1. Intro

This is how I checked for log4j on my systems.

Since the log4j jar file can be included in so many places, the best one can do is to scan the web server logs to see whether anybody has taken an interest in your system, and to check whether log4j has been installed as a stand-alone app on the server.

Apps may also ship with integrated log4j components. For such hidden pieces of log4j, you may need to check with the app manufacturer instead.

2. Checking for scanners

Create a file with this content, and run it as root.

log4j_check.sh:

#!/bin/bash

# Run as root so that every log file is readable.

# Search uncompressed files in /var/log and all subfolders for exploitation attempts.
# Only the plain ${jndi:...} form is matched; obfuscated variants will not show up here.
grep -E -i -r '\$\{jndi:(ldaps?|rmi|dns):/' /var/log

# Search compressed (.gz) files in /var/log and all subfolders for exploitation attempts.
find /var/log -name '*.gz' -print0 | xargs -0 -r zgrep -E -i '\$\{jndi:(ldaps?|rmi|dns):/'

exit

3. Checking for log4j instances on the system

Create a file with this content, and run it as root.

check_for_log4j.sh:

#!/bin/bash

echo "checking for log4j vulnerability..."

# File names containing "log4j" (log4js is an unrelated JavaScript library).
# locate reads a prebuilt index, so run updatedb first for current results.
if [ "$(locate log4j | grep -v log4js)" ]; then
    echo "### maybe vulnerable, those files contain the name:"
    locate log4j | grep -v log4js
fi

# Installed Debian packages that mention log4j.
if [ "$(dpkg -l | grep log4j | grep -v log4js)" ]; then
    echo "### maybe vulnerable, installed packages:"
    dpkg -l | grep log4j | grep -v log4js
fi

# Copies bundled inside application archives are not found by the checks above.
if [ "$(command -v java)" ]; then
    echo "java is installed, so note that Java applications often bundle their libraries inside jar/war/ear files, so there still could be log4j in such applications."
fi

echo "If you see no output above this line, you are safe. Otherwise check the listed files and packages."

 

 

4. Sources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
https://logging.apache.org/log4j/2.x/
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.randori.com/blog/cve-2021-44228/
https://serverfault.com/questions/1086065/how-do-i-check-if-log4j-is-installed-on-my-server
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/