Re: FTP Server Logging
- From: MikeV06 <me@xxxxxxxxxxx>
- Date: 6 Dec 2005 07:34:02 -0600
On Tue, 06 Dec 2005 04:49:18 GMT, Jeff Cochran wrote:
> On 30 Nov 2005 11:57:01 -0600, MikeV06 <me@xxxxxxxxxxx> wrote:
>>I monitor my router and ftp logs on Server 2003. As would be expected, port
>>21 packets show up in both. However, I have an instance where the router
>>shows an incoming and outgoing packet for port 21. However, no entry was
>>made in the ftp log.
>>The router shows
>>Nov 29, 2005 12:25:37.302 UTC - 220.127.116.11 : 62649 >>> 192.168.1.95 :
>>21 - FTP Scan
>>Nov 29, 2005 12:25:37.302 UTC - 192.168.1.95 : 21 >>> 18.104.22.168 :
>>The router would not generate an outgoing packet, hence the packet had to
>>have been generated by the server by the program listening on port 21
>>Nothing from that ip address is listed in the ftp log, the http log, the
>>firewall log, or the event log. I did not have a deny access entry in
>>directory security for that range of addresses (I do now).
>>Unless I am missing something, this would suggest that a packet was
>>processed by the ftp server but not recorded in the ftp log. How is that
>>possible and how to I correct it?
> Or it's processed by another program.
I have used netstat -nab and procexp to see what the system is doing and do
not see anything strange. I have not seen the pattern happen again since
the one time.
How could I monitor the port for that activity? I wish I had some of the
Linux tools ... iptables, tcpdump, and so on.