Endpoint Protection


[SID: 23179] MSRPC Server Service BO detected

  • 1.  [SID: 23179] MSRPC Server Service BO detected

    Posted Mar 05, 2009 09:27 AM

    Please can I have some help with this problem.

    Yesterday, out of the blue, certain computers on my network started freezing. After a day of investigation I found these entries in the client management security log, all occurring at the same time:

    26 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 [SID: 23179] MSRPC Server Service BO detected.
     
    27 04/03/2009 13:30:10 Active Response Major Incoming None 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 Traffic from IP address 192.168.1.4 is blocked from 13/01/2009 20:27:20 to 13/01/2009 20:37:20.
     
    28 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.3 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:21 13/01/2009 20:27:21 [SID: 23179] MSRPC Server Service BO detected.
     
    They are happening almost every hour; the response is:

    [SID: 23179] MSRPC Server Service BO detected.
    Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe

    I have had to disable the internal firewall, which is really problematic. Our network runs many point-of-sale terminals, and every time we have this problem it is crippling our business.

    Any help would be appreciated, as I am getting very close to being bald after pulling the majority of my hair out.

    Is the ntoskrnl.exe that is being blocked the local server version or the client app? I'm guessing it's the client app, as that is what is being blocked.

    Many thanks in advance of your help.

    Attachment(s): fw.txt (77 KB)


  • 2.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Mar 05, 2009 11:26 AM

    We had the same thing start happening yesterday, and it turned out to be a worm:

     

    http://support.microsoft.com/kb/962007

     

    Good luck...



  • 3.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Mar 26, 2009 11:53 PM
    Remove from the network the machine whose IP address is flashed on the clients. That machine is infected with the malware/spyware application and is trying to spread internally on your network.
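The log lines quoted in the first post can be triaged mechanically instead of by eye: parse the SEP client security-log format, keep only the SID 23179 hits, group them by the remote IP (the column that identifies the host reply 3 says to pull off the network), and pair each with the Active Response block window that followed. This is an added example, not code from the thread or from Symantec; the column layout is inferred from the three quoted lines, the sample log is constructed here (the three quoted lines plus one invented fourth line, seq 29, so that one IP hits twice), and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the three SEP client security-log lines quoted in the
# first post, plus a fourth line (seq 29) invented here so one IP hits twice.
# It is not taken from the attachment fw.txt.
SAMPLE_LOG = r"""
26 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 [SID: 23179] MSRPC Server Service BO detected.
27 04/03/2009 13:30:10 Active Response Major Incoming None 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 Traffic from IP address 192.168.1.4 is blocked from 13/01/2009 20:27:20 to 13/01/2009 20:37:20.
28 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.3 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:21 13/01/2009 20:27:21 [SID: 23179] MSRPC Server Service BO detected.
29 04/03/2009 14:30:12 Intrusion Prevention Critical Incoming TCP 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 21:27:20 13/01/2009 21:27:20 [SID: 23179] MSRPC Server Service BO detected.
"""

TS_FMT = "%d/%m/%Y %H:%M:%S"  # the quoted log uses day/month/year

# Fixed-position columns of one line, up to the free-text tail (column set
# inferred from the quoted lines; an assumption, not a documented schema).
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>Intrusion Prevention|Active Response|Firewall)\s+"
    r"(?P<severity>Critical|Major|Minor|Information)\s+"
    r"(?P<direction>Incoming|Outgoing|None)\s+"
    r"(?P<proto>TCP|UDP|ICMP|None)\s+"
    r"(?P<remote_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<remote_mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<local_mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+"
    r"(?P<tail>.*)$"
)
APP_RE = re.compile(r"[A-Za-z]:\\\S+")  # local process path, absent on Active Response lines
SID_RE = re.compile(r"\[SID: (?P<sid>\d+)\]\s*(?P<name>.*?)\.?$")
BLOCK_RE = re.compile(
    r"Traffic from IP address (?P<ip>\S+) is blocked from "
    r"(?P<start>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) to "
    r"(?P<end>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    tail = rec.pop("tail")
    rec["seq"] = int(rec["seq"])
    rec["logged_at"] = datetime.strptime(rec["date"] + " " + rec["time"], TS_FMT)
    app = APP_RE.search(tail)
    rec["application"] = app.group(0) if app else None
    sig = SID_RE.search(tail)
    rec["sid"] = int(sig.group("sid")) if sig else None
    rec["signature"] = sig.group("name") if sig else None
    blk = BLOCK_RE.search(tail)
    rec["block_start"] = datetime.strptime(blk.group("start"), TS_FMT) if blk else None
    rec["block_end"] = datetime.strptime(blk.group("end"), TS_FMT) if blk else None
    # Length of the Active Response window; 600 s is the default reply 7 mentions.
    rec["block_seconds"] = int((rec["block_end"] - rec["block_start"]).total_seconds()) if blk else None
    return rec


def summarize(log_text, sid=23179):
    """Group hits on one signature by remote IP, with the block windows that followed."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = report.setdefault(rec["remote_ip"], {
            "hits": 0, "first_seen": None, "last_seen": None,
            "application": None, "blocked_until": None, "block_seconds": None,
        })
        if rec["sid"] == sid:
            host["hits"] += 1
            host["first_seen"] = min(filter(None, [host["first_seen"], rec["logged_at"]]))
            host["last_seen"] = max(filter(None, [host["last_seen"], rec["logged_at"]]))
            host["application"] = rec["application"]
        elif rec["block_end"] is not None:
            host["blocked_until"] = max(filter(None, [host["blocked_until"], rec["block_end"]]))
            host["block_seconds"] = rec["block_seconds"]
    # Only hosts that actually triggered the signature are worth chasing.
    return {ip: h for ip, h in report.items() if h["hits"]}


def suspects(log_text, sid=23179):
    """Remote IPs to isolate first: most hits, then most recently seen."""
    rep = summarize(log_text, sid)
    return sorted(rep, key=lambda ip: (-rep[ip]["hits"], -rep[ip]["last_seen"].timestamp()))


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for ip in suspects(SAMPLE_LOG):
        h = rep[ip]
        print(f"{ip}: {h['hits']} hit(s) {h['first_seen']} .. {h['last_seen']}, "
              f"local process {h['application']}, blocked until {h['blocked_until']} "
              f"({h['block_seconds']} s)")
```

Run it against the exported fw.txt instead of SAMPLE_LOG and it lists the remote IPs in the order to go and find them. Two caveats from the quoted lines themselves: the application column is a process on the client that wrote the log (here ntoskrnl.exe), not anything on the remote host, so it does not identify the attacker; and the MAC columns are all zeros, so matching the remote IP to a physical machine has to go through DHCP leases or switch/ARP tables at the last_seen time, which also covers the case in reply 11 where the IP no longer answers. The example keys on the line's own logging time; the begin/end columns in the quoted lines carry a different date, which the code parses but does not try to reconcile.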


  • 4.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Jul 04, 2009 06:55 AM

    Hello all,
    I have a message telling me that traffic from an IP address XXXXXXXX has been blocked, [SID 23179] MSRPC Server Service BO detected.
    I would like to know how to stop this message from being displayed.



  • 5.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Jul 04, 2009 01:30 PM
    Hi,

    I don't speak French but your post is clear.

    Here are the technical details of this attack signature:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

    It is a serious security threat but you can fix it with these patches for your Windows machines:

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    Regards,





  • 6.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Jul 04, 2009 05:42 PM
    Hello,

    Simply go into the Intrusion Prevention policies and edit the rule so that the block no longer takes effect (and possibly check the logging for this SID).



  • 7.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Jul 04, 2009 05:46 PM
    This intrusion prevention action can be caused by copying a big file between two computers (with supercopier or similar utilities).

    To stop your computers being blocked, edit the policies and uncheck "block attackers" (600 seconds by default).


  • 8.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Jul 04, 2009 08:12 PM
    Actually, we don't know of any false positive associated with this signature. If you know of a false positive, please report it to our Support as well.
    Unchecking "block attackers" could open the door to several malwares; be careful when you give this suggestion without knowing whether the OS is fully patched. An unpatched OS is one of the most common worst practices.

    Regards,



  • 9.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Jul 08, 2009 08:47 AM
    Go to the SEPM policies and, in Intrusion Prevention, add this SID under Exceptions with the required action.


  • 10.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Sep 10, 2009 09:11 PM

    Additional information...

    1. Go to Policies --> Intrusion Prevention Policies
    2. Right-click Edit --> On the Exceptions tab
    3. Click Add --> Look for the ID 23179
    4. Click Next
    5. On the Signature Action select "Allow" and click OK.

    If you want to disable the notification in your system tray:

    1. Go to Clients, then the client group you want to remove this ability from.
    2. Click the Policies tab on the right, then expand 'Location-specific Settings'.
    3. Click on 'Server Control', then Customize.
    4. In the Intrusion Prevention Notifications Uncheck the "Display Intrusion Prevention notifications."



  • 11.  RE: [SID: 23179] MSRPC Server Service BO detected

    Posted Oct 28, 2009 11:20 PM
    I have the same problem.
    I would like to check the suspected workstation, but the IP address that causes the problem doesn't exist!
    I already tried to ping the IP address, but it came back with RTO.

    This problem sometimes occurs whenever I start my PC in the morning.

    Can someone help me troubleshoot it?