adrian154 / blog

My blog.
https://blog.bithole.dev
MIT License

Dissecting a Log4Shell Attack #3

Open utterances-bot opened 2 years ago

utterances-bot commented 2 years ago

Dissecting a Log4Shell Attack

Ever since the beginning, Log4Shell has been inseparably tied to Minecraft servers. In this post, I take apart one such attack and see what makes it tick.

https://blog.bithole.dev/log4shell-mc.html

cocus commented 2 years ago

Seems like he went dead. LDAP server is still up, but the http is dead. I saw this on my Windows modded server but I'm not even sure it'd have worked anyway. Also, I tried the vulnerability test from log4shell.huntress.com, and nothing came out of it. If I ran that specific ldap url and token they provide for my session through ldapsearch, it doesn't show anything, neither in its output nor on the web interface itself. Not sure if that works or not.

adrian154 commented 2 years ago

The HTTP server running on port 8000 does appear to be down. Interestingly enough, an observant Redditor managed to identify the binary as an open-source reverse ssh daemon, originally written for CTF challenges.

All in all, the rather sloppy execution of the attack leaves me a little confused as to what the attacker's goal might be.

cocus commented 2 years ago

Interesting. Well, seems like my modded server is safe because the owners of the mod pack told me that this version doesn't have any of these issues (I have to believe them!) on https://github.com/TeamAOF/All-of-Fabric-4/issues/158. Do you reckon any other tool to check for this besides log4shell.huntress.com? Also, should an ldapsearch query from my local machine appear on these kinds of test sites? Because I don't see it after using ldapsearch.

adrian154 commented 2 years ago

One wouldn't really expect ldapsearch to yield anything on your local machine - in log4shell the attacker is the one who hosts the malicious LDAP server that leads clients to download the exploit class. As for testing for the vulnerability, I haven't used the log4shell.huntress.com tool, but it appears to work in a similar way to most other scanners. If it returns a negative and you've also confirmed that the server JARs you're using are patched, I think it is reasonably safe to say that you are not vulnerable.
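The "confirm the server JARs are patched" step above can be checked offline. The script below is an added example (not code from the blog or from anyone in this thread): it opens a log4j-core JAR, reads the version declared in its Maven pom.properties, and reports whether the JndiLookup class is still present; the sample JAR it builds is constructed in memory, and the version thresholds in the comments are the published Apache guidance.

```python
import io
import re
import zipfile

# Real paths inside log4j-core: the lookup class behind Log4Shell, and the
# Maven metadata that records the artifact version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)  # keep only the leading digits of each piece
        if m:
            parts.append(int(m.group()))
    return tuple(parts)

def inspect_log4j_jar(jar_bytes):
    """Return (declared version or None, whether JndiLookup.class is present)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return version, JNDI_LOOKUP in names

def is_at_risk(version, has_jndi_lookup):
    """CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; follow-up fixes
    ran up to 2.17.1, so anything older is flagged. Deleting JndiLookup.class is the
    documented mitigation for installs that cannot be upgraded."""
    if not has_jndi_lookup:
        return False
    if version is None:
        return True  # lookup class present but version unknown: treat as at risk
    return parse_version(version) < (2, 17, 1)

def check_jar(jar_bytes):
    version, has_lookup = inspect_log4j_jar(jar_bytes)
    return {"version": version, "jndi_lookup_present": has_lookup,
            "at_risk": is_at_risk(version, has_lookup)}

def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core JAR, used only to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Run it against a real server by reading each JAR from disk and passing the bytes to `check_jar`; a shaded server JAR that bundles log4j-core keeps the same internal paths, so the same check applies.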

ArhanChaudhary commented 2 years ago

bitcraft

nu11une commented 2 years ago

FYI, this is the IP they're using as of now: https://www.abuseipdb.com/check/185.233.105.120