Endpoint Protection Small Business Edition

  • 1.  Multiple Intrusions being blocked

    Posted Jan 08, 2015 10:02 AM

    We have multiple intrusions being blocked by Symantec on our server many times a day, for at least a month now, maybe more, and I have not been able to figure out how to stop this. Below is one of the most recent ones:

    Attack: an intrusion attempt was blocked.

    Risk Level | Medium
    Attacker Computer
    219.214.28.3 0
    Destination Computer
    192.168.1.2 0
    Protocol
    TCP
    Attack URL
    127.0.0.1/cgi-bin/authLogin.cgi
    Targeted Application
    -
    Status
    Blocked
    Action
    Resolved - No Action Required
    Date & Time
    Thursday, January 08, 2015 9:04:56 AM

    They all come from different IP addresses, but the rest stays the same. The alert emails I get show the attack is on Port 0. I have done an intrusion scan but came up with nothing. Many different virus and malware scans have not turned up anything. Tried to block Port 0 traffic on the server and that did not help. I know Symantec is blocking them and that is good, but the constant alerts filling up my email box is annoying. Also, this wasn't happening until just recently.

    Any help would be appreciated.



  • 2.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 10:05 AM

    This is an attacker trying to exploit the Shellshock vulnerability. The IPS is doing its job by blocking it and you're not infected. If the system is not vulnerable to the exploit it won't work anyway. It's most likely attackers just scanning to see what they can exploit.

    Create a firewall rule to block that IP.



  • 3.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 10:12 AM

    The IP is different every time.



  • 4.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 10:13 AM

    I wouldn't expect it to be. Again, it's an attacker scanning for vulnerable systems. The IPS is doing its job by blocking the attempts.



  • 5.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 10:38 AM

    How do I check to see if we are vulnerable? We are running Microsoft SBS 2011 on the server so I assume that isn't vulnerable. We do have an Oracle database program called Primavera that uses a lot of command line prompts, but that is through MSSQL so I'm thinking that is safe too?
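Post 5 asks how to tell whether a host is actually vulnerable. The script below is an added self-check, not something posted in this thread and not a Symantec tool: it runs the widely published Shellshock self-test against the local bash, which is the only program the bug affects, and reports whether bash executes a command smuggled in after an exported function definition. A host with no bash at all returns None, which is the expected result on a Windows SBS 2011 server that has no Unix shell installed. The variable name `x` and the `echo vulnerable` marker are the conventional choices from the public advisories, not values taken from the thread.

```python
import shutil
import subprocess


def bash_vulnerable_to_shellshock(bash=None):
    """Run the published Shellshock self-test against the local bash.

    Returns True if bash executes the command that trails an exported
    function definition (vulnerable), False if it only imports or ignores
    the function (patched), and None if this host has no bash to test,
    for example a Windows server without a Unix shell.
    """
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    # The environment variable carries a function body followed by an extra
    # command. Unpatched bash ran that extra command while importing the
    # function at startup; patched bash does not, so "vulnerable" never
    # reaches stdout and only "test" is printed.
    env = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    result = subprocess.run([bash, "-c", "echo test"], env=env,
                            capture_output=True, text=True, check=False)
    return "vulnerable" in result.stdout


if __name__ == "__main__":
    verdict = bash_vulnerable_to_shellshock()
    print({None: "no bash on this host", True: "VULNERABLE", False: "patched"}[verdict])
```

Run it on each Unix host behind the firewall rather than on the Windows server; a False result means the blocked CGI probe would have done nothing on that machine even without the IPS, and a None result means the bug does not apply there at all.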



  • 6.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 10:39 AM

    Is there a way to stop the emails on that one instance but still get alerts on other things?
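Post 1 shows the alert layout and post 6 asks how to quiet this one recurring signature without losing alerts for anything else. The script below is an added example, not code from the thread and not a Symantec feature: it parses alert bodies in that e-mail layout, groups them by signature and attack URL, counts the distinct source IPs per group, and flags groups that look like broad scanning (one probe from many sources) so they can be rolled into a single periodic digest while everything else still arrives one alert at a time. The sample alerts are constructed: the first source IP and all field values of the first record come from post 1, the other two sources are RFC 5737 documentation addresses, and the `---` separator between alert bodies is an assumption about how the mail bodies are collected.

```python
import re
from collections import defaultdict

# Labels whose value follows on the next line in the e-mail layout.
FIELDS = {"Attacker Computer", "Destination Computer", "Protocol", "Attack URL",
          "Targeted Application", "Status", "Action", "Date & Time"}
HOST_RE = re.compile(r"(\S+)\s+(\d+)$")  # "ip port", e.g. "219.214.28.3 0"

# Constructed sample: three alert bodies separated by "---". The first is the
# alert quoted in post 1; the other two are made up to show the grouping.
SAMPLE_ALERTS = """\
Attack: an intrusion attempt was blocked.
Risk Level | Medium
Attacker Computer
219.214.28.3 0
Destination Computer
192.168.1.2 0
Protocol
TCP
Attack URL
127.0.0.1/cgi-bin/authLogin.cgi
Targeted Application
-
Status
Blocked
Action
Resolved - No Action Required
Date & Time
Thursday, January 08, 2015 9:04:56 AM
---
Attack: an intrusion attempt was blocked.
Risk Level | Medium
Attacker Computer
198.51.100.7 0
Attack URL
127.0.0.1/cgi-bin/authLogin.cgi
Date & Time
Thursday, January 08, 2015 9:31:40 AM
---
Attack: an intrusion attempt was blocked.
Risk Level | Medium
Attacker Computer
203.0.113.9 0
Attack URL
-
Date & Time
Thursday, January 08, 2015 9:45:03 AM
"""


def parse_alert(text):
    """Parse one alert body into a dict; host fields become (ip, port) tuples."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rec, i = {}, 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("Attack:"):            # the signature line
            rec["signature"] = ln[len("Attack:"):].strip()
        elif " | " in ln:                       # "Risk Level | Medium"
            key, val = ln.split(" | ", 1)
            rec[key] = val
        elif ln in FIELDS and i + 1 < len(lines):
            rec[ln] = lines[i + 1]
            i += 1
        i += 1
    for key in ("Attacker Computer", "Destination Computer"):
        m = HOST_RE.match(rec.get(key, ""))
        if m:
            rec[key] = (m.group(1), int(m.group(2)))
    return rec


def split_alerts(blob, sep="---"):
    return [parse_alert(part) for part in blob.split(sep) if part.strip()]


def digest(alerts):
    """Group by (signature, attack URL): hit count, distinct sources, last seen."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "last": None})
    for rec in alerts:
        g = groups[(rec.get("signature"), rec.get("Attack URL"))]
        g["count"] += 1
        g["sources"].add(rec["Attacker Computer"][0])
        g["last"] = rec.get("Date & Time")
    return dict(groups)


def scanning_keys(groups, min_sources=2):
    """Keys of groups that look like broad scanning: one probe, many sources."""
    return [k for k, g in groups.items() if len(g["sources"]) >= min_sources]


if __name__ == "__main__":
    groups = digest(split_alerts(SAMPLE_ALERTS))
    for (sig, url), g in groups.items():
        print(f"{sig} url={url}: {g['count']} hits from {len(g['sources'])} "
              f"source(s), last seen {g['last']}")
    print("candidates for a periodic digest:", scanning_keys(groups))
```

Feed the keys that `scanning_keys` returns to whatever mail filter or digest rule the mail client offers, keyed on the attack URL rather than the source address, since the source changes with every hit; the per-record output keeps full detail for any alert that does not match.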



  • 7.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 12:05 PM

    Is it external facing?



  • 8.  RE: Multiple Intrusions being blocked

    Posted Jan 08, 2015 12:19 PM

    There is not