log4shell-detector

False alarms?

Open rennis250 opened this issue 2 years ago • 2 comments

First off, many thanks for this great tool in this terrible situation!

Sorry if this is the wrong place to raise this, but it seems we might be getting false alarms on our system. I have run the detector a few times on /var/log and every time, it reports three lines as attempts in a cdebconf file, but the deobfuscated string is different each time.

Here are three examples:

[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:rmi: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 65224 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-ku.UTF-8: Cîhaza ku hatiye hilbijartin partîsiyonên ji bo cîhazên RAiD dihundirîne. Ew cîhaz û partîsiyon dê werin rakirin:\n\nCîhaza Software RAID li bêr rakirinê ye: ${REMOVED_DEVICES}\n\nPartition ji hêla van cîhazên RAID ve hat bikaranîn: ${REMOVED_PARTITIONS}\n\nNîşe: Her wisa evê her tim hemû daneyên li ser cîhazên RAID yên nivîsbarî jê bibe.
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58996 DEOBFUSCATED_STRING: ${jndi:nis: LINE: Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}
[!] FILE: /var/log/installer/cdebconf/templates.dat LINE_NUMBER: 58910 DEOBFUSCATED_STRING: ${jndi:dns: LINE: Extended_description-eo.UTF-8: Resumo de la nuna LVM-agordo:\n\n Liberaj Konkretaj Datumportiloj:  ${FREE_PVS}\n Uzataj Konktretaj Datumportiloj:  ${USED_PVS}\n Datumportilaj Grupoj:             ${VGS}\n Logikaj Datumportiloj:            ${LVS}

In addition, the file has not been touched since 2015:

-rw------- 1 root root 14M Mar 18  2015 /var/log/installer/cdebconf/templates.dat

Everything else, including your quick tests to check for log4j (thanks very much for those, too!), indicates that our systems should hopefully be unaffected by the log4j vuln.

Best wishes, Rob

rennis250 avatar Dec 16 '21 21:12 rennis250
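As an added illustration (not the log4shell-detector source, whose matching logic is not quoted in this thread), the small gap-tolerant matcher below shows how a benign debconf template line full of `${VAR}` placeholders and long localized words can be "deobfuscated" into `${jndi:nis:`, and how a span/density check separates such scattered hits from a contiguous lookup. The gap limit of 40, the density threshold and the placeholder host in the test line are assumptions.

```python
# Constructed illustration, not the log4shell-detector source: a gap-tolerant
# matcher that accepts the characters of a JNDI lookup prefix appearing in
# order with unrelated characters in between. The prefixes are the ones that
# appear in the report above.
PATTERNS = ["${jndi:dns:", "${jndi:nis:", "${jndi:rmi:"]

def fuzzy_find(line, pattern, max_gap):
    """Return the positions of pattern's characters in line (case-insensitive)
    if they occur in order with at most max_gap other characters between
    consecutive matches, else None. Every '$' is tried as a start position."""
    text = line.lower()
    start = text.find(pattern[0])
    while start != -1:
        positions = [start]
        pos = start
        for ch in pattern[1:]:
            # search window: the max_gap characters following the last hit
            hit = text.find(ch, pos + 1, pos + 2 + max_gap)
            if hit == -1:
                break
            pos = hit
            positions.append(pos)
        else:
            return positions
        start = text.find(pattern[0], start + 1)
    return None

def classify(line, max_gap=40):
    """First matching pattern with its match span and character density
    (pattern length / span). A density near 1.0 is a contiguous lookup; a low
    density means the letters were collected from unrelated surrounding text."""
    for pattern in PATTERNS:
        positions = fuzzy_find(line, pattern, max_gap)
        if positions:
            span = positions[-1] - positions[0] + 1
            return pattern, span, round(len(pattern) / span, 2)
    return None

# Sample inputs. BENIGN is the Slovenian templates.dat line quoted in the issue
# (the "\n" are literal backslash-n in the file, hence the raw string).
# PAYLOAD is a constructed test line with a placeholder host.
BENIGN = r"Extended_description-sl.UTF-8: Povzetek trenutne nastavitve LVM:\n\n Prosti fizični nosilci:  ${FREE_PVS}\n Uporabljeni fizični nosilci:  ${USED_PVS}\n Skupine nosilcev:          ${VGS}\n Logični nosilci:        ${LVS}"
PAYLOAD = "GET /?q=${jndi:dns://placeholder.invalid/x} HTTP/1.1"

if __name__ == "__main__":
    for name, line in (("benign", BENIGN), ("payload", PAYLOAD)):
        print(name, "gap=40:", classify(line, 40), "gap=5:", classify(line, 5))
```

With a 40-character gap the benign line yields `${jndi:nis:` at a density around 0.1, exactly the kind of hit reported above, while a gap of 5 or a density floor of, say, 0.5 keeps the contiguous test line and drops the template text.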

Strange. I cannot reproduce these matches.

Neo23x0 avatar Dec 16 '21 23:12 Neo23x0

Ok, thanks. It was so far found on two of our Ubuntu servers (both 16.04.7 LTS; yes, we need to upgrade...): same file, different lines in the file on each server, but same line content, both files from 2013-2015.

I re-ran it with Python 2, just in case that was an issue, but Python 2 chokes on the Unicode bytes it seems:

/var/log/installer/cdebconf/templates.dat
Traceback (most recent call last):
  File "log4shell-detector.py", line 312, in <module>
    detections = l4sd.scan_path(path)
  File "log4shell-detector.py", line 193, in scan_path
    print('[!] FILE: %s LINE_NUMBER: %s DEOBFUSCATED_STRING: %s LINE: %s' % (match, line_number, matches[match][line_number][1], matches[match][line_number][0]))
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc3 in position 32: ordinal not in range(128)

And Python versions are:

Python 3.5.2
Python 2.7.12

- Rob

rennis250 avatar Dec 16 '21 23:12 rennis250