This indicates an attack attempt to exploit a buffer-overflow vulnerability in the Microsoft Windows Server Service (svchost.exe). An attacker who successfully exploited this vulnerability can execute arbitrary code in the affected system.
The Windows Server service exposes some vulnerable functions through SMB/RPC. These functions can be accessed without authentication by default on Windows 2000, XP and Windows server 2003. Authentication is required on Windows Vista and Windows Server 2008 by default.
The following links provide more information on this vulnerability:
- MS08-67: http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
- BID 31874: http://www.securityfocus.com/bid/31874
- VUPEN/ADV-2008-2902: http://www.frsirt.com/english/advisories/2008/2902
- CVE-2008-4250: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
- MILW0RM 7132: http://www.milw0rm.com/exploits/7132
- MILW0RM 7104: http://milw0rm.com/exploits/7104
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
- Download and install the patch for the Server Service Vulnerability: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx.