HeartBleed in the Wild
As most of you probably already know, ten days ago security Researchers disclosed a very serious vulnerability in the OpenSSL library, which is used to power HTTPS on most websites nowadays. The bug allowed an attacker to extract information that was supposed to be private, including SSL private keys, login data or any other information transmitted via the web site.
It was one the first security vulnerabilities (code named HeartBleed) to receive massive media attention and every webmaster in the world has probably heard about it (at least we hope so).
HeartBleed Vulnerable Servers in the Wild
After 10 days of massive coverage, we expected to see every server out there patched against it. To confirm our expectations, we scanned every web site listed in the Alexa top 1 million rank. Yes, we scanned the top web sites in the world to see how many were still infected.
The results were interesting:
Top 1,000 sites: 0 sites vulnerable (all of them patched)
Top 10,000 sites: 53 sites vulnerable (only 0.53% vulnerable)
Top 100,000 sites: 1595 sites vulnerable (1.5% still vulnerable)
Top 1,000,000 sites: 20320 sites vulnerable (2% still vulnerable)
We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better.
Do you own a web site? Did you check if your server is vulnerable? If not, please check to see if your server is vulnerable by clicking this link: https://filippo.io/Heartbleed/.
We also wrote a blog post with some suggestions on how to patch your server if you have access to it: Patching HeartBleed
HeartBleed Attacks in the Wild
With that many vulnerable servers, it’s a given that people will attempt to exploit them. To combat that, we added some detection signatures on our servers to alert us any time we detected an attempt to trigger the HeartBleed vulnerability. It flagged the pattern used by the public HeartBleed exploit tools, which have a similar format.
Over the last week, our servers detected 48,417 attacks against this specific vulnerability. The bulk of them coming from Amazon EC2 instances, likely setup to do these scans. These were the top attacking IP addresses and their counts:
Update: Some of these scans, specifically those coming from an IP address starting with 54., are coming from Amazon EC2. These scans are part of the online tool referenced above to check your site to see if it’s vulnerable to the Heartbleed bug. The scans attempt to exploit Heartbleed to see if a site is vulnerable and are very unlikely to be malicious. However, if they reveal a vulnerability in a website, they illustrate that a website is susceptible to further attacks, like the 20,320 websites in the top million that are still exposed.
3809 SRC=220.127.116.11 1393 SRC=18.104.22.168 1084 SRC=22.214.171.124 974 SRC=126.96.36.199 954 SRC=188.8.131.52 929 SRC=184.108.40.206 926 SRC=220.127.116.11 925 SRC=18.104.22.168 921 SRC=22.214.171.124 919 SRC=126.96.36.199 912 SRC=188.8.131.52 905 SRC=184.108.40.206 891 SRC=220.127.116.11 877 SRC=18.104.22.168 867 SRC=22.214.171.124 865 SRC=126.96.36.199 862 SRC=188.8.131.52 860 SRC=184.108.40.206 827 SRC=220.127.116.11 639 SRC=18.104.22.168
If you are not patched, be aware that people are out there trying to test and exploit this vulnerability and get your server patched as quickly as possible.