Associated Vulnerability
Title:Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints (CVE-2021-44228)Description:Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Description
Scan your logs for CVE-2021-44228 related activity and report the attackers
Readme
# jndiRep - CVE-2021-44228
Basically a **bad** grep on even **worse** drugs.
- search for malicious strings
- decode payloads
- print results to stdout or file
- report ips (incl. logs) to AbuseIPDB
## Scanning
- Directory: `python3 jndiRep.py -d /path/to/directory`
- File: `python3 jndiRep.py -f /path/to/input.txt`
- Custom filter: `python3 jndiRep.py ... -g "ldap"`
- Threading: If scanning a directory, 4 threads will work on the files in parallel. You can change this by using `-t <threads>`.
## Output
You can either print results to a file or to stdout (includes coloring of IPs and payloads).
- stdout: `python3 jndiRep.py ...`
- file: `python3 jndiRep.py ... -o /path/to/output.txt`
## Reporting
For reporting, an API Key (hex string of length 80) for AbuseIPDB is required, which you can obtain by register at the service and request IP Reporting ability.
- Report IPs once: `python3 jndiRep.py ... -a <api key>`
- Report every occurrence: `python3 jndiRep.py ... -a <api key> --no-dedup`
- Change default comment: `python3 jndiRep.py ... -c "your custom comment"`
- Include logs: `python3 jndiRep.py ... --include-logs`
**Warning**: Reporting is provided "as is". PII will not be cut, decoded payloads will not be uploaded.
## Issues
- Create pull request with your solution
- Open an issue [here](https://github.com/js-on/jndiRep/issues) and I'll try to fix it asap
## Help
```
usage: jndiRep.py [-h] [-a API_KEY] [-d DIRECTORY] [-f FILE] [-g GREP] [-o OUTPUT] [-t THREADS] [-r] [-c COMMENT] [--include-logs] [--no-dedup]
optional arguments:
-h, --help show this help message and exit
-a API_KEY, --api-key API_KEY
AbuseIPDB Api Key
-d DIRECTORY, --directory DIRECTORY
Directory to scan
-f FILE, --file FILE File to scan
-g GREP, --grep GREP Custom word to grep for
-o OUTPUT, --output OUTPUT
File to store results. stdout if not set
-t THREADS, --threads THREADS
Number of threads to start. Default is 4
-r, --report Report IPs to AbuseIPDB with category 21 (malicious web request)
-c COMMENT, --comment COMMENT
Comment sent with your report
--include-logs Include logs in your report. PII will NOT be stripped of!!!
--no-dedup If set, report ever occurrence of IP. Default: Report only once.
```
File Snapshot
[4.0K] /data/pocs/383fbcb2e42c7b76eefdefda45f2d661a62c8a93
├── [6.4K] jndiRep.py
├── [1.0K] LICENSE
├── [2.3K] README.md
└── [ 17] requirements.txt
0 directories, 4 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →