Opened 4 years ago

Closed 4 years ago

#12109 closed defect (fixed)

somebody on the Internet is asking me to respond to ssl heartbeat messages

Reported by: cypherpunks Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor: 0.2.4.22
Severity: Keywords: Tor suspicious activity
Cc: inf0 Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Possible malicious relay using the heartbleed exploit. Or a false positive ID flag. Or a user with no heartbleed patch installed. I am a non-exit relay.

LOG from the IDS-built-in (Norton):

23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 57244"

23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 57244"

23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 52269"

23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 52269"

23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 53919"

23/5/2014 06:00:00 am,Info,Intrusion Prevention Signature Auto Block has blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, No

23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 53919"

23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 48941"

23/5/2014 05:00:01 am,Info,Intrusion Prevention Signature Auto Block has blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, No

23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 48941"

23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 43936"

23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 43936"

23/5/2014 03:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 38913"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 38913"

<etc>

Child Tickets

Change History (2)

comment:1 Changed 4 years ago by arma

Cc: inf0 added

This looks like the periodic scans that inf0 is running, that aim to help us track vulnerable relays. The whois record for that IP address looks like him at least.

So to paraphrase the ticket, "somebody on the Internet is asking me to respond to ssl heartbeat messages".

Ok to close?
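As an added triage example, not part of the ticket and not Tor project code: a small Python script that parses Norton export rows in the field layout shown in the description, groups the "High" alerts by source address and reports whether the probes from each source recur on a fixed schedule (the periodic-scanner pattern arma describes) or arrive as a burst. The rows, the 192.0.2.x sources and the 198.51.100.5 destination are constructed sample data; the 90-second tolerance and the 5-minute floor are assumptions of mine. It goes slightly beyond the ticket in that a missed probe (a gap that is a whole multiple of the period, like the afternoon gap in the quoted log) still counts as the same schedule.

```python
"""Triage a Norton IDS export: group alerts by source IP and decide whether
each source is a scheduled scanner (steady cadence) or a one-off burst."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta


def _row(ts, src, sport, sig):
    """Build one export row in the ticket's field layout (constructed sample data)."""
    return (f'{ts},High,An intrusion attempt by {src} was blocked.,Blocked, ,'
            f'Attack: {sig}, , ,"{src}, {sport}"," (198.51.100.5, 443)",'
            f'{src},"TCP, Port {sport}"')


HB = "OpenSSL Heartbleed CVE-2014-0160"

# Constructed sample: one source probing roughly hourly (two signatures fire per
# probe, as in the ticket) plus one source sending three probes within seconds.
_scanner_probes = [("23/5/2014 03:00:01 am", 38913), ("23/5/2014 04:00:01 am", 43936),
                   ("23/5/2014 05:00:01 am", 48941), ("23/5/2014 06:00:00 am", 53919),
                   ("23/5/2014 04:59:59 pm", 52269), ("23/5/2014 05:59:57 pm", 57244)]
_lines = []
for _ts, _port in _scanner_probes:
    _lines.append(_row(_ts, "192.0.2.10", _port, HB))
    _lines.append(_row(_ts, "192.0.2.10", _port, HB + " 3"))
_lines.append("23/5/2014 06:00:00 am,Info,Intrusion Prevention Signature Auto Block "
              "has blocked IP: 192.0.2.10 for a period of: 30 minutes,Detected, No")
for _ts, _port in [("23/5/2014 02:12:03 pm", 40001), ("23/5/2014 02:12:05 pm", 40002),
                   ("23/5/2014 02:12:09 pm", 40003)]:
    _lines.append(_row(_ts, "192.0.2.77", _port, HB))
SAMPLE_LOG = "\n".join(_lines)


def parse_alerts(text):
    """Return (timestamp, source_ip, signature) for each 'High' row; 'Info' rows are skipped."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 11 or row[1].strip() != "High":
            continue
        ts = datetime.strptime(row[0].strip(), "%d/%m/%Y %I:%M:%S %p")
        signature = row[5].strip().removeprefix("Attack: ")
        alerts.append((ts, row[10].strip(), signature))
    return alerts


def periodic_interval(times, tolerance=timedelta(seconds=90)):
    """Return the repeat interval in seconds when >= 3 distinct probe times sit on a
    steady schedule (gaps equal to the median gap or a whole multiple of it, so a
    missed probe does not break the pattern); None for a one-off or a burst."""
    if len(times) < 3:
        return None
    gaps = sorted(b - a for a, b in zip(times, times[1:]))
    median = gaps[len(gaps) // 2]
    if median < timedelta(minutes=5):      # assumption: sub-5-minute spacing is a burst
        return None
    for g in gaps:
        k = max(1, round(g / median))      # k periods long if probes were missed
        if abs(g - k * median) > tolerance:
            return None
    return int(median.total_seconds())


def triage(text):
    """Per source IP: alert count, distinct signatures, distinct probe times, cadence."""
    by_src = defaultdict(list)
    for ts, src, sig in parse_alerts(text):
        by_src[src].append((ts, sig))
    report = {}
    for src, items in by_src.items():
        times = sorted({ts for ts, _ in items})   # both signatures fire per probe: dedupe
        report[src] = {
            "alerts": len(items),
            "signatures": sorted({sig for _, sig in items}),
            "probes": len(times),
            "period_s": periodic_interval(times),
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        verdict = (f"scheduled scan every {info['period_s']} s" if info["period_s"]
                   else "burst / one-off")
        print(f"{src}: {info['alerts']} alerts, {info['probes']} probes, {verdict}")
```

A source that shows up once an hour on the hour with the same two Heartbleed signatures is the profile of a scan schedule; a source that fires several probes within seconds looks different, and the script reports the two cases differently so an operator can separate "someone is measuring relays" from "someone is hammering this relay" before deciding on a block.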

comment:2 Changed 4 years ago by cypherpunks

Keywords: suspicious added; bad removed
Resolution: fixed
Status: new → closed
Summary: malicious relay suspect → somebody on the Internet is asking me to respond to ssl heartbeat messages

Thanks for your response.
