How to check FTP logins.

Status
Not open for further replies.

nerbonne

Technical User
Dec 11, 2006
99
US
When I run "ps -ef", I see a lot of entries that say the localhost IP is logged into the server through FTP. To me, this means that a script on the webserver is logging in (or attempting to) via FTP. How can I find out who this is?

Here are some examples of the ps output:

nobody 13833 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50510)
nobody 13852 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50522)
nobody 13871 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50545)
nobody 13881 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50557)
nobody 13888 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50569)
nobody 13906 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50581)
nobody 13918 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50592)
nobody 13927 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50604)
nobody 13949 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50626)
nobody 13961 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50637)
nobody 13971 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50649)
nobody 13983 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50660)
nobody 13995 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50672)
nobody 14020 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50694)
nobody 14032 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50705)
nobody 14042 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50717)
nobody 14062 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50739)
nobody 14075 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50750)
nobody 14083 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50762)
nobody 14107 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50784)
nobody 14119 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50795)
nobody 14128 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50807)
nobody 14154 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50829)
nobody 14169 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50840)
nobody 14184 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50852)
nobody 14204 27617 0 18:37 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50875)
nobody 14239 27617 0 18:37 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50889)
nobody 14251 27617 0 18:37 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50900)
nobody 14260 27617 0 18:37 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50912)
nobody 14308 27617 0 18:37 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50956)
 
Additionally, netstat -a returns a bunch of entries that look like this:

tcp 0 0 localhost:56505 localhost:domain TIME_WAIT
tcp 0 0 localhost:56457 localhost:domain TIME_WAIT
tcp 0 0 localhost:56469 localhost:domain TIME_WAIT
tcp 0 0 localhost:56421 localhost:domain TIME_WAIT
tcp 0 0 localhost:56445 localhost:domain TIME_WAIT
tcp 0 0 localhost:56433 localhost:domain TIME_WAIT
tcp 0 0 localhost:56396 localhost:domain TIME_WAIT
tcp 0 0 localhost:56384 localhost:domain TIME_WAIT
tcp 0 0 localhost:56408 localhost:domain TIME_WAIT
tcp 0 0 localhost:56360 localhost:domain TIME_WAIT
tcp 0 0 localhost:56372 localhost:domain TIME

tcp 0 0 localhost:56407 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56395 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56371 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56383 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56359 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56347 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56323 localhost:2082 TIME_WAIT
tcp 0 0 localhost:56335 localhost:2082 TIME

Can anyone please tell me what is going on???
 
Wouldn't you want to refer to the proftpd system logs for information about who/what is logged in? Enabling proftpd may be a conf option, but I'm guessing you can log the details you want.

D.E.R. Management - IT Project Management Consulting
 
I've looked in /etc/proftpd.conf and I don't see options for logging.
 
I think proftpd creates a log called /var/log/xferlog by default. It does for me anyway and I didn't even have to ask it to. ;-)



 
Nothing shows up in the xferlog. I'm still getting tons of these processes every day. It looks like a script on the server is starting them, but I don't know how to track them down. How can I tell who started the process?
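An added example, not posted by anyone in the thread: one way to attribute the loopback sessions is to take the client port that proftpd shows in `ps -ef` and look up the matching client-side socket in `/proc/net/tcp`, whose `uid` column is the account that opened the connection. The sample data is constructed; FTP control port 21, UID 503 and the inode numbers are assumptions.

```python
import re

# Constructed samples: ps lines in the format shown in the post, and a
# /proc/net/tcp excerpt. Port 21 (0x0015), UID 503 and inodes are assumed.
PS_SAMPLE = """\
nobody 13833 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50510)
nobody 13852 27617 0 18:36 ? 00:00:00 proftpd: connected: 127.0.0.1 (127.0.0.1:50522)
"""
TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0015 0100007F:C54E 01 00000000:00000000 00:00000000 00000000    99        0 41001 1 0000000000000000 20 4 30 10 -1
   1: 0100007F:C54E 0100007F:0015 01 00000000:00000000 00:00000000 00000000   503        0 41000 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C55A 0100007F:0015 06 00000000:00000000 03:00000E10 00000000     0        0 0 3 0000000000000000
"""

PS_RE = re.compile(r"^\S+\s+(\d+)\s.*proftpd: connected: \S+ \(127\.0\.0\.1:(\d+)\)")

def proftpd_loopback_ports(ps_text):
    """Map client source port -> proftpd session PID for loopback sessions."""
    ports = {}
    for line in ps_text.splitlines():
        m = PS_RE.match(line)
        if m:
            ports[int(m.group(2))] = int(m.group(1))
    return ports

def client_socket_owners(ps_text, tcp_text, ftp_port=21):
    """Return {client_port: (uid, inode)} for the client end of each session."""
    sessions = proftpd_loopback_ports(ps_text)
    owners = {}
    for line in tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        lport = int(f[1].split(":")[1], 16)  # ports are hex in /proc/net/tcp
        rport = int(f[2].split(":")[1], 16)
        # Client end: local port is the one proftpd reported, remote is FTP.
        if lport in sessions and rport == ftp_port:
            state, uid, inode = f[3], int(f[7]), int(f[9])
            # TIME_WAIT (06) sockets are detached from their process: uid and
            # inode read as 0, so they carry no owner information.
            owners[lport] = None if state == "06" else (uid, inode)
    return owners

if __name__ == "__main__":
    for port, owner in client_socket_owners(PS_SAMPLE, TCP_SAMPLE).items():
        print(port, owner or "socket already closed; sample more often")
```

On a live host, feed it the output of `ps -ef` and the contents of `/proc/net/tcp` captured at the same moment; the returned inode can then be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to name the connecting process.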
 