Re: Need help. FTP log messages

[erickbe () YAHOO COM (Erick)]

Hi there,

The Bay logs aren't that detailed for FTP so from
looking over it it appears that someone was seeing
what ports were opened or accidentally FTP'd to your
router.

They have to successfully login as Manager to see/get
files however and your packet filter dropped the IP
packet eventually and the connection was closed. The
FTP Debug error after the IP Packet error is a error
from FTP saying it couldn't transmit the buffer that
was killed by the packet filter most likely. How is
your packet filter setup? (this would possibly explain
delay in dropping the FTP session).

Also look at the times for other connections like
telnet, tftp, etc at around the same time from same
IP.
And if you don't FTP on this router... disable it.

HTH, Erick

--- Melissa Lovett <mlovett () WARRIOR MGC PEACHNET EDU>
wrote:
> The following appeared in the router event log.  It
> appears that someone
> used FTP to do something, but I can't figure out
> anything.  I have never
> seen anything like this in the log files before.  I
> traced the address back
> to the UK.  Any ideas?
>
>
> # 316: 07/01/00 04:43:23 DEBUG  SLOT  3 GAME  Event
> Code: 77
> GID_CB: gate 0x060ea @ 0x3160b3f6 (RD=76678687) -
> gid_add:
> ADDING NEW SEGMENT
>    free: head=0x00208 tail=0x00000->0x1ffff/0x002ff
> (cnt=248)
>    curr: head=0x001c2 tail=0x000f0->0x00000/0x000f0
> (cnt=150)
>    next: head=0x00033 tail=0x001c3->0x00000/0x001c3
> (cnt=113)
>
> # 317: 07/01/00 04:43:29 DEBUG  SLOT  3 TCP  Event
> Code: 14
> TCP Open req: 16x.xx.xxx.x,21 - 194.117.155.79,4654
> TCB: 0x31558260
>
> # 318: 07/01/00 04:43:29 DEBUG SLOT  3 IP    Event
> Code: 38
> Interface 16x.xx.xxx.x: TCP port 21 to remote port
> 4654 allocated
>
> # 319: 07/01/00 04:43:29 INFO  SLOT  3 TCP   Event
> Code:  6
> TCP Opened: 16x.xx.xxx.x,21 - 194.117.155.79,4654
> TCB: 0x31558260
>
> # 320: 07/01/00 04:43:33 DEBUG  SLOT  3 IP   Event
> Code: 39
> Interface 16x.xx.xxx.x: TCP port 21 to remote port
> 4654 deallocated
>
> # 321: 07/01/00 04:46:47 INFO  SLOT  3 IP   Event
> Code: 28
> IP Traffic Filter - Rule 16, Interface 16x.xx.xxx.x,
> Circuit 7 (Drop packet)
>
> # 322: 07/01/00 04:56:49 INFO  SLOT  3 IP  Event
> Code:  0
> The previous event on slot 3 repeated 2 time(s).
> [Code 28]
>
> # 323: 07/01/00 04:58:32 DEBUG  SLOT  3 FTP  Event
> Code: 55
> FTP debug message 827687520 - Error (15) in xmiting
> tcp buffer to the client.
> FTP debug message 829054800 - TCP Connection closed.

=====
---------------------/-----------------------
 Erick B.           /  http://berk.dhs.org
 erickbe () yahoo com / CCNP+Security+NetRanger
                  /  NNCSS, CCIE-Lab 9/21 SJ
-----------------/---------------------------

__________________________________________________
Do You Yahoo!?
Send instant messages & get email alerts with Yahoo! Messenger.
http://im.yahoo.com/