[Snort-users] Suspicious hacker activity detected?

Bill Bernsen bill.bernsen at ...6823...
Wed Apr 16 10:20:23 EDT 2014


Hi Teo,

I appreciate the enthusiasm for intrusion detection but your constant
emails are becoming a burden on my inbox.  Nearly everyone running Snort in
the last week has been seeing Heartbleed attacks, we don't need to be
updated every time you're probed.

Cheers,

Bill


On Wed, Apr 16, 2014 at 9:52 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:

> Further probes by hackers against my HTTPS, POP3S and IMAPS ports for the
> OpenSSL heartbleed vulnerability.
>
> Here are the snort alerts:
>
> 04/16-05:04:15.741415  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
> 04/16-05:04:15.986131  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
> 04/16-06:02:24.878593  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 183.60.243.189:57351 -> 192.168.1.147:995
> 04/16-06:02:25.101482  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 183.60.243.189:57351 -> 192.168.1.147:995
> 04/16-06:27:33.667818  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 180.153.198.178:30647 -> 192.168.1.146:443
> 04/16-06:27:33.937606  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 180.153.198.178:30647 -> 192.168.1.146:443
> 04/16-08:11:18.960286  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 180.153.195.19:45514 -> 192.168.1.147:993
> 04/16-08:11:19.227768  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 180.153.195.19:45514 -> 192.168.1.147:993
> 04/16-08:30:13.406971  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 182.118.48.188:49662 -> 192.168.1.147:995
> 04/16-08:30:13.576376  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
> heartbeat read overrun attempt [**] [Classification: Attempted Information
> Leak] [Priority: 2] {TCP} 182.118.48.188:49662 -> 192.168.1.147:995
>
> Teo En Ming
>
>
>
> On Wed, Apr 16, 2014 at 1:16 AM, Sandeep Singh <ctrlaltdelngone at ...11827...>wrote:
>
>> The kind of traffic you are observing will continue to be there for a
>> while. If you have your servers patched then the best thing would be to
>> identify the IP ranges that are making noise and block them on your
>> Firewall as I have seen these IP ranges generating inbound traffic towards
>> several other networks as well.
>>
>> Thanks
>>
>>
>>
>>
>>
>> On Tue, Apr 15, 2014 at 9:26 PM, Joel Esler (jesler) <jesler at ...589...>wrote:
>>
>>>  yes, and it will continue for a long time.
>>>
>>>  On Apr 15, 2014, at 11:06 AM, Teo En Ming <teo.en.ming at ...11827...>
>>> wrote:
>>>
>>>   Hackers continue to probe my HTTPS, POP3S, and IMAPS ports for the
>>> heartbleed vulnerability after I have patched openssl in CentOS 6.5 and
>>> RHEL 7 Beta.
>>>
>>>  Here are the Snort alerts:04/15-05:04:23.266586  [**] [1:30524:1]
>>> SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**]
>>> [Classification: Attempted Information Leak] [Priority: 2] {TCP}
>>> 183.60.243.188:52169 -> 192.168.1.147:993
>>> 04/15-05:04:23.510253  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.243.188:52169 -> 192.168.1.147:993
>>> 04/15-06:02:28.430789  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.243.189:58534 -> 192.168.1.147:995
>>> 04/15-06:02:28.652725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.243.189:58534 -> 192.168.1.147:995
>>> 04/15-07:05:21.194097  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 101.226.17.243:36498 -> 192.168.1.146:443
>>> 04/15-07:05:21.452853  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 101.226.17.243:36498 -> 192.168.1.146:443
>>> 04/15-08:38:08.402528  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.208:24518 -> 192.168.1.147:993
>>> 04/15-08:38:08.647470  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.208:24518 -> 192.168.1.147:993
>>> 04/15-08:48:29.737142  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.195.140:29860 -> 192.168.1.147:995
>>> 04/15-08:48:29.961892  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.195.140:29860 -> 192.168.1.147:995
>>>
>>>  Regards,
>>>
>>>  Teo En Ming
>>>
>>>  <http://seclists.org/nmap-dev/2014/q2/83>
>>>
>>>
>>> On Tue, Apr 15, 2014 at 3:10 AM, Teo En Ming <teo.en.ming at ...11827...>wrote:
>>>
>>>>  I have patched openssl on RHEL 7 Beta and rebooted.
