[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM
Created: 05 Dec 2012 | Updated: 07 Jan 2013 | 6 comments
This issue has been solved. See solution.
I have SEP 12.1. It's running perfectly, but it's always showing [SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM and after that it shows me this message: The client will block traffic from IP address 192.168.1.27 for the next 600 seconds (from 22/01/34 12:58:30 Traffic has been blocked for this application: SYSTEM on the server and client computer. How can I fix this message, or if it's normal, can't I stop it from showing for the client and just make it hidden, please?
Hi,
OS Attack: MSRPC Server Service RPC CVE-2008-4250
http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23179
Check this thread
http://www.symantec.com/connect/forums/msrpc-server-service-rpc-cve-2008-4250-detected
http://www.symantec.com/connect/forums/need-help-sid-23179-os-attack
Thanks In Advance.
Manish
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Make sure to download and install all required patches.
Open SEP GUI
Go to Change Settings
Click Configure Settings next to NTP component
Click Notifications tab
Uncheck Display Intrusion Prevention notifications
Click OK
SEP Knowledge Base
Endpoint SWAT
Hello,
Take a close look at the logs you're reviewing where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.
If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).
If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.
Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.
If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.
Also, please check the Symantec article below.
OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250
http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability
http://www.securityfocus.com/bid/31874/solution
You may also be interested in having a look at this thread:
https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hi waelhilal,
Just a ping. Were you able to determine the source of the repeated connection attempts? What action did you take? Any advice that you may wish to share will be of benefit to future admins in the same situation.
Many thanks in advance!
With thanks and best regards,
Mick
Please apply the Microsoft Patch.
Microsoft ID: MS10-054
Regards,
Ajit Jha
Technical Consultant
ASC & STS
Extract NTP (attack) logs --> check remote host --> install MS08-67 patch on remote system; also check whether SEP is installed or not.
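The triage step suggested in the replies above (pull the attack log, then check whether the remote host is inside or outside the network), as an added example that is not part of the original thread or of Symantec's tooling. It assumes the log has been exported as plain text containing the two message shapes quoted in the question; `triage`, the internal ranges, SID 99999 and every address other than 192.168.1.27 are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: RFC 1918 ranges stand in for "inside the network"; use your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SID_RE = re.compile(r"\[SID: (\d+)\]")
BLOCK_RE = re.compile(r"block traffic from IP address (\S+) for the next \d+ seconds")

# Constructed sample. Only 192.168.1.27 and SID 23179 come from the thread;
# SID 99999 and the other two addresses are placeholders.
SAMPLE_LOG = """\
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM
The client will block traffic from IP address 192.168.1.27 for the next 600 seconds
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM
The client will block traffic from IP address 192.168.1.27 for the next 600 seconds
[SID: 99999] Constructed unrelated signature. Traffic has been blocked for this application: SYSTEM
The client will block traffic from IP address 198.51.100.7 for the next 600 seconds
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. The client will block traffic from IP address 203.0.113.50 for the next 600 seconds
"""

def triage(log_text, sid="23179"):
    """Count block notices that follow a detection with the given SID,
    keyed by (source address, 'internal' or 'external')."""
    hits = Counter()
    last_sid = None
    for line in log_text.splitlines():
        m = SID_RE.search(line)
        if m:
            last_sid = m.group(1)
        m = BLOCK_RE.search(line)  # may sit on the same line as the SID
        if not m or last_sid != sid:
            continue
        last_sid = None  # one block notice per detection
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address field, skip it
        scope = "internal" if any(addr in net for net in INTERNAL_NETS) else "external"
        hits[(str(addr), scope)] += 1
    return hits

if __name__ == "__main__":
    for (addr, scope), count in triage(SAMPLE_LOG).most_common():
        print(f"{addr:<16} {scope:<9} {count} block(s)")
```

An address reported as internal is the remote host to patch and to check for SEP; an external one is a candidate for a perimeter firewall rule.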