Snort mailing list archives
Re: Suspicious hacker activity detected?
From: Arvid Van Essche <arvid () vanessche be>
Date: Mon, 14 Apr 2014 18:28:34 +0200
Hi Teo, Just a guess as you are using rpm files. If you are using RedHat or a compatible OS like CentOS/Fedora. The epel repository has a fixed package for the 1.0.1e to be backwards compatible The heartbleed bug fixed starting from: openssl-1.0.1e-16.el6_5.7.x86_64 Don't forget to restart EVERY service that is using openssl to load the latest version. If possible scheduling a full security maintenance reboot is best to be sure you don't miss a service like some VPN software. In most cases management will approve it when you explain the consequences of Heartbleed. Have fun fixing! Best regards Arvid Van Essche Op 14-apr.-2014 18:04 schreef "Teo En Ming" <teo.en.ming () gmail com>:
I think downloading OpenSSL 1.0.1g, compiling and installing it will break OpenSSH. I prefer to install by RPM. Regards, Teo En Ming On Mon, Apr 14, 2014 at 11:45 PM, Nicholas Mavis (nmavis) < nmavis () cisco com> wrote:You can download OpenSSL 1.0.1g and compile it. Nick From: Teo En Ming <teo.en.ming () gmail com> Date: Monday, April 14, 2014 at 11:40 AM To: nmavis <nmavis () cisco com> Cc: Snort Users <snort-users () lists sourceforge net>, Teo En Ming < teo.en.ming () gmail com> Subject: Re: [Snort-users] Suspicious hacker activity detected? Dear Nicholas Mavis, I have patched openssl on Centos 6.5 x86_64. However, I cannot patch openssl on my RHEL 7 Beta because I don't have a Red Hat Network subscription. What do you think can be done? Thank you. Regards, Teo En Ming On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) < nmavis () cisco com> wrote:Yes, this is a sign and it also looks like you are vulnerable. Nick From: Teo En Ming <teo.en.ming () gmail com> Date: Monday, April 14, 2014 at 11:06 AM To: Snort Users <snort-users () lists sourceforge net> Subject: [Snort-users] Suspicious hacker activity detected? Hi, My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below. [root@localhost snort]# grep heartbeat snort.fast | grep -v 161.69.31.4 04/14-04:34:45.168194 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 185.35.61.19:41201 04/14-09:31:58.763823 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993 04/14-09:31:58.764609 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 183.60.243.189:46524 04/14-09:31:59.025988 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993 04/14-09:36:47.578766 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995 04/14-09:36:47.579841 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 183.60.244.46:55346 04/14-09:36:47.775693 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995 04/14-09:36:47.775693 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995 04/14-10:13:25.031989 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443 04/14-10:13:25.032841 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 101.226.19.76:31223 04/14-10:13:25.262897 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443 04/14-10:13:25.262897 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443 04/14-11:51:26.034725 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993 04/14-11:51:26.035167 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 180.153.198.190:25521 04/14-11:51:26.232356 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993 04/14-11:51:26.232356 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993 04/14-12:01:46.374268 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995 04/14-12:01:46.375062 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 180.153.198.219:50214 04/14-12:01:46.597640 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995 04/14-12:01:46.597640 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995 Yours sincerely, Teo En Ming------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/NeoTech
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Nicholas Mavis (nmavis) (Apr 14)
- Re: Suspicious hacker activity detected? Michael Brown (Apr 14)
- Re: Suspicious hacker activity detected? Y M (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Michael Brown (Apr 14)
- Re: Suspicious hacker activity detected? Michael Brown (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Nicholas Mavis (nmavis) (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Arvid Van Essche (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 14)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 15)
- Re: Suspicious hacker activity detected? Joel Esler (jesler) (Apr 15)
- Re: Suspicious hacker activity detected? Sandeep Singh (Apr 15)
- Re: Suspicious hacker activity detected? Teo En Ming (Apr 16)
- Re: Suspicious hacker activity detected? Bill Bernsen (Apr 16)
- Re: Suspicious hacker activity detected? Nicholas Mavis (nmavis) (Apr 14)
- Re: Suspicious hacker activity detected? Joel Esler (jesler) (Apr 14)