Neo23x0/log4shell-detector

"Exploitation attempt detected", but pattern not in DETECTION_STRINGS. False positive?

busch opened this issue · 3 comments

busch commented

log4shell-detector.py detects an exploitation attempt via pattern ${jndi:ldap: in a log file but the pattern is not in the log:

[!!!] Exploitation attempt detected FILE: /var/log/firstboot/vpxd-svcs_firstboot.py_24133_stdout.log LINE_NUMBER: 22 LINE: 2021-03-12T00:12:10.861Z ['# invsvc cisreg props\n', 'solutionUser.name = ${solution-user.name}\n', 'solutionUser.ownerId = ${solution-user.name}@${vmdir.domain-name}\n', 'cmreg.serviceid = ${invsvc.service-id}\n', '# invsvc registration spec properties\n', 'serviceVersion = 1.0\n', 'ownerId = ${solution-user.name}@${vmdir.domain-name}\n', 'serviceType.product = com.vmware.cis\n', 'serviceType.type = cs.inventory\n', 'serviceNameResourceKey = cs.inventory.ServiceName\n', 'serviceDescriptionResourceKey = cs.inventory.ServiceDescription\n', 'serviceGroupResourceKey = cs.inventory.servicegroupresource\n', 'serviceGroupInternalId = cs\n', 'controlScriptPath = ${controlscript.path}\n', 'hostId = ${sca.hostid}\n', 'endpoint0.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc\n', 'endpoint0.type.protocol = http\n', 'endpoint0.type.id = com.vmware.cis.inventory\n', 'endpoint1.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vmomi/sdk\n', 'endpoint1.type.protocol = vmomi\n', 'endpoint1.type.id = com.vmware.cis.inventory.server\n', 'endpoint2.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vmomi/sdk\n', 'endpoint2.type.protocol = vmomi\n', 'endpoint2.type.id = com.vmware.cis.tagging.server\n', 'endpoint3.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/vapi\n', 'endpoint3.type.protocol = vapi.json.https\n', 'endpoint3.type.id = com.vmware.cis.inventory.vapi\n', 'endpoint3.data0.key = com.vmware.vapi.metadata.metamodel.file.authz\n', 'endpoint3.data0.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_metamodel.json\n', 'endpoint3.data1.key = com.vmware.vapi.metadata.authentication.file.authz\n', 'endpoint3.data1.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_authentication.json\n', 'endpoint3.data2.key = com.vmware.vapi.metadata.routing.file.authz\n', 'endpoint3.data2.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_routing.json\n', 'endpoint3.data3.key = com.vmware.vapi.metadata.metamodel.file.tagging\n', 'endpoint3.data3.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_metamodel.json\n', 'endpoint3.data4.key = com.vmware.vapi.metadata.authentication.file.tagging\n', 'endpoint3.data4.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_authentication.json\n', 'endpoint3.data5.key = com.vmware.vapi.metadata.cli.file.tagging\n', 'endpoint3.data5.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/tagging/com.vmware.cis.tagging_cli.json\n', 'endpoint4.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}\n', 'endpoint4.type.protocol = gRPC\n', 'endpoint4.type.id = tagging\n', 'endpoint4.data0.key = cis.common.ep.localurl\n', 'endpoint4.data0.value = http://localhost:##{TAGGING_GRPC_PORT}##\n', 'attribute0.key = Syncable\n', 'attribute0.value = ELM,SPOG\n', 'attribute1.key = Subscribable\n', 'attribute1.value = true\n', 'health.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-health\n', 'resourcebundle.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-resource\n', 'resourcebundle.data0.key = com.vmware.cis.common.resourcebundle.basename\n', 'resourcebundle.data0.value = cs.inventory.ResourceBundle\n', '# reverse proxy configuration\n', 'rhttpproxy.file = invsvc-proxy.conf\n', 'rhttpproxy.endpoint0.namespace = /invsvc\n', 'rhttpproxy.endpoint0.connectionType = local\n', 'rhttpproxy.endpoint0.address = ${vpxd-svcs.int.http}\n', 'rhttpproxy.endpoint0.httpAccessMode = redirect\n', 'rhttpproxy.endpoint0.httpsAccessMode = allow\n'] DEOBFUSCATED_STRING: ${jndi:ldap:

Ah, interesting. I'll add a maximum distance between the characters in the detection pad. It'll take some time.

Okay, should be fixed with 426b3b1

Had to fix more issues
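The gap-limited matching the maintainer describes, as an added example that is not the project's own code: it walks a line character by character the way the detector does, once with unlimited skipping (which reproduces the false positive on a line modelled on the one quoted above) and once with a maximum gap between consecutive pattern characters. MAX_GAP = 3, the DETECTION_STRINGS subset and both sample lines are assumptions of this example.

```python
"""Character-walk detection with and without a maximum gap between hits.

Added example, not the code of log4shell-detector. It models the behaviour
the issue describes: a detection string is matched by walking the log line
and advancing a pointer whenever the next expected character appears, so
without a gap limit a line that merely contains the pattern's characters in
order (many ${...} placeholders, a .json path, several https: URLs) alerts.
"""

# Assumed subset of the detection strings; the issue only shows ${jndi:ldap:.
DETECTION_STRINGS = ["${jndi:ldap:", "${jndi:rmi:"]
MAX_GAP = 3  # assumed: non-matching characters tolerated between two hits


def subsequence_match(line: str, pattern: str, max_gap=MAX_GAP) -> bool:
    """True if `pattern` can be read from `line` left to right, skipping at
    most `max_gap` characters between consecutive pattern characters.
    max_gap=None reproduces the unlimited skipping behind the false positive."""
    line, pattern = line.lower(), pattern.lower()
    active = []  # partial matches as [next_index, chars_skipped_since_last_hit]
    for c in line:
        nxt = [[1, 0]] if c == pattern[0] else []  # every '$' may start a match
        for level, gap in active:
            if c == pattern[level]:
                nxt.append([level + 1, 0])
            elif max_gap is None or gap < max_gap:
                nxt.append([level, gap + 1])
            # otherwise this partial match has drifted too far apart: drop it
        if any(level == len(pattern) for level, _ in nxt):
            return True
        active = nxt
    return False


def scan_line(line: str, max_gap=MAX_GAP) -> list:
    """Return the detection strings found in `line` (empty list means clean)."""
    return [p for p in DETECTION_STRINGS if subsequence_match(line, p, max_gap)]


# Constructed line modelled on the vCenter firstboot log quoted in the issue.
BENIGN_LINE = (
    "2021-03-12T00:12:10.861Z ['solutionUser.name = ${solution-user.name}', "
    "'endpoint3.data0.value = /usr/lib/vmware-vpxd-svcs/vapi-metadata/authz/authz_metamodel.json', "
    "'endpoint4.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}', "
    "'endpoint4.type.protocol = gRPC', 'attribute0.value = ELM,SPOG', "
    "'health.url = https://${system.urlhostname}:${rhttpproxy.ext.port2}/invsvc/invsvc-health']"
)
# Constructed request line carrying the detection string contiguously.
SUSPICIOUS_LINE = "GET /search?q=${jndi:ldap://ldap-host.invalid/x} HTTP/1.1"
```

With max_gap=None, scan_line(BENIGN_LINE) reports ${jndi:ldap: although the line only contains those characters scattered across placeholders and URLs; with the gap limit it returns an empty list while SUSPICIOUS_LINE is still flagged.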