nanog mailing list archives

Re: Log4j mitigation


From: A Crisan <alina.florar () gmail com>
Date: Mon, 13 Dec 2021 14:58:58 +0100

Hi all,

I guess what Jörg is suggesting is that beyond this particular incident, a
preventive testing/mitigation methodology would make for a great NANOG2022
presentation/workshop.

Cheers,
Dora

On Mon, Dec 13, 2021 at 2:33 PM Jean St-Laurent via NANOG <nanog () nanog org>
wrote:

I agree,

As an example that backs what you're saying, I pasted the IP provided by
Jörg in my browser.

http://45.83.64.1/

Here is the html page returned.

<html>
...
Research Scanning Project

This is a scanner of a research scanning project.

If you want to exclude your IPs from scans, please send an e-mail to
exclude () alphastrike io.

Thank you for your appreciation!
...
</html>

This IP scanner is in Germany and it looks legit, but a better
investigation is recommended.

The second host provided looks more suspicious.

blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com resolves to
104.248.51.21, which is hosted on DigitalOcean.

Here is the html output:

<html>
...
Interactsh Server
Interactsh is an open-source solution for out-of-band data extraction. It
is a tool designed to detect bugs that cause external interactions. These
bugs include, Blind SQLi, Blind CMDi, SSRF, etc.

If you find communications or exchanges with the interactsh.com server in
your logs, it is possible that someone has been testing your applications.

You should review the time when these interactions were initiated to
identify the person responsible for this testing.

...
</html>

First, it's important to gain visibility and filter the good from the
bad.

The first IP looks legit. The second could be reported to DigitalOcean for
investigation. They usually investigate very fast.

You can check for weird network flow patterns. You can also look for that
suspicious HTML file that is crawling over HTTP in clear text on your gear.

At the ISP level, visibility is a must, and patterns will clearly become easy
to identify.

I agree with Karl that perfection is the enemy of good.

Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Karl
Auer
Sent: December 13, 2021 7:55 AM
To: NANOG List <nanog () nanog org>
Subject: Re: Log4j mitigation

On Mon, 2021-12-13 at 06:35 -0600, Joe Greco wrote:
Just because there are other sources of fatalities, doesn't mean you
can't check for the quick obvious stuff.

Indeed.

One check, even an inadequate one, is better than no checks at all. And
over time you can add more checks or improve the ones you have.

Don't let "perfect" be the enemy of "good".

Regards, K.


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer () biplane com au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170
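The log check Jean describes above (look for exchanges with interactsh.com in your logs and note when they were initiated) as an added example; this is not code from the thread or from any of its posters. It assumes Apache/nginx combined-format access logs, and the sample log lines are constructed with RFC 5737 test addresses.

```python
import re
from collections import defaultdict

# Out-of-band callback domains worth flagging. interactsh.com comes from the
# thread; extend the tuple with other OOB services you know of.
OOB_DOMAINS = ("interactsh.com",)

# Apache/nginx "combined" log format: src ident user [ts] "request"
# status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def find_oob_hits(lines, domains=OOB_DOMAINS):
    """Map each source IP that put an OOB callback hostname into the request,
    referer or user-agent to its first/last log timestamp, hit count and hosts."""
    alts = "|".join(re.escape(d) for d in domains)
    host_re = re.compile(r"((?:[A-Za-z0-9-]+\.)*(?:" + alts + r"))", re.I)
    hits = defaultdict(lambda: {"first": None, "last": None, "count": 0, "hosts": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it, do not abort the whole scan
        found = {h.lower() for field in ("req", "ref", "ua")
                 for h in host_re.findall(m.group(field))}
        if not found:
            continue
        rec = hits[m.group("src")]
        rec["first"] = rec["first"] or m.group("ts")  # timestamps arrive in log order
        rec["last"] = m.group("ts")
        rec["count"] += 1
        rec["hosts"] |= found
    return dict(hits)

# Constructed sample log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Dec/2021:13:40:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2021:13:41:10 +0000] "GET /login HTTP/1.1" 200 1024 "-" '
    '"scan-test blah.c6rip779l9hq8g7hluigcg5131oyyyt8e.interactsh.com"',
    '203.0.113.9 - - [13/Dec/2021:13:42:35 +0000] "GET /api?cb=http://x1.interactsh.com/ HTTP/1.1" '
    '404 0 "-" "curl/7.79"',
    "garbage line that is not an access log entry",
]

if __name__ == "__main__":
    for src, rec in find_oob_hits(SAMPLE_LOG).items():
        print(f"{src}: {rec['count']} hit(s) from {rec['first']} to {rec['last']}: "
              f"{', '.join(sorted(rec['hosts']))}")
```

The first/last timestamps per source are what you hand to the hosting provider (DigitalOcean in the thread) when reporting, and they narrow down which application requests to review.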