[Snort-users] Suspicious hacker activity detected?

Teo En Ming teo.en.ming at ...11827...
Wed Apr 16 09:52:16 EDT 2014


Further probes by hackers against my HTTPS, POP3S and IMAPS ports for the
OpenSSL heartbleed vulnerability.

Here are the snort alerts:

04/16-05:04:15.741415  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
04/16-05:04:15.986131  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
04/16-06:02:24.878593  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:57351 -> 192.168.1.147:995
04/16-06:02:25.101482  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:57351 -> 192.168.1.147:995
04/16-06:27:33.667818  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.178:30647 -> 192.168.1.146:443
04/16-06:27:33.937606  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.178:30647 -> 192.168.1.146:443
04/16-08:11:18.960286  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.195.19:45514 -> 192.168.1.147:993
04/16-08:11:19.227768  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.195.19:45514 -> 192.168.1.147:993
04/16-08:30:13.406971  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 182.118.48.188:49662 -> 192.168.1.147:995
04/16-08:30:13.576376  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 182.118.48.188:49662 -> 192.168.1.147:995

Teo En Ming
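The distinction the thread turns on is between the inbound 30524/30512 "heartbeat read overrun attempt" alerts (a malformed heartbeat request arriving at the server, present before and after patching) and the outbound 30516 "large heartbeat response" alert (the server actually answering with an oversized heartbeat, seen only in the 04/14 logs). The script below is an added example, not part of the thread or of Snort itself: it parses snort.fast lines (copied from the alerts in this thread) and pairs each inbound attempt with any oversized response on the same client flow, so a defender can separate "being scanned" from "likely leaked memory". The signature IDs are the ones that appear in the alerts above; the verdict strings are this example's own.

```python
import re
from collections import defaultdict

# Four snort.fast lines copied from this thread: a probe that drew an oversized
# response on 04/14, and two post-patch probes on 04/16 that drew none.
SAMPLE = """\
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 183.60.243.189:46524
04/16-05:04:15.741415  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
04/16-05:04:15.986131  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
"""

# One alert in Snort's "fast" output format: timestamp, [gid:sid:rev], message,
# classification/priority, protocol, then src:port -> dst:port.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

PROBE_SIDS = {30524, 30512}   # malformed heartbeat request, client -> server
RESPONSE_SID = 30516          # oversized heartbeat response, server -> client

def parse_fast(text):
    """Yield one dict per parseable fast-format line; skip anything else."""
    for line in text.splitlines():
        m = FAST_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def triage(text):
    """Return {(client_ip, client_port, server_ip, server_port): verdict}.

    A flow is keyed from the client's side, so the outbound 30516 alert
    (whose src is the server) is swapped to line up with the inbound probe.
    """
    seen = defaultdict(set)
    for a in parse_fast(text):
        if a["sid"] in PROBE_SIDS:
            key = (a["src"], a["sport"], a["dst"], a["dport"])
        elif a["sid"] == RESPONSE_SID:
            key = (a["dst"], a["dport"], a["src"], a["sport"])
        else:
            continue
        seen[key].add(a["sid"])
    return {k: ("leak likely: server returned an oversized heartbeat"
                if RESPONSE_SID in s else "probe only: no oversized response seen")
            for k, s in seen.items()}

if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {verdict}")
```

Run it against a real snort.fast (for example the output of the `grep heartbeat snort.fast` shown later in the thread) to list which remote hosts got an answer and which were only knocking.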



On Wed, Apr 16, 2014 at 1:16 AM, Sandeep Singh <ctrlaltdelngone at ...11827...> wrote:

> The kind of traffic you are observing will continue to be there for a
> while. If you have your servers patched then the best thing would be to
> identify the IP ranges that are making noise and block them on your
> Firewall as I have seen these IP ranges generating inbound traffic towards
> several other networks as well.
>
> Thanks
>
>
>
>
>
> On Tue, Apr 15, 2014 at 9:26 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
>
>>  yes, and it will continue for a long time.
>>
>>  On Apr 15, 2014, at 11:06 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:
>>
>>   Hackers continue to probe my HTTPS, POP3S, and IMAPS ports for the
>> heartbleed vulnerability after I have patched openssl in CentOS 6.5 and
>> RHEL 7 Beta.
>>
>>  Here are the Snort alerts:
>> 04/15-05:04:23.266586  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 183.60.243.188:52169 -> 192.168.1.147:993
>> 04/15-05:04:23.510253  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 183.60.243.188:52169 -> 192.168.1.147:993
>> 04/15-06:02:28.430789  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 183.60.243.189:58534 -> 192.168.1.147:995
>> 04/15-06:02:28.652725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 183.60.243.189:58534 -> 192.168.1.147:995
>> 04/15-07:05:21.194097  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 101.226.17.243:36498 -> 192.168.1.146:443
>> 04/15-07:05:21.452853  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 101.226.17.243:36498 -> 192.168.1.146:443
>> 04/15-08:38:08.402528  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 180.153.198.208:24518 -> 192.168.1.147:993
>> 04/15-08:38:08.647470  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 180.153.198.208:24518 -> 192.168.1.147:993
>> 04/15-08:48:29.737142  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 180.153.195.140:29860 -> 192.168.1.147:995
>> 04/15-08:48:29.961892  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>> Leak] [Priority: 2] {TCP} 180.153.195.140:29860 -> 192.168.1.147:995
>>
>>  Regards,
>>
>>  Teo En Ming
>>
>>  <http://seclists.org/nmap-dev/2014/q2/83>
>>
>>
>> On Tue, Apr 15, 2014 at 3:10 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:
>>
>>>  I have patched openssl on RHEL 7 Beta and rebooted.
>>>
>>>  Teo En Ming
>>>
>>>
>>> On Tue, Apr 15, 2014 at 12:03 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:
>>>
>>>>  I think downloading OpenSSL 1.0.1g, compiling and installing it will
>>>> break OpenSSH. I prefer to install by RPM.
>>>>
>>>>  Regards,
>>>>
>>>>  Teo En Ming
>>>>
>>>>
>>>> On Mon, Apr 14, 2014 at 11:45 PM, Nicholas Mavis (nmavis) <
>>>> nmavis at ...589...> wrote:
>>>>
>>>>>  You can download OpenSSL 1.0.1g and compile it.
>>>>>
>>>>>  Nick
>>>>>
>>>>>   From: Teo En Ming <teo.en.ming at ...11827...>
>>>>>  Date: Monday, April 14, 2014 at 11:40 AM
>>>>> To: nmavis <nmavis at ...589...>
>>>>> Cc: Snort Users <snort-users at lists.sourceforge.net>, Teo En Ming <
>>>>> teo.en.ming at ...11827...>
>>>>> Subject: Re: [Snort-users] Suspicious hacker activity detected?
>>>>>
>>>>>
>>>>>  Dear Nicholas Mavis,
>>>>>
>>>>> I have patched openssl on Centos 6.5 x86_64. However, I cannot patch
>>>>> openssl on my RHEL 7 Beta because I don't have a Red Hat Network
>>>>> subscription. What do you think can be done?
>>>>>
>>>>>  Thank you.
>>>>>
>>>>>  Regards,
>>>>>
>>>>> Teo En Ming
>>>>>
>>>>>
>>>>> On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <
>>>>> nmavis at ...589...> wrote:
>>>>>
>>>>>>  Yes, this is a sign and it also looks like you are vulnerable.
>>>>>>
>>>>>>  Nick
>>>>>>
>>>>>>   From: Teo En Ming <teo.en.ming at ...11827...>
>>>>>> Date: Monday, April 14, 2014 at 11:06 AM
>>>>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>>>>> Subject: [Snort-users] Suspicious hacker activity detected?
>>>>>>
>>>>>>    Hi,
>>>>>>
>>>>>>  My HTTPS web server, POP3S and IMAPS ports were probed for the
>>>>>> OpenSSL heartbleed vulnerability without my knowledge and authorization. Is
>>>>>> it a sign of hacker activity? Please look at the Snort alerts below.
>>>>>>
>>>>>> [root at ...274... snort]# grep heartbeat snort.fast | grep -v
>>>>>> 161.69.31.4
>>>>>> 04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
>>>>>> 185.35.61.19:41201
>>>>>> 04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>>>>>> 04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
>>>>>> 183.60.243.189:46524
>>>>>> 04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>>>>>> 04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>>>>> 04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
>>>>>> 183.60.244.46:55346
>>>>>> 04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>>>>> 04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>>>>> 04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>>>>> 04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
>>>>>> 101.226.19.76:31223
>>>>>> 04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>>>>> 04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>>>>> 04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>>>>> 04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
>>>>>> 180.153.198.190:25521
>>>>>> 04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>>>>> 04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>>>>> 04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>>>> 04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
>>>>>> 180.153.198.219:50214
>>>>>> 04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>>>> 04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>>>>
>>>>>>  Yours sincerely,
>>>>>>
>>>>>>  Teo En Ming
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>> ------------------------------------------------------------------------------
>> Learn Graph Databases - Download FREE O'Reilly Book
>> "Graph Databases" is the definitive new guide to graph databases and their
>> applications. Written by three acclaimed leaders in the field,
>> this first edition is now available. Download your free book today!
>> http://p.sf.net/sfu/NeoTech
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest
>> Snort news!
>>
>>
>>
>>
>
>