Closed SomberNight closed 5 years ago
waiting for network to get connected...
asking server electrum.qtornado.com:50002:s for its peers
got 113 servers
contacting 109 servers
connected to 85 servers
85 answers
Results: attacker 25, honest 60
Attacker servers: [
'gregoire12.mldlab-works.space:50002:s',
'readonly.23734430190.pro:50002:s',
'wireless12.bitquantum.space:50002:s',
'superuser.23734430190.pro:50002:s',
'pacslinkip12.krypto-familar.fun:50002:s',
'topicres.imaginarycoin.info:50002:s',
'wlseuser12.bitcoinplug.website:50002:s',
'operatns.imaginarycoin.info:50002:s',
'superman.cryptoplayer.fun:50002:s',
'lucent01.23734430190.pro:50002:s',
'qtmhhttp12.mldlab-works.space:50002:s',
'plmimservice.bitcoinplug.website:50002:s',
'username.cryptoplayer.fun:50002:s',
'qlpinstall.krypto-familar.fun:50002:s',
'adminstat.imaginarycoin.info:50002:s',
'lessonuser2.cryptoplayer.fun:50002:s',
'utilities12.pebwindkraft.space:50002:s',
'openspirit.cryptoplayer.fun:50002:s',
'qautprof12.coinucopiaspace.xyz:50002:s',
'prodcics12.imaginarycoin.info:50002:s',
'vcoadmin.23734430190.pro:50002:s',
'siteminder.23734430190.pro:50002:s',
'videouser.bitcoinplug.website:50002:s',
'anonymous.bitcoinplug.website:50002:s',
'oraprobe.23734430190.pro:50002:s'
]
Thanks for the info on this. I wasn't aware this was happening.
We here at Electron Cash need to do similar. A bit surprising the original code allowed rich text coming in from the server to be rendered like that.. but c'est la vie.
I fell for this.. i was in a hurry and half paying attention(i know) but i didn't even think about getting phished at first since it was a pop up in the real electrum. i should have know better though.
From any info you have, does there seem to be more malicious files attached to ? i.e. should i be reformatting my drive and starting from scratch or does it seem to be a localized attack on BTC?
When you download the fake client they must get your seed/password somehow. I wiped electrum files then restore the wallet from seed and put a very small amount in there an let it sit. They just emptied the wallet again about 30 mintues ago.
Wouldn't it better if the error message contained a hint that the following text came from a 3rd party electrum-server and should therefore never prompt you to download/update anything (or at least a hint to check electrum.org for updates if you ever want such a message about real updates)?
I have no idea how many people are able to read the HTML message and still fall for it, but I don't think it can do any harm. Also the attack could work without HTML and I could see people falling for it even with the current fix.
Yea, uh plain text doesn't fix anything. You have to design for the lowest common denominator of user. (especially if one wants crypto to be adopted broadly...just saying).
You will just get notices like this (made up but just example).
URGENT SECURITY NOTICE
CALL ###-###-#### FOR HELP WITH CRITICAL SECURITY PROBLEMS. YOUR WALLET IS IN DANGER.
It's hilariously the Windows XP netmsg spam problem. (which made microsoft purge it altogether from later windows).
The safe way is to get the error code from servers and keep the error chart table at electrum official website. Whenever one gets an error, just go to electrum website and find out what the error code means.
How about a Show details...
button, which only shows the error details after you click it?
It's not a true fix at all, but it might make the social engineering less effective.
Error codes are good too. How about an option in settings to display detailed error messages, so that users need to go out of their way to see them?
The safe way is to get the error code from servers and keep the error chart table at electrum official website. Whenever one gets an error, just go to electrum website and find out what the error code means.
The sane thing is to have the decoding table in the client...
It appears the error codes come verbatim from bitcoind. An unknown code could just not show any messages.
In Bitcoin Core we have been fairly aggressive about not displaying human readable text sourced from the network (peers, transactions, or blocks) to users specifically because of the potential for this kind of attack. I have previously recommended everyone else do the same, and I would continue to recommend it here.
We need to teach more people how to check pgp signatures.
a simple anti-phishing phrase (only known to user) displayed when the app prompts to upgrade would have mitigated this?
In Bitcoin Core we have been fairly aggressive about not displaying human readable text sourced from the network (peers, transactions, or blocks) to users specifically because of the potential for this kind of attack. I have previously recommended everyone else do the same, and I would continue to recommend it here.
$ bitcoind -uacomment
So the phishing message comes to an electrum legit client, then if the user fall for the phishing message the user install a the fake client and there and only there is when the coins can be stolen or they keys?
