How to find out what command was done with my FTP log?
My `index.php` files have suddenly been deleted today. I downloaded the FTP log file from the server. I see that an unknown user has accessed my FTP server today. I have the following line in my FTP log, but don't know how to read it:
Fri Dec 31 13:25:51 2010 0 ::ffff:[IP HERE] 10079 [FILE NAME] a _ o r [USERNAME] ftp 0 * c
What do the following pieces of information mean: `10079`, `a _ o r` and `0 * c`?
Solution 1:
FTP logs are largely in `xferlog` format. That follows this convention:
current-time transfer-time remote-host file-size filename transfer-type special-action-flag direction access-mode username service-name authentication-method authenticated-user-id completion-status
In your case, I believe you are interpreting `10079`, `a_or` and `0*c` as three separate pieces of information. Those pieces of information are actually seven distinct pieces of information:
- `10079` is the file size
- `a` is transfer type (`a` stands for an ascii transfer)
- `_` is the special-action-flag (`_` means no action taken)
- `o` is the direction (`o` is for outgoing)
- `r` is for access mode (`r` is for "real" or locally authenticated user)
- `0` is for authentication-method (`0` = none)
- `*` is for authenticated-user-id (`*` means "not available")
- `c` is for completion-status (`c` means "complete" for a complete transfer)
Check out `man xferlog` for more information. Here's a web based man page for xferlog.
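The field layout above, turned into a small parser (an added example, not part of the original answer). The sample line is constructed: the host, path and username stand in for the placeholders in the question. The `d` (deleted) direction code is the one ProFTPD's xferlog documents, and is worth filtering on when files have gone missing.

```python
from datetime import datetime

# The nine single-token fields that follow the filename, in xferlog order.
TRAILING = ["transfer_type", "special_action_flag", "direction", "access_mode",
            "username", "service_name", "authentication_method",
            "authenticated_user_id", "completion_status"]

# Meaning of the one-character codes, per xferlog(5).
CODES = {
    "transfer_type": {"a": "ascii", "b": "binary"},
    "special_action_flag": {"_": "none", "C": "compressed",
                            "U": "uncompressed", "T": "tar'ed"},
    "direction": {"o": "outgoing", "i": "incoming", "d": "deleted"},
    "access_mode": {"r": "real user", "a": "anonymous", "g": "guest"},
    "authentication_method": {"0": "none", "1": "RFC931"},
    "completion_status": {"c": "complete", "i": "incomplete"},
}

def parse_xferlog(line):
    """Split one xferlog line into named fields, decoding the flag characters."""
    tok = line.split()
    if len(tok) < 18:  # 5 date tokens + 3 fields + filename + 9 trailing fields
        raise ValueError("not an xferlog line: %r" % line)
    rec = {
        "current_time": datetime.strptime(" ".join(tok[:5]),
                                          "%a %b %d %H:%M:%S %Y"),
        "transfer_time": int(tok[5]),   # seconds
        "remote_host": tok[6],
        "file_size": int(tok[7]),       # bytes
        # Parse from both ends so a filename containing spaces stays intact.
        "filename": " ".join(tok[8:-9]),
    }
    for name, value in zip(TRAILING, tok[-9:]):
        rec[name] = CODES.get(name, {}).get(value, value)
    return rec

# Constructed sample line modelled on the one in the question.
SAMPLE = ("Fri Dec 31 13:25:51 2010 0 ::ffff:192.0.2.10 10079 "
          "/var/www/my site/index.php a _ o r alice ftp 0 * c")

if __name__ == "__main__":
    for field, value in parse_xferlog(SAMPLE).items():
        print("%-22s %s" % (field, value))
```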