
NEED HELP with SID: 23179 OS Attack

Created: 07 Jun 2011 | Comments: 8

HELLO

Today I received this message many times:

Traffic from IP address ............ is blocked from 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM 

SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected

I downloaded the patch but this message keeps coming, so if somebody can help me with this and tell me what immediate action I should take to stop any damage or prevent further damage from happening.


Rafeeq

Try these two things:

1) Open the IPS policy; if the From address / To address is your internal IP, then add it under the Exclude Host option.

2) Edit the IPS policy, look for the SID and set it to Allow.

http://www.symantec.com/business/support/index?page=content&id=TECH97176&key=55357&actp=LIST

sandra.g

I wouldn't recommend excluding the host or allowing the traffic for this signature without determining whether or not it's malicious.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Chetan Savade

Hi,

It clearly states the attack: OS Attack: MS Windows Server Service RPC Handling. To know more about it, check the link below:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

It is important that you have these Microsoft updates installed on all machines.

Check this link for all the updates which need to be installed:

http://www.securityfocus.com/bid/31874/solution

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Brɨan

Is the traffic inbound or outbound?

I would make sure you get more details before you start excluding hosts.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Priya uthama

Hi All,
Above are my logs from SEP. I have the same problem,
and need advice from all of you.

I think this is a worm.

Brɨan

You need to disconnect those 7 hosts from the network and run scans on them with the latest definition set.

You should also make sure these machines are fully patched.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
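The triage the replies above ask for (find out which sources are behind the SID 23179 hits before excluding anything, then isolate and scan the internal ones) can be scripted over the notification text quoted in the thread. This is an added example, not code from the thread or from Symantec; the alert lines are constructed samples with each notification joined onto one line, and "internal" is assumed to mean the RFC 1918 ranges, which you would adjust to your own address plan.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample notifications in the format quoted in the thread.
# The addresses and timestamps are made up for illustration.
SAMPLE_ALERTS = """\
Traffic from IP address 192.168.1.37 is blocked from 7/7/2011 8:35:50AM to 7/7/2011 8:45:50AM SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 192.168.1.37 is blocked from 7/7/2011 8:50:12AM to 7/7/2011 9:00:12AM SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 203.0.113.9 is blocked from 7/7/2011 8:36:01AM to 7/7/2011 8:46:01AM SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
Traffic from IP address 192.168.1.52 is blocked from 7/7/2011 9:10:00AM to 7/7/2011 9:20:00AM SID:23179 OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected
"""

ALERT_RE = re.compile(
    r"Traffic from IP address (?P<src>\S+) is blocked from "
    r"(?P<start>\S+ \S+) to (?P<end>\S+ \S+)\s+"
    r"SID:(?P<sid>\d+) (?P<name>.*?) detected$"
)

# Assumed definition of "internal": RFC 1918 space. Adjust to your own ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_alert(line):
    """Return a dict for one SEP IPS notification line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sid"] = int(rec["sid"])
    rec["start"] = datetime.strptime(rec["start"], "%m/%d/%Y %I:%M:%S%p")
    rec["end"] = datetime.strptime(rec["end"], "%m/%d/%Y %I:%M:%S%p")
    rec["internal"] = is_internal(rec["src"])
    return rec

def triage(text, sid=23179):
    """Count alerts for one SID per source and split internal from external sources.
    Internal sources repeatedly tripping a CVE-2008-4250 signature are the candidate
    infected hosts to disconnect and scan; external sources are inbound probes the
    IPS is already blocking and are not a reason to exclude hosts or allow the SID."""
    internal, external = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is None or rec["sid"] != sid:
            continue
        (internal if rec["internal"] else external)[rec["src"]] += 1
    return {"isolate_and_scan": dict(internal), "inbound_blocked": dict(external)}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```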