Syslog Message > ftpd

 
Nobody's Hero
Valued Contributor

Syslog Message > ftpd

Can someone explain why I have these messages in my syslog? Nobody has access to this box and I am the only one that uses it. Is there a process that uses ftp? What is using ftp?
Just wondering why I am seeing these messages.
Nobody uses ftp on the box.
UNIX IS GOOD
Henk Geurts
Esteemed Contributor

Re: Syslog Message > ftpd

Robert,
can you post the complete message?

check
/etc/inetd.conf
/var/adm/inetd.sec
/etc/ftpd/ftpaccess
/etc/ftpd/ftpusers
ps -ef|grep ftp

let me know.
regards
Henk
Nobody's Hero
Valued Contributor

Re: Syslog Message > ftpd

Feb 8 06:56:29 ltcrss ftpd[6770]: FTP session closed
Feb 8 07:01:29 ltcrss ftpd[6812]: FTP session closed
Feb 8 07:06:30 ltcrss ftpd[6856]: FTP session closed
Feb 8 07:11:30 ltcrss ftpd[6898]: FTP session closed
Feb 8 07:16:30 ltcrss ftpd[6941]: FTP session closed
Feb 8 07:21:30 ltcrss ftpd[6984]: FTP session closed
Feb 8 07:26:29 ltcrss ftpd[7026]: FTP session closed
Feb 8 07:31:29 ltcrss ftpd[7068]: FTP session closed
Feb 8 07:36:30 ltcrss ftpd[7109]: FTP session closed
Feb 8 07:41:29 ltcrss ftpd[7152]: FTP session closed
Feb 8 07:46:30 ltcrss ftpd[7202]: FTP session closed
Feb 8 07:51:30 ltcrss ftpd[7245]: FTP session closed
Feb 8 07:56:29 ltcrss ftpd[7290]: FTP session closed
Feb 8 08:01:30 ltcrss ftpd[7335]: FTP session closed
UNIX IS GOOD
harry d brown jr
Honored Contributor

Re: Syslog Message > ftpd


ftpd is a daemon that responds with some process trying to FTP to YOUR box, not someone on your box trying to FTP to some place else.

Is ftpd disabled?


live free or die
harry d brown jr
Live Free or Die
Nobody's Hero
Valued Contributor

Re: Syslog Message > ftpd

Harry,
So you are saying that a process is trying to ftp to this box?
UNIX IS GOOD
Nobody's Hero
Valued Contributor

Re: Syslog Message > ftpd

If so, how can I trap the ftp to see what it is? I don't want to turn off ftp.
UNIX IS GOOD
harry d brown jr
Honored Contributor
Solution

Re: Syslog Message > ftpd

Robert,

You have something/someone trying every FIVE minutes to use FTP to your box. Do you have "lsof" ?? If so, try to catch them and find their IP.

live free or die
harry d brown jr
Live Free or Die
Nobody's Hero
Valued Contributor

Re: Syslog Message > ftpd

I have no idea who or what it could be. It must be from the inside. I'll load lsof and give it a try. Where can I find lsof?
UNIX IS GOOD
Dave Hutton
Honored Contributor

Re: Syslog Message > ftpd

Robert, you can download it from here:
http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/lsof-4.74/

For the depot precompiled versions.

Steven E. Protter
Exalted Contributor

Re: Syslog Message > ftpd

Somebody is trying to ftp to the box, quite regularly.

The usual suspects are cron jobs on other boxes. Because of the regularity of the output, that is why I suspect it.

If you have secure shell openssh working and clients with your users, I'd say go to /etc/inetd.conf and comment out the ftpd daemon.

Then save the file

inetd -c

First, you might want to use enhanced logging, inetd -l and see what the source ip address of the ftp request is. That will narrow your suspect list.

Don't forget to check the cron schedule on this box. I've seen sysadmins do that to themselves on occasion.

< Quickly looks and sees if there is anyone standing behind me. >

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
harry d brown jr
Honored Contributor

Re: Syslog Message > ftpd

Robert,

In inetd.conf, change the ftp line to add the "-l" option. It gives more details in syslog:

ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l

example output:
Feb 8 09:49:06 vpart1 ftpd[27752]: FTP LOGIN FROM rndspt01.paychex.com [10.2.110.1], root
Feb 8 09:49:26 vpart1 ftpd[27752]: root of rndspt01.paychex.com [10.2.110.1] deleted /tmp/xyz
Feb 8 09:49:31 vpart1 ftpd[27752]: FTP session closed
[root@vpart1 /var/adm/syslog]#


live free or die
harry d brown jr
Live Free or Die
harry d brown jr
Honored Contributor

Re: Syslog Message > ftpd

After making the change to /etc/inetd.conf, don't forget to issue:

inetd -c

live free or die
harry d brown jr
Live Free or Die
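
Added example, not part of any post in this thread: once `ftpd -l` logging is on, a short shell/awk triage over syslog can confirm that the sessions arrive on a fixed schedule and show which source address and account they come from. The function names, the sample host `batch01.example.com`, the address `192.0.2.10` and the user `xfer` are constructed for illustration; the line layout is assumed to match the `ftpd -l` output quoted in the thread.

```shell
#!/bin/sh
# Constructed sample log, modelled on the ftpd -l lines shown in the thread.
sample_log() {
cat <<'EOF'
Feb 8 07:01:29 ltcrss ftpd[6812]: FTP LOGIN FROM batch01.example.com [192.0.2.10], xfer
Feb 8 07:01:29 ltcrss ftpd[6812]: FTP session closed
Feb 8 07:06:30 ltcrss ftpd[6856]: FTP LOGIN FROM batch01.example.com [192.0.2.10], xfer
Feb 8 07:06:30 ltcrss ftpd[6856]: FTP session closed
Feb 8 07:11:30 ltcrss ftpd[6898]: FTP LOGIN FROM batch01.example.com [192.0.2.10], xfer
Feb 8 07:11:30 ltcrss ftpd[6898]: FTP session closed
Feb 8 07:16:30 ltcrss ftpd[6941]: FTP LOGIN FROM batch01.example.com [192.0.2.10], xfer
Feb 8 07:16:30 ltcrss ftpd[6941]: FTP session closed
EOF
}

# Report "periodic <seconds>" when the gaps between session-closed lines
# differ by at most $1 seconds (default 5), otherwise "irregular".
# Assumption: all lines fall in the same month (day-of-month is used as is).
ftpd_period() {
  awk -v tol="${1:-5}" '
    $5 ~ /^ftpd\[/ && /FTP session closed/ {
      split($3, t, ":")
      now = $2 * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
      if (n++) {
        gap = now - prev
        if (gaps == 0 || gap < min) min = gap
        if (gaps == 0 || gap > max) max = gap
        sum += gap; gaps++
      }
      prev = now
    }
    END {
      if (gaps >= 3 && max - min <= tol) printf "periodic %d\n", sum / gaps + 0.5
      else print "irregular"
    }'
}

# Count logins per source address and account: "<count> <ip> <user>".
ftpd_sources() {
  awk '
    $5 ~ /^ftpd\[/ && /FTP LOGIN FROM/ {
      ip = $10; sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
      seen[ip " " $11]++
    }
    END { for (k in seen) print seen[k], k }' | sort -rn
}

sample_log | ftpd_period    # pass the real syslog file on stdin instead
sample_log | ftpd_sources
```

A steady period with a single source address points at a scheduled job on that host, which is where to look for the cron entry.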