2021-12-12: visiting this site because you saw a log4j JNDI request for friendly-test.<SHA1HASH>.dns.cyberwar.nl?

Don't worry: that request is (intended as) a friendly test. If a system is potentially vulnerable to Log4Shell (CVE-2021-44228), its owner will be informed as soon as possible.

I'm a volunteer at the non-profit Dutch Institute for Vulnerability Disclosure (DIVD; Twitter: @DIVDnl), where tests are being done to detect systems potentially vulnerable to CVE-2021-44228 and inform system owners. DIVD operates in a 'no commerce, no press' setting.

The test is based on a DNS lookup: the request carries a hostname below dns.cyberwar.nl, and a system that processes the JNDI lookup will try to resolve that name. If such a lookup is observed in our logs, the system might be vulnerable. In that case, we inform the system owner via CERT channels, via the abuse contact for the IP address or domain, or via other (1-on-1) means. If you don't receive any information, your system was not detected as potentially vulnerable by this (imperfect) test. Note that this is not proof of safety: a vulnerable system whose outbound DNS is blocked, for instance, produces no lookup in our logs at all.

We have deliberated on necessity, proportionality and subsidiarity before starting scans. The test that is performed is the least intrusive test known to us: no RCE is triggered. Triggering RCE is not necessary to detect possible vulnerability (and would therefore be disproportionate), and moreover exceeds both our legal and moral boundaries. The DNS lookup-based tests are performed because of the criticality of the vulnerability, combined with the fact that bad actors are already actively scanning for and exploiting it. Like other proactive scanners, and preferably in cooperation with them and other defenders, we seek to help reduce attack surface, hopefully reducing the likelihood and incidence of criminal abuse.

A-record lookups for names below dns.cyberwar.nl receive an NXDOMAIN response: they never resolve to an IP address, so a system that performs the lookup has no address to connect to. That behavior is by design, intended as an additional safeguard.

The <SHA1HASH> value is used to associate an observed DNS lookup with the system that was probed. The token is needed because the source address of the DNS query is normally the probed network's recursive resolver, not the probed system itself.

For more information, see https://csirt.divd.nl/cases/DIVD-2021-00038/.

Note: the hosts used to perform scans (i.e., the source IPs of the requests) serve a web page on tcp/80 with a short description and contact information, as is best practice for internet scanning projects.

Cyberwar.nl

My blog is at blog.cyberwar.nl.

My RSS aggregator is at news.cyberwar.nl.

An archive of documents obtained from the public internet is kept at cyberwar.nl/d/ (because links break all too often and Lots Of Copies Keep Stuff Safe).

Reading

Miscellaneous

phibetaiota.net | lightbluetouchpaper.org | emergentchaos.com | schneier.com | shmoo.com | taosecurity.blogspot.com | conspicuouschatter.wordpress.com | blog.didierstevens.com | educatedguesswork.org | tscm.com | osvdb.org | exploit-db.com

Mailing lists

Headlines (past week) | Full Disclosure | DailyDave | Securiteam | Risks Digest | Crypto-Gram | EDRI-gram | Cipher - IEEE Security & Privacy

2012: Year of Alan Turing

[Photos: Alan Turing statue; analog computer; sign reading "This appliance shall only be operated by a trained competent person"]
These photos were taken on October 28th 2010 at The National Museum of Computing at Bletchley Park, one-time home of mathematician/codebreaker Alan Turing. 2012 marked the centenary of Turing's birth.


Last update: 2021-12-12 15:16:27.

Author: Matthijs R. Koot, or whoever you wish... I mean really, why would you trust this webpage to contain accurate claims? On the Internet one should ALWAYS question information. Be a productive skeptic!