打log4j2补丁了?黑客有没有捷足先登?
TAG: Log4j2 远程代码执行漏洞
TLP: 白 (公开)
日期: 2021-12-11
log4j2 漏洞爆发,企业打补丁可能需要几小时到几天时间,但黑客攻击却只需要几分钟时间!到底是打补丁更快还是黑客攻击更快?如何确定自己的服务是否已经被攻击了?
为帮助广大企业自查是否遭到 log4j2 漏洞攻击,现提供一款检测工具及黑客攻击 IP 情报,用于检测服务器是否曾被 log4j2 漏洞利用攻击(注:但无法判定是否攻击成功),下载链接:https://static.threatbook.cn/tools/detect.py。若运行工具后发现告警提示,需要协助研判,请联系微步专业工程师协助您确认排查问题。电话:400-030-1051 转 3。
工具使用方式:
命令行格式为:Python tools_py2_py2.py -p xxxxxx/logs,即 -p 后接的参数为需要扫描的 log 目录,默认扫描目录为 /var/log,建议用户扫描的目录有 [tomcat 日志目录 ($TOMCAT_HOME/logs),log4j2 应用日志目录 (log4j.properties 文件中 log4j.appender.*.File 的值),Redis 日志目录($REDIS_HOME/log),kafka($KAFKA_HOME/logs),Apache(/var/log/apache2),ES(/usr/share/elasticsearch/logs)]
需要扫描的日志,包括但不限于:
Struts2
Apache Solr Apache Druid Apache Flink ElasticSearch Kafka Flume Dubbo Redis Logstash
工具原理:
如下是我们对部署在公网中的蜜罐日志进行分析的示例:
如下是我们捕获到的利用 log4j2 漏洞进行攻击的部分 IP 列表,有需要的用户可根据该列表进行自查:
104.244.72.115, 104.244.74.211, 104.244.74.57, 104.244.76.170, 107.189.1.160, 107.189.1.178, 107.189.12.135, 107.189.14.98, 109.237.96.124, 109.70.100.34, 116.24.67.213, 122.161.50.23, 131.153.4.122, 134.122.34.28, 137.184.102.82, 137.184.106.119, 142.93.34.250, 143.198.32.72, 143.198.45.117, 147.182.167.165, 147.182.169.254, 147.182.219.9, 151.115.60.113, 159.65.155.208, 159.65.58.66, 164.90.199.216, 167.71.13.196, 167.99.164.201, 167.99.172.213, 167.99.172.58, 171.25.193.20, 171.25.193.25, 171.25.193.77, 171.25.193.78, 178.62.79.49, 181.214.39.2, 18.27.197.252, 185.100.87.202, 185.100.87.41, 185.100.87.41, 185.107.47.171, 185.107.47.171, 185.129.61.1, 185.220.100.240, 185.220.100.241, 185.220.100.242, 185.220.100.243, 185.220.100.244, 185.220.100.245, 185.220.100.246, 185.220.100.247, 185.220.100.248, 185.220.100.249, 185.220.100.252, 185.220.100.253, 185.220.100.254, 185.220.100.255, 185.220.101.129, 185.220.101.134, 185.220.101.134, 185.220.101.138, 185.220.101.139, 185.220.101.141, 185.220.101.142, 185.220.101.143, 185.220.101.144, 185.220.101.145, 185.220.101.147, 185.220.101.148, 185.220.101.149, 185.220.101.153, 185.220.101.154, 185.220.101.154, 185.220.101.156, 185.220.101.157, 185.220.101.158, 185.220.101.160, 185.220.101.161, 185.220.101.163, 185.220.101.168, 185.220.101.169, 185.220.101.171, 185.220.101.172, 185.220.101.175, 185.220.101.177, 185.220.101.179, 185.220.101.180, 185.220.101.181, 185.220.101.182, 185.220.101.185, 185.220.101.186, 185.220.101.189, 185.220.101.191, 185.220.101.33, 185.220.101.34, 185.220.101.35, 185.220.101.36, 185.220.101.37, 185.220.101.41, 185.220.101.42, 185.220.101.43, 185.220.101.45, 185.220.101.46, 185.220.101.49, 185.220.101.54, 185.220.101.55, 185.220.101.56, 185.220.101.57, 185.220.101.61, 185.220.101.61, 185.220.102.242, 185.220.102.249, 185.220.102.8, 185.38.175.132, 185.83.214.69, 188.166.122.43, 188.166.48.55, 188.166.92.228, 193.189.100.195, 193.189.100.203, 193.218.118.183, 193.218.118.231, 193.31.24.154, 194.48.199.78, 195.176.3.24, 195.19.192.26, 195.254.135.76, 198.98.51.189, 199.195.250.77, 204.8.156.142, 205.185.117.149, 20.71.156.146, 209.127.17.242, 209.141.41.103, 2.10.206.71, 212.193.57.225, 217.163.23.58, 23.129.64.131, 23.129.64.131, 23.129.64.141, 23.129.64.146, 23.129.64.148, 45.12.134.108, 45.137.21.9, 45.153.160.131, 45.153.160.138, 45.155.205.233, 46.166.139.111, 46.182.21.248, 51.15.43.205, 51.255.106.85, 54.173.99.121, 62.102.148.69, 62.76.41.46, 68.183.198.247, 68.183.44.143, 72.223.168.73, 81.17.18.60, 88.80.20.86
微步在线安全产品全线支持检测和拦截log4j漏洞攻击
微步在线威胁感知平台(TDP)
微步在线 TDP 已于数月前支持该漏洞的攻击检测,且支持最新各种 bypass 攻击,相关用户可以持续关注 TDP 上关于 JNDI 漏洞的相关告警,一旦攻击成功,则需要进行快速的处置响应。
微步在线终端检测平台(OneEDR)
微步在线 OneEDR 目前已经支持从终端检测正在运行的各种应用和服务是否加载并使用了存在该漏洞的 log4j2 的组件,并且会直接资产风险的方式展示出来。此外,OneEDR 会进一步利用行为分析、威胁情报、AI 等技术检测后续的攻击行为,包括不限于提权、驻留、横移等各种恶意行为,快速帮助企业进行响应和处置。微步在线安全DNS(OneDNS)
微步在线 OneDNS 平台目前已经集成微步在线高可信威胁情报,包括当前用于活跃探测该漏洞是否存在的相关 DNSlog 域名情报,使用 OneDNS 的用户,一旦有攻击者利用 DNSlog 进行漏洞探测,即可被 OneDNS 拦截,导致攻击者的探测行为失败。☞ 免费!Log4j2漏洞资产排查工具公开下载
☞ 起床!史诗级Log4j漏洞已引起大规模入侵,猛击查看快速检测技巧
戳“阅读原文”,立即下载检测工具
↙↙↙