[SID: 23179] MSRPC Server Service BO detected

John_Roberts

Please can I have some help with this problem.

Yesterday, out of the blue, certain computers on my network started freezing. After a day of investigation I have found in the client management security log these entries that are occurring at the same time:

26 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 [SID: 23179] MSRPC Server Service BO detected.
 
27 04/03/2009 13:30:10 Active Response Major Incoming None 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 Traffic from IP address 192.168.1.4 is blocked from 13/01/2009 20:27:20 to 13/01/2009 20:37:20.
 
28 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.3 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:21 13/01/2009 20:27:21 [SID: 23179] MSRPC Server Service BO detected.
 
They are happening almost every hour; the response is:

[SID: 23179] MSRPC Server Service BO detected.
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe

I have had to disable the internal firewall, which is really problematic. Our network runs many point-of-sale terminals, so every time we have this problem it's crippling our business.

Any help would be appreciated as I am getting very close to being bald after pulling the majority of my hair out.

Is the ntoskrnl.exe that is being blocked the local server version or the client app? I'm guessing it's the client app, as that is what is being blocked.

Many thanks in advance of your help.
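As an added example (not from the original post or from Symantec), here is a small Python parser for the client security log lines quoted above. It groups the SID 23179 hits by source IP, so the hosts actually generating the MSRPC Server Service BO traffic can be identified, isolated and patched, rather than the client firewall being disabled. The field layout is assumed from the three lines in the post.

```python
import re
from collections import Counter

# Log lines copied from the post above (SEP client security log export).
SAMPLE_LOG = r"""
26 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 [SID: 23179] MSRPC Server Service BO detected.
27 04/03/2009 13:30:10 Active Response Major Incoming None 192.168.1.4 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00  Administrator WORKGROUP Default 1 13/01/2009 20:27:20 13/01/2009 20:27:20 Traffic from IP address 192.168.1.4 is blocked from 13/01/2009 20:27:20 to 13/01/2009 20:37:20.
28 04/03/2009 13:30:10 Intrusion Prevention Critical Incoming TCP 192.168.1.3 00-00-00-00-00-00 0.0.0.0 00-00-00-00-00-00 C:\WINDOWS\system32\ntoskrnl.exe Administrator WORKGROUP Default 1 13/01/2009 20:27:21 13/01/2009 20:27:21 [SID: 23179] MSRPC Server Service BO detected.
"""

# Assumed field layout (from the lines above): sequence, date, time, event type,
# severity, direction, protocol, remote IP, remote MAC, local IP, local MAC, free text.
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+"
    r"(?P<event>Intrusion Prevention|Active Response)\s+"
    r"(?P<severity>\S+)\s+(?P<direction>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<remote_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<remote_mac>\S+)\s+"
    r"(?P<local_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<local_mac>\S+)\s+"
    r"(?P<rest>.*)$"
)
# The IPS signature ID and the blocked application path sit in the free text.
SID_RE = re.compile(r"\[SID:\s*(?P<sid>\d+)\]")
APP_RE = re.compile(r"(?P<app>[A-Za-z]:\\[^\s]+)")

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    sid = SID_RE.search(rec["rest"])
    app = APP_RE.search(rec["rest"])
    rec["sid"] = int(sid.group("sid")) if sid else None   # None on Active Response lines
    rec["app"] = app.group("app") if app else None
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def attackers_for_sid(records, sid):
    """Count IPS hits per remote (source) IP for one signature ID.
    For SID 23179 these sources are the hosts to take off the network and patch."""
    return Counter(r["remote_ip"] for r in records
                   if r["event"] == "Intrusion Prevention" and r["sid"] == sid)

def blocked_sources(records):
    """Remote IPs that Active Response has temporarily blocked (600 s by default)."""
    return sorted({r["remote_ip"] for r in records if r["event"] == "Active Response"})
```

Run it over a full export of the security log and the Counter tells you which internal addresses are hitting the signature most often; 192.168.1.3 and 192.168.1.4 in the quoted lines.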

Brendon Colby

Uh oh!

We had the same thing start happening yesterday, and it turned out to be a worm:

http://support.microsoft.com/kb/962007

Good luck...

Tejas Shah

Remove the machine from

Remove from the network the machine whose IP address is flashed on the clients. That machine is infected with a malware/spyware application and is trying to spread internally on your network.

ezanguy@yahoo.fr

display a message

Hello all,
I have a message telling me that traffic coming from an IP address XXXXXXXX has been blocked [sid 23179] MSRPC server service BO detection.
I would like to know how to stop this message being displayed.

eddy_fazer

Hello, you simply need to

Hello,

You simply need to go into the Intrusion Prevention policies and edit the rule so that the block is no longer applied (and possibly check the logging for this SID).

Giuseppe.Axia

Hello!

Hi,

I don't speak French but your post is clear.

Here are the technical details of this attack signature:

http://www.symantec.com/business/security_response...

It is a serious security threat but you can fix it with these patches for your Windows machines:

http://www.microsoft.com/technet/security/Bulletin...

Regards,

Giuseppe

eddy_fazer

This action of prevention

This intrusion prevention action can be caused by copying a big file between two computers (with supercopier or similar utilities).

To stop your computers being blocked, edit the policies and uncheck "block attackers" (600 seconds by default).

Giuseppe.Axia

There are no known false positives associated with this signatur

Actually, we don't know of any false positives associated with this signature. If you know of a false positive, please report it to our Support as well.
Unchecking "block attackers" could open the door for several pieces of malware; be careful when you give this suggestion without knowing whether the OS is fully patched. An unpatched OS is one of the most common worst practices.

Regards,

Giuseppe

Ajitjha

Go to the SEPM policies and

Go to the SEPM policies and, in Intrusion Prevention, add this SID under Exceptions with the required action.

Regards,
Ajit Jha
TechSupport Engineer
STS

Optimus Prime

Additional

Additional information...

1. Go to Policies --> Intrusion Prevention Policies
2. Right Click Edit --> On the Exceptions tab
3. Click Add --> Look for the ID 23179
4. Click Next
5. On the Signature Action select "Allow" and click OK.

If you want to disable the notification on your system tray..

1. Go to Clients, then the client group you want to remove this ability from.
2. Click the Policies tab on the right, then expand 'Location-specific Settings'.
3. Click on 'Server Control', then Customize.
4. In the Intrusion Prevention Notifications, uncheck "Display Intrusion Prevention notifications."

;-)

Good Boy

I have the same problem too..

I have the same problem too..
I would like to check the suspected workstation, but the IP address that causes the problem doesn't exist!!!
I already tried to ping the IP address but it came back with RTO.

This problem sometimes occurs every time I start my PC in the morning..

Can someone help me troubleshoot it?