Am I under attack?

tennis · November 26, 2025, 11:14am

Hey I noticed somebody is attempting to login to my RPC. I run a clearnet BTC Lightning node.

These are the logs from Bitcoin Knots. The only exposed port to the clearnet is 9735 (from Start9).

I’m not worried too much and I know the implications of running a Clearnet node. I’m still wondering though. I noticed that Mempool was not able to connect for block sync, so I cannot rule out that this would be the mempool service. The IP and the changing ports are confusing me though.

2025-11-26T12:09:30+01:00  2025-11-26T11:09:30Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32774
2025-11-26T12:09:30+01:00  2025-11-26T11:09:30Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32788
2025-11-26T12:09:31+01:00  2025-11-26T11:09:31Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32792
2025-11-26T12:09:32+01:00  2025-11-26T11:09:32Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32794
2025-11-26T12:09:33+01:00  2025-11-26T11:09:33Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32796
2025-11-26T12:09:33+01:00  2025-11-26T11:09:33Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32800
2025-11-26T12:09:34+01:00  2025-11-26T11:09:34Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32812
2025-11-26T12:09:35+01:00  2025-11-26T11:09:35Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32814
2025-11-26T12:09:36+01:00  2025-11-26T11:09:36Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32826
2025-11-26T12:09:36+01:00  2025-11-26T11:09:36Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32830
2025-11-26T12:09:37+01:00  2025-11-26T11:09:37Z ThreadRPCServer incorrect password attempt from 172.18.0.9:32832
2025-11-26T12:09:38+01:00  2025-11-26T11:09:38Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53880
2025-11-26T12:09:39+01:00  2025-11-26T11:09:39Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53888
2025-11-26T12:09:39+01:00  2025-11-26T11:09:39Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53898
2025-11-26T12:09:40+01:00  2025-11-26T11:09:40Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53910
2025-11-26T12:09:41+01:00  2025-11-26T11:09:41Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53922
2025-11-26T12:09:42+01:00  2025-11-26T11:09:42Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53934
2025-11-26T12:09:42+01:00  2025-11-26T11:09:42Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53950
2025-11-26T12:09:43+01:00  2025-11-26T11:09:43Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53964
2025-11-26T12:09:44+01:00  2025-11-26T11:09:44Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53976
2025-11-26T12:09:45+01:00  2025-11-26T11:09:45Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53990
2025-11-26T12:09:45+01:00  2025-11-26T11:09:45Z ThreadRPCServer incorrect password attempt from 172.18.0.9:53998
2025-11-26T12:09:46+01:00  2025-11-26T11:09:46Z ThreadRPCServer incorrect password attempt from 172.18.0.9:54000
2025-11-26T12:09:46+01:00  2025-11-26T11:09:46Z ThreadRPCServer incorrect password attempt from 172.18.0.9:54012
2025-11-26T12:09:47+01:00  2025-11-26T11:09:47Z ThreadRPCServer incorrect password attempt from 172.18.0.9:54014
2025-11-26T12:09:47+01:00  2025-11-26T11:09:47Z ThreadRPCServer incorrect password attempt from 172.18.0.9:54018
2025-11-26T12:09:47+01:00  2025-11-26T11:09:47Z ThreadRPCServer incorrect password attempt from 172.18.0.9:54024
2025-11-26T12:09:48+01:00  2025-11-26T11:09:48Z ThreadRPCServer incorrect password attempt from 172.18.0.9:36522
2025-11-26T12:09:48+01:00  2025-11-26T11:09:48Z ThreadRPCServer incorrect password attempt from 172.18.0.9:36538
2025-11-26T12:09:50+01:00  2025-11-26T11:09:50Z ThreadRPCServer incorrect password attempt from 172.18.0.9:36542
2025-11-26T12:09:50+01:00  2025-11-26T11:09:50Z ThreadRPCServer incorrect password attempt from 172.18.0.9:36558

Rexter · November 26, 2025, 2:31pm

The “ThreadRPCServer incorrect password” message in Bitcoin Knots usually indicates that the application is trying to connect with incorrect authentication

Since you mentions that mempool is not working correctly, these two things probably are related. Stop all of the Bitcoin related services. On the service page for each service, starting with Bitcoin, click config, and then save without making any changes. Start the service. Then the same with electrs, lnd, or cln, and then mempool.

system · November 28, 2025, 2:31pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.