Its is safe send coins with electrum 3.3.2 at the moment? Im asking this since if I understand the issue correctly the phishing message arrives to a legit electrum client.
Yes, it is safe to use 3.3.2.
the phishing message comes to an electrum legit client, then if the user fall for the phishing message the user install a the fake client and there and only there is when the coins can be stolen or they keys
right
Wouldn't one possible principled fix be to limit servers to only send an error code, which would select an error message out of a predefined set of messages (none of which would hopefully include a fake download link)?
@zanglebert It's certainly a viable approach. It's the approach we took in Electron Cash and it's working out well so far.
Really? Last I looked Electron Cash wasn't a server.
We have looked into using error codes/ints but the issue is that not even bitcoind is providing (useful) error codes. To use error codes, either (1) bitcoind would need to be modified, or (2) the electrum server would need to classify/categorise messages into error code buckets.
Closely related to (2), we might as well keep using the current architecture, have the server send arbitrary text to the client, and have the classification done in the client, before displaying anything to the user. This is also what @cculianu did in https://github.com/Electron-Cash/Electron-Cash/pull/1076. i.e. do string matching in the client, and display a message out of a predefined set to the user (with generic fallback). As it stands, we will likely do the same.
This is IMHO an ugly solution but there does not seem to be a better one. bitcoind would need to be modified. PRs for Bitcoin Core that improve the returned errors would be great. Some notes and examples how bitcoind behaves:
Wow great research @SomberNight !
I wasn't aware that even on the bitcoind side the codes were so ambiguous. I figured something go "lost in translation" between ElectrumX and us. Interesting.
[...] This is IMHO an ugly solution but there does not seem to be a better one. bitcoind would need to be modified.
Maybe it looks kinda ugly, but the scam-prevention recall is absolutely sound, which seems to be the the most critical aspect by far. Occasionally missing (or misinterpreting) an error could be called secondary in comparison.
Can someone tell me if this file is legit copy from electrum website ? https://www.virustotal.com/#/file/e5bf6cfcb3181c452ea8f0eaab4539a694a60c45bc6fae8fadbb9eb0ac9b44d3/detection
That is what I get when I download and upload to virustotal website.
@adrianTNT see https://github.com/spesmilo/electrum/issues/3198 and https://github.com/spesmilo/electrum/issues/4986#issuecomment-451385953 It's unrelated to this issue.
https://github.com/spesmilo/electrum/pull/5011 is adequate I think closing
another one
I'm getting similar issues
On Fri, Feb 1, 2019, 4:52 AM metroyanno <notifications@github.com wrote:
another one [image: https://ibb.co/7yw7k7c] https://camo.githubusercontent.com/1a5218aeb6382dee6f82ad2a4d6468c2fe7e5e1a/68747470733a2f2f692e6962622e636f2f683850705970352f323031392d30322d30312d31362d34362d35322e706e67 [image: https://ibb.co/bvnyyDF] https://camo.githubusercontent.com/b165aa7c8b825076147e6611ff265581507a1643/68747470733a2f2f692e6962622e636f2f5057386262304d2f323031392d30322d30312d31362d34372d30322e706e67
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/spesmilo/electrum/issues/4968#issuecomment-459667290, or mute the thread https://github.com/notifications/unsubscribe-auth/AjD0C1b0J1XJzeYacPuNmBdpN4KlLp-Yks5vJA50gaJpZM4ZiLL5 .
@metroyanno @Platinumwrist -- DO NOT DOWNLOAD FROM THAT LINK. It's a trojan.
Electrum dev (github version) right now no longer produces error messages form the server -- and I believe a new release will come out soon to address this.
For now -- switch servers and do not listen download from that link.
Electrum 3.3.3 is out already and contains the referenced PR.
btw @Platinumwrist is almost certainly AI, very annoying.
Thanks will do
On Fri, Feb 1, 2019, 6:32 AM Calin Culianu <notifications@github.com wrote:
@metroyanno https://github.com/metroyanno @Platinumwrist https://github.com/Platinumwrist -- DO NOT DOWNLOAD FROM THAT LINK. It's a trojan.
Electrum dev (github version) right now no longer produces error messages form the server -- and I believe a new release will come out soon to address this.
For now -- switch servers and do not listen download from that link.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/spesmilo/electrum/issues/4968#issuecomment-459694002, or mute the thread https://github.com/notifications/unsubscribe-auth/AjD0C7U2vA_WiSXV6I8BC54b-Tz41fZTks5vJCXBgaJpZM4ZiLL5 .
