
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM

Created: 05 Dec 2012 • Updated: 07 Jan 2013 | 6 comments
This issue has been solved. See solution.

I have SEP 12.1; it's running perfectly, but it's always showing "[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. Traffic has been blocked for this application: SYSTEM", and after that it shows me this message: "The client will block traffic from IP address 192.168.1.27 for the next 600 seconds (from 22/01/34 12:58:30). Traffic has been blocked for this application: SYSTEM" on the server and client computer. How can I fix this message, or if it's normal, can I stop it from showing for the client and just make it hidden, please?


_Brian:

Make sure to download and install all required patches.

Open SEP GUI

Go to Change Settings

Click Configure Settings next to NTP component

Click Notifications tab

Uncheck Display Intrusion Prevention notifications

Click OK


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi:

Hello,

Take a close look at the logs you're reviewing where you see these alerts...if the IP address(es) are external, there's not much you can do...the nature of the internet is to allow unsolicited attempts for communication.

If the communications are coming from external sources, you can certainly block those IP addresses at the perimeter firewall, and other things such as leveraging intrusion prevention (assuming you've got that, or it's part of the perimeter firewall).

If the attacks are coming from WITHIN your network, you'll need to do some sleuthing to get to the bottom of what's actually attacking and deal with it. My gut, however, leads me to believe that your logs show external IP addresses.

Script kiddies out there are constantly running programs that will try to use exploits on machines...odds are low that you're specifically being targeted.

If the IP addresses in the logs are external to your network, the only way you can completely block the alerts is to configure your perimeter firewall to not allow incoming external traffic to this machine...which, I suspect, would completely negate the usefulness of the server itself.

Also, please check the Symantec article below and get assisted.

OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/31874/solution

You may be also interested to have a look at this Thread: 

https://www-secure.symantec.com/connect/forums/multiple-attacks-showing-sepm

Hope that helps you to upload all the updates on the system!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
Mick2009:

Hi waelhilal,

Just a ping. Were you able to determine the source of the repeated connection attempts? What action did you take? Any advice that you may wish to share will be of benefit to future admins in the same situation.

Many thanks in advance!

With thanks and best regards,

Mick

Ajit Jha:

Please apply the Microsoft Patch.

Microsoft ID: MS10-054

Regards,

Ajit Jha

Technical Consultant

ASC & STS

Riya31:

Extract NTP (attack) logs --> check the remote host --> install the MS08-067 patch on the remote system; also check whether SEP is installed or not.
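Added example, not code from the thread or from Symantec: a small Python triage script that implements the advice in Mithun Sanghavi's and Riya31's posts. It parses SEP IPS notifications for SID 23179, pulls out the blocked source IP, and classifies each source as inside or outside the network so you know whether to go patch the remote host (MS08-067) or handle it at the perimeter. The log lines are constructed, and "internal" is assumed to mean RFC 1918 space; substitute your own site's ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the SEP notification text quoted in the thread.
SAMPLE_LOG = """\
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. The client will block traffic from IP address 192.168.1.27 for the next 600 seconds
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. The client will block traffic from IP address 192.168.1.27 for the next 600 seconds
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. The client will block traffic from IP address 203.0.113.45 for the next 600 seconds
[SID: 23179] OS Attack: MSRPC Server Service RPC CVE-2008-4250 attack blocked. The client will block traffic from IP address 10.20.30.40 for the next 600 seconds
[SID: 20000] Some other signature. The client will block traffic from IP address 198.51.100.9 for the next 600 seconds
"""

# Assumption: "internal" means RFC 1918 space; replace with your own site ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SID_RE = re.compile(r"\[SID: (?P<sid>\d+)\]")
IP_RE = re.compile(r"from IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_alerts(text, sid="23179"):
    """Count blocked source IPs for one IPS signature id (default: the MS08-067 signature)."""
    hits = Counter()
    for line in text.splitlines():
        m_sid, m_ip = SID_RE.search(line), IP_RE.search(line)
        if m_sid and m_ip and m_sid.group("sid") == sid:
            hits[m_ip.group("ip")] += 1
    return hits


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(hits):
    """Attach the thread's advice to each source: patch/check internal hosts, filter external ones at the perimeter."""
    report = []
    for ip, count in hits.most_common():
        if is_internal(ip):
            scope, action = "internal", "check remote host: apply MS08-067, confirm SEP is installed"
        else:
            scope, action = "external", "block at the perimeter firewall or accept as internet background noise"
        report.append({"ip": ip, "count": count, "scope": scope, "action": action})
    return report


if __name__ == "__main__":
    for row in triage(parse_alerts(SAMPLE_LOG)):
        print(f"{row['ip']:<16}{row['count']:>4}  {row['scope']:<9}{row['action']}")
```

Feed it the exported NTP/IPS log instead of SAMPLE_LOG; the hosts that come out as "internal" with high counts are the ones Riya31's step says to check and patch.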