
Multiple attacks showing in SEPM

Created: 05 Apr 2011 • Updated: 07 Apr 2011 | 5 comments

We are using SEPM 11.0.6. We have a server that is continually being attacked. We understand that Symantec is doing its job and blocking the attack, but is there any way to get it to stop happening?

We're going on 5 straight days of attacks. It would've been more, but we shut the server down over the weekend.

It seems to be the same 4 attacks over and over with different IP addresses: OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250, OS Attack: MS Windows Server Service NetAPI CVE-2006-3439, OS Attack: MS RPCSS Attack CVE-2004-0116 2, and SMB Guest Login.

We tried to install all the Microsoft patches listed in the various articles, but it didn't seem to help. Is there anything else we can do to stop the attacks?

5 Comments

Ryan_Dasso

The key thing to realize here is that the IPS detections are usually on the machines being attacked, not on the machines that are doing the attacking... so installing the patches is a good thing because it means your servers won't be vulnerable, but the patches do nothing to stop the attacks from happening.

In an example, when a burglar (attacker) has the keys to your door, you can change the locks (patches) to keep him out. The house (attacked computer) is safe but the alarm system (SEP) will still sound when the burglar puts the old key in the new lock. The important thing is to find the burglar's hideout (attacking computer) and get it shut down so it can no longer launch burglars.

The Network Threat Protection logs will tell you just about everything you need to know (which machines are attacking, for example). Export them and view in your favorite spreadsheet program. Make sure to run full system scans with SEP and the latest defs.

You can use the Microsoft Baseline Security Analyzer (http://technet.microsoft.com/en-us/security/cc184923) to scan all of the machines involved. 

Details on the individual threats that are being detected can easily be Googled for more details.

mon_raralio

Is it possible to post the logs?

Other than patching the sources as suggested by Ryan and yourself, check the logs of these attackers. They may have a persistent malware executable stored on them. You could separate them into a group with stricter policies and limited services allowed in the firewall.

“Your most unhappy customers are your greatest source of learning.”

Mithun Sanghavi

Hello,

Please check this:

1) OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

MS Windows Server Service RPC Handling CVE-2008-4250 is used by Threat - W32.Downadup
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99

To know more about the Patches, visit the link below:

2) OS Attack: MS Windows Server Service NetAPI CVE-2006-3439

To know more about the Patches, visit the link above.

OS Attack: MS Windows Server Service NetAPI CVE-2006-3439 is used by Threat - W32.Rinbot.E
http://www.symantec.com/security_response/writeup.jsp?docid=2006-022315-3727-99

3) OS Attack: MS RPCSS Attack CVE-2004-0116 2
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=20386

4) SMB Guest Login
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21545

All the attacks which you described happen when you have vulnerabilities on the machines from where the attack happens.

As Ryan described above, "The Network Threat Protection logs will tell you just about everything you need to know (which machines are attacking, for example). Export them and view in your favorite spreadsheet program."

I would suggest the following plan of action:

1) Make sure ALL computers are installed with Symantec EP with the latest / updated virus definitions, and

2) Install ALL latest Microsoft security patches / service packs on ALL machines

3) Follow the links provided above and update all the patches as required.

4) Disable Autoplay with GPO
http://support.microsoft.com/kb/953252

5) Disable Scheduled Tasks with GPO
http://support.microsoft.com/kb/310208

6) Enable Security Auditing with GPO
http://support.microsoft.com/kb/300549

7) Scan ALL the machines...

You could also enable "Risk Tracer". To understand what it is and how it could help you, I would recommend you read the articles below:

What is Risk Tracer?
http://www.symantec.com/business/support/index?page=content&id=TECH102539

How to use Risk Tracer to locate the source of a threat in Symantec Endpoint Protection
http://www.symantec.com/business/support/index?page=content&id=TECH94526

Hope this may help you.
 

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

chris_delay

Take a close look at the logs you're reviewing where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.
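Ryan's advice to export the Network Threat Protection log and chris_delay's point that the response depends on whether the sources are internal or external can be combined in one triage step. The script below is an added example, not code from the thread or from Symantec: it reads a constructed CSV export (the column names are assumptions; a real SEPM export may label them differently), tallies events per signature and per remote host with first/last seen times and local ports hit, and splits the sources into RFC 1918 (internal) and everything else (external).

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of a Network Threat Protection log exported from SEPM as CSV.
# The header names are assumptions; adjust the keys used below to match the
# header row of a real export.
SAMPLE_LOG = """\
Time,Event Type,Direction,Protocol,Remote Host IP,Local Port,Event Description
2011-04-01 08:12:01,Intrusion Prevention,Inbound,TCP,203.0.113.45,445,OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250
2011-04-01 08:13:44,Intrusion Prevention,Inbound,TCP,198.51.100.7,445,OS Attack: MS RPCSS Attack CVE-2004-0116 2
2011-04-03 08:15:09,Intrusion Prevention,Inbound,TCP,203.0.113.45,445,SMB Guest Login
2011-04-05 08:20:30,Intrusion Prevention,Inbound,TCP,192.168.10.22,445,OS Attack: MS Windows Server Service NetAPI CVE-2006-3439
"""

# RFC 1918 ranges; add any public ranges the site itself owns.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True when the address falls inside a private (RFC 1918) range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def summarize(csv_text):
    """Aggregate blocked events per signature and per attacking host."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    per_sig = Counter(r["Event Description"] for r in rows)
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for r in rows:
        h = hosts[r["Remote Host IP"]]
        h["count"] += 1
        h["first"] = min(filter(None, (h["first"], r["Time"])))  # timestamps sort lexically
        h["last"] = max(filter(None, (h["last"], r["Time"])))
        h["ports"].add(int(r["Local Port"]))
    # Internal sources are hosts to scan and isolate; external ones are candidates
    # for a perimeter firewall rule, or simply background noise.
    return {
        "signatures": per_sig,
        "hosts": dict(hosts),
        "internal": sorted(ip for ip in hosts if is_internal(ip)),
        "external": sorted(ip for ip in hosts if not is_internal(ip)),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for sig, n in report["signatures"].most_common():
        print(f"{n:4d}  {sig}")
    for ip in report["internal"] + report["external"]:
        h = report["hosts"][ip]
        origin = "INTERNAL" if ip in report["internal"] else "external"
        print(f"{origin:8s} {ip:15s} {h['count']} events  {h['first']} .. {h['last']}  ports={sorted(h['ports'])}")
```

Any host that lands in the internal list is the "burglar's hideout" Ryan describes and is where a full scan and Risk Tracer should be pointed first.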

rcollura

Thanks for all the suggestions. We did install the patches and we've been checking the logs. This is a web server so we have to allow incoming external traffic to the machine. The IP addresses are external, so there's not much else we can do. At least Symantec is blocking the attacks.