[Snort-users] Suspicious hacker activity detected?

Joel Esler (jesler) jesler at ...589...
Tue Apr 15 11:56:43 EDT 2014


yes, and it will continue for a long time.

On Apr 15, 2014, at 11:06 AM, Teo En Ming <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>> wrote:

Hackers continue to probe my HTTPS, POP3S, and IMAPS ports for the heartbleed vulnerability after I have patched openssl in CentOS 6.5 and RHEL 7 Beta.

Here are the Snort alerts:04/15-05:04:23.266586  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.188:52169<http://183.60.243.188:52169/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/15-05:04:23.510253  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.188:52169<http://183.60.243.188:52169/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/15-06:02:28.430789  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:58534<http://183.60.243.189:58534/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/15-06:02:28.652725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:58534<http://183.60.243.189:58534/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/15-07:05:21.194097  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.17.243:36498<http://101.226.17.243:36498/> -> 192.168.1.146:443<http://192.168.1.146:443/>
04/15-07:05:21.452853  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.17.243:36498<http://101.226.17.243:36498/> -> 192.168.1.146:443<http://192.168.1.146:443/>
04/15-08:38:08.402528  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.208:24518<http://180.153.198.208:24518/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/15-08:38:08.647470  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.208:24518<http://180.153.198.208:24518/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/15-08:48:29.737142  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.195.140:29860<http://180.153.195.140:29860/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/15-08:48:29.961892  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.195.140:29860<http://180.153.195.140:29860/> -> 192.168.1.147:995<http://192.168.1.147:995/>

Regards,

Teo En Ming

<http://seclists.org/nmap-dev/2014/q2/83>


On Tue, Apr 15, 2014 at 3:10 AM, Teo En Ming <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>> wrote:
I have patched openssl on RHEL 7 Beta and rebooted.

Teo En Ming


On Tue, Apr 15, 2014 at 12:03 AM, Teo En Ming <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>> wrote:
I think downloading OpenSSL 1.0.1g, compiling and installing it will break OpenSSH. I prefer to install by RPM.

Regards,

Teo En Ming


On Mon, Apr 14, 2014 at 11:45 PM, Nicholas Mavis (nmavis) <nmavis at ...589...<mailto:nmavis at ...589...>> wrote:
You can download OpenSSL 1.0.1g and compile it.

Nick

From: Teo En Ming <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>>
Date: Monday, April 14, 2014 at 11:40 AM
To: nmavis <nmavis at ...589...<mailto:nmavis at ...589...>>
Cc: Snort Users <snort-users at lists.sourceforge.net<mailto:snort-users at ...7287....sourceforge.net>>, Teo En Ming <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>>
Subject: Re: [Snort-users] Suspicious hacker activity detected?


Dear Nicholas Mavis,

I have patched openssl on Centos 6.5 x86_64. However, I cannot patch openssl on my RHEL 7 Beta because I don't have a Red Hat Network subscription. What do you think can be done?

Thank you.

Regards,

Teo En Ming


On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <nmavis at ...589...<mailto:nmavis at ...589...>> wrote:
Yes, this is a sign and it also looks like you are vulnerable.

Nick

From: Teo En Ming <teo.en.ming at ...11827...<mailto:teo.en.ming at ...11827...>>
Date: Monday, April 14, 2014 at 11:06 AM
To: Snort Users <snort-users at lists.sourceforge.net<mailto:snort-users at ...7287....sourceforge.net>>
Subject: [Snort-users] Suspicious hacker activity detected?

Hi,

My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below.

[root at ...274... snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443<http://192.168.1.146:443/> -> 185.35.61.19:41201<http://185.35.61.19:41201/>
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524<http://183.60.243.189:46524/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993<http://192.168.1.147:993/> -> 183.60.243.189:46524<http://183.60.243.189:46524/>
04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524<http://183.60.243.189:46524/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346<http://183.60.244.46:55346/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995<http://192.168.1.147:995/> -> 183.60.244.46:55346<http://183.60.244.46:55346/>
04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346<http://183.60.244.46:55346/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346<http://183.60.244.46:55346/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223<http://101.226.19.76:31223/> -> 192.168.1.146:443<http://192.168.1.146:443/>
04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443<http://192.168.1.146:443/> -> 101.226.19.76:31223<http://101.226.19.76:31223/>
04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223<http://101.226.19.76:31223/> -> 192.168.1.146:443<http://192.168.1.146:443/>
04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223<http://101.226.19.76:31223/> -> 192.168.1.146:443<http://192.168.1.146:443/>
04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521<http://180.153.198.190:25521/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993<http://192.168.1.147:993/> -> 180.153.198.190:25521<http://180.153.198.190:25521/>
04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521<http://180.153.198.190:25521/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521<http://180.153.198.190:25521/> -> 192.168.1.147:993<http://192.168.1.147:993/>
04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214<http://180.153.198.219:50214/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995<http://192.168.1.147:995/> -> 180.153.198.219:50214<http://180.153.198.219:50214/>
04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214<http://180.153.198.219:50214/> -> 192.168.1.147:995<http://192.168.1.147:995/>
04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214<http://180.153.198.219:50214/> -> 192.168.1.147:995<http://192.168.1.147:995/>

Yours sincerely,

Teo En Ming




------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140415/63875f96/attachment.html>


More information about the Snort-users mailing list