Skip to content

Instantly share code, notes, and snippets.

@blotus

blotus/log4j_exploitation_attempts_crowdsec.md

Last active December 29, 2023 12:24
Show Gist options
  • Star 88 You must be signed in to star a gist
  • Fork 8 You must be signed in to fork a gist
  • Save blotus/f87ed46718bfdc634c9081110d243166 to your computer and use it in GitHub Desktop.
Save blotus/f87ed46718bfdc634c9081110d243166 to your computer and use it in GitHub Desktop.
Download ZIP
IPs exploiting the log4j2 CVE-2021-44228 detected by the crowdsec community
Raw
log4j_exploitation_attempts_crowdsec.md

This list is no longer updated, thus the information is no longer reliable.

You can see the latest version (from october 2022) here

@stefan-datagrid
Copy link

The following IPs are registered on behalf of datagridsurface.com which can be checked with a simple lookup

172.104.230.136,scan4.datagridsurface.com.
172.104.230.214,scan5.datagridsurface.com.
172.104.230.234,scan2.datagridsurface.com.
172.104.230.246,scan3.datagridsurface.com.
172.104.230.25,scan1.datagridsurface.com.
194.233.160.160,scan6.datagridsurface.com.
194.233.160.161,scan9.datagridsurface.com.
194.233.160.162,scan7.datagridsurface.com.
194.233.160.164,scan8.datagridsurface.com.
194.233.160.165,scan10.datagridsurface.com.

@avipars
Copy link

avipars commented Nov 1, 2022

194.163.182.89 is trying other fuzzing techniques besides log4j

@mazzma12
Copy link

mazzma12 commented Nov 2, 2022

194.163.182.89 is trying other fuzzing techniques besides log4j

You're right @avipars - this is actually reported on CrowdSec CTI page which you can find here : https://app.crowdsec.net/cti/194.163.182.89

@avipars
Copy link

avipars commented Nov 3, 2022

194.163.182.89 is trying other fuzzing techniques besides log4j

You're right @avipars - this is actually reported on CrowdSec CTI page which you can find here : https://app.crowdsec.net/cti/194.163.182.89

are you working for them? the page is behind a paywall... please share the details here

@mazzma12
Copy link

mazzma12 commented Nov 3, 2022

194.163.182.89 is trying other fuzzing techniques besides log4j

You're right @avipars - this is actually reported on CrowdSec CTI page which you can find here : https://app.crowdsec.net/cti/194.163.182.89

are you working for them? the page is behind a paywall... please share the details here
Hey @avipars
There is no paywall, it just requires creating a free account (only user email and password are necessary). Then you can use the Console to monitor your CrowdSec instances - if you have any - or to explore the CTI - an API is also available

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment