Results 1 to 2 of 2

Thread: SysLog Translation

  1. #1
    Junior Member
    Join Date
    Oct 2004

    SysLog Translation

    Can someone help me translate this excerpt from my syslog.

    2004-10-08 16:08:18 User.Warning klogd: ACCEPT IN=br0 OUT=vlan1 SRC= DST= LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26380 DF PROTO=TCP SPT=7637 DPT=7777 SEQ=1727272745 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

    I'm running windows 2003 server, this particular line is in my syslog file approximately every 2 hours, sometimes more often...I'm behind a Linksys Router with the following open ports
    25, 80, 110, 443, 6000-6004.


  2. #2
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Well I can not. I donít run windows 2003 server, nor do I know how much you do or donít know ( your profile is empty ), nor do I know much about your network as the information is limited. If you are truly a newbie then read the FAQs; and remember, specific information ( but not too detailed as to give away info to dark sided hackers ) is important if you want help..

    Is this the exact same message you see?

    Assuming you know nothing ( but then why would you be running a 2003 server ? ) here is what I see, but as I said I am not familiar with this syslog:
    The server is on a class ďCĒ network
    There is a VLAN running on the server
    The network device facing the intranet is br0
    The protocol in question is TCP
    The source IP ( internal ) is
    The source port is 7637 ( from the above computer )
    The destination is ( where the source is trying to connect to )
    The destination port is 7777 ( of the destination above )
    This is a syn packet
    the length is 48 ( basically size )
    time-to-live is 127

    The rest I am to drunk to discuss or remember so it is not important, and if you know nothing it isnít important to you either.

    OK now, lets see. You have a computer inside your network that is trying to connect to ( registered to Microtek Corporation Alberta Canada )
    1) which computer in the your network has this address? ( )
    2) are you connected to the Internet through this network? ( Microtek Corporation )
    3) Is there a computer in your LAN that needs to connect to someone in this IP range ( the Microtek Corporation )?

    The fact that it is a SYN packet with nothing else ( no ACK, etc. ) means it is an initial attempt to connect, probably failing because your router wonít let it out ( just guessing here, bet remember Iím way drunk by now trying to answer this ) and that is why it is being logged. The TTL, or time-to live is 127, and if it canít get out will just stop. The LEN is 48: no help here, a proper length ( By the way, all these could be used to ďfingerprintĒ the system in question, but that is WAY beyond this )

    Now down to the nitty-gritty. Nothing special about the source prot that I know of ( 7637 ) but this could be assigned arbitrarily by the program running on the computer in question, or could be fixed: either way nothing special.
    On the other hand, the destination port may be significant. That is port 7777.
    It could be trying to connect to an oracle-portal or someone introduced a trojan onto your system. If the later, from what I gather, the server portion of the trojan ( there are a few variants ) would be on your system ( at ) trying to connect to a client at, but why would it pick this particular address?

    The key here is the originating ( source, ) computer.

    (A) What OS ( Operating System ) is it running?
    (B) What programs are installed ?
    (C) Is it current with patches, etc.?
    (D) Is there something set up to use a FWTK-authsvr ( also registered to port 7777, but known exploits have existed for several years ) ?

    As you see, much more info is needed. The bottom line is, you have to help yourself before others can help you.

    Anyone else see anything different ?? Thus again, I am only looking through one eye trying to focus.

    Hope this leads you to a conclusion.

    P.S. I sure as hell hope I dinn't do somneone's homework!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts