explain this log entry?

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    34

    explain this log entry?

    Hi, could someone give me a quick rundown on reading this log entry?

    Thur, 03/04/2004 00:07:22 - TCP connection dropped - Source:203..x.x.x, 4498, WAN - Destination:203..x.x.x, 135, WAN - 'Suspicious TCP Data'

    Does this mean that my firewall found something strange? It came from (allegedly) 203.x.x.x
    and its source was my network 203.x.x.x (destination IP = me?).
    It was over the internet = WAN
    and it was using UDP?
    Now, if I get heaps of these from the same IP, then someone is trying harder than usual to find an open door?
    "Do not despise the snake for having no horns, for who is to say it will not become a dragon?"

  2. #2
    Thur, 03/04/2004 00:07:22 - Occurred: Thursday, March 04, 2004 at 7am and 22 minutes

    TCP connection dropped - Meaning: a connection was lost suddenly (correct me if I am wrong, anyone)

    Source:203..x.x.x, 4498 - The TCP connection drop came from the IP 203.x.x.x, from their port 4498.

    WAN - Destination:203..x.x.x, 135 - The source IP (see above) tried to connect to the destination IP 203.x.x.x on port 135, on your WAN IP (internet IP).

    WAN - 'Suspicious TCP Data' - Sounds like the application that made the log file recognizes this as not something that happens normally, and needs your attention.

    It was using the TCP protocol. You know this because of the "TCP connection dropped" and the "Suspicious TCP Data". Also, port 135 is not a trojan port but a critical Windows port. I'll snag some information on port 135 in a moment.

    1. Were both IPs the same?
    2. Are you on a home network?

  3. #3
    Member
    Join Date
    Nov 2003
    Posts
    34
    Thanks.
    I did mean TCP, not UDP. I've been looking at these logs all day and my eyes are skware.
    The IPs were different, i.e. the source and the destination. Destination is my network, not a home one which gets assigned an IP every time we log on via ADSL.
    135 is the RPC port and lots of things can use it: DHCP/WINS etc.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Looks like it might be a scanning tool looking for an open RPC port. If it doesn't receive an appropriate answer (SYN/ACK), then it probably sends a FIN or an RST so as not to appear to be a "stealth" or half-open scan. That would be the "dropped" part. Your firewall may see it as suspicious (which it is) simply because things were just out of order (SYN - "nothing" - RST or FIN).

    I don't think it's anything you should lose sleep over.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
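    Reading the entry programmatically, as an added example that is not part of the thread: the Python below parses lines in the format the firewall wrote (the field-by-field breakdown given in post #2) and then counts, per source IP, how many drops to port 135 fall inside a five-minute window. That is one way to answer the "heaps of these from the same IP" question from post #1 and to pick out the repeated SYN-then-RST probing that post #4 describes. The log lines are constructed for this example using documentation addresses (203.0.113.0/24 and 198.51.100.0/24) in place of the redacted 203.x.x.x; the month/day/year date order, the threshold of three hits and the five-minute window are assumptions, not values taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the firewall log format quoted in the thread. Assumption: one
# event per line, fields separated by " - ", the reason in single quotes.
LOG_RE = re.compile(
    r"^(?P<dow>[A-Za-z]+), (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})"
    r" - (?P<event>.+?)"
    r" - Source:(?P<src_ip>[\d.]+), (?P<src_port>\d+), (?P<src_if>\w+)"
    r" - Destination:(?P<dst_ip>[\d.]+), (?P<dst_port>\d+), (?P<dst_if>\w+)"
    r" - '(?P<reason>[^']*)'$"
)

# The log spells Thursday as "Thur"; map the abbreviations to weekday numbers.
WEEKDAYS = {"mon": 0, "tue": 1, "tues": 1, "wed": 2, "thu": 3, "thur": 3,
            "thurs": 3, "fri": 4, "sat": 5, "sun": 6}

# Constructed sample log, not from the thread. Documentation addresses stand
# in for the redacted 203.x.x.x; 203.0.113.250 plays the WAN address.
SAMPLE_LOG = """\
Thur, 03/04/2004 00:07:22 - TCP connection dropped - Source:203.0.113.10, 4498, WAN - Destination:203.0.113.250, 135, WAN - 'Suspicious TCP Data'
Thur, 03/04/2004 00:07:25 - TCP connection dropped - Source:203.0.113.10, 4499, WAN - Destination:203.0.113.250, 135, WAN - 'Suspicious TCP Data'
Thur, 03/04/2004 00:08:01 - TCP connection dropped - Source:203.0.113.10, 4503, WAN - Destination:203.0.113.250, 135, WAN - 'Suspicious TCP Data'
Thur, 03/04/2004 00:09:40 - TCP connection dropped - Source:203.0.113.10, 4510, WAN - Destination:203.0.113.250, 135, WAN - 'Suspicious TCP Data'
Thur, 03/04/2004 00:15:12 - TCP connection dropped - Source:198.51.100.7, 3344, WAN - Destination:203.0.113.250, 135, WAN - 'Suspicious TCP Data'
Thur, 03/04/2004 00:16:02 - TCP connection dropped - Source:198.51.100.7, 3350, WAN - Destination:203.0.113.250, 80, WAN - 'Suspicious TCP Data'
""".splitlines()


def parse_entry(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    # Assumption: dates are month/day/year. "Thur, 03/04/2004" only fits
    # 4 March 2004 (a Thursday); 3 April 2004 was a Saturday, so checking the
    # weekday field is a cheap way to catch a wrong date-order guess.
    ts = datetime.strptime(f["date"] + " " + f["time"], "%m/%d/%Y %H:%M:%S")
    f["timestamp"] = ts
    f["weekday_ok"] = WEEKDAYS.get(f["dow"].lower()) == ts.weekday()
    f["src_port"] = int(f["src_port"])
    f["dst_port"] = int(f["dst_port"])
    return f


def find_repeat_sources(lines, dst_port=135, threshold=3,
                        window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold drops to dst_port inside one window.

    Returns {src_ip: hits_in_busiest_window}. A single probe is background
    noise; the same source hammering the same port is what the thread calls
    "trying harder than usual".
    """
    hits = defaultdict(list)
    for line in lines:
        e = parse_entry(line)
        if e is None or e["dst_port"] != dst_port:
            continue
        hits[e["src_ip"]].append(e["timestamp"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        best, start = 0, 0
        # Sliding window over the sorted timestamps for this source.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    first = parse_entry(SAMPLE_LOG[0])
    print("source %s:%d -> port %d (%s), weekday consistent: %s" % (
        first["src_ip"], first["src_port"], first["dst_port"],
        first["reason"], first["weekday_ok"]))
    print("repeat sources:", find_repeat_sources(SAMPLE_LOG))
```

    On the sample above the first source is flagged with four hits in just over two minutes, while 198.51.100.7 is not: it touched port 135 only once, and its port 80 attempt is a different question. Tune the threshold and window to your own log volume before acting on the output, and treat a flagged address as a reason to look closer, not as proof of anything about the host behind it.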

  5. #5
    Member
    Join Date
    Nov 2003
    Posts
    34
    Thanks tiger...
