Server: Microsoft-IIS/7.0\r\n

Understanding IIS FTP Log

Actually this is one of the reply I posted @ .tw.iis newsgroup -

Log file:
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-11-16 10:54:13
#Fields: time c-ip cs-username s-port cs-method cs-uri-stem sc-status
10:54:13 ip1 anonymous@ftp.microsoft.com 21 [135]USER anonymous@ftp.microsoft.com 331
10:54:13 ip1 - 21 [135]PASS - 530
11:48:04 ip2 anonymous 21 [136]USER anonymous 331
11:48:04 ip2 - 21 [136]PASS Cgpuser@home.com 530
13:50:27 ip3 Anonymous 21 [137]USER Anonymous 331
13:50:27 ip3 - 21 [137]PASS guest@my.net 530
17:40:30 ip4 anonymous 21 [138]USER anonymous 331
17:40:30 ip4 - 21 [138]PASS IEUser@ 530
17:40:30 ip4 anonymous 21 [139]USER anonymous 331
17:40:30 ip4 - 21 [139]PASS IEUser@ 530
17:40:41 ip4 Administrator 21 [140]USER Administrator 331
17:40:41 ip4 Administrator 21 [140]PASS - 230

Q&A:
1) what's the [135] and 331 stands for ? where do I look for the detail about this status code ?
A: First, the [135] in the cs-method field represents the 'connection id' for the IIS FTP. In this case, the first connection from ip1 is the 135th connection since service started

331 is the reply status code and it stands for “User name okay, need password“. This per RFC959 spec of coz. The next line with status code 530 represent that the user is not currently logged in, it could be failed to authenticate because of username/password, or the user account doesn't have required permissions or user right to logon. For complete status code and its description, you can refer this KB - IIS Status code.

2) My Win2k machine doesn't have anonymous@ftp.microsoft.com and I didn't allow anonymous access, is this user trying login by guessing the username ?
A: Yes, but I would say this is pretty useless, as this UPN (universal principal name) login has a domain of ftp.microsoft.com which I don't think you have anything to do with that (e.g. authenticate with that domain). so again, this is useless. if you see login like 'administrator', or random username that exist in your user database, then most likely that attacker is trying to login using a known username.

3) Hence, in the 2nd line PASS - 530 tells that the user didn't logged in, right ?
Yes, refer 1.

4) But between line 4 and 6, why there's a email address between PASS and 530 ?
Good question. You see, both line 3 and 5 indicate the users are trying to login anonymously and you see the cs-username as 'anonymous'. Even though with anonymous account, you still need to provide a password, it could be anything. but IIS FTP response with the following:
“331 Anonymous access allowed, send identity (e-mail name) as password.”
hence, most of the user will enter email address as the password. and for anonymous password, it is capture in the FTP log file.

5) The last two log entries indicating the user has logged on to ftp ?
Yes, because the status code for PASS is 230, which indicate a successful logon. However take note that, IIS will not store the logon user password in the log file.

6) At the last 3rd line, there's IEUser@ in the PASS field. why this is there ?
Well, this clearly tells us that the user is using IE. And by default IE will automatic login as anonymous when you browse a FTP site. hence you see the username 'anonymous' and the IEUser@ is just the password that IE use.