You can use these commands and rules to search server logs for exploitation attempts against the Log4j RCE vulnerability CVE-2021-44228 ("Log4Shell"). They match only the plain, unobfuscated JNDI lookup strings, so a clean result does not prove that a system was not probed — treat them as a first triage pass, not as proof of absence.
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all of its subfolders:
sudo egrep -i -r '\$\{jndi:(ldap[s]?|rmi)://[^\n]+' /var/logThis command searches for exploitation attempts in compressed files in folder /var/log and all sub folders
sudo find /var/log -name \*.gz -print0 | xargs -0 zgrep -E -i '\$\{jndi:(ldap[s]?|rmi)://[^\n]+'Preliminary YARA rules (work in progress)
rule EXPL_Log4j_CVE_2021_44228_Dec21_Soft {
   meta:
      description = "Detects indicators in server logs that indicate an exploitation attempt of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 60
   strings:
      $x1 = "${jndi:ldap://"
      $x2 = "${jndi:rmi://"
      $x3 = "${jndi:ldaps://"
   condition:
      1 of them
}
rule EXPL_Log4j_CVE_2021_44228_Dec21_Hard {
   meta:
      description = "Detects indicators in server logs that indicate the exploitation of CVE-2021-44228"
      author = "Florian Roth"
      reference = "https://twitter.com/h113sdx/status/1469010902183661568?s=20"
      date = "2021-12-10"
      score = 80
   strings:
      $x1 = /\$\{jndi:(ldap|ldaps|rmi):\/\/[a-z-\.0-9]{3,42}:[0-9]{2,5}\/[a-zA-Z\.]{1,32}\}/
      $fp1 = "ldap://127.0.0.1"
      $fp2 = "ldaps://127.0.0.1"
      $fp3 = "rmi://127.0.0.1"
   condition:
      $x1 and not 1 of ($fp*)
}I got help and ideas from
- @matthias_kaiser
- @daphiel