Recently I've had to research on some missing files of a website.
When looking through the proftpd xferlog files, it was clear that the files were deleted by a user having ftp access.
The xferlog file is usually located at "/var/log/xferlog". However, since this was a plesk server, it was located at:
"/var/www/vhosts/{DOMAIN}/sta
A quick grep produced the files that were deleted out and could easily be recovered from a previous backup. Also, discovered the time and offending IP address of the person that did the deletes.
Full listing:
$ grep "_ d" /path/to/xferlog
Listing of just the deleted files:
$ awk '/_ d/ {print $9}' /path/to/xferlog
Below are some additional notes on xferlog anlysis:
The last character in each row shows the completion status of the transfer. This should be "c" for complete and "i" for incomplete transfer.
Return all incomplete transfers:
$ egrep "i$" /path/to/xferlog
The three characters following the file name represent the transfer-type (ascii or binary), any special actions (usually _ meaning none) and the direction (outgoing, incoming or deleted).
-
ascii format:
-
a _ i (uploaded)
a _ o (downloaded)
a _ d (deleted)
-
b _ i (uploaded)
b _ o (downloaded)
b _ d (deleted)
Examples:
-
To extract a list of all successfully uploaded files:
$ awk '($12 ~ /^i$/ && $NF ~ /^c$/){print $9}' /path/to/xferlog
awk '($12 ~ /^i$/ && $NF ~ /^i$/){print $9}' /path/to/xferlog
- wizap's blog
- Login or register to post comments
Comments
Wizap, this URL (http://www.linuxweblog.com/bl ogs/wizap/20080129/analyzing-p roftpd-xferlog-file) should at the top of Google's results when one searches for ProFTPd log file format.
Saved my Monday morning.
Thanks a lot.
Thanks a million man