
FTP log file / FTP site stopped

Status
Not open for further replies.

neualex

Programmer
Feb 26, 2008
53
US
Hi guys,

I hope I am posting this question in the right place, if not please let me know where I should post it.

I am running an FTP site on IIS 6.0 on Windows 2003 EE.
This FTP site has been stopped several times in the past week, and I don't find any trace of who might possibly have done it.

I looked at the FTP logs, but they won't help.
I looked at the SYSTEM event logs, but I don't find anything related to the FTP service.

Am I looking at the wrong places?
Some guidance is appreciated.

Thanks,
...neualex
 
No online users; however, we set up FTP accounts used by other systems to FTP data processed by this FTP server.

...neualex
 
What logs are you looking at? In C:\WINDOWS\System32\LogFiles\MSFTPVSC1\ex(Date).log?

Burt
 
Here's an example of a dictionary attack attempt (ha ha ha)...I love it when

09:56:13 201.91.76.5 [371]USER adrian 331
09:56:13 201.91.76.5 [371]PASS - 530
09:56:14 201.91.76.5 [371]USER alex 331
09:56:14 201.91.76.5 [372]USER alex 331
09:56:14 201.91.76.5 [372]USER alex 331
09:56:15 201.91.76.5 [372]PASS - 530
09:56:15 201.91.76.5 [372]USER alex 331
09:56:15 201.91.76.5 [373]USER alex 331
09:56:17 201.91.76.5 [373]USER alex 331
09:56:17 201.91.76.5 [373]PASS - 530
09:56:17 201.91.76.5 [373]USER alex 331
09:56:18 201.91.76.5 [374]USER alex 331
09:56:18 201.91.76.5 [374]USER alex 331
09:56:18 201.91.76.5 [374]PASS - 530
09:56:19 201.91.76.5 [374]USER alex 331
09:56:19 201.91.76.5 [375]USER alex 331
09:56:19 201.91.76.5 [375]USER alex 331
09:56:20 201.91.76.5 [375]PASS - 530
09:56:20 201.91.76.5 [375]USER alex 331
09:56:20 201.91.76.5 [376]USER alex 331
09:56:21 201.91.76.5 [376]USER alex 331
09:56:21 201.91.76.5 [376]PASS - 530
09:56:21 201.91.76.5 [376]USER alex 331
09:56:22 201.91.76.5 [377]USER alex 331
09:56:22 201.91.76.5 [377]USER alex 331
09:56:22 201.91.76.5 [377]PASS - 530
09:56:23 201.91.76.5 [377]USER alex 331

Here is the IP address info...

IP address: 201.91.76.5
Reverse DNS: 201-91-76-5.customer.tdatabrasil.net.br.
Reverse DNS authenticity: [Could be forged: hostname 201-91-76-5.customer.tdatabrasil.net.br. does not exist]
ASN: 0
ASN Name: IANA-RSVD-0
IP range connectivity: 0
Registrar (per ASN): Unknown
Country (per IP registrar): BR [Brazil]
Country Currency: BRL [Brazil Real]
Country IP Range: 201.64.0.0 to 201.95.255.255
Country fraud profile: Normal
City (per outside source): Unknown
Country (per outside source): BR [Brazil]
Private (internal) IP? No
IP address registrar: whois.lacnic.net
Known Proxy? No
Link for WHOIS: 201.91.76.5

the link...


the acl in my Cisco that blocks the entire range from the ISP...

access-list 113 deny ip 201.64.0.0 0.31.255.255 any
access-list 113 permit ip any any
int di0
ip access-group 113 in

Stops that!

My point is that those logs show all activity from all IP addresses---I have mine set to log every day (used to be every hour).

Burt
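
The pattern in the log excerpt above (repeated PASS commands answered with 530 from a single address) can be detected automatically. The following is an added example, not part of the original thread: it assumes the line layout shown in the post (time, client IP, [session]command, argument, reply code) and one log file per day in time order; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# time, client IP, [session id]COMMAND, argument, FTP reply code
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\w+) (\S+) (\d{3})$")

# Constructed sample in the thread's format (documentation addresses, made-up names).
SAMPLE = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
09:56:13 203.0.113.7 [371]USER adrian 331
09:56:13 203.0.113.7 [371]PASS - 530
09:56:14 203.0.113.7 [372]USER alex 331
09:56:15 203.0.113.7 [372]PASS - 530
09:56:17 203.0.113.7 [373]USER alex 331
09:56:17 203.0.113.7 [373]PASS - 530
09:58:02 198.51.100.20 [380]USER batchjob 331
09:58:02 198.51.100.20 [380]PASS - 230
10:40:00 198.51.100.20 [391]USER batchjob 331
10:40:01 198.51.100.20 [391]PASS - 530
""".splitlines()

def failed_logins(lines):
    """Return {ip: [(time, username), ...]} for every PASS answered with 530."""
    pending = {}                      # (ip, session) -> last USER name sent
    failures = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:                     # skips #-directives and blank lines
            continue
        clock, ip, session, cmd, arg, code = m.groups()
        if cmd == "USER":
            pending[(ip, session)] = arg
        elif cmd == "PASS" and code == "530":
            when = datetime.strptime(clock, "%H:%M:%S")
            failures[ip].append((when, pending.get((ip, session), "?")))
    return failures

def guessing_sources(lines, threshold=3, window=timedelta(seconds=60)):
    """IPs with at least `threshold` failed logins inside any `window`."""
    flagged = {}
    for ip, events in failed_logins(lines).items():
        times = [t for t, _ in events]
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = sorted({user for _, user in events})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in guessing_sources(SAMPLE).items():
        print(ip, "tried:", ", ".join(users))
```

A single failed login from a known batch account, as in the last two sample lines, stays below the threshold and is not flagged.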
 
Burt,

Yes, I am looking at the same FTP logs on "C:\WINDOWS\System32\LogFiles\MSFTPVSC1\"

However, what I am trying to find out is WHO/WHEN stops the FTP service, not the FTP activity.

Thanks for your help,
...neualex
 
I can't think of any way other than looking at about when the service stops and matching that as close as you can to hourly logs...

Burt
 
Are you positive that someone is stopping the service, and that it's not simply falling over? How do you have the recovery set for that service?



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 
LawnBoy,

I am not sure if it is someone or some process...but I cannot see what's stopping the service. The recovery process is set to RESTART THE SERVICE.

Isn't Windows supposed to log an event entry if something/someone restarts a service?

Thanks,
...neualex
 
Supposed to? Yes. I've a Blackberry server that IIS fails on and doesn't log a thing.



"We must fall back upon the old axiom that when all other contingencies fail, whatever remains, however improbable, must be the truth." - Sherlock Holmes

 