OS Attack
Created: 10 Jan 2013 | 9 comments
Hi,
I am getting the following errors time and again. I found the solution to be a Microsoft patch installation, but even after installing it the message still appears. Please help:
[SID: XXXXX] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected
The client will block traffic from IP address <10.x.x.x> for the next 600 seconds.
Regards,
Anish
Hi,
OS Attack: MSRPC Server Service RPC CVE-2008-4250
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23179
Check this thread
http://www.symantec.com/connect/forums/msrpc-server-service-rpc-cve-2008-4250-detected
http://www.symantec.com/connect/forums/need-help-sid-23179-os-attack
Check this thread
https://www-secure.symantec.com/connect/forums/sid...
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
make sure the patch has been installed correctly.
OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/31874/solution
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
Run the Conficker removal tool on the affected machines. Download here:
W32.Downadup Removal Tool
http://www.symantec.com/security_response/writeup....
SEP Knowledge Base
Endpoint SWAT
Hello,
Take a close look at the logs you're reviewing where you see these alerts. If the IP address(es) are external, there's not much you can do; the nature of the internet is to allow unsolicited attempts at communication.
If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).
If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.
Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.
If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.
Also, Please check the Symantec Article below and get assisted.
OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/31874/solution
You may be also interested to have a look at this Thread:
https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hi Mithun,
Thanks for the post. The IP addresses are not external IPs but belong to our network.
Regards,
Anish
Hello,
You may be also interested to have a look at this Thread:
https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hello Mithun,
We are also getting the same kind of attacks on all computers on the network from four IPs, all internal, of which three are Windows XP machines with Norton AV installed and one is an Ubuntu 12.04 LTS machine.
Please help me in figuring out what should I do.
Thanks,
Anubhav
If the IP in the block alert belongs to a machine from within your network then that machine is infected. Verify it has AV installed at the minimum, preferably all features, and is not missing any Microsoft patches, specifically MS08-067.
If I was able to help resolve your issue please mark my post as solution.
Can you verify that the remote host (source of the attack) has working AV installed and the related Windows patches?
Sometimes there can be more than one source machine, so do check and go through them all.
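Added example, not from this thread and not Symantec's own tooling: a small Python script that performs the triage the replies above describe. It parses SEP client block messages of the form quoted in the question, counts blocks per source address for SID 23179, splits the sources into internal (RFC 1918) and external, and turns the result into the actions recommended in the thread (internal source: assume infected, verify AV and MS08-067, run the Downadup removal tool; external source: background scanning, block at the perimeter if it persists). The log lines are constructed for illustration, and their single-line layout, with the signature text and the block notice joined, is an assumption; adjust the regular expression to the exact log you export.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, not real SEP output. The single-line layout joining the
# signature name and the block notice is an assumption based on the alert text
# quoted in the question; adjust ALERT_RE for the log format you actually have.
SAMPLE_LOG = """\
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected. The client will block traffic from IP address 10.1.4.17 for the next 600 seconds.
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected. The client will block traffic from IP address 10.1.4.17 for the next 600 seconds.
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected. The client will block traffic from IP address 192.168.20.5 for the next 600 seconds.
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected. The client will block traffic from IP address 203.0.113.77 for the next 600 seconds.
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected. The client will block traffic from IP address 10.1.4.17 for the next 600 seconds.
some unrelated client log line that must be ignored
"""

# Matches "[SID: n] <signature name> detected ... from IP address <a.b.c.d>";
# the angle brackets around the address are optional.
ALERT_RE = re.compile(
    r"\[SID:\s*(?P<sid>\d+)\]\s*(?P<name>.+?)\s+detected\b"
    r".*?from IP address\s*<?(?P<src>\d{1,3}(?:\.\d{1,3}){3})>?"
)

# RFC 1918 ranges; add your own routed ranges if you use public space internally.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_alerts(text):
    """Yield (sid, signature_name, source_ip) for each line that looks like an IPS block."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group("sid")), m.group("name").strip(), m.group("src")


def is_internal(ip, internal_nets=RFC1918):
    """True if ip falls inside one of the given CIDR ranges (strings or ip_network objects)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in internal_nets)


def triage(text, sid=23179, internal_nets=RFC1918):
    """Count blocks per source for one SID and split the sources into internal vs external."""
    counts = Counter(src for s, _, src in parse_alerts(text) if s == sid)
    internal = {ip: n for ip, n in counts.items() if is_internal(ip, internal_nets)}
    external = {ip: n for ip, n in counts.items() if ip not in internal}
    return internal, external


def recommendations(internal, external):
    """Turn the split into the actions the thread recommends, most active source first."""
    actions = []
    for ip, n in sorted(internal.items(), key=lambda kv: -kv[1]):
        actions.append(
            f"{ip}: {n} block(s) from inside the network; treat the host as infected. "
            "Confirm AV is installed and current, confirm MS08-067 (KB958644) is "
            "applied, and run the W32.Downadup removal tool on it."
        )
    for ip, n in sorted(external.items(), key=lambda kv: -kv[1]):
        actions.append(
            f"{ip}: {n} block(s) from outside; background scanning, block it at the "
            "perimeter firewall if it persists."
        )
    return actions


if __name__ == "__main__":
    inside, outside = triage(SAMPLE_LOG)
    for line in recommendations(inside, outside):
        print(line)
```

Feed it the exported client Network Threat Protection log instead of SAMPLE_LOG, and pass your own ranges to `triage(..., internal_nets=...)` if the network uses public address space internally. A source that shows up repeatedly from inside the network is the machine to clean; one block from an external address is just the internet.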