
List:       proftpd-users
Subject:    Re: [Proftpd-user] logging problem. Bug? ExtendedLog ... possibly EPSV ?
From:       TJ Saunders <tj@castaglia.org>
Date:       2012-07-25 16:04:42
Message-ID: alpine.DEB.2.00.1207250859530.23651@familiar.castaglia.org


> Thanks for the response! (looks like it is a problem with "incomplete"
> transfers, not EPSV). More below:

Ah, yes.  Thanks for jogging my memory about this particular issue.

> > Given that the ExtendedLog shows EPSV/STOR pairs for the
> > /xxxxxxhonda/.htaccess file, I'm inclined to wonder whether your ExtendedLog file
> > was modified such that that STOR /xxxxxxhonda/showthread.php line was
> > surgically removed...
> 
> except that would require root access (I checked the perms).

OK, good.  That was going to be something else to check: whether the 
ExtendedLog path was a symlink, and whether the permissions on the 
directory containing the ExtendedLog file allowed users (other than root) 
to delete/add files.

> And it is also illogical, why would the attacker be messing around with 
> FTP and/or deleting _part_ of the logs for their session if they had 
> root?

I'm not sure.  I would caution against using logic to rule out what an 
attacker might or might not do -- unless you know specifically what an 
attacker is out to do on your system.

> ahh frig, there it is. It is the incomplete transfers. Both those 
> transfers are showing as incomplete. Now that I go back and look, that's 
> the same on the original report.  THAT element is common. I can find 
> multiple occasions where there's a TransferLog entry showing an 
> incomplete transfer that does NOT have a matching STOR entry in 
> ExtendedLog

There is some functionality -- currently in the proftpd source code in CVS 
-- which fixes this particular issue (i.e. of logging of 
incomplete/aborted transfers) as part of supporting additional logging 
variables.

> check.xferlog in case anyone else cares to check. No guarantees
> of course.

Thanks for the script!  It's always useful, for those on this list, to see 
what other admins use for checking things like this.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   The more we study, the more we discover our ignorance.

   	-Percy Bysshe Shelley

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
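Added example, not the check.xferlog script mentioned in the thread and not ProFTPD code: a cross-check that does what the thread converged on by hand, namely find TransferLog entries that have no matching request line in the ExtendedLog, and then split them into incomplete transfers (the logging gap TJ describes, fixed in CVS at the time) and complete transfers with no request line (the case that would actually point at an edited log). It also performs the two location checks TJ lists: whether the log path is a symlink, and whether the log file or its directory is writable by group/others. Assumptions: the TransferLog uses the standard xferlog layout, the ExtendedLog uses ProFTPD's default LogFormat ("%h %l %u %t \"%r\" %s %b"), and the sample log lines, hosts and paths below are constructed for illustration.

```python
"""Cross-check a ProFTPD TransferLog (xferlog format) against an ExtendedLog.

Added example; not the thread's check.xferlog and not ProFTPD code.
Assumes the default ExtendedLog LogFormat ("%h %l %u %t \"%r\" %s %b");
adjust EXT_RE if a custom LogFormat is configured.
"""
import os
import re
import stat
from collections import defaultdict, namedtuple

# Constructed sample logs: hosts, users and paths are placeholders.
XFERLOG = """\
Wed Jul 25 08:55:01 2012 1 192.0.2.10 512 /xxxxxxhonda/.htaccess b _ i r user ftp 0 * c
Wed Jul 25 08:59:53 2012 4 192.0.2.10 20480 /xxxxxxhonda/showthread.php b _ i r user ftp 0 * i
Wed Jul 25 09:01:10 2012 1 192.0.2.10 2048 /xxxxxxhonda/index.php b _ o r user ftp 0 * c
Wed Jul 25 09:05:00 2012 2 192.0.2.10 4096 /example/other.txt b _ i r user ftp 0 * c
"""

EXTENDEDLOG = """\
192.0.2.10 UNKNOWN user [25/Jul/2012:08:55:00 -0700] "EPSV" 229 -
192.0.2.10 UNKNOWN user [25/Jul/2012:08:55:01 -0700] "STOR /xxxxxxhonda/.htaccess" 226 512
192.0.2.10 UNKNOWN user [25/Jul/2012:08:59:49 -0700] "EPSV" 229 -
192.0.2.10 UNKNOWN user [25/Jul/2012:09:01:09 -0700] "EPSV" 229 -
192.0.2.10 UNKNOWN user [25/Jul/2012:09:01:10 -0700] "RETR /xxxxxxhonda/index.php" 226 2048
"""

Xfer = namedtuple("Xfer", "host size path direction completion user")
Ext = namedtuple("Ext", "host user command arg status")

# xferlog direction flag -> FTP commands that produce such a transfer.
DIRECTION_TO_COMMANDS = {"i": {"STOR", "APPE", "STOU"}, "o": {"RETR"}, "d": {"DELE"}}

# Default LogFormat: host ident user [time] "request" status bytes
EXT_RE = re.compile(r'^(\S+) (\S+) (\S+) \[[^\]]+\] "([^"]*)" (\S+) (\S+)$')


def parse_xferlog(text):
    """Parse xferlog lines. Tokens 0-4 are the timestamp, then transfer-time,
    host and size; the last 9 fields are fixed, so the filename is whatever
    sits in between (it may contain spaces)."""
    records = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 18:
            continue  # truncated or malformed line
        records.append(Xfer(host=t[6], size=int(t[7]), path=" ".join(t[8:-9]),
                            direction=t[-7], completion=t[-1], user=t[-5]))
    return records


def parse_extendedlog(text):
    """Parse default-format ExtendedLog lines into (host, user, command, arg, status)."""
    records = []
    for line in text.splitlines():
        m = EXT_RE.match(line)
        if not m:
            continue
        host, _ident, user, request, status, _nbytes = m.groups()
        command, _, arg = request.partition(" ")
        records.append(Ext(host, user, command.upper(), arg, status))
    return records


def unmatched_transfers(xferlog_text, extlog_text):
    """TransferLog records with no ExtendedLog request for the same host,
    path and a command consistent with the transfer direction."""
    seen = defaultdict(int)
    for e in parse_extendedlog(extlog_text):
        seen[(e.host, e.command, e.arg)] += 1
    return [x for x in parse_xferlog(xferlog_text)
            if not any(seen.get((x.host, c, x.path)) for c in DIRECTION_TO_COMMANDS.get(x.direction, ()))]


def triage(missing):
    """Incomplete unmatched transfers are the known logging gap from the
    thread; complete ones with no request line are the ones to investigate."""
    incomplete = [x for x in missing if x.completion == "i"]
    complete = [x for x in missing if x.completion == "c"]
    return incomplete, complete


def log_location_issues(path):
    """The checks TJ lists: symlinked log path, and a log file or log
    directory writable by group/others (a world-writable dir without the
    sticky bit lets any local user delete and recreate the file)."""
    issues = []
    if os.path.islink(path):
        issues.append("%s is a symlink -> %s" % (path, os.readlink(path)))
    parent = os.path.dirname(os.path.abspath(path)) or "."
    if not os.path.isdir(parent):
        return issues + ["%s does not exist" % parent]
    dmode = os.stat(parent).st_mode
    if dmode & (stat.S_IWGRP | stat.S_IWOTH) and not dmode & stat.S_ISVTX:
        issues.append("%s writable by group/others (%s)" % (parent, stat.filemode(dmode)))
    if os.path.exists(path):
        fmode = os.stat(path).st_mode
        if fmode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append("%s writable by group/others (%s)" % (path, stat.filemode(fmode)))
    return issues


if __name__ == "__main__":
    incomplete, complete = triage(unmatched_transfers(XFERLOG, EXTENDEDLOG))
    for x in incomplete:
        print("incomplete transfer, no ExtendedLog request (expected gap):", x.path)
    for x in complete:
        print("COMPLETE transfer with no ExtendedLog request, investigate:", x.path)
    for issue in log_location_issues("/var/log/proftpd/xferlog"):  # assumed path
        print("log location:", issue)
```

Run against real logs by reading the two files into `XFERLOG` and `EXTENDEDLOG`; only the second category of finding (complete transfer, no request line) is evidence that something other than the incomplete-transfer logging gap is going on.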

_______________________________________________
ProFTPD Users List   <proftpd-users@proftpd.org>
Unsubscribe problems?
http://www.proftpd.org/list-unsub.html