
New post: Broke Dumbass Attempts To Web3 Once More

Lethe Beltane 2023-05-01 11:40:31 -05:00
parent 75561e6790
commit 34d9fad795
Signed by: lethe
GPG key ID: 21A3DA3DE29CB63C
13 changed files with 368 additions and 8 deletions


@ -118,7 +118,7 @@
<p><code>tshark -T fields -e ip.dst -r /home/lethe/Documents/wireshark_enp0s3Y4PGY1.pcapng | grep -Ev "10.0.2" &gt; /home/lethe/Documents/ip.txt</code></p>
<p>About twenty minutes or so (I wasn't counting because I was eating dinner) later, I had condensed the two-gigabyte packet capture into a twelve-megabyte list of only the IPs that the VM had talked to, minus any LAN traffic. I then had to create two new lists: one with each IP address ranked by the number of times Utopia had connected to it, and one with only unique IPs so that I could see how many people Utopia had connected to. As it turns out, <code>uniq</code>, the command-line tool that can do both of those jobs, has a bug where it only counts a line as a duplicate of another line if those two lines are adjacent to each other. Thus I had to run <code>sort</code> twice.</p>
<p>For the first list, I ran <code>cat ~/Documents/ip.txt | sort | uniq -c | sort -gr | head -n 15</code>, and it gave me the following data for the fifteen most connected-to IPs:</p>
<p><table>
<table>
<thead>
<th>Number of connections</th>
<th>IP address</th>
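Review bot: The `<p><table>` line after the `head -n 15` paragraph is immediately followed by a second `<table>`, so two tables are opened, and a `<table>` cannot live inside a `<p>` (browsers close the paragraph implicitly, leaving a stray `</p>` later); drop the `<p>` and one of the two `<table>` lines, and wrap the two `<th>` cells in a `<tr>` inside `<thead>`. In the prose, describing `uniq` as having a bug is inaccurate: folding only adjacent duplicates is its documented behaviour and the reason `sort` runs first, so "by design" would be more precise. Also worth a sentence: `-e ip.dst` records destinations only, so the list covers peers the VM sent packets to, not peers that initiated connections to it, which is narrower than "only the IPs that the VM had talked to".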
@ -202,12 +202,10 @@
</tr>
</tbody>
</table>
<pre><code>
</code></pre>
<p><a href="https://web.archive.org/web/20230113001915/https://www.abuseipdb.com/user/26767">All (but one) of the top IPs seem to really hate AbuseIPDB user Tha_14</a>, as this user has reported each one at least once within the past year for port scanning. While this isn't definitive evidence of a botnet, the fact that each one was active in Utopia within a day or two of my test (otherwise my device would not have connected to them) <em>and</em> port-scanned the same person definitely implies some kind of coordinated attack.</p>
</p>
<p>For the second list, I ran <code>cat ~/Documents/ip.txt | sort | uniq | wc -l</code> and fed the results of that list to a custom script that queries the AbuseIPDB API for the purpose of each IP. (Well, it gives the full information about each IP, so I could see that Russia only showed up once or twice, but I had it filtered further with <code>jq</code>.) The list only returned about three hundred and eighty unique IP addresses, which was well within the daily limits for AbuseIPDB's free tier of membership.</p>
<p><table>
<table>
<thead>
<th>IP allocation</td>
<th>Number of occurrences</td>
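Review bot: The `</p>` on its own line after the AbuseIPDB paragraph is stray (that paragraph already ends in `</p>`), and the empty `<pre><code>` / `</code></pre>` pair just above it renders as a blank preformatted box; remove both. The second table header repeats the doubled `<p><table>` / `<table>` opening from the first hunk and closes its `<th>` cells with `</td>`; they should end in `</th>` and sit inside a `<tr>`. In the prose, `cat ~/Documents/ip.txt | sort | uniq | wc -l` prints a single count, so it cannot be what was fed to the AbuseIPDB script; the sentence presumably means the `sort | uniq` output went to the script and `wc -l` produced the roughly 380 figure, and it should say so.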
@ -230,7 +228,7 @@
<td>4</td>
</tr>
</tbody>
</table></p>
</table>
<p>As shown in the table, the vast majority of IP addresses that Utopia connected to during the tests were owned by VPS hosting companies, not residential ISPs as I would have first guessed. I have three hypotheses as to why this is the case.</p>
<p>Firstly, as I wrote in the beginning of this post, Utopia's devs nowadays mainly focus on their cryptocurrency, Cryptons. When attempting to debug why no sites were loading in Idyll, I forgot to mention that there was a "Console" feature, which I thought would allow me to run tools like <code>ping</code>, but instead it was a glorified log viewer that showed that Utopia was making thousands of connections a minute to fetch "mining history updates" and "finance balance requests". The vast majority of these mackets were marked "skipped", but that doesn't negate that they were sent to my node in the first place. Given how gung-ho the Utopia devs are about crypto, and considering that the <a href="https://archive.md/fwvAG#selection-2577.0-2577.46">official mining bot apparently requires four gigabytes of RAM <em>at minimum</em> and a public IP</a>, it's not that far of a stretch to assume that these VPSes were running the Crypton mining bot. Please note that the bot is also closed-source, so these people trying to scrape pennies together have effectively given the Utopia devs access to lots of VPSes trusting that they won't become part of a botnet.</p>
<p>Secondly, if these are potential command-and-control centers for a Utopia botnet, then it would make sense to have as many IPs as possible in case of some of them going down from seizure and to get them from virtual private server providers to reduce the cost of quickly rotating IPs. But that doesn't explain why so many of the IP addresses are owned by the same company. In the case of an active botnet, that company would have the power to kill a large part of the infected machines.</p>
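Review bot: The closing `</table></p>` followed by a bare `</table>` mirrors the doubled opening of the second table; once one `<table>` is dropped at the top, keep a single `</table>` here and remove the `</p>`, which has no matching open tag at that point. Typo in the Crypton paragraph: "mackets" should be "packets".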