Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

FTP log file / FTP site stopped

Status
Not open for further replies.
neualex

neualex

Programmer
Joined
Feb 26, 2008
Messages
53
Location
US
Hi guys,

I hope I am posting this question in the right place, if not please let me know where I should post it.

I am running a FTP site on IIS 6.0 on Windows 2003 EE.
This FTP site has been stopped several times in the past week, and I don't find any trace on who might possibly did it.

I looked at the FTP logs, but they won't help.
I looked at the SYSTEM event logs, but I don't find anything related to the FTP service.

Am I looking at the wrong places?
Some guidance is appreciated.

Thanks,
...neualex
 
Sort by date Sort by votes
How many users have access to this?

Burt
 
Upvote 0 Downvote
No online users; however, we setup FTP accounts used by other systems to FTP data processed by this FTP server.

...neualex
 
Upvote 0 Downvote
What logs are you looking at? In C:\WINDOWS\System32\LogFiles\MSFTPVSC1\exDate).log?

Burt
 
Upvote 0 Downvote
Here's an example of a dictionary attack attempt (ha ha ha)...I love it when

09:56:13 201.91.76.5 [371]USER adrian 331
09:56:13 201.91.76.5 [371]PASS - 530
09:56:14 201.91.76.5 [371]USER alex 331
09:56:14 201.91.76.5 [372]USER alex 331
09:56:14 201.91.76.5 [372]USER alex 331
09:56:15 201.91.76.5 [372]PASS - 530
09:56:15 201.91.76.5 [372]USER alex 331
09:56:15 201.91.76.5 [373]USER alex 331
09:56:17 201.91.76.5 [373]USER alex 331
09:56:17 201.91.76.5 [373]PASS - 530
09:56:17 201.91.76.5 [373]USER alex 331
09:56:18 201.91.76.5 [374]USER alex 331
09:56:18 201.91.76.5 [374]USER alex 331
09:56:18 201.91.76.5 [374]PASS - 530
09:56:19 201.91.76.5 [374]USER alex 331
09:56:19 201.91.76.5 [375]USER alex 331
09:56:19 201.91.76.5 [375]USER alex 331
09:56:20 201.91.76.5 [375]PASS - 530
09:56:20 201.91.76.5 [375]USER alex 331
09:56:20 201.91.76.5 [376]USER alex 331
09:56:21 201.91.76.5 [376]USER alex 331
09:56:21 201.91.76.5 [376]PASS - 530
09:56:21 201.91.76.5 [376]USER alex 331
09:56:22 201.91.76.5 [377]USER alex 331
09:56:22 201.91.76.5 [377]USER alex 331
09:56:22 201.91.76.5 [377]PASS - 530
09:56:23 201.91.76.5 [377]USER alex 331

Here is the IP address info...

IP address: 201.91.76.5
Reverse DNS: 201-91-76-5.customer.tdatabrasil.net.br.
Reverse DNS authenticity: [Could be forged: hostname 201-91-76-5.customer.tdatabrasil.net.br. does not exist]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): BR [Brazil]
Country Currency: BRL [Brazil Real]
Country IP Range: 201.64.0.0 to 201.95.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): BR [Brazil]
Private (internal) IP? No
IP address registrar: whois.lacnic.net
Known Proxy? No
Link for WHOIS: 201.91.76.5

the link...


the acl in my Cisco that blocks the entire range from the ISP...

access-list 113 deny ip 201.64.0.0 0.31.255.255 any
access-list 113 permit ip any any
int di0
ip access-group 113 in

Stops that!

My point is that those logs show all activity from all IP addresses---I have mine set to log every day (used to be every hour).

Burt
 
Upvote 0 Downvote
Burt,

Yes, I am looking at the same FTP logs on "C:\WINDOWS\System32\LogFiles\MSFTPVSC1\"

However, what I am trying to find out is WHO/WHEN stops the FTP service, no the FTP activity.

Thanks for your help,
...neualex
 
Upvote 0 Downvote
I can't think of any way other than looking at about when the service stops and matching that as close as you can to hourly logs...

Burt
 
Upvote 0 Downvote
Are you positive that someone is stopping the service, and that it's not simply falling over? How do you have the recovery set for that service?



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Upvote 0 Downvote
LawnBoy,

I am not sure if it is someone or some process...but I cannot see what's stopping the service. The recovery process is set to RESTART THE SERVICE.

Isn't Windows supposed to log an event entry if something/someone restarts a service?

Thanks,
...neualex
 
Upvote 0 Downvote
Supposed to? Yes. I've a Blackberry server that IIS fails on and doesn't log a thing.



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

bpafc
  • Locked
  • Question Question
FTP login delay
Replies
2
Views
449
bpafc
bpafc
DWheater
  • Locked
  • Question Question
FTP through Back to Back Firewalls
Replies
0
Views
283
DWheater
DWheater
Egghead2
  • Locked
  • Question Question
File Transfer Issue Using Active FTP - Port Command
Replies
1
Views
467
allworxguy
allworxguy
PCHomepage
  • Locked
  • Question Question
Accessing FTP As Explorer Location
Replies
5
Views
436
PCHomepage
PCHomepage
3rdParty
  • Locked
  • Question Question
Tool for text file logging
Replies
0
Views
261
3rdParty
3rdParty

Part and Inventory Search

Sponsor

Back
Top