I just got owned by this exploit. I had a fairly old version of electrum and when I saw the error message it made sense that maybe I needed to upgrade to send transactions. I knew there was something wrong as soon as I saw that "Electrum 4.0" was my current version and the latest version was "3.3.3". So obviously my coins are gone - no point in crying over it but I'd like to know how to proceed? Can I keep my current wallet or just create a new one. I guess that's a stupid question... Fuck... I think I'm writing while I'm still in shock lol.
I fell for this and I honestly think you should have screenshots of that error on the main website to alert people or find another way to warn users. I was lucky I didn't loose anything the version 4 app the phishers are pushing adds an outgoing transaction maxing your funds. If you try and send a transaction it will try and max the funds. It also wont let you open it without entering your password. I saw this post quickly, uninstalled electrum and downloaded the correct version. I then restored my wallet using the seed phrase and created a new password. Can you or should you change a seed phrase too? I have not had any other alerts from my AV about this so I suspect though it's malware it's not adding additional malware and simply uninstalling and reinstalling will address this at a program level.
I fell for this and I honestly think you should have screenshots of that error on the main website to alert people or find another way to warn users
The website has a warning at the top. It has been there since about a day after this issue was opened.
@10771271 I would definitely generate a new wallet on a clean system (perhaps a different, offline system) with a brand new seed and xfer all your funds to it.
I can relate to the state of shock. Believe me in my life I've also lost many things... not just money. Don't kill yourself though! Please. I know it doesn't help much but really you are alive and hopefully healthy. Dying rich men would trade all of their wealth in a heartbeat when they are old just to be healthy again and to live. It's not worth dying for... No amount of money is.
Due to ongoing phishing attacks on old clients, we need users to upgrade. Let's start the "good attack". Please run https://github.com/SomberNight/electrumx/tree/good_attack
EDIT: ElectrumX 1.9.2 now has the changes merged upstream; just upgrade.
If you run this branch, your server will behave the same as normal ElectrumX for "new" clients. However, when an old client broadcasts a transaction, after relaying it onto the bitcoin network as usual, the server sends back an error message (just like the phishing attack), asking the user to upgrade (sending them to the official website).
Thanks if you may kindly help restore my fund as of lost during offline/power off PC with electrum wallet. Thanks.
https://www.blockchain.com/btc/tx/bb08b3ed52955da3c98562638e5d1486328995e029f8b33ce35320deeddcd0b3
wondering official electrum wallet allow ; such fake phishing message as an official notice inside its trusted genuine client.
Went to send. Got the phishing alert it could not be sent. Was sent to this URL . I thought if an in app message with GitHub it should be legit. Installed the false client and it never synced. Came back today to try again with a fresh install.
Lost 8k usd @ 2019-02-03 09:32.
Phished from inside the app, what shit.
If Phishers can send a message to legit clients, why not send a proper notice to everyone?
@SomberNight, is it planned to update 3.2.x branch with this issue fixed? Fedora 29 ships 3.2.4 in the repository, and I almost fell for this attack today. https://bugzilla.redhat.com/show_bug.cgi?id=1672145
Very nearly got caught by this just now, luckily spotted that the Github repo it directed me to had no other releases on it and 0 issues/PRs - major red flag.
This is the Github repo I was directed to, if that's of any use https://github.com/grubproject/electrum
Thanks for this. I am complaining to github under the "Report Abuse" section. I suggest you all do the same so that they take down this malware version of Electrum ASAP.
Report Abuse here: https://github.com/contact/report-abuse
Just sent mine in - thanks for the link.
https://github.com/grubproject/electrum is gone now
W00t! We did it! That was quick.
(Now only 9,999,999,999E+38 more possible places to stamp out!)
I've got another one here for you all. A customer of mine received an in-app message, just like the one reported in this issue, but was on 3.3.3 .
The customer was using 3.3.3. He received a message in-app to update to 3.3.4 due to a vulnerability after trying to send a transaction.
3.3.3 does not display arbitrary text.
clicked on the in-app link that was in the pop-up message that redirected him to a scam github.
Even if you do find a way to get the popup displayed, there is no way it would contain a clickable link in 3.3.2+. We explicitly made rich text opt-in.
Do you know which server they were connected to? Maybe a screenshot/picture of the popup?
User stories are notoriously unreliable; I would assume they were not actually on 3.3.3.
I'll try to gather some photographs if they have them as well as server information.
User is dead set that this happened on version 3.3.3.
server: electrum-server.ninja: 50002
Here are the photographs that were provided:
How is it that phishing messages appear in the electrum wallet, and official warnings are only on the site? I lost my money ... thanks, the safest wallet.
