FTP logfile shows strange activity at login


 
# 1  
Old 09-01-2009
FTP logfile shows strange activity at login

Has anyone seen this FTP log file line-item, or does anyone know what is causing it?

3 times when I successfully logged into FTP today, the log file shows a server response of a wrong password (530) to an IP address that is not mine... Below are FTP Log-file entries. I have removed my username & IP address:

[2009/09/01 09:46:28] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 09:46:28] my_username 74.9.212.42: C="PASS (hidden)" B=- S=530
[2009/09/01 09:46:30] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 09:46:30] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211

-----------

[2009/09/01 10:13:39] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 10:13:39] my_username 206.174.127.8: C="PASS (hidden)" B=- S=530
[2009/09/01 10:13:41] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 10:13:41] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211

-----------

[2009/09/01 10:28:15] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 10:28:15] my_username 69.229.165.99: C="PASS (hidden)" B=- S=530
[2009/09/01 10:28:17] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 10:28:17] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211

-----------

Line 1: server acknowledges good username (331) from my IP address.
Line 2: always at the same time stamp, the server tells someone else's IP address (associated with various ISPs around the country) that the password was refused (530).
Line 3: a few seconds later, the password I sent is accepted (230) from my IP address.
Line 4: my FTP client successfully starts its session...

Any ideas what's causing this would be appreciated!
Thank you.

Last edited by bricolage; 09-01-2009 at 11:05 PM..
# 2  
Old 09-01-2009
Try running a whois against each unexpected IP address. But one thought is that there is a DNS problem causing "odd" IP addresses to turn up for the name of your host, perhaps?
# 3  
Old 09-01-2009
Thank you for the reply, Tony.

DNS is an interesting thought. There's a chance that could explain the "odd" IP addresses. I don't know enough to say how though, or if it would also explain the refused password log item as well. It makes me think that something somewhere is misconfigured, poorly programmed or someone is being naughty.

For what it's worth, WhoIs says that the three "odd" IP addresses are assigned to three different ISPs around the USA: PaeTec Communications, General Communication and AT&T Internet Services.

The extra IP address and refused password code don't show up for every log-in attempt I make, only some.
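
A way to pull the pattern discussed in this thread out of a larger log, as an added example that is not part of any post above: it flags every PASS entry logged from an address that never sent USER for that login name, and reports the gap to the nearest USER. The first four sample lines are from the first post; the last two are a constructed clean login, and the function and field names are assumptions of this sketch.

```python
import re
from datetime import datetime

# One log entry in the format shown in the thread.
LINE = re.compile(
    r'^\[(?P<ts>[\d/]+ [\d:]+)\] (?P<user>\S+) (?P<ip>\S+): '
    r'C="(?P<cmd>\w+)[^"]*" B=\S+ S=(?P<status>\d{3})$'
)

def orphan_pass_events(lines):
    """Return PASS entries whose source address sent no USER for that login.

    USER and PASS travel on one control connection, so a PASS from an address
    with no pending USER for the same login name is the anomaly in question.
    """
    pending = {}    # (user, ip) -> time of a USER not yet followed by PASS
    last_user = {}  # user -> (ip, time) of the most recent USER, any address
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip separators and anything in another format
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        key = (m["user"], m["ip"])
        if m["cmd"] == "USER":
            pending[key] = ts
            last_user[m["user"]] = (m["ip"], ts)
        elif m["cmd"] == "PASS":
            if pending.pop(key, None) is not None:
                continue  # normal case: same address sent USER first
            near_ip, near_ts = last_user.get(m["user"], (None, None))
            gap = (ts - near_ts).total_seconds() if near_ts else None
            findings.append({"time": m["ts"], "user": m["user"],
                             "pass_ip": m["ip"], "status": m["status"],
                             "user_cmd_ip": near_ip, "gap_seconds": gap})
    return findings

# Lines 1-4: from the first post. Lines 5-6: constructed clean login.
SAMPLE = """\
[2009/09/01 09:46:28] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 09:46:28] my_username 74.9.212.42: C="PASS (hidden)" B=- S=530
[2009/09/01 09:46:30] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
[2009/09/01 09:46:30] my_username 75.MY.IP.XXX: C="FEAT" B=- S=211
[2009/09/01 11:02:10] my_username 75.MY.IP.XXX: C="USER my_username" B=- S=331
[2009/09/01 11:02:12] my_username 75.MY.IP.XXX: C="PASS (hidden)" B=- S=230
""".splitlines()

if __name__ == "__main__":
    for finding in orphan_pass_events(SAMPLE):
        print(finding)
```

Run over a full day's log, the output gives the list of foreign addresses and timestamps to compare against whois results and against which logins were affected.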