Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Suspicious hacker activity detected?

From: Teo En Ming <teo.en.ming () gmail com>
Date: Wed, 16 Apr 2014 21:52:16 +0800
Further probes by hackers against my HTTPS, POP3S and IMAPS ports for the
OpenSSL heartbleed vulnerability.

Here are the snort alerts:

04/16-05:04:15.741415  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
04/16-05:04:15.986131  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.37:58553 -> 192.168.1.147:993
04/16-06:02:24.878593  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:57351 -> 192.168.1.147:995
04/16-06:02:25.101482  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:57351 -> 192.168.1.147:995
04/16-06:27:33.667818  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.178:30647 -> 192.168.1.146:443
04/16-06:27:33.937606  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.178:30647 -> 192.168.1.146:443
04/16-08:11:18.960286  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.195.19:45514 -> 192.168.1.147:993
04/16-08:11:19.227768  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.195.19:45514 -> 192.168.1.147:993
04/16-08:30:13.406971  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 182.118.48.188:49662 -> 192.168.1.147:995
04/16-08:30:13.576376  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 182.118.48.188:49662 -> 192.168.1.147:995

Teo En Ming



On Wed, Apr 16, 2014 at 1:16 AM, Sandeep Singh <ctrlaltdelngone () gmail com>wrote:


The kind of traffic you are observing will continue to be there for a
while. If you have your servers patched then the best thing would be to
identify the IP ranges that are making noise and block them on your
Firewall as I have seen these IP ranges generating inbound traffic towards
several other networks as well.

Thanks





On Tue, Apr 15, 2014 at 9:26 PM, Joel Esler (jesler) <jesler () cisco com>wrote:


 yes, and it will continue for a long time.

 On Apr 15, 2014, at 11:06 AM, Teo En Ming <teo.en.ming () gmail com> wrote:

  Hackers continue to probe my HTTPS, POP3S, and IMAPS ports for the
heartbleed vulnerability after I have patched openssl in CentOS 6.5 and
RHEL 7 Beta.

 Here are the Snort alerts:04/15-05:04:23.266586  [**] [1:30524:1]
SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**]
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
183.60.243.188:52169 -> 192.168.1.147:993
04/15-05:04:23.510253  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.188:52169 -> 192.168.1.147:993
04/15-06:02:28.430789  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:58534 -> 192.168.1.147:995
04/15-06:02:28.652725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:58534 -> 192.168.1.147:995
04/15-07:05:21.194097  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.17.243:36498 -> 192.168.1.146:443
04/15-07:05:21.452853  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.17.243:36498 -> 192.168.1.146:443
04/15-08:38:08.402528  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.208:24518 -> 192.168.1.147:993
04/15-08:38:08.647470  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.208:24518 -> 192.168.1.147:993
04/15-08:48:29.737142  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.195.140:29860 -> 192.168.1.147:995
04/15-08:48:29.961892  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.195.140:29860 -> 192.168.1.147:995

 Regards,

 Teo En Ming

 <http://seclists.org/nmap-dev/2014/q2/83>


On Tue, Apr 15, 2014 at 3:10 AM, Teo En Ming <teo.en.ming () gmail com>wrote:


 I have patched openssl on RHEL 7 Beta and rebooted.

 Teo En Ming


On Tue, Apr 15, 2014 at 12:03 AM, Teo En Ming <teo.en.ming () gmail com>wrote:


 I think downloading OpenSSL 1.0.1g, compiling and installing it will
break OpenSSH. I prefer to install by RPM.

 Regards,

 Teo En Ming


On Mon, Apr 14, 2014 at 11:45 PM, Nicholas Mavis (nmavis) <
nmavis () cisco com> wrote:


 You can download OpenSSL 1.0.1g and compile it.

 Nick

  From: Teo En Ming <teo.en.ming () gmail com>
 Date: Monday, April 14, 2014 at 11:40 AM
To: nmavis <nmavis () cisco com>
Cc: Snort Users <snort-users () lists sourceforge net>, Teo En Ming <
teo.en.ming () gmail com>
Subject: Re: [Snort-users] Suspicious hacker activity detected?


 Dear Nicholas Mavis,

I have patched openssl on Centos 6.5 x86_64. However, I cannot patch
openssl on my RHEL 7 Beta because I don't have a Red Hat Network
subscription. What do you think can be done?

 Thank you.

 Regards,

Teo En Ming


On Mon, Apr 14, 2014 at 11:13 PM, Nicholas Mavis (nmavis) <
nmavis () cisco com> wrote:


 Yes, this is a sign and it also looks like you are vulnerable.

 Nick

  From: Teo En Ming <teo.en.ming () gmail com>
Date: Monday, April 14, 2014 at 11:06 AM
To: Snort Users <snort-users () lists sourceforge net>
Subject: [Snort-users] Suspicious hacker activity detected?

   Hi,

 My HTTPS web server, POP3S and IMAPS ports were probed for the
OpenSSL heartbleed vulnerability without my knowledge and authorization. Is
it a sign of hacker activity? Please look at the Snort alerts below.

[root@localhost snort]# grep heartbeat snort.fast | grep -v
161.69.31.4
04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
185.35.61.19:41201
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
183.60.243.189:46524
04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
183.60.244.46:55346
04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
101.226.19.76:31223
04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
180.153.198.190:25521
04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
180.153.198.219:50214
04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995

 Yours sincerely,

 Teo En Ming









------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!





------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: