Vsftpd Log Question
murmy




msg:4164939
 9:13 pm on Jul 5, 2010 (gmt 0)

I believe that my server admin has been lifting logs from my server. Can someone please explain what is happening in these three entries (particularly the last one):

Wed Jun 2 05:12:11 2010 1 00.000.00.000 217 /var/log/apache2/ssl_request_log-20100528.gz b _ o r ftpmurmy ftp 0 * c
Wed Jun 2 05:18:20 2010 1 00.000.00.000 217 /var/log/apache2/ssl_request_log-20100528.gz b _ o r ftpmurmy ftp 0 * c
Wed Jun 2 05:18:29 2010 1 00.000.00.000 217 /var/log/apache2/ssl_request_log-20100528.gz b _ i r ftpmurmy ftp 0 * c

(I went over the IP address with 00.000.00.000 to protect identity)

 

Demaestro




msg:4164967
 10:24 pm on Jul 5, 2010 (gmt 0)

b _ o


First letter: transfer mode
a = ascii
b = binary

Underscore:
A letter in this position would indicate any special operations, like gzipping or tarring the data on-the-fly. "_" means "no special operation".

Second letter: transfer direction
i = input (= upload = FTP PUT)
o = output (FTP GET)

r ftpmurmy


Third letter: access mode
a = anonymous
g = guest user
r = regular user

After this letter is the username of the person performing the operation.


ftp 0 * c


"ftp 0 *": service name, authentication method and authentication user id (if applicable). These are not configurable in vsftpd, so this is a constant string that carries no useful information. It is there only to match wuftpd log format.

The last letter: completion status
c = completed
i = interrupted (transfer failed)

**********************************

What has happened is he took a copy of the ssl_request_log-20100528.gz file... twice... then uploaded one back and replaced the one he took.

Depending on his role it could just be that he is archiving your logs and taking a copy for backup. I am not sure why he would PUT the file back. He could have modified it for less than pure reasons.

I don't know your relationship or dynamics so it is hard to say what his intentions are.

lammert




msg:4165105
 7:09 am on Jul 6, 2010 (gmt 0)

Worth mentioning is that 217 is the length of the up/downloaded file. The file size hasn't changed between download and upload. That is no guarantee that nothing inside the logfile has changed, but it doesn't seem that full lines have been added or removed.
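As an added example (not part of any post in this thread), the field layout explained in the replies above can be parsed in Python to flag a file that was downloaded and then uploaded back to the same path, and to compare the logged sizes. The names `parse` and `replaced_after_download` and the 192.0.2.10 address are assumptions made for the illustration; the positions of the transfer-time and host fields follow the standard xferlog layout.

```python
from collections import namedtuple
from datetime import datetime

Xfer = namedtuple(
    "Xfer", "when secs host size path mode special direction access user status")

# Constructed sample: the three entries quoted in the thread, with the
# poster's masked IP replaced by a documentation address (assumption).
SAMPLE = """\
Wed Jun 2 05:12:11 2010 1 192.0.2.10 217 /var/log/apache2/ssl_request_log-20100528.gz b _ o r ftpmurmy ftp 0 * c
Wed Jun 2 05:18:20 2010 1 192.0.2.10 217 /var/log/apache2/ssl_request_log-20100528.gz b _ o r ftpmurmy ftp 0 * c
Wed Jun 2 05:18:29 2010 1 192.0.2.10 217 /var/log/apache2/ssl_request_log-20100528.gz b _ i r ftpmurmy ftp 0 * c
"""

def parse(line):
    """Split one xferlog-style line into named fields."""
    t = line.split()
    if len(t) < 18:  # 5 date tokens + 3 + path + 9 trailing fields
        raise ValueError("not an xferlog line: %r" % line)
    when = datetime.strptime(" ".join(t[:5]), "%a %b %d %H:%M:%S %Y")
    # Read the fixed trailing fields from the right so that a path
    # containing spaces cannot shift them.
    mode, special, direction, access, user, _svc, _auth, _uid, status = t[-9:]
    path = " ".join(t[8:-9])
    return Xfer(when, int(t[5]), t[6], int(t[7]), path,
                mode, special, direction, access, user, status)

def replaced_after_download(records):
    """Pair each completed upload (i) with the latest earlier completed
    download (o) of the same path. Returns (download, upload, size_changed)."""
    last_get, findings = {}, []
    for r in sorted(records, key=lambda r: r.when):
        if r.status != "c":  # skip interrupted transfers
            continue
        if r.direction == "o":
            last_get[r.path] = r
        elif r.direction == "i" and r.path in last_get:
            got = last_get[r.path]
            findings.append((got, r, r.size != got.size))
    return findings

if __name__ == "__main__":
    for got, put, changed in replaced_after_download(map(parse, SAMPLE.splitlines())):
        print(put.user, "re-uploaded", put.path, "at", put.when,
              "| size changed:", changed)
```

An unchanged size only rules out added or removed bytes; comparing a checksum of the uploaded file against a trusted copy is what shows whether the content differs.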

murmy




msg:4165133
 9:09 am on Jul 6, 2010 (gmt 0)

Thanks for your assessment, guys. I am now certain that they have been lifting our access logs, although I now understand that there is nothing sinister in these particular entries, which I've discovered relate to something else.