EDIT2: To users: when you broadcast a transaction, servers can tell you about errors with the transaction. In Electrum versions before 3.3.3, this error is arbitrary text, and what's worse, it is HTML/rich text (as that is the Qt default). So the server you are connected to can try to trick you by telling you to install malware (disguised as an update). You should update Electrum from the official website so that servers can no longer do this to you. If you see these messages/popups, just make sure you don't follow them and that you don't install what they tell you to install. The messages are just messages, they cannot hurt you by themselves.
TL;DR: There is an ongoing attack against users where servers raise exceptions when a client broadcasts a transaction; in this case the error text is displayed as is in the client GUI. The attacker has spawned lots of servers on different /16 IPv4s to increase his chances of being connected to. The error messages are trying to get the user to download and install malware (disguised as updated versions of electrum).
In relation to https://github.com/spesmilo/electrum/issues/4953, we were privately sent a screenshot that was apparently floating around a German chat room (on 2018-12-21).
There wasn't really any extra information given, however most likely the following happened:
https://github.com/spesmilo/electrum/blob/b491a30dd9f550ab2f335ae88889c910125d4559/electrum/network.py#L734-L741
To make the attack more effective, the attacker is creating lots of servers (sybils), hence increasing the chance a client would connect to him. See this graph on the number of servers hsmiths shared re the peers found by his server:
At the very least, the message should not be displayed as rich text. It is untrusted input afterall... We should also show some additional explanatory text at the beginning (prepend something).
For context, this mechanism of the server returning error message text to txn broadcasts is used to display error messages originating from bitcoind, such as low incremental fee or missing inputs, etc. Maybe the server should return error codes (ints) instead, and we could have our own decoding table, but then this would need to be kept in sync with bitcoind... (EDIT3: looked into this more, see https://github.com/spesmilo/electrum/issues/4968#issuecomment-455557296)
Hours after we were sent the screenshot, we silently made mitigations in https://github.com/spesmilo/electrum/commit/5248613e9d7b8b8ec85a1cee897d1901d747f5b4 and https://github.com/spesmilo/electrum/commit/5dc240d4ed39796bec72ac115d920160865b3ec5; and released 3.3.2. This is not a true fix, but the more proper fix of using error codes would entail upgrading the whole federated server ecosystem out there...
We did not publicly disclose this until now, as around the time of the 3.3.2 release, the attacker stopped; however they now started the attack again.
This is how the attack, live as writing this now, looks on 3.3.2:
This is on server
plmimservice.bitcoinplug.website
on mainnet.My current server peers on bitcoin mainnet
``` Host Status TCP SSL Server Min Max Pruning Last Good Last Try Tries Source IP Address nl.bitops.me good 50001 50002 ElectrumX 1.8.12 1.2 1.4 01h 40m 07s 01h 40m 07s 0 peer 103.214.4.65 207.154.223.80 good 50001 50002 ElectrumX 1.2.1 0.9 1.2 01h 50m 14s 01h 50m 14s 0 peer 207.154.223.80 hsmiths4fyqlw5xw.onion good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 17m 08s 02h 17m 14s 0 peer y4td57fxytoo5ki7.onion good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 17m 18s 02h 17m 24s 0 peer 4cii7ryno5j3axe4.onion good 50001 ElectrumX 1.3.1 0.9 1.2 02h 17m 27s 02h 17m 29s 0 peer luggscoqbymhvnkp.onion good 80 ElectrumX 1.8.7 1.1 1.4 02h 17m 28s 02h 17m 32s 0 peer qtornadoklbgdyww.onion good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 17m 57s 02h 18m 01s 0 peer ndndword5lpb7eex.onion good 50001 ElectrumX 1.8.12 1.2 1.4 02h 18m 09s 02h 18m 14s 0 peer electrum-server.ninja good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 31s 02h 19m 33s 0 peer 220.233.178.199 yuio.top good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 33s 02h 19m 35s 0 peer 118.86.185.36 139.162.14.142 good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 37s 02h 19m 38s 0 peer 139.162.14.142 electrumx.ddns.net good 50001 50002 ElectrumX 1.8.7 1.1 1.4 02h 19m 44s 02h 19m 45s 0 peer 169.0.147.67 electrum.hsmiths.