
Web Attack: Neutrino Exploit Kit Website?

Created: 13 Nov 2013 • Updated: 06 Feb 2014 | 10 comments
This issue has been solved. See solution.

Hello,

I'm not too sure if there's any virus or malware on my computer but my Endpoint Protection popped up a small bubble saying there was an intrusion attempt or something along those lines. I checked the security log and it mentioned Web Attack: Neutrino Exploit Kit Website. It also mentioned it blocked incoming traffic from IP address 212.83.155.218 for 30 minutes.

I immediately ran the antivirus/antispyware scan and nothing came up.

Is there anything else I should do? I did some research, so I'm definitely going to update Java and whatnot, but should I run some other programs or do anything else?

Thank you!

_Brian

The IPS did its job by blocking the intrusion attempt. Keep an eye on it. You can create a firewall rule to block that IP address as well to stop any future attack attempts.

SEP is doing its job so you should be ok.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ecliccion

Hm alright then. Is there a good tutorial for blocking the IP address using Windows Firewall? I just made a custom rule for inbound rules that blocked local and remote IP addresses that correspond to the one I mentioned, but I'm not sure if what I'm doing is correct. This is my first time haha.

_Brian

That sounds right. Just block traffic to/from that IP.

Not sure for Windows firewall but do you use the SEP firewall? You could also do it with that one if you use it... sounds like you don't though?
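One way to do what _Brian describes, added here as an example that is not from the thread or from Symantec: block traffic to and from the IP in the OP's security log in both directions with Windows Firewall, then verify the rules. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and an elevated prompt; the rule name is a made-up label.

```powershell
# Added example (not from the thread). Blocks all traffic to and from the
# IP reported in the OP's SEP log (212.83.155.218) and verifies the rules.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later) and an
# elevated PowerShell prompt. Windows 7 equivalent (netsh) at the bottom.

$BlockedIp  = '212.83.155.218'          # IP from the security log in the thread
$RulePrefix = 'Block Neutrino EK host'  # hypothetical rule name, pick your own

function Add-BlockRule {
    param([string]$Ip, [string]$Name)
    foreach ($Direction in 'Inbound', 'Outbound') {
        $RuleName = "$Name ($Direction)"
        # Skip if a rule with this name already exists (re-running is safe)
        if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$RuleName' already exists, skipping"
            continue
        }
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction $Direction `
            -RemoteAddress $Ip `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
        Write-Host "Created rule '$RuleName'"
    }
}

function Test-BlockRule {
    param([string]$Ip, [string]$Name)
    # Confirm an enabled Block rule for this IP exists in each direction
    foreach ($Direction in 'Inbound', 'Outbound') {
        $Rule = Get-NetFirewallRule -DisplayName "$Name ($Direction)" -ErrorAction SilentlyContinue
        if (-not $Rule) { return $false }
        $Addr = $Rule | Get-NetFirewallAddressFilter
        if ($Rule.Action -ne 'Block' -or $Rule.Enabled -ne 'True' -or $Addr.RemoteAddress -ne $Ip) {
            return $false
        }
    }
    return $true
}

Add-BlockRule -Ip $BlockedIp -Name $RulePrefix
if (Test-BlockRule -Ip $BlockedIp -Name $RulePrefix) { 'Both block rules in place' } else { 'Verification failed' }

# Windows 7 (no NetSecurity module): same rules via netsh
# netsh advfirewall firewall add rule name="Block Neutrino EK host (Inbound)"  dir=in  action=block remoteip=212.83.155.218
# netsh advfirewall firewall add rule name="Block Neutrino EK host (Outbound)" dir=out action=block remoteip=212.83.155.218
```

Blocking a single IP only stops that particular host; exploit kit landing pages move frequently, so keeping IPS signatures and Java/Adobe patches current remains the main control.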

SOLUTION
Ecliccion

I don't see a firewall option on the Endpoint Protection menu or even when I click "Options" for "Network Threat Protection." I'm guessing this is an administrator issue because my profile is not an admin.

Thanks for all the help though!

_Brian

Yeah, it's possible the firewall has not been installed.

Mick2009

In SEP 11, the firewall component (NTP) was required if IPS was to be used. SEP 12.1 removed that dependency: it is possible to have IPS without firewall.

It would also be a good time to ensure that the organization's defenses are in good order. There is a great deal of malware in circulation. Take precautions now!

Symantec Endpoint Protection – Best Practices
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

With thanks and best regards,

Mick

Mithun Sanghavi

Hello,

Web Attack: Neutrino Exploit Kit Website compromises the machine by targeting various vendor vulnerabilities on the victim's machine.

http://www.securityfocus.com/bid/37331/info

That alert was letting you know that an attack was successfully blocked. More details about the originating IP address, etc., can be found in the logs.

Make sure Windows is updated with current patches. Also make sure all Adobe software is updated with the latest patches.

A great many threats in the wild today are built using certain attack kits that take advantage of known vulnerabilities.

I recommend ensuring that your defences are at their highest possible level, all patches are applied, all users educated, and constant attention paid to security. Here are some additional best practices:

http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Beppe

Hello,

You should also inform the owner of that public IP of the issue to shut that server down.

Export and send the SEP logs to: abuse@tiscali.fr including timezone and GMT offset.

See: http://whois.net/ip-address-lookup/212.83.155.218

Regards,

Giuseppe

Mick2009

Followers of this thread may be interested in this new article...

Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

With thanks and best regards,

Mick

_Brian

Ecliccion,

Do you still need assistance or can this thread be marked as solved?