Identifying threat actors from server access logs
To understand how to identify threat actors, we will use the well-known example of the Apache Log4j vulnerability. We are using this specific example because it is so aggressively targeted that you will almost certainly find attempts to exploit it in your own logs, even if your site is not vulnerable to it. There are several reasons why the Log4j vulnerability is dangerous:
- It provides a frictionless way for a threat actor to get their own code onto your site: a crafted string in a request that Log4j then logs is enough, which is why the evidence turns up in the Apache access logs
- Log4j is ubiquitous, so threat actors are very likely to attempt to exploit this vulnerability, regardless of whether your Moodle site actually uses Log4j
- Proofs of concept (PoCs) are easy to find, meaning someone with very little experience can attempt to attack a site
To identify a threat actor attempting to exploit the Log4j vulnerability, we need to look in the server access logs. Here is an example...