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 50s 02h 19m 51s 0 peer 76.174.26.91 orannis.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 51s 02h 19m 52s 0 peer 50.35.67.146 enode.duckdns.org good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 52s 02h 19m 53s 0 peer 75.159.6.167 electrum.leblancnet.us good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 52s 02h 19m 53s 0 peer 205.197.210.32 dragon085.startdedicated.de good 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 54s 02h 19m 55s 0 peer 69.64.46.27 electrumx.bot.nu good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 56s 02h 19m 57s 0 peer 173.91.90.62 technetium.network good 50002 ElectrumX 1.8.7 1.1 1.4 02h 19m 57s 02h 19m 58s 0 peer 96.27.8.242 E-X.not.fyi good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 19m 57s 02h 19m 58s 0 peer 170.130.28.174 us.electrum.be good 50001 50002 ElectrumX 1.8.7 1.1 1.4 02h 19m 58s 02h 19m 59s 0 peer 208.110.73.107 electrum.coinucopia.io good 50001 50002 ElectrumX 1.4.3 1.0 1.2 02h 20m 01s 02h 20m 01s 0 peer 67.205.187.44 elec.luggs.co good 443 ElectrumX 1.8.7 1.1 1.4 02h 20m 05s 02h 20m 06s 0 peer 95.211.185.14 electrum2.eff.ro good 50001 50002 ElectrumX 1.8.5 1.1 1.4 02h 20m 06s 02h 20m 06s 0 peer 195.135.194.3 AZZARITA.hopto.org good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 08s 02h 20m 08s 0 peer 2.236.8.149 electrumx.soon.it good 50001 50002 ElectrumX 1.8.11 1.2 1.4 02h 20m 08s 02h 20m 09s 0 peer 79.11.31.76 electrumx.ftp.sh good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 09s 02h 20m 09s 0 peer 213.246.56.95 81-7-13-84.blue.kundencontroll good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 09s 02h 20m 09s 0 peer 81.7.13.84 electrum.petrkr.net good 50001 50002 ElectrumX 1.4.3 1.0 1.2 02h 20m 09s 02h 20m 09s 0 peer 213.168.187.27 fedaykin.goip.de good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 09s 02h 20m 10s 0 peer 109.192.105.174 81-7-16-182.blue.kundencontrol good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 10s 02h 20m 10s 0 peer 81.7.16.182 elx01.knas.systems good 50001 50002 ElectrumX 1.8.4 1.1 1.4 02h 20m 10s 02h 20m 10s 0 peer 83.233.65.59 bitcoin.grey.pw good 50001 50002 ElectrumX 1.8.7 1.1 1.4 02h 20m 10s 02h 20m 10s 0 peer 173.249.8.197 electrum.festivaldelhumor.org good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 10s 02h 20m 11s 0 peer 207.180.219.223 tardis.bauerj.eu good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 10s 02h 20m 11s 0 peer 51.15.138.64 electrum.anduck.net good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 11s 0 peer 62.210.6.26 ndnd.selfhost.eu good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 11s 0 peer 87.156.193.92 qmebr.spdns.org good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 11s 0 peer 92.116.97.34 bitcoins.sk good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 11s 0 peer 46.229.238.187 tomscryptos.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 11s 0 peer 95.216.28.117 ulrichard.ch good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 11s 0 peer 151.248.186.86 electrum.villocq.