Meraki

Community

IDS Log Entry

Solved
Einstein
Getting noticed
‎Jan 7 2025 7:10 AM
‎Jan 7 2025 7:10 AM

IDS Log Entry

I continue to get this IDS firewall log entry: 

vulnscan10.cyhy.ncats.cyber.dhs.gov

IP/port:100.27.42.250:48534

With event: Apache Log4j logging remote code execution attempt

The event is blocked.

It is directed to a SINGLE internal server NOT open to the internet.  It appears to be a valid website. My concerns are,

1) How does this website even know about this particular server? ........it's rhetorical. 

2) Why is it trying to run code on it? again rhetorical. 

 

I am just at a loss to this. Server scanned, all clean. It is a new server that was added in the last year, new OS.

I cannot find anything in event log on this server that coincides with this, would give any hint as to why something on the outside is trying to get to it. 

Thank you all in advanced!

Anyone else seeing this?

0 Kudos
1 Accepted Solution
RWelch
Kind of a big deal
Kind of a big deal
‎Jan 7 2025 7:24 AM
‎Jan 7 2025 7:24 AM

The IDS log indicates: The event is (was) blocked.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

View solution in original post

0 Kudos
4 Replies 4
RWelch
Kind of a big deal
Kind of a big deal
‎Jan 7 2025 7:24 AM
‎Jan 7 2025 7:24 AM

The IDS log indicates: The event is (was) blocked.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to RWelch
Einstein
Getting noticed
‎Jan 7 2025 7:37 AM
‎Jan 7 2025 7:37 AM

I agree and happy, it was blocked. I am puzzled as to how this outside website even knows about this server, as it is totally cut off from the outside world.  A little wary it's from DHS.gov.....lol

Thank you RWelch, appreciate it!

 

 

0 Kudos
In response to Einstein
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 7 2025 1:06 PM
‎Jan 7 2025 1:06 PM

Are you sure you don't have nat or port forward configured?

Have you got NO-NAT enabled?

In response to PhilipDAth
Einstein
Getting noticed
‎Jan 8 2025 5:44 AM
‎Jan 8 2025 5:44 AM

We do have some port forwards for several servers, but nothing forwarded to this server.  We run some client VPN connections; NO-NAT is not enabled. No local users have rights to this server.  Just very odd that the IP, FQDN of this IDS alert resolves to dhs.gov on AWS. These events were just Monday and yesterday. Nothing today. I did upgrade firmware to 211.4 last night, may have fixed that issue but not our speed issue. Our internet speeds are still very low coming through our MX250. I might open a ticket today. We have gig/gig fiber. Before new firmware we were getting 900/200. Today I am getting 500/200.  Not good. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.