Snort mailing list archives
Re: Suspicious hacker activity detected?
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Mon, 14 Apr 2014 15:13:22 +0000
Yes, this is a sign and it also looks like you are vulnerable. Nick From: Teo En Ming <teo.en.ming () gmail com<mailto:teo.en.ming () gmail com>> Date: Monday, April 14, 2014 at 11:06 AM To: Snort Users <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>> Subject: [Snort-users] Suspicious hacker activity detected? Hi, My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below. [root@localhost snort]# grep heartbeat snort.fast | grep -v 161.69.31.4 04/14-04:34:45.168194 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443<http://192.168.1.146:443> -> 185.35.61.19:41201<http://185.35.61.19:41201> 04/14-09:31:58.763823 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524<http://183.60.243.189:46524> -> 192.168.1.147:993<http://192.168.1.147:993> 04/14-09:31:58.764609 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993<http://192.168.1.147:993> -> 183.60.243.189:46524<http://183.60.243.189:46524> 04/14-09:31:59.025988 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524<http://183.60.243.189:46524> -> 192.168.1.147:993<http://192.168.1.147:993> 04/14-09:36:47.578766 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346<http://183.60.244.46:55346> -> 192.168.1.147:995<http://192.168.1.147:995> 04/14-09:36:47.579841 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995<http://192.168.1.147:995> -> 183.60.244.46:55346<http://183.60.244.46:55346> 04/14-09:36:47.775693 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346<http://183.60.244.46:55346> -> 192.168.1.147:995<http://192.168.1.147:995> 04/14-09:36:47.775693 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346<http://183.60.244.46:55346> -> 192.168.1.147:995<http://192.168.1.147:995> 04/14-10:13:25.031989 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223<http://101.226.19.76:31223> -> 192.168.1.146:443<http://192.168.1.146:443> 04/14-10:13:25.032841 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443<http://192.168.1.146:443> -> 101.226.19.76:31223<http://101.226.19.76:31223> 04/14-10:13:25.262897 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223<http://101.226.19.76:31223> -> 192.168.1.146:443<http://192.168.1.146:443> 04/14-10:13:25.262897 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223<http://101.226.19.76:31223> -> 192.168.1.146:443<http://192.168.1.146:443> 04/14-11:51:26.034725 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521<http://180.153.198.190:25521> -> 192.168.1.147:993<http://192.168.1.147:993> 04/14-11:51:26.035167 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993<http://192.168.1.147:993> -> 180.153.198.190:25521<http://180.153.198.190:25521> 04/14-11:51:26.232356 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521<http://180.153.198.190:25521> -> 192.168.1.147:993<http://192.168.1.147:993> 04/14-11:51:26.232356 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521<http://180.153.198.190:25521> -> 192.168.1.147:993<http://192.168.1.147:993> 04/14-12:01:46.374268 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214<http://180.153.198.219:50214> -> 192.168.1.147:995<http://192.168.1.147:995> 04/14-12:01:46.375062 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995<http://192.168.1.147:995> -> 180.153.198.219:50214<http://180.153.198.219:50214> 04/14-12:01:46.597640 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214<http://180.153.198.219:50214> -> 192.168.1.147:995<http://192.168.1.147:995> 04/14-12:01:46.597640 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214<http://180.153.198.219:50214> -> 192.168.1.147:995<http://192.168.1.147:995> Yours sincerely, Teo En Ming
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Nicholas Mavis (nmavis) (Apr 14)
- Re: Suspicious hacker activity detected? Michael Brown (Apr 14)
- Re: Suspicious hacker activity detected? Y M (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Michael Brown (Apr 14)
- Re: Suspicious hacker activity detected? Michael Brown (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Nicholas Mavis (nmavis) (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Arvid Van Essche (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 15)
- Re: Suspicious hacker activity detected? Nicholas Mavis (nmavis) (Apr 14)