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 11s 02h 20m 12s 0 peer 78.143.214.223 b.ooze.cc good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 12s 02h 20m 12s 0 peer 145.239.252.207 vmd27610.contaboserver.net good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 12s 02h 20m 12s 0 peer 173.249.48.200 electrum.nute.net good 50002 ElectrumX 1.3 0.9 1.2 02h 20m 12s 02h 20m 12s 0 peer 37.187.141.73 currentlane.lovebitco.in good 50001 50002 ElectrumX 1.8.7 1.1 1.4 02h 20m 12s 02h 20m 12s 0 peer 88.198.91.74 rbx.curalle.ovh good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 12s 02h 20m 12s 0 peer 176.31.252.219 185.64.116.15 good 50001 50002 ElectrumX 1.8.9 1.1 1.4 02h 20m 12s 02h 20m 13s 0 peer 185.64.116.15 13.80.67.162 good 50001 50002 ElectrumX 1.4.3 1.0 1.2 02h 20m 12s 02h 20m 13s 0 peer 13.80.67.162 kirsche.emzy.de good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 13s 02h 20m 13s 0 peer 78.47.61.83 vmd30612.contaboserver.net good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 13s 02h 20m 13s 0 peer 173.212.249.224 electrum.vom-stausee.de good 50001 50002 ElectrumX 1.3.1 0.9 1.2 02h 20m 13s 02h 20m 13s 0 peer 37.59.46.112 fn.48.org good 50003 50002 ElectrumX 1.8.7 1.1 1.4 02h 20m 13s 02h 20m 13s 0 peer 5.79.90.70 electrum.taborsky.cz good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 13s 02h 20m 13s 0 peer 37.205.8.78 e-1.claudioboxx.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 13s 02h 20m 13s 0 peer 37.61.209.146 e-2.claudioboxx.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 14s 02h 20m 14s 0 peer 37.61.209.147 btc.cihar.com good 50001 50002 ElectrumX 1.8.7 1.1 1.4 02h 20m 14s 02h 20m 14s 0 peer 78.46.177.74 dedi.jochen-hoenicke.de good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 14s 02h 20m 14s 0 peer 88.198.39.205 hetzner01.fischl-online.de good 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 14s 02h 20m 14s 0 peer 5.9.124.124 electrum.be good 50001 50002 ElectrumX 1.8.7 1.1 1.4 02h 20m 14s 02h 20m 14s 0 peer 88.198.241.196 electrum.qtornado.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 20m 15s 02h 20m 15s 0 peer 88.99.162.199 bitcoin.corgi.party good 50001 50002 ElectrumX 1.8.12 1.2 1.4 02h 30m 09s 02h 30m 09s 0 peer 176.223.139.65 mooo.not.fyi good 50011 50012 ElectrumX 1.8.12 1.2 1.4 02h 38m 52s 02h 38m 53s 0 peer 71.239.40.8 2AZZARITA.hopto.org good 50001 50002 ElectrumX 1.8.12 1.2 1.4 03h 07m 03s 03h 07m 03s 0 peer 173.212.253.26 tpslocalserver12.cryptoplayer. good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 28m 07s 04h 28m 09s 0 peer 128.199.223.21 62.80.227.49 good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 30m 12s 04h 30m 12s 0 peer 62.80.227.49 ozahtqwp25chjdjd.onion good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 46m 27s 04h 46m 34s 0 peer sysdump112.bitcoinplug.website good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 49m 49s 04h 49m 50s 0 peer 128.199.223.23 prodcics12.imaginarycoin.info good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 50m 00s 04h 50m 02s 0 peer 128.199.223.22 sysadmin12.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 50m 04s 04h 50m 05s 0 peer 128.199.225.8 computer12.krypto-familar.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 50m 23s 04h 50m 25s 0 peer 128.199.225.13 gregoire12.mldlab-works.space good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 50m 54s 04h 50m 55s 0 peer 128.199.218.24 quaternion.tech good 50001 50002 ElectrumX 1.8.12 1.2 1.4 04h 58m 38s 04h 58m 39s 0 peer 104.244.222.239 btc.smsys.me good 995 ElectrumX 1.8.12 1.2 1.4 04h 59m 50s 04h 59m 52s 0 peer 50.198.167.205 helicarrier.bauerj.eu good 50001 50002 ElectrumX 1.8.7 1.1 1.4 05h 00m 12s 05h 00m 12s 0 peer 178.32.88.133 bfav33xnleliriow.onion good 50001 50002 ElectrumX 1.8.12 1.2 1.4 05h 26m 47s 05h 26m 52s 0 peer 128.199.223.10 good 50001 50002 ElectrumX 1.8.12 1.2 1.4 05h 43m 10s 05h 43m 11s 0 peer 128.199.223.10 utilities12.pebwindkraft.space good 50001 50002 ElectrumX 1.8.12 1.2 1.4 05h 48m 13s 05h 48m 14s 0 peer 52.221.249.16 security12.cryptoplayer.