HeartBleed in the Wild

As most of you probably already know, ten days ago security Researchers disclosed a very serious vulnerability in the OpenSSL library, which is used to power HTTPS on most websites nowadays. The bug allowed an attacker to extract information that was supposed to be private, including SSL private keys, login data or any other information transmitted via the web site.

It was one the first security vulnerabilities (code named HeartBleed) to receive massive media attention and every webmaster in the world has probably heard about it (at least we hope so).

HeartBleed Vulnerable Servers in the Wild

After 10 days of massive coverage, we expected to see every server out there patched against it. To confirm our expectations, we scanned every web site listed in the Alexa top 1 million rank. Yes, we scanned the top web sites in the world to see how many were still infected.

The results were interesting:

Top 1,000 sites: 0 sites vulnerable (all of them patched)
Top 10,000 sites: 53 sites vulnerable (only 0.53% vulnerable)
Top 100,000 sites: 1595 sites vulnerable (1.5% still vulnerable)
Top 1,000,000 sites: 20320 sites vulnerable (2% still vulnerable)

We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better.

Do you own a web site? Did you check if your server is vulnerable? If not, please check to see if your server is vulnerable by clicking this link: https://filippo.io/Heartbleed/.

We also wrote a blog post with some suggestions on how to patch your server if you have access to it: Patching HeartBleed

HeartBleed Attacks in the Wild

With that many vulnerable servers, it’s a given that people will attempt to exploit them. To combat that, we added some detection signatures on our servers to alert us any time we detected an attempt to trigger the HeartBleed vulnerability. It flagged the pattern used by the public HeartBleed exploit tools, which have a similar format.

Over the last week, our servers detected 48,417 attacks against this specific vulnerability. The bulk of them coming from Amazon EC2 instances, likely setup to do these scans. These were the top attacking IP addresses and their counts:

Update: Some of these scans, specifically those coming from an IP address starting with 54., are coming from Amazon EC2. These scans are part of the online tool referenced above to check your site to see if it’s vulnerable to the Heartbleed bug. The scans attempt to exploit Heartbleed to see if a site is vulnerable and are very unlikely to be malicious. However, if they reveal a vulnerability in a website, they illustrate that a website is susceptible to further attacks, like the 20,320 websites in the top million that are still exposed.

   3809 SRC=
   1393 SRC=
   1084 SRC=
    974 SRC=
    954 SRC=
    929 SRC=
    926 SRC=
    925 SRC=
    921 SRC=
    919 SRC=
    912 SRC=
    905 SRC=
    891 SRC=
    877 SRC=
    867 SRC=
    865 SRC=
    862 SRC=
    860 SRC=
    827 SRC=
    639 SRC=

If you are not patched, be aware that people are out there trying to test and exploit this vulnerability and get your server patched as quickly as possible.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://josephscott.org/ Joseph Scott

    Over the last week, our servers detected 48,417 attacks against this specific vulnerability

    But that doesn’t include the 1,111,000 attack scans against sites that you ran right?

    • Piero

      A scan to test the vulnerability doesn’t run the exploit for the vulnerability.
      It’ s a probe packet, banner captured based, to retrieve information about version and configuration exposed.