NEED HELP with SID: 23179 OS Attack
Created: 07 Jun 2011 | 8 comments
HELLO
Today I received this message many times:
Traffic from IP address ............ is blocked from 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
I downloaded the patch but this message is still coming, so if somebody can help me with this, and what immediate action I should take to stop any damage or prevent further damage from happening.
Try these two things:
1) Open the IPS policy; if the From address / To address is your internal IP, then add it under the Exclude Hosts option.
2) Edit the IPS policy, look for the SID and set it to Allow.
http://www.symantec.com/business/support/index?page=content&id=TECH97176&key=55357&actp=LIST
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
I wouldn't recommend excluding the host or allowing the traffic for this signature without determining whether or not it's malicious.
sandra
Symantec, Information Development, IMDP
Symantec Endpoint Protection / Core Security Engineering Group
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Hi,
It clearly states it is the OS Attack: MS Windows Server Service RPC Handling. To know more about the same, check the link below:
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179
It is important that you have these Microsoft updates installed on all machines.
Check this link for all the updates which need to be installed.
http://www.securityfocus.com/bid/31874/solution
Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Is the traffic inbound or outbound?
I would make sure you get more details before you start excluding hosts.
SEP Knowledge Base
Endpoint SWAT
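Before excluding a host or allowing the signature, the question of where the blocked traffic comes from has to be answered. The following is an added example (not code from the thread, from Symantec, or from any poster) that parses notifications in the two-line format quoted in the original post, groups the SID 23179 hits per source address, and classifies each source as internal (RFC 1918) or external. An internal source hitting this signature is a candidate infected machine to isolate and scan; an external one is a probe the IPS is already blocking. The sample notifications, the addresses and the timestamps in `SAMPLE_ALERTS` are constructed for this example, and the second signature in it is a placeholder, not a real SID.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample notifications modelled on the two-line message quoted in
# the original post. Addresses and times are invented; SID 99999 is a
# placeholder for "some other signature", not a real Symantec SID.
SAMPLE_ALERTS = """\
Traffic from IP address 192.168.10.57 is blocked from 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 192.168.10.57 is blocked from 7/7/2011 8:46:10AM to 7/7/2011 8:56:10AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 203.0.113.9 is blocked from 7/7/2011 9:02:00AM to 7/7/2011 9:12:00AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 192.168.10.80 is blocked from 7/7/2011 9:15:30AM to 7/7/2011 9:25:30AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 10.0.0.12 is blocked from 7/7/2011 9:20:00AM to 7/7/2011 9:30:00AM
SID:99999 PLACEHOLDER other signature detected
"""

BLOCK_RE = re.compile(r"Traffic from IP address (\S+) is blocked from (\S+ \S+) to (\S+ \S+)")
SID_RE = re.compile(r"SID:(\d+) (.+?) detected$")
TS_FMT = "%m/%d/%Y %I:%M:%S%p"  # e.g. 7/7/2011 8:35:50AM

# "Internal" here means RFC 1918 space; adjust to the site's own ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr, internal_nets=RFC1918):
    """True if addr falls inside one of the internal network ranges."""
    return any(addr in net for net in internal_nets)


def parse_alerts(text):
    """Pair each 'Traffic from IP address ...' line with the SID line that follows it."""
    records = []
    pending = None
    for line in text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            try:
                src = ipaddress.ip_address(m.group(1))
            except ValueError:
                pending = None  # redacted or malformed address, skip this entry
                continue
            pending = {
                "src": src,
                "start": datetime.strptime(m.group(2), TS_FMT),
                "end": datetime.strptime(m.group(3), TS_FMT),
            }
            continue
        m = SID_RE.search(line)
        if m and pending is not None:
            pending["sid"] = int(m.group(1))
            pending["name"] = m.group(2)
            records.append(pending)
            pending = None
    return records


def triage(records, sid=23179, internal_nets=RFC1918):
    """Group hits for one signature by source and say what each source most likely is."""
    by_src = defaultdict(list)
    for r in records:
        if r["sid"] == sid:
            by_src[r["src"]].append(r)
    report = {}
    for src, hits in by_src.items():
        internal = is_internal(src, internal_nets)
        report[str(src)] = {
            "hits": len(hits),
            "first_seen": min(h["start"] for h in hits),
            "last_seen": max(h["end"] for h in hits),
            "internal": internal,
            "verdict": ("internal source: isolate, scan with current definitions, "
                        "confirm the CVE-2008-4250 update is installed")
            if internal else "external source: keep the IPS block, review perimeter exposure",
        }
    return report


def internal_sources(report):
    """Internal addresses that hit the signature, sorted numerically, i.e. the hosts to pull off the network."""
    return sorted((ip for ip, info in report.items() if info["internal"]),
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    rep = triage(parse_alerts(SAMPLE_ALERTS))
    for ip, info in rep.items():
        print(f"{ip:16} hits={info['hits']} {info['first_seen']:%H:%M:%S}-{info['last_seen']:%H:%M:%S} {info['verdict']}")
    print("isolate:", internal_sources(rep))
```

Run against a real export of the notifications, the internal list is the set of machines to disconnect and scan, and any external address confirms the traffic is inbound and already being blocked, which is the information needed before deciding whether an exclusion is ever appropriate.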
Hi All,
Above are my logs from SEP. I have the same problem,
need advice from all of you,
I think this is a worm.
You need to disconnect those 7 hosts from the network and run scans on them with the latest definition set.
You should also make sure these machines are fully patched.
SEP Knowledge Base
Endpoint SWAT
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179