Ugh. jndi, not jdni.
I keep swapping those letters...
________________________________
From: Clark, Ash <as....@no...>
Sent: Wednesday, December 15, 2021 10:04 AM
To: Michael Westbay <wes...@ja...>; Pietro Liuzzo <pie...@gm...>
Cc: exist-open <exi...@li...>
Subject: Re: [Exist-open] log4j2 vulnerability
Hi Michael,
Here’s a blog post that explains how the exploit works and an example log message:
https://www.lunasec.io/docs/blog/log4j-zero-day/#how-the-exploit-works
I did a case-insensitive search for `jdni` in my own logs (found nothing, thankfully). I’m positive there are other tells that an expert would be able to seek out.
~Ash
________________________________
From: Michael Westbay <wes...@ja...>
Sent: Wednesday, December 15, 2021 3:16 AM
To: Pietro Liuzzo <pie...@gm...>
Cc: Clark, Ash <as....@no...>; exist-open <exi...@li...>
Subject: Re: [Exist-open] log4j2 vulnerability
Extracting from the JAR file worked for me with both the log4j-core-2.14.1.jar included with eXist 5.3.0 and with the log4j-core-2.15.0.jar that I downloaded.
What I want to know is what are the signs of infection? I doubt if my systems are prime targets, but if someone was doing an automated spray to see what caught, what should I be looking for? I remember the PUT vulnerability a few years ago and found some attempts at PUTing PHP files on my server. They went into the eXist database at the /db root where they weren't effective. But their presence had me on edge.
On Wed, Dec 15, 2021 at 16:17, Pietro Liuzzo <pie...@gm...> wrote:
Thanks!
I have tried to do this as well but I am told that there is nothing to do.
Perhaps the location of that class depends on the system?
All best
Pietro
Pietro Maria Liuzzo (egli/lui,he/him,er/ihn)
cel (DE): +49 (0) 176 61 000 606
Skype: pietro.liuzzo (Quingentole)
ORCID: https://orcid.org/0000-0001-5714-4011
Academia: https://uni-hamburg.academia.edu/PietroMariaLiuzzo
On 14 Dec 2021, at 22:27, Clark, Ash <as....@no...> wrote:
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
_______________________________________________
Exist-open mailing list
Exi...@li...
https://lists.sourceforge.net/lists/listinfo/exist-open
--
Michael Westbay
Writer/System Administrator
http://www.japanesebaseball.com/
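An added example, not part of the original thread: a Python check for whether an archive, or a JAR nested inside a WAR, still contains the class that the `zip -d` command above deletes. The helper names and the archives built in `demo()` are constructed for illustration.

```python
import io
import os
import zipfile

# Path of the class that the zip -d command in the thread deletes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_jndi_lookup(data, label, max_depth=4):
    """Return archive paths (outer!/inner) that still contain JndiLookup.class."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif max_depth > 0 and name.lower().endswith(ARCHIVE_SUFFIXES):
                # WARs and fat JARs carry log4j-core as a nested archive.
                nested = archive.read(name)
                hits += find_jndi_lookup(nested, f"{label}!/{name}", max_depth - 1)
    return hits


def scan_tree(root):
    """Check every archive under a directory, e.g. an eXist install."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits += find_jndi_lookup(fh.read(), path)
    return hits


def make_archive(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo():
    unpatched = make_archive({JNDI_CLASS: b"", "META-INF/MANIFEST.MF": b""})
    patched = make_archive({"META-INF/MANIFEST.MF": b""})
    war = make_archive({"WEB-INF/lib/log4j-core-2.14.1.jar": unpatched})
    return (find_jndi_lookup(unpatched, "log4j-core-2.14.1.jar"),
            find_jndi_lookup(patched, "patched.jar"),
            find_jndi_lookup(war, "app.war"))
```

An empty list from `scan_tree` means no archive under that directory contains the class at that path; it says nothing about whether the server was probed before the class was removed.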