Re: Suspicious hacker activity detected?

["Joel Esler (jesler)" <jesler () cisco com>]

Sounds like a question for Red Hat support.

--
Joel Esler
Sent from my iPhone

> On Apr 14, 2014, at 11:41, "Teo En Ming" <teo.en.ming () gmail com> wrote:
>
>
> Dear Nicholas Mavis,
>
> I have patched openssl on Centos 6.5 x86_64. However, I cannot patch openssl on my RHEL 7 Beta because I don't have a 
> Red Hat Network subscription. What do you think can be done?
>
> Thank you.
>
> Regards,
>
> Teo En Ming
>
>
> > On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:
> > Yes, this is a sign and it also looks like you are vulnerable.
> >
> > Nick
> >
> > From: Teo En Ming <teo.en.ming () gmail com>
> > Date: Monday, April 14, 2014 at 11:06 AM
> > To: Snort Users <snort-users () lists sourceforge net>
> > Subject: [Snort-users] Suspicious hacker activity detected?
> >
> > Hi,
> >
> > My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge 
> > and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below.
> >
> > [root@localhost snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
> > 04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed 
> > attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 185.35.61.19:41201
> > 04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
> > 04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed 
> > attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 
> > 183.60.243.189:46524
> > 04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
> > 04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
> > 04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed 
> > attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 
> > 183.60.244.46:55346
> > 04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
> > 04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
> > 04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
> > 04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed 
> > attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 
> > 101.226.19.76:31223
> > 04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
> > 04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
> > 04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
> > 04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed 
> > attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 -> 
> > 180.153.198.190:25521
> > 04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
> > 04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
> > 04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
> > 04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed 
> > attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 -> 
> > 180.153.198.219:50214
> > 04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
> > 04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
> > [Classification: Attempted Information Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
> >
> > Yours sincerely,
> >
> > Teo En Ming
>
> ------------------------------------------------------------------------------
> Learn Graph Databases - Download FREE O'Reilly Book
> "Graph Databases" is the definitive new guide to graph databases and their
> applications. Written by three acclaimed leaders in the field,
> this first edition is now available. Download your free book today!
> http://p.sf.net/sfu/NeoTech
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

Attachment: smime.p7s
Description:

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!