Re: FTP Server Logging



On Tue, 06 Dec 2005 04:49:18 GMT, Jeff Cochran wrote:

> On 30 Nov 2005 11:57:01 -0600, MikeV06 <me@xxxxxxxxxxx> wrote:
>
>>I monitor my router and ftp logs on Server 2003. As would be expected, port
>>21 packets show up in both. However, I have an instance where the router
>>shows an incoming and outgoing packet for port 21. However, no entry was
>>made in the ftp log.
>>
>>The router shows
>>
>>Nov 29, 2005 12:25:37.302 UTC - 58.12.31.109 : 62649 >>> 192.168.1.95 : 21 - FTP Scan
>>Nov 29, 2005 12:25:37.302 UTC - 192.168.1.95 : 21 >>> 58.12.31.109 : 62649
>>
>>The router would not generate an outgoing packet, hence the packet had to
>>have been generated by the server by the program listening on port 21
>>(ftp).
>>
>>Nothing from that ip address is listed in the ftp log, the http log, the
>>firewall log, or the event log. I did not have a deny access entry in
>>directory security for that range of addresses (I do now).
>>
>>Unless I am missing something, this would suggest that a packet was
>>processed by the ftp server but not recorded in the ftp log. How is that
>>possible and how do I correct it?
>
> Or it's processed by another program.
>
> Jeff

I have used netstat -nab and procexp to see what the system is doing and do
not see anything strange. I have not seen the pattern happen again since
the one time.

How could I monitor the port for that activity? I wish I had some of the
Linux tools ... iptables, tcpdump, and so on.
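
An added example, not written by either poster: one way to watch for the mismatch described in this thread is to parse router lines in the format quoted above and list port-21 peers that never appear in the FTP log. It assumes the FTP log is in W3C extended format with a `#Fields:` header that includes `c-ip`; the function names, the third router line and the FTP log sample are constructed for illustration, and matching is by IP address only, not by time.

```python
import re

# Router format as quoted in the post:
# "<timestamp> UTC - <src> : <sport> >>> <dst> : <dport>[ - <label>]"
ROUTER_RE = re.compile(
    r"^(?P<ts>.+? UTC) - (?P<src>[\d.]+) : (?P<sport>\d+) >>> "
    r"(?P<dst>[\d.]+) : (?P<dport>\d+)(?: - (?P<label>.+))?$"
)

def parse_router(lines, port=21):
    """Yield router entries whose destination port is `port` (inbound side)."""
    for line in lines:
        m = ROUTER_RE.match(line.strip())
        if m and int(m["dport"]) == port:
            yield m.groupdict()

def ftp_client_ips(lines):
    """Collect c-ip values from a W3C extended log, using its #Fields header."""
    fields, seen = [], set()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and "c-ip" in fields:
            cols = line.split()
            if len(cols) == len(fields):  # skip truncated or malformed rows
                seen.add(cols[fields.index("c-ip")])
    return seen

def unlogged_peers(router_lines, ftp_lines, port=21):
    """Router-visible peers on `port` that have no entry in the FTP log."""
    logged = ftp_client_ips(ftp_lines)
    return [e for e in parse_router(router_lines, port) if e["src"] not in logged]

# First two lines are from the post (wrapped lines rejoined); third is constructed.
ROUTER_SAMPLE = [
    "Nov 29, 2005 12:25:37.302 UTC - 58.12.31.109 : 62649 >>> 192.168.1.95 : 21 - FTP Scan",
    "Nov 29, 2005 12:25:37.302 UTC - 192.168.1.95 : 21 >>> 58.12.31.109 : 62649",
    "Nov 29, 2005 13:02:10.118 UTC - 203.0.113.7 : 40112 >>> 192.168.1.95 : 21",
]
# Constructed FTP log sample (assumed W3C extended layout).
FTP_SAMPLE = [
    "#Fields: time c-ip cs-method cs-uri-stem sc-status",
    "13:02:10 203.0.113.7 [1]USER anonymous 331",
]

if __name__ == "__main__":
    for e in unlogged_peers(ROUTER_SAMPLE, FTP_SAMPLE):
        print(e["ts"], e["src"], e["sport"], e["label"] or "")
```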