I have this log entry from SEP:

2011-04-05T10:52:37+02:00 SymantecServer SomeServer: SomePC,[SID: 23179] 
OS Attack: MS Windows Server Service RPC Handling CVE-2008-4250 detected.  
Traffic has been blocked from this application: C:\WINDOWS\system32\ntoskrnl.exe,
Local: 10.90.27.172,
Local: 000000000000,
Remote: ,
Remote: 10.90.27.220,
Remote: 000000000000,Inbound,TCP,
Intrusion ID: 0,
Begin: 2011-04-05 10:28:37,
End: 2011-04-05 10:28:37,
Occurrences: 1,
Application: C:/WINDOWS/system32/ntoskrnl.exe,
Location: Default,
User: 123456,
Domain: SomeDomain

I want to confirm I understand this correctly. This is TCP inbound communication. In other words, the remote IP 10.90.27.220 is trying to expose some vulnerability on the local machine, 10.90.27.172.

So we should be more worried about the remote machine than the local machine. Or is it the other way round?

Johandk

4 Answers

Attacker: 10.90.27.220 Victim: 10.90.27.172

"Inbound" indicates that 10.90.27.172 is the machine under attack (and probably the one generating the log).

jeimues (edited by voretaq7)
    Your answer is a good one (so I've translated it), but for the future please note that the official language of the Stack Exchange trilogy is English. Thanks :-) – voretaq7 Feb 03 '12 at 23:36
Depends what you're trying to fix. You should probably look at the 10.90.27.220, as it is the one that most likely launched the attack.

Aaron
10.90.27.220, which I assume to be under your control because of the RFC 1918 IP, has probably been compromised. It attempted to exploit a known vulnerability (CVE-2008-4250, which is a buffer overflow attack on RPC handling) on 10.90.27.172.

The way you will handle this depends on what kind of machine 10.90.27.220 is. You might be dealing with a port security issue (someone has connected something unauthorized to your network), a firewall issue (the machine was allowed to be connected but is not under your control), a rogue user (running Metasploit or something on your network), or a virus-infected workstation (or server!), among other things.

Falcon Momot
"Inbound" indicates that 10.90.27.172 is the machine under attack and the attacker is trying to access the vulnerable ntoskrnl.exe. It's very clear.
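As an added example (not from the question or any of the answers, and not Symantec's own code), here is a small Python parser for the SEP IPS syslog line quoted in the question that applies the reading the answers give: with "Inbound", the Remote address is the attacker and Local is the victim. It goes a little beyond the page by also handling the Outbound mirror case and flagging whether the attacker address is RFC 1918; the function names, the SAMPLE_* lines and the Outbound variant are constructed here.

```python
import ipaddress
import re
# Field layout of a SEP IPS syslog line as quoted in the question. Local/Remote keys repeat
# (ip, mac / host, ip, mac), so they are matched positionally; the trailing "Key: value" pairs are split.
_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) SymantecServer (?P<server>\S+): (?P<host>[^,]+),\s*"
    r"\[SID: (?P<sid>\d+)\] (?P<message>.*?),\s*"
    r"Local: (?P<local_ip>[^,]*),\s*Local: (?P<local_mac>[^,]*),\s*"
    r"Remote: (?P<remote_host>[^,]*),\s*Remote: (?P<remote_ip>[^,]*),\s*"
    r"Remote: (?P<remote_mac>[^,]*),\s*(?P<direction>Inbound|Outbound|Unknown),\s*"
    r"(?P<proto>[^,]*),\s*(?P<rest>.*)$")

def parse_sep_ips(line: str) -> dict:
    m = _EVENT_RE.match(line.strip())
    if not m:
        raise ValueError("not a SEP IPS event line")
    ev = {k: v.strip() for k, v in m.groupdict().items() if k != "rest"}
    for item in m["rest"].split(","):  # Intrusion ID, Begin, End, Application, User, ...
        key, sep, value = item.strip().partition(": ")
        if sep:
            ev[key] = value
    cve = re.search(r"CVE-\d{4}-\d+", ev["message"])
    ev["cve"] = cve.group(0) if cve else None
    return ev

def attacker_and_victim(ev: dict) -> tuple:
    # Inbound: traffic arrived at the logging host, so Remote attacks Local; Outbound is the mirror.
    if ev["direction"] == "Inbound":
        return ev["remote_ip"], ev["local_ip"]
    if ev["direction"] == "Outbound":
        return ev["local_ip"], ev["remote_ip"]
    raise ValueError(f"direction {ev['direction']!r} does not identify attacker/victim")

def triage(ev: dict) -> dict:
    # Who to look at first, whether that host is RFC 1918 (your own network), the CVE, and whether SEP blocked it.
    attacker, victim = attacker_and_victim(ev)
    return {"attacker": attacker, "victim": victim,
            "attacker_is_internal": ipaddress.ip_address(attacker).is_private,
            "cve": ev["cve"], "blocked": "has been blocked" in ev["message"]}

# The question's entry re-joined onto the single line syslog delivers it as, plus a
# constructed Outbound mirror of the same signature.
SAMPLE_INBOUND = (
    "2011-04-05T10:52:37+02:00 SymantecServer SomeServer: SomePC,[SID: 23179] OS Attack: "
    "MS Windows Server Service RPC Handling CVE-2008-4250 detected.  Traffic has been blocked "
    "from this application: C:\\WINDOWS\\system32\\ntoskrnl.exe,Local: 10.90.27.172,"
    "Local: 000000000000,Remote: ,Remote: 10.90.27.220,Remote: 000000000000,Inbound,TCP,"
    "Intrusion ID: 0,Begin: 2011-04-05 10:28:37,End: 2011-04-05 10:28:37,Occurrences: 1,"
    "Application: C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User: 123456,Domain: SomeDomain")
SAMPLE_OUTBOUND = SAMPLE_INBOUND.replace(",Inbound,", ",Outbound,")
```

Running `triage(parse_sep_ips(SAMPLE_INBOUND))` names 10.90.27.220 as the attacker and 10.90.27.172 as the victim, with the attacker flagged as an internal (RFC 1918) host, which is the starting point Falcon Momot's answer describes.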