://moneronode.org:18081152.89.105.105 moneronode.org. https://moneronode.org:18081Host group 80104.168.82.96 104-168-82-96-host.colocrossing.com. http://xmr.support:18081Host group 81125.168.80.60 60.80.168.125.sta.wbroadband.net.au. http://moneropay.techthis.online:18089Host group 82104.153.209.162 nil http://104.153.209.162:18081Host group 83185.162.249.141 owl.lc. http://owl.lc:18089Host group 8495.217.143.178 static.178.143.217.95.clients.your-server.de. http://rucknium.me:18081Host group 852a01:4f8:a0:3800::7 nil https://xmr2.julias.zone:1808988.198.38.83 dedi2.julias.zone. https://xmr2.julias.zone:18089Host group 86159.69.153.93 xmrvsbeast.com. http://p2pmd.xmrvsbeast.com:18081Host group 87185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18089Host group 88193.168.143.9 nil http://monero.anycolo.net:18081Host group 89190.115.29.70 ddos-guard.net. http://node.majesticbank.at:18089190.115.29.70 ddos-guard.net. http://node.majesticbank.is:18089Host group 9089.147.109.91 vps-89.147.109.91.1984.is. http://89.147.109.91:18089Host group 9188.212.32.151 ip-88-212-32-151.antik.sk. http://xmr.ppke.sk:18081Host group 922a01:cb10:249:7300:b:c:b:c nil https://node.mailia.be:1808992.131.11.157 alille-657-1-66-157.w92-131.abo.wanadoo.fr. https://node.mailia.be:18089Host group 93204.8.45.35 r2.ckwp.dyni.net. http://monero.dyni.net:18081Host group 94147.45.79.135 nil https://monerodice.pro:18089Host group 9551.195.200.94 vps-a6d1909f.vps.ovh.net. http://node.community.rino.io:18081Host group 96135.148.45.230 richfowler.net. http://opennode.xmr-tw.org:18089135.148.45.230 richfowler.net. https://opennode.xmr-tw.org:18089135.148.45.230 richfowler.net. http://node.richfowler.net:18089Host group 97125.229.105.12 125-229-105-12.hinet-ip.hinet.net. http://node1.xmr-tw.org:18081Host group 98186.190.208.100 nil http://node3-us.monero.love:18081Host group 99141.98.153.205 vmi1917710.contaboserver.net. http://141.98.153.205:18089Host group 10050.86.7.28 nil http://xmr.cruxexperts.com:18089Host group 10137.187.74.171 ns3365046.ip-37-187-74.eu. https://uwillrunanodesoon.moneroworld.com:1808937.187.74.171 ns3365046.ip-37-187-74.eu. http://uwillrunanodesoon.moneroworld.com:18089Host group 102184.75.221.107 mojeooffers.net. http://monero.us.to:18193Host group 103185.25.108.186 185025108186.net-el.pl. http://185.25.108.186:18081Host group 104185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18289Host group 10595.217.178.183 static.183.178.217.95.clients.your-server.de. http://95.217.178.183:1808937.27.89.118 static.118.89.27.37.clients.your-server.de. http://37.27.89.118:18089Host group 106167.172.30.17 nil http://xmr.bikini.cafe:18081Host group 107172.104.202.210 172-104-202-210.ip.linodeusercontent.com. http://xmr-node.cakewallet.com:18081172.104.202.210 172-104-202-210.ip.linodeusercontent.com. http://xmr-node-uk.cakewallet.com:18081172.104.202.210 172-104-202-210.ip.linodeusercontent.com. http://xmr-node-eu.cakewallet.com:18081Host group 10877.51.51.199 nil http://l4nk0r.dev:18089Host group 10989.147.109.123 vps-89.147.109.123.1984.is. http://89.147.109.123:18089Host group 110185.218.124.120 vmi2088507.contaboserver.net. http://185.218.124.120:18589

此輸出中的每個主機群組（無論協定或IP）代表的底層Monero 節點。

根據這些結果，我們得出的結論是，此類攻擊發生的次數比我們最初想像的要少。

主機組49： http://68.118.241.70:18089 是一個代理 http://node.sethforprivacy.com:18089。
主機組66： http://185.218.124.120:18489 是一個代理 http://monero.10z.com.ar:18089 或反之亦然。
主持人組105： http://95.217.178.183:18089 是一個代理 http://37.27.89.118:18089 或反之亦然。