MS RPCSS attack reported by Symantec


2 replies to this topic

#1 Aotearoah


Posted 20 December 2010 - 09:43 AM

OK, so my Symantec Endpoint Protection antivirus software popped up with an "MS RPCSS (2) attack detected" message from an IP I did not recognize (after a whois lookup it was Russian, and another one was French, if that says anything). Another message that I get is "MS RPC LSASS DS Oversized Request". Symantec then blocks these IPs, but for only 10 minutes. These messages pop up every now and then (every half an hour or so), all day today basically.

In the Network Threat Protection log that Symantec has, I get incoming connections(?) that Symantec blocks; there are multiple ones every second, about 50 or so.

12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:51:01 PM 12/20/2010 6:51:01 PM Block_all
12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:56 PM 12/20/2010 6:50:56 PM Block_all
12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:56 PM 12/20/2010 6:50:56 PM Block_all
12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:56 PM 12/20/2010 6:50:56 PM Block_all
12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:56 PM 12/20/2010 6:50:56 PM Block_all
12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:40 PM 12/20/2010 6:50:40 PM Block_all

(This is how a sample copy of the log looks.) Sorry for the bad formatting.


Now I believe this originates from a wireless internet device (USB stick) that I used today, since I didn't do anything else that I hadn't done in past days. Was stupid to do so, possibly, but too late now. I have Panda Security vaccination tool installed (having "computer vaccinated") and hoped that would help.

I am running Windows 7, browsing with Google Chrome.

Can anyone help me? I am willing to do scans and post whatever logs the experts here recommend. Also, I am wondering what my threats are here and now. Should I disconnect this machine from the Internet and use another one for accessing this thread?

Running a quick scan with Malwarebytes... found nothing.
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5360

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/20/2010 6:55:47 PM
mbam-log-2010-12-20 (18-55-47).txt


Scan type: Quick scan
Objects scanned: 135100
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Thank you very much in advance!

Edit: should this topic go to Virus, Trojan, Spyware, and Malware Removal? http://www.bleepingcomputer.com/forums/forum22.html If so, can anyone move it there? Should I x-post? Thanks.

Edit 2: I've attached 2 small pics of the two types of messages I am getting from Symantec.

Edited by Aotearoah, 20 December 2010 - 12:11 PM.
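As an added example (not part of the original post, and not Symantec's own tooling), here is a small Python parser for the Network Threat Protection traffic-log lines pasted above. It groups the blocked frames by source MAC, destination MAC and EtherType and flags entries that are raw link-layer broadcasts (no IP addresses, destination FF-FF-FF-FF-FF-FF), which cannot have been routed in from the Internet and are a separate matter from the RPCSS/LSASS intrusion-prevention alerts. The field layout and the meaning of the numeric "1" column (treated as a frame count) are inferred from the pasted sample, not from Symantec documentation.

```python
import re
from datetime import datetime

# Sample lines copied from the post above; the third is a stray text line to show
# that non-matching input is counted as unparsed rather than crashing the parser.
SAMPLE_LINES = [
    "12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:51:01 PM 12/20/2010 6:51:01 PM Block_all",
    "12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:56 PM 12/20/2010 6:50:56 PM Block_all",
    "(this is how a sample copy of the log looks.)",
    "12/20/2010 6:51:02 PM Blocked 10 Incoming ETHERNET [type=0x9000] 0.0.0.0 40-4A-03-59-3A-A1 0 0.0.0.0 FF-FF-FF-FF-FF-FF 0 sameer sameer-VAIO Default 1 12/20/2010 6:50:40 PM 12/20/2010 6:50:40 PM Block_all",
]
# Field layout inferred from the pasted export, not from Symantec documentation.
_TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
LINE_RE = re.compile(
    rf"^(?P<logged>{_TS}) (?P<action>\S+) (?P<severity>\d+) (?P<direction>\S+) "
    rf"(?P<proto>\S+) \[type=(?P<ethertype>0x[0-9A-Fa-f]+)\] "
    rf"(?P<src_ip>\S+) (?P<src_mac>\S+) (?P<src_port>\d+) "
    rf"(?P<dst_ip>\S+) (?P<dst_mac>\S+) (?P<dst_port>\d+) "
    rf"(?P<user>\S+) (?P<host>\S+) (?P<location>\S+) (?P<count>\d+) "
    rf"(?P<begin>{_TS}) (?P<end>{_TS}) (?P<rule>\S+)$"
)
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"

def parse_line(line):
    """Return a dict for one traffic-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["begin"] = datetime.strptime(rec["begin"], TS_FMT)
    rec["end"] = datetime.strptime(rec["end"], TS_FMT)
    rec["count"] = int(rec["count"])
    # No IP header (0.0.0.0 both ways) plus a link-layer broadcast destination:
    # such a frame is never routed, so it originated on the local segment.
    rec["local_broadcast"] = (rec["src_ip"] == "0.0.0.0"
                              and rec["dst_mac"].upper() == BROADCAST_MAC)
    return rec

def summarize(lines):
    """Group frames by (src_mac, dst_mac, ethertype): count, time window, broadcast flag."""
    recs = [r for r in map(parse_line, lines) if r]
    groups = {}
    for r in recs:
        key = (r["src_mac"], r["dst_mac"], r["ethertype"])
        g = groups.setdefault(key, {"frames": 0, "first": r["begin"], "last": r["end"],
                                    "local_broadcast": r["local_broadcast"]})
        g["frames"] += r["count"]
        g["first"] = min(g["first"], r["begin"])
        g["last"] = max(g["last"], r["end"])
    return {"parsed": len(recs), "unparsed": len(lines) - len(recs), "groups": groups}
```

EtherType 0x9000 is the Ethernet Configuration Testing Protocol (loopback), so a group like the one above is link-layer test chatter from a device on the same segment, blocked by the default rule, and is not evidence of the Internet-sourced RPC attacks the IPS alerts refer to.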




#2 snemelk


Posted 07 January 2011 - 05:31 AM

You're being helped on SWI: MS RPS LSASS DS Oversize request, please do not create the same topics on multiple forums... I suggest you follow duckfeet's instructions on SWI...
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 Aotearoah


Posted 07 January 2011 - 06:17 PM

Thanks and sorry. Please close this topic if it's needed.



