As most of you probably already know, ten days ago security Researchers disclosed a very serious vulnerability in the OpenSSL library, which is used to power HTTPS on most websites nowadays. The bug allowed an attacker to extract information that was supposed to be private, including SSL private keys, login data or any other information transmitted via the web site.

It was one the first security vulnerabilities (code named HeartBleed) to receive massive media attention and every webmaster in the world has probably heard about it (at least we hope so).

HeartBleed Vulnerable Servers in the Wild

After 10 days of massive coverage, we expected to see every server out there patched against it. To confirm our expectations, we scanned every web site listed in the Alexa top 1 million rank. Yes, we scanned the top web sites in the world to see how many were still infected.

The results were interesting:

Top 1,000 sites: 0 sites vulnerable (all of them patched)
Top 10,000 sites: 53 sites vulnerable (only 0.53% vulnerable)
Top 100,000 sites: 1595 sites vulnerable (1.5% still vulnerable)
Top 1,000,000 sites: 20320 sites vulnerable (2% still vulnerable)

We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better.

Do you own a web site? Did you check if your server is vulnerable? If not, please check to see if your server is vulnerable by clicking this link: https://filippo.io/Heartbleed/.

We also wrote a blog post with some suggestions on how to patch your server if you have access to it: Patching HeartBleed

HeartBleed Attacks in the Wild

With that many vulnerable servers, it’s a given that people will attempt to exploit them. To combat that, we added some detection signatures on our servers to alert us any time we detected an attempt to trigger the HeartBleed vulnerability. It flagged the pattern used by the public HeartBleed exploit tools, which have a similar format.

Over the last week, our servers detected 48,417 attacks against this specific vulnerability. The bulk of them coming from Amazon EC2 instances, likely setup to do these scans. These were the top attacking IP addresses and their counts:

   3809 SRC=141.212.121.193
   1393 SRC=107.3.148.68
   1084 SRC=216.200.166.3
    974 SRC=54.82.84.163
    954 SRC=54.82.248.65
    929 SRC=54.242.172.173
    926 SRC=50.16.96.85
    925 SRC=54.82.248.31
    921 SRC=54.221.162.7
    919 SRC=75.101.243.125
    912 SRC=54.221.166.250
    905 SRC=54.81.153.80
    891 SRC=54.227.161.5
    877 SRC=54.198.5.96
    867 SRC=54.82.205.119
    865 SRC=54.234.12.248
    862 SRC=54.227.94.136
    860 SRC=54.82.249.111
    827 SRC=213.175.105.1
    639 SRC=23.22.245.215

If you are not patched, be aware that people are out there trying to test and exploit this vulnerability and get your server patched as quickly as possible.

Via Sucuri.net