How to find out what command was done with my FTP log?

My index.php file was suddenly deleted today. I downloaded the FTP log file from the server. I see that an unknown user has accessed my FTP server today. I have the following line in my FTP log, but don't know how to read it:

Fri Dec 31 13:25:51 2010 0 ::ffff:[IP HERE] 10079 [FILE NAME] a _ o r [USERNAME] ftp 0 * c

What do the following pieces of information mean: 10079, a _ o r, and 0 * c?


Solution 1:

FTP logs are largely in xferlog format. That follows this convention:

current-time   transfer-time   remote-host   file-size   filename   transfer-type   special-action-flag   direction   access-mode   username   service-name   authentication-method   authenticated-user-id  completion-status

In your case, I believe you are interpreting 10079, a _ o r and 0 * c as three separate pieces of information. Those pieces of information are actually seven distinct pieces of information.

  • 10079 is the file size
  • a is transfer type (a stands for an ascii transfer)
  • _ is the special-action-flag (_ means no action taken)
  • o is the direction (o is for outgoing)
  • r is for access mode (r is for "real" or locally authenticated user)
  • 0 is for authentication-method (0 = none)
  • * is for authenticated-user-id (* means "not available")
  • c is for completion-status (c means "complete" for a complete transfer)

Check out man xferlog for more information. Here's a web-based man page for xferlog.
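To make the field layout above concrete, here is an added example (not part of the original answer) that parses xferlog lines into named fields, spells out the one-letter codes, and groups activity per remote host so the asker can see which host touched which file. The sample lines are constructed: the question's line with its placeholders replaced by documentation IPs and a made-up path, plus two more; the 'd' (delete) direction code is what ProFTPD writes and is not in the original wu-ftpd format.

```python
from collections import defaultdict
# xferlog layout: 5 timestamp tokens, transfer-time, remote-host, file-size, the filename,
# then nine trailing fields. Slicing from both ends keeps a filename with spaces intact.
_HEAD = 8
_TAIL = ["transfer_type", "special_action", "direction", "access_mode",
         "username", "service_name", "auth_method", "auth_user_id", "completion"]
# Meaning of the one-letter codes (man xferlog); 'd' in direction is ProFTPD's delete code.
CODES = {
    "transfer_type": {"a": "ascii", "b": "binary"},
    "special_action": {"_": "none", "C": "compressed", "U": "uncompressed", "T": "tar"},
    "direction": {"o": "outgoing", "i": "incoming", "d": "deleted"},
    "access_mode": {"r": "real", "a": "anonymous", "g": "guest"},
    "auth_method": {"0": "none", "1": "RFC931"},
    "completion": {"c": "complete", "i": "incomplete"},
}

def parse_xferlog(line):
    """Split one xferlog record into named fields; None if the line is too short."""
    tokens = line.split()
    if len(tokens) < _HEAD + 1 + len(_TAIL):
        return None
    host = tokens[6]
    if host.startswith("::ffff:"):          # drop the IPv4-mapped IPv6 prefix
        host = host[len("::ffff:"):]
    rec = {
        "time": " ".join(tokens[:5]),
        "transfer_secs": int(tokens[5]),
        "remote_host": host,
        "size": int(tokens[7]),
        "filename": " ".join(tokens[_HEAD:-len(_TAIL)]),
    }
    rec.update(zip(_TAIL, tokens[-len(_TAIL):]))
    return rec

def explain(rec):
    # Translate coded fields into words, e.g. direction 'o' -> 'outgoing'.
    return {k: CODES[k].get(v, "unknown(%s)" % v) for k, v in rec.items() if k in CODES}

def activity_by_host(lines):
    """Who touched what: (direction, filename, username) per remote host."""
    hosts = defaultdict(list)
    for rec in filter(None, map(parse_xferlog, lines)):
        hosts[rec["remote_host"]].append((rec["direction"], rec["filename"], rec["username"]))
    return dict(hosts)

# Constructed sample: the question's line with its placeholders filled in, plus two more.
SAMPLE_LINES = [
    "Fri Dec 31 13:25:51 2010 0 ::ffff:192.0.2.10 10079 /www/index.php a _ o r webadmin ftp 0 * c",
    "Fri Dec 31 13:26:04 2010 0 ::ffff:192.0.2.10 0 /www/index.php a _ d r webadmin ftp 0 * c",
    "Fri Dec 31 14:02:11 2010 3 ::ffff:198.51.100.7 48211 /www/my page.html b _ i r editor ftp 0 * c",
]
```

Running activity_by_host over a full log and looking at hosts you do not recognise is the quickest way to see whether the unknown visitor only downloaded index.php or also deleted it.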