Intro

This is how I checked for log4j on my systems.

Since the log4j jar file can be included in so many places, the best one can do is to scan the web server logs to see whether anybody has taken an interest in your system, and to check whether log4j has been installed as a stand-alone app on the server.

Apps may include integrated log4j bits. For such hidden pieces of log4j, you may need to check with the app manufacturer instead.

 

Checking for scanners

Create a file with this content, and run it as root.

log4j_check.sh:

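#!/bin/bash

# Search uncompressed files in /var/log and all subfolders for exploitation attempts.
# Only the plain ${jndi:...} form is matched; a lookup wrapped in other ${...} expressions is not.
# '.+' matches the rest of the line (the original '[^\n]+' excluded the characters '\' and 'n', not a newline).
sudo grep -E -i -r '\$\{jndi:(ldaps?|rmi|dns):/.+' /var/log

# Search compressed files in /var/log and all subfolders for exploitation attempts.
# 'xargs -r' skips zgrep when no .gz file is found, so zgrep never waits on stdin.
sudo find /var/log -name '*.gz' -print0 | xargs -0 -r zgrep -E -i '\$\{jndi:(ldaps?|rmi|dns):/.+'

exit 0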

 

 

Checking for log4j instances on the system

Create a file with this content, and run it as root.

check_for_log4j.sh:

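#!/bin/bash

echo "checking for log4j vulnerability..."
# locate reads the database built by updatedb, so files added since the last update are not listed.
# log4js is an unrelated JavaScript library and is filtered out.
if [ "$(locate log4j | grep -v log4js)" ]; then
    echo "### maybe vulnerable, those files contain the name:"
    locate log4j | grep -v log4js
fi
# Installed Debian/Ubuntu packages with log4j in the name (same log4js filter as the test above).
if [ "$(dpkg -l | grep log4j | grep -v log4js)" ]; then
    echo "### maybe vulnerable, installed packages:"
    dpkg -l | grep log4j | grep -v log4js
fi
# command -v is the portable replacement for which.
if [ "$(command -v java)" ]; then
    echo "java is installed, so note that Java applications often bundle their libraries inside jar/war/ear files, so there still could be log4j in such applications."
fi
echo "If you see no output above this line, you are safe. Otherwise check the listed files and packages."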
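
The script above can only warn that Java applications bundle libraries inside jar/war/ear files, which locate and dpkg never see. The following scan looks inside those archives. It is an added example, not part of the original scripts; the file name find_bundled_log4j.sh and the function names are assumptions, and it reports that log4j-core is present, not whether that copy is a vulnerable version.

```bash
#!/bin/bash
# Added example, not part of the original page.
# jar/war/ear files are ZIP archives, and ZIP stores entry names uncompressed,
# so a binary-safe grep over the archive bytes finds a bundled log4j-core
# without unpacking anything. A jar nested inside a compressed entry of
# another archive is not seen; unpack such archives by hand.

# Class that implements the JNDI lookup in log4j-core 2.x. It is also present
# in shaded/uber jars, whatever the jar file itself is called.
JNDI_CLASS='org/apache/logging/log4j/core/lookup/JndiLookup.class'
# Entry name of a log4j-core jar bundled inside a war/ear/fat jar.
NESTED_JAR='log4j-core-[0-9][0-9A-Za-z.-]*\.jar'

# classify_archive FILE
# Prints one finding line and returns 0 if FILE carries log4j-core, else returns 1.
classify_archive() {
    if grep -a -q -F "$JNDI_CLASS" "$1"; then
        echo "class:$1"
        return 0
    fi
    nested=$(grep -a -o -E "$NESTED_JAR" "$1" | sort -u | tr '\n' ',')
    if [ -n "$nested" ]; then
        echo "nested:${nested%,}:$1"
        return 0
    fi
    return 1
}

# scan_tree DIR
# Classifies every jar/war/ear below DIR; returns 0 if there is at least one finding.
scan_tree() {
    hits=$(find "$1" -xdev -type f \
        \( -iname '*.jar' -o -iname '*.war' -o -iname '*.ear' \) -print 2>/dev/null |
        while IFS= read -r f; do classify_archive "$f" || true; done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Scan the directory given on the command line, e.g. ./find_bundled_log4j.sh /opt
if [ "$#" -gt 0 ]; then
    scan_tree "$1" || echo "no log4j-core found under $1"
fi
```

A "nested:" line carries the version in the bundled jar's name; for a "class:" line, read the version from the archive's own name or its manifest.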

 

 

Sources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
https://logging.apache.org/log4j/2.x/
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://www.randori.com/blog/cve-2021-44228/
https://serverfault.com/questions/1086065/how-do-i-check-if-log4j-is-installed-on-my-server
https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

 

 

 

 

 

 

 

 
