#Local Webserver Logs

Looks like jndi:dns// may be apart of the query

This has happened on two different devices, both of which were running local webservers.

${cid} - ${method} ${originalUrl} - ${userAgent} ${ip} - ${statusCode} - ${new Date().getTime() - start}ms

The logs you've provided indicate that your local webserver is encountering some suspicious requests. The presence of jndi:dns// in the URLs is particularly notable because it suggests an attempt to exploit a known vulnerability, such as Log4Shell (CVE-2021-44228). This vulnerability affects the Apache Log4j 2 library, which is used for logging in many Java applications.

Here’s a breakdown of the logs and what might be happening:

1. POST /onvif/device_service - 404:

   • This indicates a POST request to /onvif/device_service which results in a 404 error. The onvif part suggests it may be targeting a device or service that uses the ONVIF standard, often used in IP cameras and surveillance systems.

2. GET / - 404:

   • A simple GET request to the root path of your server, resulting in a 404 error. This might be a scan to check if the server is alive or to find more information.

3. GET /%24%7Benv%3ATEST%3A-j%7Dndi%3A%24%7Benv%3ATEST%3A-d%7D%24%7Benv%3ATEST%3A-n%7D%24%7B%3A%3A-s%7D%3A%2F%2F192.168.1.254... - 404:

   • This URL seems to be attempting to exploit the JNDI lookup feature. The %24%7B sequences are URL-encoded characters representing ${}, often used in exploits to reference environment variables in vulnerable systems.

4. POST / - 404:

   • Another POST request to the root path of your server, resulting in a 404 error.

Recommendations:
Update Software: Ensure all your software, especially those using Log4j, are updated to the latest versions. Patches for Log4Shell have been released.

Harden the Server: Configure your server to minimize exposure. Disable any unnecessary services and ports. Implement firewall rules to restrict access.

Review and Sanitize Inputs: Validate and sanitize all inputs to your webserver to prevent any form of injection attacks.

Monitor Logs: Keep an eye on your logs for unusual activity. Set up alerts for suspicious patterns.

Security Tools: Utilize security tools and scanners to check for vulnerabilities. Tools like nmap, OpenVAS, and specific Log4Shell scanners can help identify weak points.

Network Segmentation: Isolate your development and production environments to limit the spread of potential breaches.

Consult Documentation: Refer to the documentation of the services and frameworks you're using for specific security recommendations.

These steps should help you identify and mitigate potential security issues with your local webserver.

I suppose this is more worrying because it is a local webserver, in which some of the recommendations don't quite apply.