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 04m 33s 06h 04m 36s 0 peer 13.229.97.230 museadmin12.imaginarycoin.info good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 04m 55s 06h 04m 56s 0 peer 3.0.98.224 qtmhhttp12.mldlab-works.space good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 05m 17s 06h 05m 19s 0 peer 13.229.197.132 qautprof12.coinucopiaspace.xyz good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 05m 38s 06h 05m 39s 0 peer 54.255.206.0 politcally12.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 07m 29s 06h 07m 30s 0 peer 13.229.130.59 wlseuser12.bitcoinplug.website good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 08m 07s 06h 08m 08s 0 peer 18.136.203.167 pacslinkip12.krypto-familar.fu good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 08m 10s 06h 08m 11s 0 peer 3.0.139.42 wireless12.bitquantum.space good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 08m 18s 06h 08m 19s 0 peer 13.229.224.194 walle.dedyn.io good 50002 ElectrumX 1.8.12 1.2 1.4 06h 25m 12s 06h 25m 12s 0 peer 79.148.156.226 daedalus.bauerj.eu good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 45m 56s 06h 45m 56s 0 peer 5.230.24.38 db2admin1.krypto-familar.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 49m 42s 06h 49m 44s 0 peer 172.104.57.12 oraprobe.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 54m 09s 06h 54m 11s 0 peer 45.76.70.111 videouser.bitcoinplug.website good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 54m 44s 06h 54m 47s 0 peer 108.61.218.93 vcoadmin.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 54m 46s 06h 54m 49s 0 peer 66.42.103.16 openspirit.cryptoplayer.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 55m 31s 06h 55m 32s 0 peer 45.77.241.145 security1.bitcoinplug.website good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 55m 43s 06h 55m 45s 0 peer 103.3.63.9 anonymous.bitcoinplug.website good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 55m 47s 06h 55m 49s 0 peer 66.42.104.125 adminstat.imaginarycoin.info good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 55m 48s 06h 55m 50s 0 peer 45.32.101.251 siteminder.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 56m 11s 06h 56m 14s 0 peer 45.76.70.99 operatns.imaginarycoin.info good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 56m 26s 06h 56m 27s 0 peer 207.148.75.252 username.cryptoplayer.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 56m 26s 06h 56m 27s 0 peer 45.77.242.185 lessonuser2.cryptoplayer.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 56m 32s 06h 56m 33s 0 peer 139.180.132.139 adminstat1.bitquantum.space good 50001 50002 ElectrumX 1.8.12 1.2 1.4 06h 57m 11s 06h 57m 12s 0 peer 172.104.164.217 btc.xskyx.net good 50001 50002 ElectrumX 1.8.7 1.1 1.4 08h 01m 13s 08h 01m 13s 0 peer 185.183.158.170 oaihub902.imaginarycoin.info good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 04m 39s 09h 04m 40s 0 peer 54.169.204.38 username.bitcoinplug.website good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 05m 08s 09h 05m 09s 0 peer 13.229.98.142 topicres.imaginarycoin.info good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 05m 14s 09h 05m 15s 0 peer 13.250.37.215 scientific.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 05m 29s 09h 05m 30s 0 peer 54.169.192.215 security.cryptoplayer.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 05m 32s 09h 05m 33s 0 peer 3.0.59.204 plmimservice.bitcoinplug.websi good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 05m 41s 09h 05m 42s 0 peer 18.136.102.143 readonly.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 05m 58s 09h 06m 00s 0 peer 54.255.195.58 qlpinstall.krypto-familar.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 06m 04s 09h 06m 06s 0 peer 3.0.19.36 superman.cryptoplayer.fun good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 06m 15s 09h 06m 16s 0 peer 54.169.53.21 lucent01.