log4shell-detector

Detector for Log4Shell exploitation attempts

What it does and doesn't do

It does: It checks local log files for indicators of exploitation attempts, even heavily obfuscated ones that string or regular expression based patterns wouldn't detect.

• It doesn't find vulnerable applications
• It doesn't and can't verify if the exploitation attempts were successful

Idea

The problem with the log4j CVE-2021-44228 exploitation is that the string can be heavily obfuscated in many different ways. It is impossible to cover all possible forms with a reasonable regular expression.

The idea behind this detector is that the respective characters have to appear in a log line in a certain order to match.

${jndi:ldap:

Split up into a list it would look like this:

['$', '{', 'j', 'n', 'd', 'i', ':', 'l', 'd', 'a', 'p', ':']

I call these lists 'detection pads' in my script and process each log line character by character. I check if each character matches the first element of the detection pads. If the character matches a character in one of the detection pads, a pointer moves forward.

When the pointer reaches the end of the list, the detection triggered and the script prints the file name, the complete log line, the detected string and the number of the line in the file.

I've included a decoder for URL based encodings. If we need more, please let me know.

Usage

usage: log4shell-detector.py [-h] [-p path [path ...]] [-d maxdis] [--quick] [--defaultpaths] [--debug]

Log4Shell Exploitation Detectors

optional arguments:
  -h, --help          show this help message and exit
  -p path [path ...]  Path to scan
  -d distance         Maximum distance between each character
  --debug             Debug output
  --defaultpaths      Scan a set of default paths that should contain relevant log files.
  --quick             Skip log lines that don't contain a 2021 or 2022 time stamp
  --summary           Show summary only

Get started

1. Make sure that the target systems on which you'd like to run log4shell-detector has python installed: python -V and see if Python 3 is available python3 -V

2. Download this Repo by clicking "Code" > "Download ZIP"

3. Extract the package and bring only log4shell-detector.py to the target system (e.g. with scp)

4. Run it with python3 log4shell-detector.py -p /var/log (if python3 isn't available use python)

5. If your applications log to a different folder than /var/log find out where the log files reside and scan these folders. Find locations to which apps write logs with lsof | grep '\.log'.

6. Review the results (see FAQs for details)

FAQs

I don't use log4j on that server but the scanner reports exploitation attempts. Am I affected?

No. But can you be sure that no application uses log4j?

You can try to find evidence of log4j usage running these commands:

ps aux | egrep '[l]og4j'
find / -iname "log4j*"
lsof | grep log4j

If none of these commands returned a result, you should be safe.

My applications use log4j and I've found evidence of exploitation attempts? Am I compromised?

It is possible, yes. First check if the application that you use is actually affected by the vulnerability. Check the JAVA and log4j versions, check the vendor's blog for an advisory or test the application yourself using canary tokens.

If your application is affected and vulnerable and you plan to do a forensic investigation,

1. create a memory image of that system (use e.g. VMWare's snapshots or other tools for that)

2. create a disk image of that system

3. check the system's outgoing network connections in your firewall logs

4. check the system's crontab for suspicious new entries (/etc/crontab). If you want and can, use our free tool THOR Lite for a basic compromise assessment.

5. After some investigations, decide if you want and can disconnect that system from the Internet until you've verified that it hasn't been compromised.

Special Flags

--defaultpaths

Check a list of default log paths used by different software products.

--quick

Only checks log lines that contain a 2021 or 2022 to exclude all scanning of older log entries. We assume that the vulnerability wasn't exploited in 2019 and earlier.

--summary

Prints a summary of matches, with only the filename and line number.

Requirements

• Python 2 or Python 3

No further or special Python modules are required. It should run on any system that runs Python.

Screenshots

Help

There are different ways how you can help.

1. Test it against the payloads that you find in the wild and let me know if we miss something.
2. Help me find and fix bugs.
3. Test if the scripts runs with Python 2; if not, we can add a slightly modified version to the repo.

Contact

Twitter: @cyberops