Hal Pomeranz · Dec 13, 2021 · 9:39 AM UTC

Hal Pomeranz · Dec 13, 2021 · 9:39 AM UTC

Hal Pomeranz

Hal Pomeranz @hal_pomeranz

13 Dec 2021

There may be earlier exploitation, but “find / -mtime -4” is a good way to look for weekend #log4j carnage on your Linux servers. RCE is likely unprivileged, so focus first on [/var]/tmp, /dev/shm, and similar world-write directories.

Dec 13, 2021 · 9:39 AM UTC

102

Detmar · Dec 13, 2021 · 6:49 PM UTC

Detmar @d3tm4r

13 Dec 2021

Replying to @hal_pomeranz @strandjs

doesn’t that cover only the last 4 hours? Just making sure I understand the command correctly. Maybe you wanted to write -48? Sorry if that question is silly.

Hal Pomeranz · Dec 13, 2021 · 6:56 PM UTC

Hal Pomeranz @hal_pomeranz

13 Dec 2021

The units for "-mtime" etc are in days

IAMerica · Dec 14, 2021 · 12:01 AM UTC

IAMerica

@EricaZelic

14 Dec 2021

Replying to @hal_pomeranz

Except eBPF and auditD aren't xonfigured to monitor thos directories :P