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 08m 00s 09h 08m 01s 0 peer 52.74.115.7 erbium1.sytes.net good 50001 50002 ElectrumX 1.8.12 1.2 1.4 09h 58m 02s 09h 58m 03s 0 peer 46.246.49.225 superuser.23734430190.pro good 50001 50002 ElectrumX 1.8.12 1.2 1.4 12h 00m 33s 12h 00m 34s 0 peer 54.254.191.195 VPS.hsmiths.com good 50001 50002 ElectrumX 1.8.12 1.2 1.4 12h 14m 29s 12h 14m 31s 0 peer 51.15.77.78 electrum2.villocq.com good 50001 50002 ElectrumX 1.8.5 1.1 1.4 12h 30m 08s 12h 30m 09s 0 peer 88.81.143.198 electrumx.schmoock.net good 50001 50002 ElectrumX 1.8.12 1.2 1.4 17h 44m 18s 17h 44m 18s 0 peer 46.4.92.21 e.keff.org good 50001 50002 ElectrumX 1.8.12 1.2 1.4 19h 07m 57s 19h 07m 57s 0 peer 194.71.109.91 electrum3.everynothing.net good 50001 50002 ElectrumX 1.8.12 1.2 1.4 20h 59m 59s 21h 00m 00s 0 peer 198.23.152.179 electrumx.strangled.net good 50002 ElectrumX 1.8.12 1.2 1.4 22h 49m 55s 22h 49m 57s 0 peer 69.30.215.42 62.210.170.57 good 50002 ElectrumX 1.8.12 1.2 1.4 23h 02m 38s 23h 02m 38s 0 peer 62.210.170.57 s7clinmo4cazmhul.onion good 50001 ElectrumX 1.8.12 1.2 1.4 23h 21m 28s 23h 21m 35s 0 peer bitcoin-server.cf good 50002 ElectrumX 1.8.12 1.2 1.4 23h 21m 46s 23h 21m 47s 0 peer 185.181.61.140 n3o2hpi5xnf3o356.onion stale 50001 50002 ElectrumX 1.3 0.9 1.2 1d 02h 02m 01h 02m 30s 4 peer electrum.coineuskal.com stale 50001 50002 ElectrumX 1.3 0.9 1.2 1d 02h 09m 01h 09m 57s 4 peer 34.207.56.59 54.179.187.114 stale 50001 50002 ElectrumX 1.8.12 1.2 1.4 1d 02h 25m 34s 5 peer 54.179.187.114 bauerjhejlv6di7s.onion stale 50001 50002 ElectrumX 1.8.7 1.1 1.4 1d 04h 47m 04h 55m 27s 1 peer 54.251.183.105 stale 50001 50002 ElectrumX 1.8.12 1.2 1.4 1d 09h 28m 04h 22m 43s 6 peer 54.251.183.105 159.65.137.67 stale 50001 50002 ElectrumX 1.8.12 1.2 1.4 1d 09h 41m 04h 41m 22s 6 peer 159.65.137.67 128.199.206.38 stale 50001 50002 ElectrumX 1.8.12 1.2 1.4 2d 01h 41m 04h 34m 48s 8 peer 128.199.206.38 81-7-10-251.blue.kundencontrol stale 50002 ElectrumX 1.8.12 1.2 1.4 3d 12h 00m 17h 40m 09s 9 peer 81.7.10.251 electrum.mindspot.org stale 50002 ElectrumX 1.8.12 1.2 1.4 4d 01h 39m 1d 07h 19m 9 peer 172.103.153.90 84.197.110.145 stale 50001 50002 ElectrumX 1.8.12 1.2 1.4 4d 12h 58m 1d 18h 38m 9 peer 84.197.110.145 node.ispol.sk stale 50001 50002 ElectrumX 1.3+ 0.9 1.2 10d 00h 40m 9d 00h 49m 1 peer 193.58.196.212 3smoooajg7qqac2y.onion stale 50001 50002 ElectrumX 1.8.12 1.2 1.4 15d 23h 39m 14d 22h 59m 3 peer such.ninja never 50001 50002 ElectrumX 1.2 0.9 1.1 Never 07m 51s 2 163.172.61.154 163.172.61.154 ip120.ip-54-37-91.eu never 50001 50002 ElectrumX 1.2.1 0.9 1.1 Never 08m 38s 1 54.37.91.120 54.37.91.120 electrum.dk never 50001 50002 ElectrumX 1.2 0.9 1.1 Never 13d 09h 00m 3 92.246.24.225 92.246.24.225 13.250.108.34 never 50001 50002 ElectrumX 1.8.12 1.2 1.4 Never 10d 03h 50m 2 13.250.108.34 13.250.108.34 ip119.ip-54-37-91.eu never 50001 50002 ElectrumX 1.2.1 0.9 1.1 Never 15m 04s 2 54.37.91.119 54.37.91.119 165.227.22.180 never 50001 50002 ElectrumX 1.2 0.9 1.1 Never 09m 46s 1 165.227.22.180 165.227.22.180 104.250.141.242 never 50002 ElectrumX 1.2 0.9 1.1 Never 16m 52s 2 104.250.141.242 104.250.141.242 ip239.ip-54-36-234.eu never 50001 50002 ElectrumX 1.2.1 0.9 1.1 Never 17m 24s 2 54.36.234.239 54.36.234.239 ip101.ip-54-37-91.eu never 50001 50002 ElectrumX 1.2.1 0.9 1.1 Never 05m 10s 2 54.37.91.101 54.37.91.101 xray587.startdedicated.de bad 50002 ElectrumX 1.8.12 1.2 1.4 42m 00s 42m 01s 0 peer 188.138.88.42 electrumx.ga bad 50002 ElectrumX 1.8.12 1.2 1.4 01h 20m 11s 01h 20m 11s 0 peer 178.32.223.22 7jwtirwsaogb6jv2.onion bad 50001 50002 ElectrumX 1.3+ 0.9 1.2 10d 00h 39m 9d 00h 34m 2 peer ```Notice there are 7
*.bitcoinplug.website
domains. There are 6*.imaginarycoin.info
domains. There are 9*.23734430190.pro
domains. There are 7*.cryptoplayer.fun
domains. There are 4*.krypto-familar.fun
domains.(EDIT1: noticed at 2018-12-27 14:48 UTC that these domains are no longer DNS resolving)
@ecdsa @ysangkok
EDIT4: For longer term resolution of this issue, see https://github.com/spesmilo/electrum/issues/4968#issuecomment-455557296 and https://github.com/spesmilo/electrum/pull/5011