FTP Attack Source IP


We are sometimes told that a server is being brute-forced, but the Windows server event logs do not give us the source of the attack; they only show the failed attempts. As long as FTP logging is enabled, you can check the FTP log to get the source IP the attacker used and when the attempts happened. The directory to check is:

C:\WINDOWS\System32\LogFiles\MSFTPSVC1

(Note that the MSFTPSVC1 part of the path may differ: the number depends on your server.)

Once you're in that directory, find the oldest log file or the one from the date you're looking for. The log files are named in the format exnnnnnn.log; the one you need will most likely be the last one. Below is a sample of what they should look like.

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date:  03:55:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:55:34 127.0.0.1 [1]USER anonymous 331
03:55:42 127.0.0.1 [1]PASS me@herongyang.com 230
03:55:49 127.0.0.1 [1]QUIT - 226
04:07:57 127.0.0.1 [2]sent /ftp.html 226
04:07:57 127.0.0.1 [2]sent /index.html 226
04:07:58 127.0.0.1 [2]sent /reference.html 226
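Reading a busy log by eye to find who hammered the FTP service gets old quickly. The script below is an added example (not part of the original post, and not a Microsoft tool): it parses the W3C extended format shown above using the #Fields header to map columns, strips the [n] session prefix IIS puts in front of cs-method, and then summarises failed PASS commands (FTP reply 530, "Not logged in") per client IP with first and last seen times. The log text embedded in it is constructed for the example, using RFC 5737 documentation addresses, and is not a real capture; the 530 reply code for a rejected password is standard FTP.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the IIS 5.1 FTP W3C format (not a real log).
# 331 = username accepted, 230 = logged in, 530 = not logged in.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2009-03-01 03:55:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:55:34 127.0.0.1 [1]USER anonymous 331
03:55:42 127.0.0.1 [1]PASS me@example.com 230
03:55:49 127.0.0.1 [1]QUIT - 226
04:10:01 203.0.113.5 [2]USER administrator 331
04:10:02 203.0.113.5 [2]PASS - 530
04:10:03 203.0.113.5 [3]USER administrator 331
04:10:04 203.0.113.5 [3]PASS - 530
04:10:05 198.51.100.7 [4]USER root 331
04:10:06 198.51.100.7 [4]PASS - 530
"""

# IIS prefixes cs-method with the session number, e.g. "[12]PASS".
SESSION_PREFIX = re.compile(r"^\[\d+\]")


def parse_w3c_log(text):
    """Return a list of dicts, one per data line, keyed by the #Fields names."""
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive lines; only #Fields matters for parsing.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        row = dict(zip(fields, parts))
        if "cs-method" in row:
            row["cs-method"] = SESSION_PREFIX.sub("", row["cs-method"])
        rows.append(row)
    return rows


def failed_logins(rows):
    """Summarise rejected PASS commands (sc-status 530) per client IP."""
    summary = {}
    for row in rows:
        if row.get("cs-method") != "PASS" or row.get("sc-status") != "530":
            continue
        ip = row["c-ip"]
        t = row["time"]
        entry = summary.setdefault(ip, {"count": 0, "first": t, "last": t})
        entry["count"] += 1
        # HH:MM:SS strings compare correctly as text within one daily log.
        entry["first"] = min(entry["first"], t)
        entry["last"] = max(entry["last"], t)
    return summary


def report_lines(summary):
    """Format the summary, busiest source first."""
    ordered = sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return ["%-16s failed=%d first=%s last=%s"
            % (ip, e["count"], e["first"], e["last"]) for ip, e in ordered]


if __name__ == "__main__":
    # Pass a real exnnnnnn.log path as the first argument, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for line in report_lines(failed_logins(parse_w3c_log(text))):
        print(line)
```

Run it against a copy of the log file from the MSFTPSVC directory (python ftp_failed.py ex090301.log, for example); the output lists each source IP with its failed-password count and the time window, which is exactly what the event log was missing. Because the column mapping comes from the #Fields line, the same parser works if the server is configured to log extra fields such as cs-username.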