[Snort-users] Suspicious hacker activity detected?

Teo En Ming teo.en.ming at ...11827...
Mon Apr 14 11:06:21 EDT 2014


Hi,

My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL
heartbleed vulnerability without my knowledge and authorization. Is it a
sign of hacker activity? Please look at the Snort alerts below.

[root at ...274... snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
185.35.61.19:41201
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
183.60.243.189:46524
04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
183.60.244.46:55346
04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
101.226.19.76:31223
04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
180.153.198.190:25521
04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
180.153.198.219:50214
04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995

Yours sincerely,

Teo En Ming
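An added triage example (not part of the original post): it reads alerts in the snort.fast format shown above and pairs each inbound heartbeat read-overrun alert (SIDs 30524/30512) with any outbound "large heartbeat response" alert (SID 30516) on the same flow. Rule 30516 fires on the server's reply, so a flow where the server answered an oversized heartbeat is the one to patch and check first; a probe with no matching response is lower priority. The sample lines are constructed: the first three mirror the post's port-993 flow, the 198.51.100.7 probe is made up.

```python
import re
from collections import defaultdict

# One line of Snort "fast" alert output (unwrapped onto a single line).
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# SIDs from the post: inbound malformed heartbeat requests vs. the server's oversized reply.
REQUEST_SIDS = {"30524", "30512"}
RESPONSE_SIDS = {"30516"}


def parse_fast(text):
    """Yield a dict per parseable alert line; silently skip anything else."""
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage_heartbleed(text):
    """Group alerts by (client, server, server_port). A flow is 'responded' when
    the server emitted SID 30516 back to the client that sent the request SIDs;
    otherwise it is 'probe_only'."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0})
    for a in parse_fast(text):
        if a["sid"] in REQUEST_SIDS:
            flows[(a["src"], a["dst"], a["dport"])]["requests"] += 1
        elif a["sid"] in RESPONSE_SIDS:
            # The server is the sender of the response, so swap the tuple.
            flows[(a["dst"], a["src"], a["sport"])]["responses"] += 1
    return {k: ("responded" if v["responses"] else "probe_only") for k, v in flows.items()}


# Constructed sample input (see lead-in); each alert sits on one line.
SAMPLE = """\
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 183.60.243.189:46524
04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-10:00:00.000000  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.168.1.146:443
"""

if __name__ == "__main__":
    for (client, server, port), verdict in triage_heartbleed(SAMPLE).items():
        print(f"{client} -> {server}:{port}: {verdict}")
```

Against a real snort.fast file, unwrap the mail-wrapped lines first (each alert must be a single line) and feed the file contents to triage_heartbleed.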