OpenSSL leaks server-Keys / The Heartbleed Bug
mdounin at mdounin.ru
Tue Apr 15 11:43:19 UTC 2014
On Mon, Apr 14, 2014 at 03:03:54PM -0400, itpp2012 wrote:
> Fyi. if you are running a ssl tunnel like stunnel with openssl 0.9.x, this
> attack is logged as "SSL3_GET_RECORD:wrong version number" as opposed to no
> nginx/openssl logging.
> If you have logging going back 2 years and you are seeing these log entries
> now, you may be able to detect attacks from before 7-4-2014.
> Here we have many stunnels with openssl 0.9.x and found the first attacks
> at: 2014.04.08 22:19:14 (CET) in more then 2 years of logging.
I suspect that this is just a particular script to exploit the
vulnerability, which doesn't care much about being correct and
is seen this way due to incorrect handshake. Proper exploitation
shouldn't be detectable this way.
And yes, it's seen on more or less any 0.9.x OpenSSL
installation, including nginx:
2014/04/15 04:02:57 [info] 48738#0: *2785200 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number) while SSL handshaking, client: 220.127.116.11, server: 0.0.0.0:443
More information about the nginx