October 9th, 2004, 05:14 AM
Can someone help me translate this excerpt from my syslog?
2004-10-08 16:08:18 User.Warning 192.168.10.1 klogd: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.10.10 DST=18.104.22.168 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26380 DF PROTO=TCP SPT=7637 DPT=7777 SEQ=1727272745 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
I'm running Windows 2003 Server. This particular line is in my syslog file approximately every 2 hours, sometimes more often... I'm behind a Linksys router with the following open ports:
25, 80, 110, 443, 6000-6004.
October 9th, 2004, 11:45 AM
Well I can not. I don't run Windows 2003 Server, nor do I know how much you do or don't know ( your profile is empty ), nor do I know much about your network as the information is limited. If you are truly a newbie then read the FAQs; and remember, specific information ( but not too detailed as to give away info to dark sided hackers ) is important if you want help.
Is this the exact same message you see?
Assuming you know nothing ( but then why would you be running a 2003 server ? ) here is what I see, but as I said I am not familiar with this syslog:
The server is on a class "C" network
There is a VLAN running on the server
The network device facing the intranet is br0
The protocol in question is TCP
The source IP ( internal ) is 192.168.10.10
The source port is 7637 ( from the above computer )
The destination is 22.214.171.124 ( where the source is trying to connect to )
The destination port is 7777 ( of the destination above )
This is a syn packet
the length is 48 ( basically size )
time-to-live is 127
The rest I am too drunk to discuss or remember so it is not important, and if you know nothing it isn't important to you either.
OK now, let's see. You have a computer inside your network that is trying to connect to 126.96.36.199 ( registered to Microtek Corporation Alberta Canada )
1) which computer in your network has this address? ( 192.168.10.10 )
2) are you connected to the Internet through this network? ( Microtek Corporation )
3) Is there a computer in your LAN that needs to connect to someone in this IP range ( the Microtek Corporation )?
The fact that it is a SYN packet with nothing else ( no ACK, etc. ) means it is an initial attempt to connect, probably failing because your router won't let it out ( just guessing here, but remember I'm way drunk by now trying to answer this ) and that is why it is being logged. The TTL, or time-to-live, is 127, and if it can't get out will just stop. The LEN is 48: no help here, a proper length ( By the way, all these could be used to "fingerprint" the system in question, but that is WAY beyond this )
Now down to the nitty-gritty. Nothing special about the source port that I know of ( 7637 ) but this could be assigned arbitrarily by the program running on the computer in question, or could be fixed: either way nothing special.
On the other hand, the destination port may be significant. That is port 7777.
It could be trying to connect to an oracle-portal or someone introduced a trojan onto your system. If the latter, from what I gather, the server portion of the trojan ( there are a few variants ) would be on your system ( at 192.168.10.10 ) trying to connect to a client at 188.8.131.52, but why would it pick this particular address?
The key here is the originating ( source, 192.168.10.10 ) computer.
(A) What OS ( Operating System ) is it running?
(B) What programs are installed ?
(C) Is it current with patches, etc.?
(D) Is there something set up to use a FWTK-authsvr ( also registered to port 7777, but known exploits have existed for several years ) ?
As you see, much more info is needed. The bottom line is, you have to help yourself before others can help you.
Anyone else see anything different ?? Thus again, I am only looking through one eye trying to focus.
Hope this leads you to a conclusion.
P.S. I sure as hell hope I didn't do someone's homework!
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
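As an added example (not code from either poster), a small Python parser for the klogd/netfilter line quoted in the question. It pulls out the things the reply walks through by hand: the verdict prefix (ACCEPT here), the in/out interfaces and therefore the direction, source and destination endpoints, TTL, and whether the packet is a bare SYN (an initial connection attempt). The field names are the standard netfilter LOG-target keys; the LAN interface name br0 comes from the log line itself.

```python
import re
from typing import Dict, Set

# Constructed sample: the netfilter line from the syslog excerpt quoted in the question.
SAMPLE_LINE = (
    "2004-10-08 16:08:18 User.Warning 192.168.10.1 klogd: ACCEPT IN=br0 OUT=vlan1 "
    "SRC=192.168.10.10 DST=18.104.22.168 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26380 DF "
    "PROTO=TCP SPT=7637 DPT=7777 SEQ=1727272745 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 "
    "OPT (020405B401010402)"
)

# Bare tokens netfilter emits for set TCP flags ("ACK=0" with '=' is the ack number, not the flag).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_netfilter_line(line: str) -> dict:
    """Split a klogd/netfilter log line into verdict, KEY=VALUE fields and bare TCP flags."""
    m = re.search(r"klogd:\s*(\S+)\s+(.*)$", line)
    if not m:
        raise ValueError("not a klogd netfilter line")
    verdict, rest = m.group(1), m.group(2)
    rest = re.sub(r"OPT \([0-9A-Fa-f]+\)", "", rest)  # drop the TCP options blob
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in rest.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        elif tok == "DF":          # Don't Fragment bit has no value
            fields["DF"] = "1"
    return {"verdict": verdict, "fields": fields, "flags": flags}


def summarize(parsed: dict, lan_if: str = "br0") -> dict:
    """Direction, bare-SYN test and endpoints, the same reading the reply does by hand."""
    f, flags = parsed["fields"], parsed["flags"]
    return {
        "verdict": parsed["verdict"],
        "outbound": f.get("IN") == lan_if,   # entered on the LAN bridge, leaving via WAN
        "initial_syn": "SYN" in flags and "ACK" not in flags,
        "src": f"{f['SRC']}:{f['SPT']}",
        "dst": f"{f['DST']}:{f['DPT']}",
        "proto": f.get("PROTO"),
        "ttl": int(f["TTL"]),
    }


if __name__ == "__main__":
    print(summarize(parse_netfilter_line(SAMPLE_LINE)))
```

Feeding a syslog file through this line by line and grouping by SRC/DST:DPT shows how regular the "every 2 hours" pattern really is, which is the first thing to establish before deciding whether the host at 192.168.10.10 needs a closer look.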