
MSRPC Server Service RPC CVE-2008-4250 detected.

Created: 12 Mar 2012 | 4 comments

I started receiving this in the log of my webserver.  I have had this particular patch that is mentioned here since it came out in 2008.  Is there anything else I should do to handle this?  Has this machine been compromised?  Is it blocking it like it says? Thanks.

 

MSRPC Server Service RPC CVE-2008-4250 detected.  Here is the log when it started.

 

 
3/12/2012 10:31 Intrusion Prevention Critical Incoming TCP 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 C:\WINNT\system32\ntoskrnl.exe Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected.
 
3/12/2012 10:31 Active Response Major Incoming None 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 Traffic from IP address 77.10.224.240 is blocked from 3/12/2012 10:32:27 AM to 3/12/2012 10:42:27 AM.
 
3/12/2012 10:31 Active Response Disengaged Information None None 112.216.83.58 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Vette69 TWEETY Default 3/12/2012 10:33 3/12/2012 10:33 Active Response that started at 03/12/2012 10:23:12 is disengaged. The traffic from IP address 112.216.83.58 was blocked for 600 second(s).


Kirk Hill's picture

I did those before I posted my question.  The patch has been installed since it came out in 2008.  What next?

NRaj's picture

If you have followed the instruction and patched the machine, and if the machine is updated with the latest definition, then there is no need to worry.

These logs say that the attack was blocked. Check the IP addresses 112.216.83.58 & 77.10.224.240 as mentioned in the logs.

Make sure the SEP scans the computer regularly, just to make sure the machine is safe.
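A small parser for the three log rows in the original post, added here as an example (not part of the thread and not Symantec tooling): it pairs each Intrusion Prevention detection with the Active Response block for the same remote IP, and lists blocked addresses whose triggering detection is not in the excerpt. The regular expressions and function names are assumptions fitted to these three rows only.

```python
import re
from datetime import datetime

# The three log rows from the original post, copied verbatim.
LOG = [
    r"3/12/2012 10:31 Intrusion Prevention Critical Incoming TCP 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 C:\WINNT\system32\ntoskrnl.exe Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected.",
    "3/12/2012 10:31 Active Response Major Incoming None 77.10.224.240 00-00-00-00-00-00 192.168.3.2 00-15-5D-03-0A-19 Vette69 TWEETY Default 3/12/2012 10:32 3/12/2012 10:32 Traffic from IP address 77.10.224.240 is blocked from 3/12/2012 10:32:27 AM to 3/12/2012 10:42:27 AM.",
    "3/12/2012 10:31 Active Response Disengaged Information None None 112.216.83.58 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 Vette69 TWEETY Default 3/12/2012 10:33 3/12/2012 10:33 Active Response that started at 03/12/2012 10:23:12 is disengaged. The traffic from IP address 112.216.83.58 was blocked for 600 second(s).",
]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# IPS detection row: remote IP, signature id, signature text.
DETECT = re.compile(r"Intrusion Prevention \w+ Incoming \w+ " + IP + r" .*\[SID: (\d+)\] (.+)$")
# Active Response engaging: remote IP plus the block window.
BLOCK = re.compile(r"Traffic from IP address " + IP + r" is blocked from (.+?) to (.+?)\.$")
# Active Response disengaging: remote IP plus how long it was blocked.
RELEASE = re.compile(r"traffic from IP address " + IP + r" was blocked for (\d+) second")
FMT = "%m/%d/%Y %I:%M:%S %p"  # e.g. 3/12/2012 10:32:27 AM


def correlate(lines):
    """Group events by remote IP: detections, block windows, released durations."""
    out = {}

    def rec(ip):
        return out.setdefault(ip, {"detections": [], "blocks": [], "released_s": []})

    for line in lines:
        if m := DETECT.search(line):
            rec(m[1])["detections"].append((int(m[2]), m[3]))
        elif m := BLOCK.search(line):
            start, end = (datetime.strptime(t, FMT) for t in m.group(2, 3))
            rec(m[1])["blocks"].append((start, end))
        elif m := RELEASE.search(line):
            rec(m[1])["released_s"].append(int(m[2]))
    return out


def unexplained_blocks(events):
    """IPs that were blocked or released but have no detection row in this excerpt."""
    return sorted(ip for ip, e in events.items()
                  if (e["blocks"] or e["released_s"]) and not e["detections"])


if __name__ == "__main__":
    events = correlate(LOG)
    for ip, e in events.items():
        print(ip, e)
    print("blocked without a detection in this excerpt:", unexplained_blocks(events))
```

On the posted rows, 77.10.224.240 has both the SID 23179 detection and a ten-minute block, while 112.216.83.58 only shows a block being released, so the detection that triggered it would be in earlier log rows than the ones posted.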

Simpson Homer's picture

So is Symantec still detecting the file?

Try to submit those files to the Symantec Security Response Team:-

 

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

 

Where to upload a suspected File?

https://submit.symantec.com/websubmit/gold.cgi

 

 

Phone numbers to contact Tech Support:-

 

Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000

India: Toll-Free 000 800 4401 456 directly

IDD call: +61 2 8220 7111

 

Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp