
OS Attack

Created: 10 Jan 2013 | 9 comments

Hi,

I am getting the following errors time and again. I found the solution to be a Microsoft patch installation, but even after installing it, the message still comes. Please help:

[SID: XXXXX] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected

The client will block traffic from IP address <10.x.x.x> for the next 600 seconds.

Regards,

Anish


pete_4u2002:

Make sure the patch has been installed correctly.

OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/31874/solution

.Brian:

Run the Conficker removal tool on the affected machines. Download here:

W32.Downadup Removal Tool

http://www.symantec.com/security_response/writeup....

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi:

Hello,

Take a close look at the logs you're reviewing where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.

Also, Please check the Symantec Article below and get assisted.

OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/31874/solution

You may be also interested to have a look at this Thread: 

https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm

Hope that helps you to apply all the updates on the system!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Anishk:

Hi Mithun,

Thanks for the post. The IP addresses are not external IPs; they belong to our network.

Regards,

Anish

Mithun Sanghavi:

Hello,

You may be also interested to have a look at this Thread: 

https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm

Hope that helps!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Anubhav:

Hello Mithun,

We are also getting the same kind of attacks on all computers on the network from four IPs, all internal, of which three are Windows XP machines with Norton AV installed and one is an Ubuntu 12.04 LTS machine.

Please help me in figuring out what should I do.

Thanks,

Anubhav

Cameron_W:

If the IP in the block alert belongs to a machine from within your network then that machine is infected. Verify it has AV installed at the minimum, preferably all features, and is not missing any Microsoft patches, specifically MS08-067.

If I was able to help resolve your issue please mark my post as solution.
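The sleuthing step that Mithun and Cameron describe above (is the blocked source inside or outside your network, and which internal hosts keep tripping the CVE-2008-4250 signature) can be done mechanically against the exported SEP client logs. The script below is an added example, not code from the thread or from Symantec: it parses alert text in the same two-line shape Anish pasted, classifies each blocked source as RFC 1918 internal or external, counts hits per source, and prints what to do with each group. The alert text, IP addresses and counts are constructed for the example; only the signature wording and the 600-second block window come from the thread.

```python
"""Triage SEP 'OS Attack: ... CVE-2008-4250' block events by source IP.

Added example (not Symantec's code). Internal sources that repeatedly hit
an MS08-067 signature are the hosts to check for Conficker/Downadup and
for the MS08-067 patch (KB958644); external sources are background noise
that a perimeter firewall, not the endpoint, should be dropping.
"""
import ipaddress
import re
from collections import Counter

# Matches the alert as the SEP client writes it, tolerating the line break
# between "detected" and "The client will block ..." and the <ip> brackets.
ALERT_RE = re.compile(
    r"OS Attack:\s*(?P<sig>[^\n]*?(?P<cve>CVE-\d{4}-\d{4,}))\s+detected"
    r".*?block traffic from IP address\s*<?(?P<src>\d{1,3}(?:\.\d{1,3}){3})>?"
    r"\s*for the next\s+(?P<secs>\d+)\s+seconds",
    re.S,
)

# RFC 1918 ranges; extend with your own public ranges if they count as "inside".
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log text modelled on the alert quoted in the thread.
SAMPLE_LOG = """\
[SID: XXXXX] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected

The client will block traffic from IP address <10.1.4.22> for the next 600 seconds.

[SID: XXXXX] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected

The client will block traffic from IP address <10.1.4.22> for the next 600 seconds.

[SID: XXXXX] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected

The client will block traffic from IP address <192.168.7.9> for the next 600 seconds.

[SID: XXXXX] OS Attack: MSRPC Server Service RPC CVE-2008-4250 detected

The client will block traffic from IP address <203.0.113.45> for the next 600 seconds.
"""


def parse_alerts(text):
    """Return one dict per alert found in the raw log text."""
    return [
        {"sig": m.group("sig"), "cve": m.group("cve"),
         "src": m.group("src"), "block_secs": int(m.group("secs"))}
        for m in ALERT_RE.finditer(text)
    ]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(text, cve="CVE-2008-4250"):
    """Count block events per source for the given CVE, split internal/external."""
    internal, external = Counter(), Counter()
    for a in parse_alerts(text):
        if a["cve"] != cve:
            continue
        (internal if is_internal(a["src"]) else external)[a["src"]] += 1
    return {"internal": dict(internal), "external": dict(external)}


def report(text):
    """Human-readable next steps for each source group."""
    t = triage(text)
    lines = []
    for src, n in sorted(t["internal"].items(), key=lambda kv: -kv[1]):
        lines.append(f"INTERNAL {src}: {n} block event(s) -> suspect infected host; "
                     "verify MS08-067 (KB958644) is installed, AV present and current, "
                     "run the Downadup removal tool, then isolate if it keeps scanning")
    for src, n in sorted(t["external"].items(), key=lambda kv: -kv[1]):
        lines.append(f"EXTERNAL {src}: {n} block event(s) -> Internet background noise; "
                     "drop TCP/445 and TCP/139 from it at the perimeter, not per endpoint")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against an export of the client's Security log instead of SAMPLE_LOG; a source that appears across many clients' logs is the one host scanning the whole subnet, which is exactly what a Conficker-infected XP machine looks like.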

cus000:

Can you verify the remote host (source of attack) is installed with working AV and related windows patches?

Sometimes there could be more than 1 source machine... do check and go through