
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM

Created: 05 DEC 2012 • Updated: 07 JAN 2013 | 6 comments
This issue has been solved. See the solution.

I have SEP12.1. It's running perfectly, but it's always showing [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM, and after that it shows me this msg: The client will block traffic from IP address for the next 600 seconds (from 22/01/34 12:58:30 Traffic has been blocked for this application: SYSTEM on the server and client computer. How can I fix this msg, or if it's normal, can't I stop it from showing for the client and just make it hidden, please?


Brɨan's picture

Make sure to download and install all required patches.


Go to Change Settings

Click Configure Settings next to NTP component

Click Notifications tab

Uncheck Display Intrusion Prevention notifications

Click OK

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture


Take a close look at the logs you're reviewing where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.

Also, Please check the Symantec Article below and get assisted.

OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250


Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability


You may be also interested to have a look at this Thread: 


Hope that helps you to upload all the updates on the system.!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mick2009's picture

Hi waelhilal,

Just a ping.  Were you able to determine the source of the repeated connection attempts?   What action did you take?  Any advice that you may wish to share will be of benefit to future admins in the same situation.

Many thanks in advance!

With thanks and best regards,


Ajit Jha's picture

Please apply the Microsoft Patch.

Microsoft ID: MS10-054


Ajit Jha

Technical Consultant


Riya31's picture

Extract NTP(attack) logs -->check remote host-->install MS08 -67 patch on remote system also check SEP is installed/not.
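
The log review suggested in the replies above (pull the attack entries, look at the remote host, decide whether it sits inside or outside the network), as an added example that is not part of the original thread or Symantec's tooling. The CSV layout, column names, host names and IP addresses are constructed for illustration, and the internal ranges default to the RFC 1918 private networks.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export: this column layout is an assumption, not SEP's real log format.
SAMPLE_LOG = """\
time,local_host,remote_ip,event
2012-12-05 12:58:30,SRV01,192.168.10.44,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2012-12-05 12:59:02,SRV01,192.168.10.44,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2012-12-05 13:04:11,PC-17,203.0.113.9,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
2012-12-05 13:05:40,PC-17,10.1.2.3,[SID: 00000] Unrelated placeholder signature
2012-12-05 13:06:00,PC-17,not-an-ip,[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked.
"""

SID = "[SID: 23179]"  # signature ID quoted in the thread title

def triage(log_text, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Count SID 23179 events per remote IP and split the sources into internal/external."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = Counter()
    skipped = []  # remote_ip values that could not be parsed
    for row in csv.DictReader(io.StringIO(log_text)):
        if SID not in row["event"]:
            continue  # other signatures are out of scope here
        try:
            ip = ipaddress.ip_address(row["remote_ip"].strip())
        except ValueError:
            skipped.append(row["remote_ip"])
            continue
        hits[ip] += 1
    result = {"internal": {}, "external": {}, "skipped": skipped}
    for ip, count in hits.items():
        side = "internal" if any(ip in net for net in nets) else "external"
        result[side][str(ip)] = count
    return result

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, count in report["internal"].items():
        print(f"{ip}: {count} hits, internal host: patch it and check that SEP is installed")
    for ip, count in report["external"].items():
        print(f"{ip}: {count} hits, external source: handle at the perimeter firewall")
    for raw in report["skipped"]:
        print(f"unparseable remote address, review by hand: {raw!r}")
```

Pass your own site ranges as `internal_nets` if the network uses public or non-RFC 1918 addressing internally.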