There may be earlier exploitation, but “find / -mtime -4” is a good way to look for weekend #log4j carnage on your Linux servers. RCE is likely unprivileged, so focus first on [/var]/tmp, /dev/shm, and similar world-write directories.

doesn’t that cover only the last 4 hours? Just making sure I understand the command correctly. Maybe you wanted to write -48? Sorry if that question is silly.