[Snort-users] Suspicious hacker activity detected?

Joel Esler (jesler) jesler at ...589...
Mon Apr 14 11:46:19 EDT 2014


Sounds like a question for Red Hat support.

--
Joel Esler
Sent from my iPhone

> On Apr 14, 2014, at 11:41, "Teo En Ming" <teo.en.ming at ...11827...> wrote:
> 
> 
> Dear Nicholas Mavis,
> 
> I have patched openssl on Centos 6.5 x86_64. However, I cannot patch openssl on my RHEL 7 Beta because I don't have a Red Hat Network subscription. What do you think can be done?
> 
> Thank you.
> 
> Regards,
> 
> Teo En Ming
> 
> 
>> On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <nmavis at ...16686......> wrote:
>> Yes, this is a sign and it also looks like you are vulnerable.
>> 
>> Nick
>> 
>> From: Teo En Ming <teo.en.ming at ...11827...>
>> Date: Monday, April 14, 2014 at 11:06 AM
>> To: Snort Users <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] Suspicious hacker activity detected?
>> 
>> Hi,
>> 
>> My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below.
>> 
>> [root at ...274... snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
>> 04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 185.35.61.19:41201
>> 04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>> 04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 183.60.243.189:46524
>> 04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>> 04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>> 04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 183.60.244.46:55346
>> 04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>> 04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>> 04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>> 04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 101.226.19.76:31223
>> 04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>> 04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>> 04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>> 04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 180.153.198.190:25521
>> 04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>> 04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>> 04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>> 04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 180.153.198.219:50214
>> 04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>> 04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>> 
>> Yours sincerely,
>> 
>> Teo En Ming
> 
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140414/520b0bb2/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2322 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140414/520b0bb2/attachment.bin>


More information about the Snort-users mailing list