I’m worried about an external IP accessing my network: 188.8.131.52
It is synchronized with the OpenVAS scan: every time it executes a Log4J scan this IP shows up in my network,
So, is this IP (184.108.40.206) some server where OpenVAS gets its updates?
Hi and welcome to the community!
This IP is not associated in any way with Greenbone. Furthermore, the scanner is not contacting any IPs other than the ones set as targets to scan.
To give you some details about active (trying actively to show the presence of the vulnerability on the target) Log4J checks:
The scanner is trying to get a connection back from the application by sending crafted requests (e.g. via HTTP) to the target including known payloads.
If the application is affected it will try to connect back to the scanner to a certain TCP port (currently in the range of 10000-32000) which the scanner will be looking for and report accordingly.
There might be other IPs than the scanned one which will reply to a Log4J scan, depending on the affected application and its configuration (e.g. the request/payload gets passed to other systems where the actual processing will be done, finally doing a connection back to the scanner), which might even be outside of your scanned network range.
Hope this gives you some clarification and maybe further pointers to investigate…
Looking further at external sources like https://www.abuseipdb.com/check/220.127.116.11 shows that there are generally Log4Shell scans done from that IP.
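The reply above describes what a Log4J callback looks like from the network side: a host that received the crafted request opens a TCP connection back to the scanner on a port in the 10000-32000 range, and that host is not necessarily the scanned target. The following triage helper is an added example (not Greenbone code, not from the original thread) that turns that description into a log check a defender can run: it reads connection-log lines, keeps only TCP connections to a port in that range during the scan window, and sorts them into callbacks from the scanned target, callbacks from some other internal host (the "request got passed on" case), and connections to an external address that is not the scanner at all, which is the bucket the question in this thread falls into. The log format, the scanner address 10.0.0.2, the target 10.0.0.5, the external address 203.0.113.9 and the timestamps are all constructed for the example.

```python
"""Sort outbound high-port connections seen during a Log4J scan window.

Added example: classifies connection-log lines against the callback
behaviour described in the thread (target -> scanner, TCP 10000-32000).
All addresses, the log format and the scan window are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Port range the scanner listens on for callbacks (from the reply above).
CALLBACK_PORTS = range(10000, 32001)


@dataclass
class Conn:
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse the constructed format: '<iso-ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), proto, src_ip, dst_ip, int(dport))


def classify_callbacks(lines, scanner_ip, scanned_targets, internal_nets,
                       scan_start, scan_end):
    """Bucket connections that match the callback pattern.

    from_target       -> callback from a host we asked the scanner to test
    from_other_host   -> callback from an internal host that was not a target
                         (the request was handed on to another system)
    to_other_external -> high-port connection to an address that is not the
                         scanner; unexplained by the scan, investigate separately
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    targets = set(scanned_targets)

    def is_internal(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    result = {"from_target": [], "from_other_host": [], "to_other_external": []}
    for line in lines:
        conn = parse_line(line)
        if conn.proto != "TCP" or conn.dport not in CALLBACK_PORTS:
            continue  # not the callback pattern
        if not scan_start <= conn.ts <= scan_end:
            continue  # outside the scan window, unrelated to this scan
        if not is_internal(conn.src):
            continue  # only outbound connections from our own hosts matter here
        if conn.dst == scanner_ip:
            bucket = "from_target" if conn.src in targets else "from_other_host"
        elif not is_internal(conn.dst):
            bucket = "to_other_external"
        else:
            continue  # internal-to-internal high-port traffic, not a callback
        result[bucket].append(conn)
    return result


# Constructed sample log: scanner is 10.0.0.2, the only scanned target is 10.0.0.5.
SAMPLE_LOG = """\
2022-01-10T10:00:05 TCP 10.0.0.5:44123 -> 10.0.0.250:8080
2022-01-10T10:00:07 TCP 10.0.0.5:44200 -> 10.0.0.2:31337
2022-01-10T10:00:09 TCP 10.0.0.7:50001 -> 10.0.0.2:12345
2022-01-10T10:00:11 TCP 10.0.0.5:44300 -> 203.0.113.9:443
2022-01-10T10:00:13 TCP 10.0.0.5:44301 -> 203.0.113.9:20000
2022-01-10T11:30:00 TCP 10.0.0.5:44400 -> 10.0.0.2:15000
""".splitlines()

SCAN_START = datetime(2022, 1, 10, 10, 0, 0)
SCAN_END = datetime(2022, 1, 10, 10, 30, 0)


def triage_sample():
    """Run the classifier over the constructed log with the constructed scan parameters."""
    return classify_callbacks(SAMPLE_LOG, scanner_ip="10.0.0.2",
                              scanned_targets=["10.0.0.5"],
                              internal_nets=["10.0.0.0/8"],
                              scan_start=SCAN_START, scan_end=SCAN_END)


if __name__ == "__main__":
    for bucket, conns in triage_sample().items():
        print(bucket)
        for c in conns:
            print(f"  {c.ts.isoformat()} {c.src} -> {c.dst}:{c.dport}")
```

In the sample, the 31337 connection from the target and the 12345 connection from 10.0.0.7 are both explained by the scan (the second one is exactly the "other system does the processing" case from the reply), while the connection to 203.0.113.9:20000 is not: the scanner never initiates traffic to anything but its targets, so a high-port connection to an unrelated external address during the scan window needs its own explanation.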