
I read about the vulnerability and decided to check out the site. I was surprised to receive a response from the PHP code. Look at the screenshot.


Perl-script: http://pastebin.com/rL0XkewP

Hackers have already got down to business?

user44425
    Why do you believe that anything of what you see means that the server was compromised and that an exploit of the heartbleed-bug was part of the attack? – Philipp Apr 13 '14 at 00:06
  • @Philipp, the Heartbleed bug allows them to run your code, doesn't it? – user44425 Apr 13 '14 at 00:11
  • [No, it does not!](http://security.stackexchange.com/questions/55343/how-to-explain-heartbleed-without-technical-terms) – Philipp Apr 13 '14 at 00:13

1 Answer


What's your question? Yes, it's been widely described, and the attack is trivial to do once it was disclosed that heartbeats were flawed and you looked at the patched section of OpenSSL. You change the payload_length of a heartbeat request to something like ffff to get 64K back, or something else bigger than the payload.

More interesting is that the heartbleed attack was apparently used in the wild last year from IP addresses associated with a botnet that appears to systematically log IRC:

> The second log seems much more troubling. We have spoken to Ars Technica's second source, Terrence Koeman, who reports finding some inbound packets, immediately following the setup and termination of a normal handshake, containing another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs from November 2013. These bytes are a TLS Heartbeat with contradictory length fields, and are the same as those in the widely circulated proof-of-concept exploit.
>
> Koeman's logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were 193.104.110.12 and 193.104.110.20. Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers.

dr jimbob
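The "contradictory length fields" the quoted report describes can be checked mechanically: a detector that parses the TLS record header and compares the heartbeat's declared payload_length against what the record can actually hold. This is an added example for a packet-log or IDS check, not code from the answer or from any of the sources it cites; the constructed sample records and the function name are assumptions, and the 16-byte minimum padding is taken from RFC 6520.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_HEADER_LEN = 3   # 1 byte type + 2 bytes payload_length
MIN_PADDING = 16           # RFC 6520: padding_length MUST be at least 16


def check_tls_record(data: bytes) -> dict:
    """Parse one TLS record from raw bytes. For heartbeat records, flag a
    payload_length that exceeds what the record can carry, which is exactly
    the condition a patched OpenSSL rejects and an IDS rule should alert on."""
    if len(data) < 5:
        return {"content_type": None, "suspicious": False,
                "reason": "truncated record header"}
    content_type, ver_major, ver_minor, record_len = struct.unpack("!BBBH", data[:5])
    result = {"content_type": content_type, "version": (ver_major, ver_minor),
              "record_len": record_len, "suspicious": False, "reason": ""}
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return result                       # handshake, alert, app data: not our concern
    body = data[5:5 + record_len]
    if len(body) < HEARTBEAT_HEADER_LEN:
        result.update(suspicious=True, reason="heartbeat record too short for its header")
        return result
    hb_type, payload_len = struct.unpack("!BH", body[:HEARTBEAT_HEADER_LEN])
    result.update(heartbeat_type=hb_type, payload_len=payload_len)
    # The payload plus header plus minimum padding must fit inside the record.
    max_payload = record_len - HEARTBEAT_HEADER_LEN - MIN_PADDING
    if payload_len > max_payload:
        result.update(suspicious=True,
                      reason=f"payload_length {payload_len} exceeds the "
                             f"{max(max_payload, 0)} bytes this {record_len}-byte "
                             f"record can hold")
    return result


# Constructed sample 1: the eight bytes quoted from the ingress logs in the answer.
# Record length is 3, yet payload_length claims 0x4000 (16384) bytes.
MALFORMED_HEARTBEAT = bytes.fromhex("18 03 02 00 03 01 40 00")

# Constructed sample 2: a well-formed request, 4-byte payload "ping" plus 16 bytes
# of padding, so record_len = 3 + 4 + 16 = 23 (0x17) and the lengths agree.
WELL_FORMED_HEARTBEAT = bytes.fromhex("18 03 02 00 17 01 00 04") + b"ping" + b"\x00" * 16

if __name__ == "__main__":
    for sample in (MALFORMED_HEARTBEAT, WELL_FORMED_HEARTBEAT):
        print(check_tls_record(sample))
```

A log-replay tool would run this over every inbound record following a handshake; a hit on the first sample is the November 2013 pattern the report describes.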