
NEED HELP with SID: 23179 OS Attack

Created: 07 Jun 2011 by computer-man | 8 comments

HELLO

Today I received this message many times:

Traffic from IP address ............ is blocked frpm 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM 

SID:23179 OS Attack: MS Windows Server  Service RPC Handling CVE-2008-4250 detected

I downloaded the patch but this message is still coming, so if somebody can help me with this and tell me what immediate action I should take to stop any damage or prevent further damage from happening.


Rafeeq

Try these two things:

1) Open the IPS policy; if the From address / To address is your internal IP, then add it under the exclude host option.

2) Edit the IPS policy, look for the SID and set it to allow.

http://www.symantec.com/business/support/index?page=content&id=TECH97176&key=55357&actp=LIST

sandra.g

I wouldn't recommend excluding the host or allowing the traffic for this signature without determining whether or not it's malicious.

sandra

Symantec, Information Developer
Installation, Migration, Deployment and Patching
User Protection & Productivity, Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps.

Chetan Savade

Hi,

It clearly states that this is the OS Attack: MS Windows Server Service RPC Handling signature. To know more about it, check the link below:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

It is important that you have these Microsoft updates installed on all machines.

Check this link for all the updates which need to be installed.

http://www.securityfocus.com/bid/31874/solution

Chetan Savade
Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

.Brian

Is the traffic inbound or outbound?

I would make sure you get more details before you start excluding hosts.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Priya uthama

Hi All,

Above are my logs from SEP. I have the same problem and need advice from all of you.

I think this is a worm.

.Brian

You need to disconnect those 7 hosts from the network and run scans on them with the latest definition set.

You should also make sure these machines are fully patched.

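As an added example (not from this thread or from Symantec), a small Python triage script for the two-line notification shape quoted in the original post: it pairs each "Traffic from IP address" line with the SID line after it, groups SID 23179 hits by peer address, and labels RFC 1918 sources as internal hosts to isolate and scan (as .Brian advises) rather than candidates for an IPS exclusion, while external sources are treated as blocked inbound scanning whose target should be checked for the CVE-2008-4250 patch. The sample alert lines, addresses and the internal ranges are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the two-line shape quoted in the thread (addresses are made up).
SAMPLE_ALERTS = """\
Traffic from IP address 192.168.10.23 is blocked from 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 192.168.10.23 is blocked from 7/7/2011 9:02:11AM to 7/7/2011 9:12:11AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 203.0.113.77 is blocked from 7/7/2011 9:10:00AM to 7/7/2011 9:20:00AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 192.168.10.41 is blocked from 7/7/2011 9:15:30AM to 7/7/2011 9:25:30AM
SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
"""

BLOCK_RE = re.compile(r"Traffic from IP address (\S+) is blocked from (.+?) to (.+)$")
SID_RE = re.compile(r"SID:(\d+)")
TIME_FMT = "%m/%d/%Y %I:%M:%S%p"
# Assumed internal ranges (RFC 1918); replace with the site's own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_alerts(text):
    """Pair each 'Traffic from ...' line with the SID line that follows it."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    events = []
    for i in range(0, len(lines) - 1, 2):
        block, sid = BLOCK_RE.match(lines[i]), SID_RE.search(lines[i + 1])
        if not (block and sid):
            continue  # skip anything not in the expected two-line shape
        events.append({"ip": block.group(1), "sid": int(sid.group(1)),
                       "start": datetime.strptime(block.group(2), TIME_FMT)})
    return events

def triage(events, sid=23179):
    """Group hits for one SID by peer address and say what to do with each peer."""
    hits = defaultdict(list)
    for e in events:
        if e["sid"] == sid:
            hits[e["ip"]].append(e["start"])
    report = {}
    for ip, times in hits.items():
        internal = any(ip_address(ip) in net for net in INTERNAL_NETS)
        # Internal peer sending MS08-067 traffic: likely infected, isolate and scan it,
        # do not exclude it. External peer: inbound scan already blocked; verify the patch.
        report[ip] = {"hits": len(times), "first": min(times), "internal": internal,
                      "action": "isolate and scan" if internal else "blocked inbound; verify patch"}
    return report
```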