200 html return to log4j exploit

Francis Daly francis at daoine.org
Mon Dec 20 09:19:36 UTC 2021

On Sun, Dec 19, 2021 at 08:02:08PM -0800, lists at lazygranch.com wrote:

Hi there,

> I don't have any service using java so I don't believe I am subject to
> this exploit. Howerver I am confused why a returned a 200 for this
> request. The special characters in the URL are confusing.
> 200 - - [17/Dec/2021:02:58:02 +0000] "GET / HTTP/1.1" 706 "${${lower:jndi}:${lower:rmi}://}" "${${lower:jndi}:${lower:rmi}://}" "-"

The request was "GET / HTTP/1.1".

A 200 return for that is quite normal.

>     log_format  main  '$status $remote_addr - $remote_user
>     [$time_local] "$request" ' '$body_bytes_sent "$http_referer" '
>                       '"$http_user_agent" "$http_x_forwarded_for"';

The "please be exploited" parts are in the $http_referer and
$http_user_agent parts of your log line.

(And so, are presumably in the matching request headers.)


Francis Daly        francis at daoine.org

More information about the nginx mailing list