HPE Community
Operating System - HP-UX
1830627 Members
2571 Online
110015 Solutions
New Discussion

Syslog Message > ftpd

 
SOLVED
Go to solution
Nobody's Hero
Valued Contributor

‎02-08-2005 12:49 AM

‎02-08-2005 12:49 AM

Syslog Message > ftpd

Can someone explain why I have these messages in my syslog? nobody has access to this box and I am the only one that uses it. Is there a process that uses ftp? What is using ftp?
Just wondering why I am seeing these messages.
Nobody uses ftp on the box.
UNIX IS GOOD
0 Kudos
Reply
11 REPLIES 11
Henk Geurts
Esteemed Contributor

‎02-08-2005 12:59 AM

‎02-08-2005 12:59 AM

Re: Syslog Message > ftpd

robert
can you post the complete message.

check
/etc/inetd.conf
/var/adm/inetd.sec
/etc/ftpd/ftpaccess
/etc/ftpd/ftpusers
ps -ef|grep ftp

let me know.
regards
Henk
0 Kudos
Reply
Nobody's Hero
Valued Contributor

‎02-08-2005 01:04 AM

‎02-08-2005 01:04 AM

Re: Syslog Message > ftpd

eb 8 06:56:29 ltcrss ftpd[6770]: FTP session closed
Feb 8 07:01:29 ltcrss ftpd[6812]: FTP session closed
Feb 8 07:06:30 ltcrss ftpd[6856]: FTP session closed
Feb 8 07:11:30 ltcrss ftpd[6898]: FTP session closed
Feb 8 07:16:30 ltcrss ftpd[6941]: FTP session closed
Feb 8 07:21:30 ltcrss ftpd[6984]: FTP session closed
Feb 8 07:26:29 ltcrss ftpd[7026]: FTP session closed
Feb 8 07:31:29 ltcrss ftpd[7068]: FTP session closed
Feb 8 07:36:30 ltcrss ftpd[7109]: FTP session closed
Feb 8 07:41:29 ltcrss ftpd[7152]: FTP session closed
Feb 8 07:46:30 ltcrss ftpd[7202]: FTP session closed
Feb 8 07:51:30 ltcrss ftpd[7245]: FTP session closed
Feb 8 07:56:29 ltcrss ftpd[7290]: FTP session closed
Feb 8 08:01:30 ltcrss ftpd[7335]: FTP session closed
UNIX IS GOOD
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎02-08-2005 01:05 AM

‎02-08-2005 01:05 AM

Re: Syslog Message > ftpd


ftpd is a daemon that responds with some process trying to FTP to YOUR box, not someone on your box trying to FTP to some place else.

Is ftpd disabled?


live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
Nobody's Hero
Valued Contributor

‎02-08-2005 01:07 AM

‎02-08-2005 01:07 AM

Re: Syslog Message > ftpd

Harry,
so you are saying that a process is trying to ftp to this box?
UNIX IS GOOD
0 Kudos
Reply
Nobody's Hero
Valued Contributor

‎02-08-2005 01:08 AM

‎02-08-2005 01:08 AM

Re: Syslog Message > ftpd

If so, how can I trap the ftp to see what it is. I dont want to turn off ftp.
UNIX IS GOOD
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎02-08-2005 01:11 AM

‎02-08-2005 01:11 AM

Solution

Re: Syslog Message > ftpd

Robert,

You have something/someone trying every FIVE minutes to use FTP to your box. Do you have "lsof" ?? If so, try to catch them and find their IP.

live free or die
harry d brown jr
Live Free or Die
Reply
Nobody's Hero
Valued Contributor

‎02-08-2005 01:13 AM

‎02-08-2005 01:13 AM

Re: Syslog Message > ftpd

I have no idea who or what it could be. It must be from the inside. I'll load lsof and give it a try. Where can I find lsof?
UNIX IS GOOD
0 Kudos
Reply
Dave Hutton
Honored Contributor

‎02-08-2005 01:17 AM

‎02-08-2005 01:17 AM

Re: Syslog Message > ftpd

Robert, you can download it from here:
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/lsof-4.74/

For the depot precompiled versions.

Reply
Steven E. Protter
Exalted Contributor

‎02-08-2005 01:25 AM

‎02-08-2005 01:25 AM

Re: Syslog Message > ftpd

Somebody is trying to ftp to the box, quite regularly.

The usual suspects are cron jobs on other boxes. Because of the regularlity of the ouptut, that is why I suspect it.

If you have secure shell openssh working and clients with your users, I'd say go to /etc/inetd.conf and comment out the ftpd daemon.

Then save the file

inetd -c

First, you might want to use enhanced logging, inetd -l and see what the source ip address of the ftp request is. That will narrow your suspect list.

Don't forget to check the cron schedule on this box. I've seen sysadmins do that to themselves on occaision.

< Quickly looks and sees if there is anyone standing behind me. >

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
harry d brown jr
Honored Contributor

‎02-08-2005 01:51 AM

‎02-08-2005 01:51 AM

Re: Syslog Message > ftpd

Robert,

In inetd.conf, change the ftp line to add the "-l" option. it gives more details in syslog:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l

example output:
Feb 8 09:49:06 vpart1 ftpd[27752]: FTP LOGIN FROM rndspt01.paychex.com [10.2.110.1], root
Feb 8 09:49:26 vpart1 ftpd[27752]: root of rndspt01.paychex.com [10.2.110.1] deleted /tmp/xyz
Feb 8 09:49:31 vpart1 ftpd[27752]: FTP session closed
[root@vpart1 /var/adm/syslog]#


live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
harry d brown jr
Honored Contributor

‎02-08-2005 01:53 AM

‎02-08-2005 01:53 AM

Re: Syslog Message > ftpd

After making the change to /etc/inetd.conf, don't forget to issue:

inetd -c

live free or die
harry d brown jr
Live Free or Die
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.