Heartbleed Attack

We are being told by our ISP that we have a computer/device on our network performing Heartbleed attacks. We have performed AV scans with multiple AV products, but the attacks are still happening. The client has Wi-Fi, so we don't have complete control of what devices can connect to the network. We have tried to track down the attack as the traffic passes through the WatchGuard firewall but haven't had any luck. So basically I'm asking: how can I track down the source of the Heartbleed attack?

FOSnet asked:
Kimputer commented:
Mostly attacks happen on port 443 (HTTPS) or port 22 (SSH). Scan for that traffic, especially if you see it's a LOT and going everywhere.

btan (Exec Consultant) commented:
Those channels are encrypted, hence they bypass the WG unless you can sinkhole and decrypt (for example) SSL to inspect for HB trails. But to stay straightforward, simply detect any SSL that attempts to do SSLv3 (not TLS 1.0 and above) and trace those source IPs (which can be faked, or use the X-Forwarded-For in the HTTP header if you manage to decrypt the SSL packet), though there can be false positives due to . Btw, make sure the WG is XTM 11.8.3 or above to guard against HB attacking the WG.

There are other shared BPF (py) scripts to detect such HB in PCAP - you should ask WG support for the equivalent.
https://splash.riverbed.com/docs/DOC-4083
(see further down the blog for the detection signature criteria ..)
http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-from-stored-packets-using-a-BPF-expression.html
(WG has diagnostic)
http://www.watchguard.com/help/docs/wsm/xtm_11/en-US/index.html#cshid=en-US/fsm/log_message_learn_more_wsm.html
At the same time, check for any compromise or alerts from the clients, as the infection can be due to Heartbleed; but if the AV has the latest signatures, the machine should be alright. Get a sample of the quarantined malware and check its callback to the C&C server (not really the source, but it brings us near - hopefully - on tracing)...
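Detection logic of the kind btan describes for heartbeat traffic in a PCAP, as an added example that is not from this thread or from the Riverbed/WatchGuard material: it parses TLS records out of a TCP payload and flags heartbeat messages whose declared payload length exceeds the bytes actually present (the malformed-request shape Heartbleed relies on). The sample bytes are constructed; in practice you would feed it the TCP payload of each packet.

```python
# Added example (not from the Experts Exchange thread): flag TLS heartbeat
# records whose declared payload length exceeds what the record actually
# carries. Runs over constructed sample bytes; feed it TCP payloads from a
# PCAP to scan real traffic.
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat
HB_REQUEST = 0x01             # heartbeat message type: request
HB_RESPONSE = 0x02            # heartbeat message type: response

def iter_tls_records(data):
    """Yield (content_type, version, body) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(data):
        ctype, ver, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        if len(body) < rlen:          # truncated record: stop parsing
            break
        yield ctype, ver, body
        off += 5 + rlen

def check_heartbeat(body):
    """Return a finding string if a heartbeat body is malformed, else None."""
    if len(body) < 3:
        return "heartbeat record too short to carry type+length"
    hb_type = body[0]
    declared = struct.unpack("!H", body[1:3])[0]
    actual = len(body) - 3            # payload bytes really present after the header
    if declared > actual:
        kind = "request" if hb_type == HB_REQUEST else "response"
        return "malformed heartbeat %s: declared payload %d > actual %d" % (kind, declared, actual)
    return None

def scan_stream(data):
    """Return a list of findings for all malformed heartbeat records in a stream."""
    findings = []
    for ctype, ver, body in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        msg = check_heartbeat(body)
        if msg:
            findings.append("%s (TLS version 0x%04x)" % (msg, ver))
    return findings

# Constructed sample: a benign heartbeat request (declared 1 byte, carries 1 byte)
# followed by one that declares 0x4000 bytes of payload but carries only 1 byte.
BENIGN = bytes([0x18, 0x03, 0x02]) + struct.pack("!H", 4) + bytes([0x01]) + struct.pack("!H", 1) + b"A"
MALICIOUS = bytes([0x18, 0x03, 0x02]) + struct.pack("!H", 4) + bytes([0x01]) + struct.pack("!H", 0x4000) + b"A"
SAMPLE = BENIGN + MALICIOUS

if __name__ == "__main__":
    for finding in scan_stream(SAMPLE):
        print(finding)
```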
