Haven't yet been seeing this with #log4j but be aware that LD_PRELOAD rootkits are circulating in the wild. Use of LD_PRELOAD is uncommon, so spot suspicious processes with "grep -l LD_PRELOAD /proc/[0-9]*/environ"
gwillem @gwillem
13 Dec 2021
Replying to @hal_pomeranz @CraigHRowland
FYI recent malware uses LD_PRELOAD to hide behind legit exe paths. sansec.io/research/nginrat
1
2
9
You want to see what LD_PRELOAD is set to? "grep -l LD_PRELOAD /proc/[0-9]*/environ | while read file; do echo $file:; cat $file | tr \\000 \\n | grep LD_PRELOAD; echo; done"

Dec 13, 2021 · 7:38 PM UTC
1
7