>>>>
>>>>  Teo En Ming
>>>>
>>>>
>>>> On Tue, Apr 15, 2014 at 12:03 AM, Teo En Ming <teo.en.ming at ...11827...>wrote:
>>>>
>>>>>  I think downloading OpenSSL 1.0.1g, compiling and installing it will
>>>>> break OpenSSH. I prefer to install by RPM.
>>>>>
>>>>>  Regards,
>>>>>
>>>>>  Teo En Ming
>>>>>
>>>>>
>>>>> On Mon, Apr 14, 2014 at 11:45 PM, Nicholas Mavis (nmavis) <
>>>>> nmavis at ...589...> wrote:
>>>>>
>>>>>>  You can download OpenSSL 1.0.1g and compile it.
>>>>>>
>>>>>>  Nick
>>>>>>
>>>>>>   From: Teo En Ming <teo.en.ming at ...11827...>
>>>>>>  Date: Monday, April 14, 2014 at 11:40 AM
>>>>>> To: nmavis <nmavis at ...589...>
>>>>>> Cc: Snort Users <snort-users at lists.sourceforge.net>, Teo En Ming <
>>>>>> teo.en.ming at ...11827...>
>>>>>> Subject: Re: [Snort-users] Suspicious hacker activity detected?
>>>>>>
>>>>>>
>>>>>>  Dear Nicholas Mavis,
>>>>>>
>>>>>> I have patched openssl on Centos 6.5 x86_64. However, I cannot patch
>>>>>> openssl on my RHEL 7 Beta because I don't have a Red Hat Network
>>>>>> subscription. What do you think can be done?
>>>>>>
>>>>>>  Thank you.
>>>>>>
>>>>>>  Regards,
>>>>>>
>>>>>> Teo En Ming
>>>>>>
>>>>>>
>>>>>> On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <
>>>>>> nmavis at ...589...> wrote:
>>>>>>
>>>>>>>  Yes, this is a sign and it also looks like you are vulnerable.
>>>>>>>
>>>>>>>  Nick
>>>>>>>
>>>>>>>   From: Teo En Ming <teo.en.ming at ...11827...>
>>>>>>> Date: Monday, April 14, 2014 at 11:06 AM
>>>>>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>>>>>> Subject: [Snort-users] Suspicious hacker activity detected?
>>>>>>>
>>>>>>>    Hi,
>>>>>>>
>>>>>>>  My HTTPS web server, POP3S and IMAPS ports were probed for the
>>>>>>> OpenSSL heartbleed vulnerability without my knowledge and authorization. Is
>>>>>>> it a sign of hacker activity? Please look at the Snort alerts below.
>>>>>>>
>>>>>>> [root at ...274... snort]# grep heartbeat snort.fast | grep -v
>>>>>>> 161.69.31.4
>>>>>>> 04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443->
>>>>>>> 185.35.61.19:41201
>>>>>>> 04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>>>>>>> 04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993->
>>>>>>> 183.60.243.189:46524
>>>>>>> 04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>>>>>>> 04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>>>>>> 04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995->
>>>>>>> 183.60.244.46:55346
>>>>>>> 04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>>>>>> 04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>>>>>> 04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>>>>>> 04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443->
>>>>>>> 101.226.19.76:31223
>>>>>>> 04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>>>>>> 04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>>>>>> 04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>>>>>> 04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993->
>>>>>>> 180.153.198.190:25521
>>>>>>> 04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>>>>>> 04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>>>>>> 04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>>>>> 04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>>>>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>>>>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995->
>>>>>>> 180.153.198.219:50214
>>>>>>> 04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>>>>> 04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>>>>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>>>>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>>>>>
>>>>>>>  Yours sincerely,
>>>>>>>
>>>>>>>  Teo En Ming
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>>
>>> http://p.sf.net/sfu/NeoTech_______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>> http://p.sf.net/sfu/NeoTech
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Bill Bernsen                                                    Network
Security Analyst
 ITS Technology Security Services, New York University
http://www.nyu.edu/its/security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140416/f2f1abe7/attachment.html>


More information about the Snort-users mailing list