Endpoint Protection

  • 1.  MSRPC Server Service RPC CVE-2008-4250 detected.

    Posted Mar 12, 2012 12:40 PM

    I started receiving this in the log of my webserver.  I have had this particular patch that is mentioned here since it came out in 2008.  Is there anything else I should do to handle this?  Has this machine been compromised?  Is it blocking it like it says? Thanks.

    MSRPC Server Service RPC CVE-2008-4250 detected.  Here is the log when it started.

    3/12/2012 10:31 Intrusion Prevention Critical Incoming TCP 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 C:\WINNT\system32\ntoskrnl.exe Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected.
     
    3/12/2012 10:31 Active Response Major Incoming None 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 Traffic from IP address 77.10.224.240 is blocked from 3/12/2012 10:32:27 AM to 3/12/2012 10:42:27 AM.
     
    3/12/2012 10:31 Active Response Disengaged Information None None 112.216.83.58 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Vette69 TWEETY Default 3/12/2012 10:33 3/12/2012 10:33 Active Response that started at 03/12/2012 10:23:12 is disengaged. The traffic from IP address 112.216.83.58 was blocked for 600 second(s).


  • 2.  RE: MSRPC Server Service RPC CVE-2008-4250 detected.

    Posted Mar 12, 2012 01:45 PM


  • 3.  RE: MSRPC Server Service RPC CVE-2008-4250 detected.

    Posted Mar 13, 2012 12:06 AM

    I did those before I posted my question.  The patch has been installed since it came out in 2008.  What next?



  • 4.  RE: MSRPC Server Service RPC CVE-2008-4250 detected.

    Posted Mar 13, 2012 10:29 AM

    If you have followed the instructions and patched the machine, and if the machine is updated with the latest definitions, then there is no need to worry.

    These logs say that the attack was blocked. Check the IP addresses 112.216.83.58 and 77.10.224.240 mentioned in the logs.

    Make sure the SEP scans the computer regularly, just to make sure the machine is safe.
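
Added example (not part of any post in this thread, and not Symantec code): a script that pairs each Intrusion Prevention detection in the log lines from post 1 with an Active Response block for the same remote IP. The regular expressions are assumptions derived from those three lines rather than a documented log format, and the function names are hypothetical.

```python
import re

# The three log lines from the first post, verbatim (raw strings keep the backslashes).
LOG = [
    r"3/12/2012 10:31 Intrusion Prevention Critical Incoming TCP 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 C:\WINNT\system32\ntoskrnl.exe Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected.",
    r"3/12/2012 10:31 Active Response Major Incoming None 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 Traffic from IP address 77.10.224.240 is blocked from 3/12/2012 10:32:27 AM to 3/12/2012 10:42:27 AM.",
    r"3/12/2012 10:31 Active Response Disengaged Information None None 112.216.83.58 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Vette69 TWEETY Default 3/12/2012 10:33 3/12/2012 10:33 Active Response that started at 03/12/2012 10:23:12 is disengaged. The traffic from IP address 112.216.83.58 was blocked for 600 second(s).",
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Assumed patterns: first IPv4 after the event type is the remote host.
DETECT = re.compile(r"Intrusion Prevention .*?" + IPV4 + r".*\[SID: (\d+)\] (.+)$")
BLOCK = re.compile(r"Traffic from IP address " + IPV4 + r" is blocked from (.+?) to (.+?)\.$")
RELEASE = re.compile(r"traffic from IP address " + IPV4 + r" was blocked for (\d+) second")


def correlate(lines):
    """Group events by remote IP: signatures seen, block windows, released blocks."""
    hosts = {}
    for line in lines:
        for kind, rx in (("detections", DETECT), ("blocks", BLOCK), ("released", RELEASE)):
            m = rx.search(line)
            if m:
                entry = hosts.setdefault(
                    m.group(1), {"detections": [], "blocks": [], "released": []})
                entry[kind].append(m.groups()[1:])
    return hosts


def unblocked_detections(hosts):
    """Remote IPs with an IPS detection but no Active Response block in this log."""
    return sorted(ip for ip, e in hosts.items() if e["detections"] and not e["blocks"])


def released_without_detection(hosts):
    """Remote IPs whose block ended here but whose detection predates the excerpt."""
    return sorted(ip for ip, e in hosts.items() if e["released"] and not e["detections"])


if __name__ == "__main__":
    hosts = correlate(LOG)
    for ip, events in hosts.items():
        print(ip, events)
    print("detections with no block:", unblocked_detections(hosts))
    print("blocks released, detection not in excerpt:", released_without_detection(hosts))
```

On the posted lines, 77.10.224.240 has both a detection and a ten-minute block, while the release for 112.216.83.58 belongs to a block that started at 10:23:12, before the first line shown.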



  • 5.  RE: MSRPC Server Service RPC CVE-2008-4250 detected.

    Posted Mar 13, 2012 10:42 AM

    So is Symantec still detecting the file?

    Try to submit those files to the Symantec Security Response Team:

     

    How to create a new case in MySupport

    http://www.symantec.com/business/support/index?page=content&id=TECH58873

     

    Where to upload a suspected File?

    https://submit.symantec.com/websubmit/gold.cgi

     

     

    Phone numbers to contact Tech Support:

     

    Regional Support Telephone Numbers:
    United States: https://support.broadcom.com (407-357-7600 from outside the United States)
    Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
    United Kingdom: +44 (0) 870 606 6000

    India: Toll-Free 000 800 4401 456 directly

    IDD call: +61 2 8220 7111

     

    Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp