Suspicious hacker activity detected?

[Teo En Ming <teo.en.ming () gmail com>]

Hi,

My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL
heartbleed vulnerability without my knowledge and authorization. Is it a
sign of hacker activity? Please look at the Snort alerts below.

[root@localhost snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
185.35.61.19:41201
04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
183.60.243.189:46524
04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
183.60.244.46:55346
04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
101.226.19.76:31223
04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
180.153.198.190:25521
04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
heartbeat response - possible ssl heartbleed attempt [**] [Classification:
Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
180.153.198.219:50214
04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt [**] [Classification: Attempted Information
Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995

Yours sincerely,

Teo En Ming

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!