[Snort-users] Suspicious hacker activity detected?

Nicholas Mavis (nmavis) nmavis at ...589...
Mon Apr 14 11:45:14 EDT 2014


You can download OpenSSL 1.0.1g and compile it.

Nick

From: Teo En Ming <teo.en.ming at ...11827...>
Date: Monday, April 14, 2014 at 11:40 AM
To: nmavis <nmavis at ...589...>
Cc: Snort Users <snort-users at lists.sourceforge.net>, Teo En Ming <teo.en.ming at ...11827...>
Subject: Re: [Snort-users] Suspicious hacker activity detected?


Dear Nicholas Mavis,

I have patched openssl on Centos 6.5 x86_64. However, I cannot patch openssl on my RHEL 7 Beta because I don't have a Red Hat Network subscription. What do you think can be done?

Thank you.

Regards,

Teo En Ming


On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <nmavis at ...589...> wrote:
Yes, this is a sign and it also looks like you are vulnerable.

Nick

From: Teo En Ming <teo.en.ming at ...11827...>
Date: Monday, April 14, 2014 at 11:06 AM
To: Snort Users <snort-users at lists.sourceforge.net>
Subject: [Snort-users] Suspicious hacker activity detected?

Hi,

My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below.

[root at ...274... snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 185.35.61.19:41201
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 183.60.243.189:46524
04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 183.60.244.46:55346
04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 101.226.19.76:31223
04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 180.153.198.190:25521
04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 180.153.198.219:50214
04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995

Yours sincerely,

Teo En Ming
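The reason Nick can say "it also looks like you are vulnerable" from the alerts alone is the pairing: SIDs 30524 and 30512 fire on the inbound heartbeat request whose declared length is larger than its payload, and SID 30516 fires on the server's outbound reply being larger than it should be. A server that only appears as the target of a probe was merely scanned; a server that also emits a 30516 reply honoured the bogus length and handed process memory to the scanner. The script below is an added example (not from the thread or the Snort project) that parses snort.fast lines, keys them on the local server socket, and pairs probes with oversized replies. The sample input is a subset of the alert lines posted above plus one constructed line (198.51.100.7 -> 192.168.1.150:443, a made-up probe that gets no reply) to show the "scanned but did not answer" case.

```python
"""Triage Snort Heartbleed alerts: which local services were probed, which answered.

Added example, not code from the thread or the Snort project. The rule SIDs are
the ones visible in the snort.fast output above; the 198.51.100.7 line is constructed.
"""
import re
from collections import defaultdict

# Inbound probe: heartbeat request whose length field exceeds the actual payload.
PROBE_SIDS = {"30512", "30524"}
# Outbound reply: heartbeat response larger than it should be, i.e. leaked memory.
RESPONSE_SID = "30516"

# Snort "fast" alert format: timestamp [**] [gid:sid:rev] msg [**] [...] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: six lines taken from the thread above, plus one made-up probe
# against 192.168.1.150:443 that never receives a large heartbeat response.
SAMPLE_ALERTS = """\
04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 185.35.61.19:41201
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 183.60.243.189:46524
04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 101.226.19.76:31223
04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-12:30:00.000000  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 192.168.1.150:443
"""


def parse_alerts(text):
    """Parse snort.fast lines into dicts of named fields; skip lines that do not match."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def triage(alerts):
    """Key alerts on the local server socket and pair probes with oversized replies.

    For a probe the server is the destination; for a 30516 reply the server is
    the source. A server with at least one reply honoured the bogus length field
    and leaked memory to that client, so it is flagged as likely vulnerable.
    """
    probed_by = defaultdict(set)
    responded_to = defaultdict(set)
    for a in alerts:
        if a["sid"] in PROBE_SIDS:
            probed_by[(a["dst"], a["dport"])].add(a["src"])
        elif a["sid"] == RESPONSE_SID:
            responded_to[(a["src"], a["sport"])].add(a["dst"])
    report = {}
    for server in probed_by.keys() | responded_to.keys():
        report[server] = {
            "probed_by": sorted(probed_by[server]),
            "responded_to": sorted(responded_to[server]),
            "likely_vulnerable": bool(responded_to[server]),
        }
    return report


def external_scanners(report):
    """Every source that sent a probe, whether or not the server answered it."""
    return sorted({ip for r in report.values() for ip in r["probed_by"]})


def main():
    report = triage(parse_alerts(SAMPLE_ALERTS))
    for (ip, port), r in sorted(report.items()):
        state = "RESPONDED, leaked memory" if r["likely_vulnerable"] else "probed only"
        probes = ", ".join(r["probed_by"]) or "none seen"
        print(f"{ip}:{port}  {state}; probes from {probes}")
    print("scanners:", ", ".join(external_scanners(report)))


if __name__ == "__main__":
    main()
```

Two caveats when reading the output. A server that shows "probed only" is not proven patched: Snort may not see the return path, or the reply may be split across segments the rule does not reassemble; confirm with a direct check against the service after patching. Conversely, every 30516 reply means memory was already served to that client, so after installing the fixed OpenSSL the private keys and session credentials on that host should be treated as exposed and reissued. On CentOS and RHEL the version string is not a reliable indicator either way, since fixes are backported without bumping the upstream version number; the package changelog is the thing to check there.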
