Somebody on the Internet is asking me to respond to SSL heartbeat messages
Possible malicious relay using the Heartbleed exploit. Or a false positive ID flag. Or a user with no Heartbleed patch installed. I am a non-exit relay.
Log from the built-in IDS (Norton):
23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 57244",,
23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 57244",,
23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 52269",,
23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 52269",,
23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 53919",,
23/5/2014 06:00:00 am,Info,Intrusion Prevention Signature Auto Block has blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, ,,No
23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 53919",,
23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 48941",,
23/5/2014 05:00:01 am,Info,Intrusion Prevention Signature Auto Block has blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, ,,No
23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 48941",,
23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 43936",,
23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 43936",,
23/5/2014 03:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 38913"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 38913",,
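
An added example, not part of the original report and not Tor or Norton code: it parses exported rows like those above, collapses the two signature entries logged per connection, and measures the spacing between blocked attempts from each source. The column positions are inferred from the rows in this report, and the names `attempts_by_source` and `cadence` are hypothetical.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Rows copied from the log in this report (destination already redacted there).
SAMPLE_LOG = '''\
23/5/2014 05:59:57 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 57244"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 57244",,
23/5/2014 04:59:59 pm,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 52269"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 52269",,
23/5/2014 06:00:00 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 53919"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 53919",,
23/5/2014 05:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 48941"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 48941",,
23/5/2014 05:00:01 am,Info,Intrusion Prevention Signature Auto Block has blocked IP: 109.201.138.201 for a period of: 30 minutes,Detected, ,,No
23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 43936",,
23/5/2014 04:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160 3, , ,"109.201.138.201, 43936"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 43936",,
23/5/2014 03:00:01 am,High,An intrusion attempt by 109.201.138.201 was blocked.,Blocked, ,Attack: OpenSSL Heartbleed CVE-2014-0160, , ,"109.201.138.201, 38913"," (xxx.xxx.xxx.xxx, 443)",109.201.138.201,"TCP, Port 38913",,
'''

def attempts_by_source(log_text, signature="Heartbleed"):
    """Return {source_ip: sorted timestamps}, one timestamp per blocked connection."""
    seen = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        # Skip "Info" auto-block notices and rows without a source column.
        if len(row) < 9 or row[1] != "High" or signature not in row[5]:
            continue
        ip, port = (part.strip() for part in row[8].split(","))
        when = datetime.strptime(row[0], "%d/%m/%Y %I:%M:%S %p")
        # Each connection is logged twice (base signature and the "... 3"
        # variant), so de-duplicate on (time, source port).
        seen[ip].add((when, port))
    return {ip: sorted(t for t, _ in hits) for ip, hits in seen.items()}

def cadence(timestamps, period=3600, tolerance=5):
    """Return (gaps in seconds, number of gaps within tolerance of a multiple of period)."""
    gaps = [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]
    def periodic(gap):
        off = gap % period
        return gap >= period - tolerance and min(off, period - off) <= tolerance
    return gaps, sum(periodic(g) for g in gaps)

if __name__ == "__main__":
    for ip, stamps in attempts_by_source(SAMPLE_LOG).items():
        gaps, regular = cadence(stamps)
        print(f"{ip}: {len(stamps)} connections, gaps={gaps}, {regular}/{len(gaps)} on an hourly grid")
```

On these rows every gap is a whole number of hours to within a few seconds, which is consistent with a timed, automated probe of port 443.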