
posted by janrinok on Friday April 11 2014, @10:57PM
from the have-they-been-watching-me? dept.

The EFF has called on admins to check any historical packet capture logs for evidence of Heartbleed attacks in 2013 and earlier. They examined reports from Ars Technica of people coming forward with logs potentially showing in-the-wild Heartbleed attacks long before the recent public disclosure. Perhaps most interesting:

[the] logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were 193.104.110.12 and 193.104.110.20. Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers.

Coincidentally, a few hours prior to this news, I was lamenting here in comments how disinformative the mainstream reporting was when it made claims that "what makes it even worse is the heartbleed attack leaves no trace". Of course it leaves a trace: perhaps not in stock OS/webserver log files, but remote attackers always have to carry the attack out via networks, which can notice and/or log the traffic if they take the trouble to. Not to put too fine a point on it, but the same thing is also relevant to the recent Slashcode issue with portscans. It may be exhausting work inspecting packet capture logs, but if you make a habit of not doing it, you should be prepared to find some gremlins when you finally get around to it.
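The trace the summary refers to, as an added example that is not part of the story or of the EFF's guidance: a Python scanner that walks a captured TLS byte stream and flags any heartbeat request whose claimed payload length exceeds the bytes the record actually carries, which is the mismatch intrusion-detection signatures for Heartbleed key on. It assumes RFC 6520 framing (16 bytes minimum padding); the sample records are constructed here, not captured traffic.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 1         # heartbeat message type: request
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of random padding


def iter_tls_records(data: bytes):
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:  # truncated capture: stop rather than misparse
            break
        yield ctype, version, body
        offset += 5 + length


def classify_heartbeat(body: bytes) -> str:
    """Verdict for one heartbeat body: 'benign', 'malicious' or 'malformed'.
    Heartbleed: a request claims more payload bytes than the record carries
    (minus the mandatory padding), so the peer over-reads its memory to echo."""
    if len(body) < 3:
        return "malformed"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return "benign"   # responses are the victim echoing, not the trigger
    available = len(body) - 3 - HB_MIN_PADDING
    return "malicious" if payload_len > available else "benign"


def scan_stream(data: bytes) -> list:
    """Return (record_index, tls_version, verdict) for every heartbeat record."""
    findings = []
    for index, (ctype, version, body) in enumerate(iter_tls_records(data)):
        if ctype == TLS_HEARTBEAT:
            findings.append((index, version, classify_heartbeat(body)))
    return findings


# Constructed sample records (not captured traffic): one application-data record,
# a well-formed request echoing 4 bytes, and a request claiming 0xFFFF bytes
# while carrying only 1 byte of payload plus padding.
PADDING = b"\x00" * HB_MIN_PADDING
APP_DATA = b"\x17\x03\x02\x00\x05hello"
GOOD_HB = b"\x18\x03\x02" + struct.pack("!H", 3 + 4 + 16) + b"\x01\x00\x04ping" + PADDING
BAD_HB = b"\x18\x03\x02" + struct.pack("!H", 3 + 1 + 16) + b"\x01\xff\xffA" + PADDING
SAMPLE_STREAM = APP_DATA + GOOD_HB + BAD_HB
```

On a real capture the TLS bytes first have to be reassembled from the TCP stream with a pcap library; the verdict logic is unchanged whether the capture is from last week or from a tape in a vault.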

Related Stories

F%1&£@! Unbelievable: Slashcode Portscanning Disabled
I've pushed an emergency fix to production to close bug #142 on the tracker. For those unaware, Slashcode portscans every user when they login or post a comment. While we knew that there was some code involved in checking for open proxies, I thought it had been disabled, and the default settings in the database all default to off. The fact of the matter though is the backend was ignoring all disable checks in the database and scanning every IP to see if they were a proxy on ports 80, 3123, 8000, and 8080.

I'm f****** seething; this is unacceptable for any site, and this behaviour isn't documented anywhere; we've been portscanning since day one and were completely unaware of it. My guess is almost everyone here was unaware of this "feature" as well. Our submitter reports Slashdot did this as well. There is no notification or link in the FAQ that this is done; unless you were checking your firewall rules religiously, this would have been completely unnoticed.

I'm seething and furious at the moment. How on earth is this acceptable behaviour? I understand proxy scanning; most IRC networks do it, but they notify you that they are doing so. Furthermore, a basic web application should not be probing their end users; I'm absolutely flabbergasted that this exists, as were most of the staff when it was brought to our attention. On behalf of the site, I want to offer a formal apology for this clusterf***.

Addendum: Since writing this, I've written a follow-up on why this got me so upset in my journal. I've got journal replies set to on, and will respond to anyone both here and there.

Heartbleed: Ain't Dead Yet

Ars Technica reports that, four weeks after its disclosure, huge swaths of the Internet remain vulnerable to Heartbleed. The article suggests that over 300,000 servers remain vulnerable.

What steps have you taken to protect yourself from this bug? What browser addons have you installed? Have you checked/updated the firmware on your home router? If you work in IT, what has the reaction been? Has your site been compromised? Has vulnerable code been updated, new keys genned, new certificates obtained, and old ones revoked?

Since the OpenSSL library is now undergoing a security review and a fork of it is underway as LibreSSL, it is possible that other vulnerabilities will be discovered. Then what? How likely is it that we will need to repeat this cleanup effort?


  • (Score: 2) by c0lo (156) Subscriber Badge on Friday April 11 2014, @11:03PM (#30333) Journal

    I had (and still have) the feeling this wasn't a bug, but an alphabet-agency feature carefully planted and nurtured.
    Should look into the commit logs for traces.
    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by mrbluze (49) on Friday April 11 2014, @11:25PM (#30340) Journal

      Judging by the self-satisfied smiles on the faces of NSA employees, I'd agree with you there.

      --
      Do it yourself, 'cause no one else will do it yourself.
    • (Score: 3, Informative) by fliptop (1666) on Friday April 11 2014, @11:37PM (#30346) Journal

      an alphabet-agency-feature carefully planted and nurtured

      Bloomberg reported today [bloomberg.com] that the NSA knew about the flaw for at least 2 years and used it to gather intelligence.

      --
      Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
    • (Score: 3, Insightful) by c0lo (156) Subscriber Badge on Saturday April 12 2014, @02:12AM (#30398) Journal

      Should look into the commit logs for traces.

      Seems it has been an honest error [smh.com.au] after all.

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Interesting) by tynin (2013) on Saturday April 12 2014, @02:35AM (#30406) Journal

      All this time, for decades even, we've all sat around and poked fun at how you cannot really just sit down at a computer and hack through layers of defense, à la the movie Hackers. That modern firewalls/security measures prevent such intrusion. Yet here we are in a world where someone could literally write up a fancy Hollywood UI for this exploit and go hack the Gibson. Hell, they could hack the planet.

      MIND == BLOWN

  • (Score: 3, Interesting) by c0lo (156) Subscriber Badge on Friday April 11 2014, @11:11PM (#30336) Journal

    Using the geoip demo page [maxmind.com].
    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 2) by fliptop (1666) on Friday April 11 2014, @11:34PM (#30345) Journal

      I experienced a port 110 dovecot dictionary attack from a bunch of IPs in that class C in March but didn't see anything older than that. Lately there has been a lot of scanning and dictionary attacks coming from that area of Europe.

      --
      Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
      • (Score: 0) by Anonymous Coward on Saturday April 12 2014, @03:44AM (#30426)

        That's not a class C. Please go read about classful networking, how there's no such thing as "that class C," and stop calling it that.

    • (Score: 2) by frojack (1554) on Saturday April 12 2014, @05:07AM (#30446) Journal

      Where an IP is supposedly assigned has no bearing on from where it is used.

      Using a foreign IP is something every wannabe hacker does.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 0) by Anonymous Coward on Saturday April 12 2014, @06:21AM (#30461)

      $ whois 193.104.110.12|grep -i country
      country: CZ

  • (Score: 5, Interesting) by zim (1251) on Friday April 11 2014, @11:34PM (#30344)

    Take everything we know about how far the NSA has been spying on the world.

    Now multiply it by a factor of ten.
    You're still not even close to guessing their total scope.

    On the one hand, I say string them all up.

    On the other hand...
    Have you SEEN some of the people in the world?
    I damn well hope someone is watching them.

    Because. Crazy! So much crazy!

    On the 3rd hand... They seem to be incompetent at it.
    SO not only are they violating everyone's rights, they're not even doing the job effectively that they're not even supposed to be doing!

    Everyone loses. Yay! :(
  • (Score: 1) by lajos (528) on Saturday April 12 2014, @12:57AM (#30378)

    Just go straight to the people that know. Ask the NSA.

    • (Score: 3) by Dunbal (3515) on Saturday April 12 2014, @01:46AM (#30389)

      After being stonewalled someone will say "national security" and that will be that.

      • (Score: 2) by frojack (1554) on Saturday April 12 2014, @05:09AM (#30447) Journal

        No, they will just deny it, and they have already denied it.

        But that seems hardly germane. They lie directly to congress, why would lying to the press be any impediment?

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 0) by Anonymous Coward on Saturday April 12 2014, @02:53AM (#30411)

    Good luck with that. This was a major screw up and we have to bear the consequences now.

    • (Score: 2) by isostatic (365) on Saturday April 12 2014, @10:28AM (#30501) Journal

      Even captures from a month ago would do the trick.

      7 years ago I was capturing traffic into one of our systems, 6TB a day, and keeping it for a week, with barely any budget.

  • (Score: 4, Interesting) by Reziac (2489) on Saturday April 12 2014, @03:13AM (#30417) Homepage

    TFS says: "...systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks."

    That would be damning against various 3-letter agencies IF that were the primary or only focus. But what's the rest of the picture? What if hitting Freenode and IRC is only incidental?

    --
    And there is no Alkibiades to come back and save us from ourselves.