
Primary language: Go. License: GNU General Public License v3.0 (GPL-3.0).

log4shell-detector

Proof-of-concept detector for exploitation of log4shell through an LDAP JNDI service provider. It inspects network traffic sent by any Java process and compares what is sent with what the JNDI lookup code generates.
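As an added illustration of the matching idea (this is example code written for this page, not the project's own detector, which compares the raw bytes it hooks against what the lookup code sends), the block below decodes a captured LDAP message and checks whether it has the shape of a JNDI lookup. The signature it applies is an assumption: a base-object search with a "present" filter on `objectClass`, i.e. `(objectClass=*)`, which is how an LDAP lookup of a single entry is issued. The `SampleSearchRequest` bytes are hand-assembled for the example rather than taken from a capture, and the names `ParseSearchRequest`, `LooksLikeJNDILookup` and `SearchShape` are this example's own.

```go
package main

import "errors"

// BER tags used here: universal types plus LDAP's [APPLICATION 3] SearchRequest
// and [7] "present" filter tags.
const (
	tagInteger, tagOctetString, tagEnumerated, tagSequence = 0x02, 0x04, 0x0a, 0x30
	tagSearchRequest = 0x63 // [APPLICATION 3], constructed
	tagPresentFilter = 0x87 // Filter CHOICE [7] present, primitive
	scopeBaseObject  = 0
)

// tlv is one BER tag-length-value element.
type tlv struct {
	tag   byte
	value []byte
}

// readTLV decodes the element at the front of buf and returns it with the
// remaining bytes. Definite lengths up to two length bytes are handled.
func readTLV(buf []byte) (tlv, []byte, error) {
	if len(buf) < 2 {
		return tlv{}, nil, errors.New("short buffer")
	}
	tag, l, off := buf[0], int(buf[1]), 2
	if l&0x80 != 0 {
		n := l & 0x7f
		if n == 0 || n > 2 || len(buf) < 2+n {
			return tlv{}, nil, errors.New("unsupported length encoding")
		}
		l = 0
		for i := 0; i < n; i++ {
			l = l<<8 | int(buf[2+i])
		}
		off += n
	}
	if len(buf) < off+l {
		return tlv{}, nil, errors.New("truncated element")
	}
	return tlv{tag: tag, value: buf[off : off+l]}, buf[off+l:], nil
}

// SearchShape holds the SearchRequest fields that matter for detection.
type SearchShape struct {
	BaseDN     string
	Scope      int
	FilterAttr string // attribute of a "present" filter; empty for other filter types
}

// ParseSearchRequest decodes one LDAPMessage. It returns nil without error when
// the protocolOp is not a SearchRequest, and an error on malformed input.
func ParseSearchRequest(msg []byte) (*SearchShape, error) {
	outer, _, err := readTLV(msg)
	if err != nil || outer.tag != tagSequence {
		return nil, errors.New("not an LDAPMessage")
	}
	id, rest, err := readTLV(outer.value)
	if err != nil || id.tag != tagInteger {
		return nil, errors.New("missing messageID")
	}
	op, _, err := readTLV(rest)
	if err != nil {
		return nil, err
	}
	if op.tag != tagSearchRequest {
		return nil, nil // bind, unbind, etc.: not a search
	}
	// Fields in order: baseObject, scope, derefAliases, sizeLimit, timeLimit,
	// typesOnly, filter. The trailing attribute list is not needed here.
	var fields [7]tlv
	body := op.value
	for i := range fields {
		if fields[i], body, err = readTLV(body); err != nil {
			return nil, err
		}
	}
	if fields[0].tag != tagOctetString || fields[1].tag != tagEnumerated || len(fields[1].value) != 1 {
		return nil, errors.New("malformed SearchRequest")
	}
	s := &SearchShape{BaseDN: string(fields[0].value), Scope: int(fields[1].value[0])}
	if fields[6].tag == tagPresentFilter {
		s.FilterAttr = string(fields[6].value)
	}
	return s, nil
}

// LooksLikeJNDILookup applies the assumed signature: a base-object search with
// filter (objectClass=*), the way a JNDI LDAP lookup reads one entry. Any other
// Java LDAP client issuing that search matches too (the README's false-positive caveat).
func LooksLikeJNDILookup(s *SearchShape) bool {
	return s != nil && s.Scope == scopeBaseObject && s.FilterAttr == "objectClass"
}

// SampleSearchRequest is a hand-assembled LDAPMessage (messageID 2, not a capture):
// SearchRequest for base "Exploit", scope baseObject, filter (objectClass=*), no attributes.
var SampleSearchRequest = []byte{
	0x30, 0x2c, // LDAPMessage SEQUENCE, 44 bytes
	0x02, 0x01, 0x02, // messageID 2
	0x63, 0x27, // SearchRequest, 39 bytes
	0x04, 0x07, 'E', 'x', 'p', 'l', 'o', 'i', 't', // baseObject "Exploit"
	0x0a, 0x01, 0x00, // scope baseObject (byte 18 of the message)
	0x0a, 0x01, 0x00, // derefAliases neverDerefAliases
	0x02, 0x01, 0x00, // sizeLimit 0
	0x02, 0x01, 0x00, // timeLimit 0
	0x01, 0x01, 0x00, // typesOnly FALSE
	0x87, 0x0b, 'o', 'b', 'j', 'e', 'c', 't', 'C', 'l', 'a', 's', 's', // present filter on objectClass
	0x30, 0x00, // attributes: empty
}
```

Matching on the decoded shape rather than on exact bytes makes the check tolerant of differing message IDs and base DNs, but it inherits the same limitation the README lists: any Java code that legitimately performs a base-object `(objectClass=*)` search will trigger it, so the Java process name reported alongside the match is what lets an analyst tell the two apart.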

Tested against a local environment being "exploited" using

Caveats

Since this is looking specifically for LDAP traffic it:

  • May create false positives if other Java code/applications happen to issue this exact same LDAP search request
  • Cannot detect exploitation using an LDAPS (LDAP over SSL/TLS) provider
  • Cannot detect exploitation using any other potentially vulnerable provider
  • Cannot detect simple envvar exfiltration going on using any provider (e.g. as mentioned here)

And finally, due to the way this hooks network traffic it's (currently) unable to provide the target hostname/IP that the LDAP connection was made to. It can only tell what Java process made the suspicious connection.

Alternative Things