Understanding IIS FTP Log

This is one of the replies I posted in the .tw.iis newsgroup:

Log file:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-16 10:54:13
#Fields: time c-ip cs-username s-port cs-method cs-uri-stem sc-status
10:54:13 ip1 anonymous@ftp.microsoft.com 21 [135]USER anonymous@ftp.microsoft.com 331
10:54:13 ip1 - 21 [135]PASS - 530
11:48:04 ip2 anonymous 21 [136]USER anonymous 331
11:48:04 ip2 - 21 [136]PASS Cgpuser@home.com 530
13:50:27 ip3 Anonymous 21 [137]USER Anonymous 331
13:50:27 ip3 - 21 [137]PASS guest@my.net 530
17:40:30 ip4 anonymous 21 [138]USER anonymous 331
17:40:30 ip4 - 21 [138]PASS IEUser@ 530
17:40:30 ip4 anonymous 21 [139]USER anonymous 331
17:40:30 ip4 - 21 [139]PASS IEUser@ 530
17:40:41 ip4 Administrator 21 [140]USER Administrator 331
17:40:41 ip4 Administrator 21 [140]PASS - 230

Q&A:
1) What do the [135] and the 331 stand for? Where do I look for the details about this status code?
A: First, the [135] in the cs-method field is the connection id assigned by the IIS FTP service. In this case, the first connection from ip1 is the 135th connection since the service started.

331 is the reply status code and stands for "User name okay, need password", per the RFC 959 spec of course. The next line, with status code 530, means the user is not logged in: authentication may have failed because of a wrong username/password, or the account may lack the required permissions or the user right to log on. For the complete list of status codes and their descriptions, refer to this KB: IIS Status code.

2) My Win2k machine doesn't have anonymous@ftp.microsoft.com and I didn't allow anonymous access. Is this user trying to log in by guessing the username?
A: Yes, but I would say this attempt is pretty useless: this UPN (user principal name) login carries the domain ftp.microsoft.com, which I don't think your server has anything to do with (e.g. it cannot authenticate against that domain), so again, it is useless. If you see logins like 'administrator', or random usernames that do exist in your user database, then most likely the attacker is trying to log in with a known username.

3) Hence, the second line, PASS - 530, tells us that the user did not log in, right?
A: Yes; refer to 1.

4) But in lines 4 and 6, why is there an e-mail address between PASS and 530?
A: Good question. Lines 3 and 5 show users trying to log in anonymously, so you see the cs-username as 'anonymous'. Even with the anonymous account you still need to provide a password, and it can be anything, but IIS FTP responds with the following:
"331 Anonymous access allowed, send identity (e-mail name) as password."
Hence most users enter an e-mail address as the password, and for the anonymous account that password is captured in the FTP log file.

5) Do the last two log entries indicate that the user has logged on to FTP?
A: Yes, because the status code for PASS is 230, which indicates a successful logon. Take note, however, that IIS will not store the password of a logged-on user in the log file.

6) In the third-to-last line there's IEUser@ in the PASS field. Why is it there?
A: This clearly tells us that the user is using IE. By default IE automatically logs on as anonymous when you browse an FTP site; hence you see the username 'anonymous', and IEUser@ is just the password that IE uses.
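As an added example, not part of the original post: a small Python script that parses this W3C extended log layout from the #Fields directive, splits the cs-method field into connection id and FTP command, pairs each USER with the PASS on the same connection id, and classifies each attempt the way the answers above do (230 = logged on, 530 = not logged in; anonymous "password" logged, real-account password written as "-"). The sample log embedded in it is constructed to match the one quoted above (ip1..ip4 are placeholders, as there), and the function names are my own.

```python
import re

# Constructed sample in the layout quoted in the post (ip1..ip4 are placeholders, as there).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-16 10:54:13
#Fields: time c-ip cs-username s-port cs-method cs-uri-stem sc-status
10:54:13 ip1 anonymous@ftp.microsoft.com 21 [135]USER anonymous@ftp.microsoft.com 331
10:54:13 ip1 - 21 [135]PASS - 530
11:48:04 ip2 anonymous 21 [136]USER anonymous 331
11:48:04 ip2 - 21 [136]PASS Cgpuser@home.com 530
13:50:27 ip3 Anonymous 21 [137]USER Anonymous 331
13:50:27 ip3 - 21 [137]PASS guest@my.net 530
17:40:30 ip4 anonymous 21 [138]USER anonymous 331
17:40:30 ip4 - 21 [138]PASS IEUser@ 530
17:40:30 ip4 anonymous 21 [139]USER anonymous 331
17:40:30 ip4 - 21 [139]PASS IEUser@ 530
17:40:41 ip4 Administrator 21 [140]USER Administrator 331
17:40:41 ip4 Administrator 21 [140]PASS - 230
"""

METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # wrapped or truncated line: skip rather than misalign fields
        records.append(dict(zip(fields, values)))
    return records


def split_method(cs_method):
    """'[135]USER' -> (135, 'USER'); the bracketed number is the FTP connection id."""
    m = METHOD_RE.match(cs_method)
    if not m:
        return None, cs_method
    return int(m.group(1)), m.group(2)


def build_sessions(records):
    """Pair each USER with the PASS on the same connection id and record the outcome."""
    sessions = {}
    for rec in records:
        conn, cmd = split_method(rec["cs-method"])
        if conn is None:
            continue
        s = sessions.setdefault(conn, {"ip": rec["c-ip"], "time": rec["time"],
                                       "user": None, "status": None, "anon_password": None})
        if cmd == "USER":
            s["user"] = rec["cs-uri-stem"]
        elif cmd == "PASS":
            s["status"] = int(rec["sc-status"])
            # IIS logs the anonymous "password" (the e-mail name) but writes "-" for real accounts.
            if rec["cs-uri-stem"] != "-":
                s["anon_password"] = rec["cs-uri-stem"]
    return sessions


def is_anonymous(user):
    return user is not None and user.lower() == "anonymous"


def classify(session):
    """230 on PASS = logged on; 530 = not logged in (bad credentials or no logon right)."""
    status = session["status"]
    if status == 230:
        return "success"
    if status == 530:
        return "failed"
    return "incomplete"


def named_account_failures(sessions):
    """Failed logons against non-anonymous usernames: the ones worth a second look."""
    return [(c, s["ip"], s["user"]) for c, s in sorted(sessions.items())
            if classify(s) == "failed" and not is_anonymous(s["user"])]


def successful_logons(sessions):
    return [(c, s["ip"], s["user"]) for c, s in sorted(sessions.items())
            if classify(s) == "success"]


def failures_per_ip(sessions):
    """Count 530 results per client address, a simple signal for repeated guessing."""
    counts = {}
    for s in sessions.values():
        if classify(s) == "failed":
            counts[s["ip"]] = counts.get(s["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    sess = build_sessions(parse_w3c(SAMPLE_LOG))
    for conn, s in sorted(sess.items()):
        print(f"[{conn}] {s['time']} {s['ip']} user={s['user']} "
              f"anon_password={s['anon_password']} result={classify(s)}")
    print("named-account failures:", named_account_failures(sess))
    print("successful logons:", successful_logons(sess))
    print("failures per ip:", failures_per_ip(sess))
```

Run it against a real file by replacing SAMPLE_LOG with the contents of the day's log; the connection id is what lets the USER and PASS rows be matched even when several clients interleave, and the "-" check is why the Administrator logon shows no password while the anonymous attempts show the e-mail names.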

Published Fri, Jan 28 2005 10:50 by bernard

Comments

# bernard said on 30 June, 2005 07:33 PM
Q: I am using the Windows XP FTP server. Every file that is downloaded from my FTP server is logged on my c:\ drive as well. So after some days I find a lot of files named s1f4.3, s1f4.4, s1f4.5, s1f4.a, ... with the same content and size as the corresponding downloaded files. How can I disable this?
# bernard said on 30 June, 2005 09:18 PM
Hi Thomas,

Are you using the IIS FTP server that comes with XP Pro? Are you saying you have mystery files in your c:\? Are you uploading or downloading? You might want to post this question with more information in the public IIS newsgroups.
# bernard said on 01 July, 2005 04:45 AM
Yes, I am using the standard IIS FTP that comes with XP Pro. Every file that is downloaded from my FTP server appears in this strange file format on c:\.
# bernard said on 01 July, 2005 10:15 AM
Are you saying that when you download from your IIS FTP server, those downloaded files appear in a strange format? How do you download? Have you tried downloading via ftp.exe?

C:\> ftp localhost

Log in, do a dir listing, set the transfer mode (ascii / binary), mget the file.

What file are you downloading anyway?
# bernard said on 11 July, 2005 07:55 AM
OK, whatever program I use to download files from my IIS FTP server, I can successfully download them to the client. But all files that have been downloaded also appear in that strange naming format on drive c:\ of the server. It looks like something is logging every FTP access to my server.
# bernard said on 11 July, 2005 10:55 AM
In this case, do you have special software installed on the machine? Antivirus, IDS, or something else? Does this happen on your machine only? What about other client workstations, same issue? If it's your machine alone, then you need to find out what's in the box that is manipulating the incoming FTP packets.
# bernard said on 12 July, 2005 07:38 AM
IDS?
# jewel said on 10 July, 2006 05:37 AM
Thank you, this article really helped me understand the IIS log.
I am interested in the 530 event. Can this event occur alone, without a 331 event, i.e. can somebody skip user identification and try to log in by entering the password only?
# yan said on 10 July, 2006 09:11 PM
Hello,

To see your log, go to:

C:\WINDOWS\system32\Logfiles\MSFTPSVC1

# qbernard said on 11 July, 2006 10:46 PM
Hi Jewel,

Interesting, I have not seen any 530 for a 'PASS' event without a 331 username input. Can you post your log file here?