Home / server / Questions / 345640
Accepted
Moon
Asked: 2012-01-01 17:17:31 +0800 CST

How to find out what command was done with my FTP log?

  • 772

My index.php files has suddenly been deleted today. I downloaded the FTP log file from the server. I see that an unknown user has accessed my FTP server today. I have the following line in my FTP log, but don't know how to read it:

Fri Dec 31 13:25:51 2010 0 ::ffff:[IP HERE] 10079 [FILE NAME] a _ o r [USERNAME] ftp 0 * c

What do the following pieces of information mean? 10079 and a_ o r and 0 * c ?

ftp logging

1 Answers

  1. Best Answer

    FTP logs are largely in xferlog format. That follows this convention:

    current-time   transfer-time   remote-host   file-size   filename   transfer-type   special-action-flag   direction   access-mode   username   service-name   authentication-method   authenticated-user-id  completion-status

    In your case, I believe you are interpreting 10079, a_or and O*c as three separate pieces of information. Those pieces of information are actually seven distinct pieces of information

    • 10079 is the file size
    • a is transfer type (a stands for an ascii transfer)
    • _ is the special-action-flag (_ means no action taken)
    • o is the direction (o is for outgoing)
    • r is for access mode (r is for "real" or locally authenticated user)
    • 0 is for authentication-method (0 = none)
    • * is for authenticated-user-id (* means "not available")
    • c is for completion-status (c means "complete" for a complete transfer)

    Check out man xferlog for more information. Here's a web based man page for xferlog.

    • 7