It does: It checks local log files for indicators of exploitation attempts, even heavily obfuscated ones that string or regular expression based patterns wouldn’t detect.
It doesn’t find vulnerable applications
It doesn’t and can’t verify if the exploitation attempts were successful
The problem with the log4j CVE-2021-44228 exploitation is that the string can be heavily obfuscated in many different ways. It is impossible to cover all possible forms with a reasonable regular expression.
The idea behind this detector is that the respective characters have to appear in a log line in a certain order to match.
I call these lists ‘detection pads’ in my script and process each log line character by character. I check if each character matches the first element of the detection pads. If the character matches a character in one of the detection pads, a pointer moves forward.
When the pointer reaches the end of the list, the detection triggered and the script prints the file name, the complete log line, the detected string and the number of the line in the file.
I’ve included a decoder for URL based encodings. If we need more, please let me know.
usage: log4shell-detector.py [-h] [-p path [path ...] | -f path [path ...] | --auto] [-d distance] [--quick] [--debug] [--summary]
Log4Shell Exploitation Detectors
-h, --help show this help message and exit
-p path [path ...] Path to scan
-f path [path ...] File to scan
--auto Automatically evaluate locations to which logs get written and scan these folders recursively (new default if no path is given)
-d distance Maximum distance between each character
-c check_usage Check log4j usage before launching the scan
--debug Debug output
--defaultpaths Scan a set of default paths that should contain relevant log files.
--quick Skip log lines that don't contain a 2021 or 2022 time stamp
--debug Debug output
--summary Show summary only
--silent Silent Mode. Only output on matches and errors
Make sure that the target systems on which you’d like to run log4shell-detector has python installed: python -V and see if Python 3 is available python3 -V
Download this Repo by clicking “Code” > “Download ZIP”
Extract the package and bring othe comlete package to the target system (e.g. with scp)
Run it with python3 log4shell-detector.py -p /var/log (if python3 isn’t available use python)
If your applications log to a different folder than /var/log find out where the log files reside and scan these folders. Find locations to which apps write logs with lsof | grep '\.log'.
Review the results (see FAQs for details)
You can also use the playbook.yml which copies the needed files on the server, runs the script and only shows something if a match was found.
If none of these commands returned a result, you should be safe.
My applications use log4j and I’ve found evidence of exploitation attempts? Am I compromised?
It is possible, yes. First check if the application that you use is actually affected by the vulnerability. Check the JAVA and log4j versions, check the vendor’s blog for an advisory or test the application yourself using canary tokens.
If your application is affected and vulnerable and you plan to do a forensic investigation,
create a memory image of that system (use e.g. VMWare’s snapshots or other tools for that)
create a disk image of that system
check the system’s outgoing network connections in your firewall logs
check the system’s crontab for suspicious new entries (/etc/crontab). If you want and can, use our free tool THOR Lite for a basic compromise assessment.
After some investigations, decide if you want and can disconnect that system from the Internet until you’ve verified that it hasn’t been compromised.
Automatically select file paths to which log files get written. (default: overwrite with -p path or -f file)
Check log4j usage before launching the exploits scan. The usage of this optional flag stop the execution of the script if there is no log4j being used in the current system, the thing that helps saving time especially when it’s about scanning an entire infrastructure.
Only checks log lines that contain a 2021 or 2022 to exclude all scanning of older log entries. We assume that the vulnerability wasn’t exploited in 2019 and earlier.
Prints a summary of matches, with only the filename and line number.
Silent Mode. Only output on matches (stdout) and errors (stderr)
Python 2 or Python 3
No further or special Python modules are required. It should run on any system that runs Python.
There are different ways how you can help.
Test it against the payloads that you find in the wild and let me know if we miss something.
Help me find and fix bugs.
Test if the scripts runs with Python 2; if not, we can add a slightly modified version to the repo.