heartbleeder can detect whether your server has the OpenSSL CVE-2014-0160 vulnerability, known as the Heartbleed vulnerability.
CVE-2014-0160, the Heartbleed vulnerability, is a very serious OpenSSL vulnerability. It lets an attacker read 64KB of memory from a vulnerable server. That memory may contain very sensitive information, including user requests, passwords, or even the certificate's private key.
Reportedly, an attacker who tried the vulnerability against a certain site read data 200 times and obtained more than 40 usernames and 7 passwords.
Download the compressed package of compiled binaries from gobuild.io. Builds are available for Windows, Linux, and Mac OS X.
Because Linux is the most commonly used server operating system, the commands for downloading the Linux binary archive are given here:
wget http://gobuild.io/github.com/titanous/heartbleeder/master/linux/amd64 -O output.zip
wget http://gobuild.io/github.com/titanous/heartbleeder/master/linux/386 -O output.zip
After downloading, unpack the archive and the binary is ready to use.
You can also compile and install it yourself with Go version 1.2 or above, using the following command:
go get github.com/titanous/heartbleeder
The binary file will be placed at $GOPATH/bin/heartbleeder.
$ heartbleeder example.com
INSECURE - example.com:443 has the heartbeat extension enabled and is vulnerable
Postgres uses OpenSSL on port 5432 by default. If you run a Postgres server, use the following command:
$ heartbleeder -pg example.com
SECURE - example:5432 does not have the heartbeat extension enabled
If installing heartbleeder is inconvenient, or you do not trust the automatic detection result, you can also check manually.
First determine whether the server's OpenSSL version is a vulnerable one. The currently vulnerable versions are 1.0.1 through 1.0.1f (1.0.1f included) and 1.0.2-beta. You can use the following command to see the version currently on the server:
Next, determine whether the heartbeat extension is enabled:
openssl s_client -connect your-website:443 -tlsextdebug 2>&1 | grep 'TLS server extension "heartbeat" (id=15), len=1'
If both of the above conditions are met, then unfortunately your server is affected by this vulnerability and needs to be fixed as soon as possible.
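The two manual checks above can be combined into one script. This is an added example, not part of heartbleeder or the original page. The function names, the sample version strings (assumed to be in the form printed by `openssl version`) and the sample s_client output are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Check 1: is the version in the ranges listed above
# (1.0.1 through 1.0.1f inclusive, and 1.0.2-beta)?
# Caveat: distributions may ship a patched build that keeps the old version
# letter, so a match here is a screening result, not proof.
version_in_vulnerable_range() {
    ver=${1#OpenSSL }      # drop a leading "OpenSSL " if present
    ver=${ver%% *}         # keep only the version word, e.g. "1.0.1e"
    case "$ver" in
        1.0.1|1.0.1[abcdef]|1.0.1-fips|1.0.1[abcdef]-fips|1.0.2-beta*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Check 2: does the s_client -tlsextdebug output (read from stdin)
# show the server advertising the heartbeat extension?
heartbeat_advertised() {
    grep -qF 'TLS server extension "heartbeat" (id=15), len=1'
}

# Combine both checks. $1 = version string, $2 = captured s_client output.
assess() {
    if ! version_in_vulnerable_range "$1"; then
        echo "version-ok"
    elif printf '%s\n' "$2" | heartbeat_advertised; then
        echo "affected"
    else
        echo "heartbeat-off"
    fi
}

# Constructed sample of `openssl s_client ... -tlsextdebug` output.
SAMPLE_TLSEXT='TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "heartbeat" (id=15), len=1
0000 - 01'

# Demo with the constructed inputs above.
assess "OpenSSL 1.0.1e 11 Feb 2013" "$SAMPLE_TLSEXT"   # prints: affected
```

On a real host, pass the server's own version string as the first argument and the captured output of the s_client command above as the second.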