"Mark Rae" <mark@markNOSPAMrae.com> wrote in message
news:uEKeBOl4GHA.1196@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> Can anyone please give me a definitive answer to the following:
>
> Does the presence of an entry in the FTP log ending in 331 prove
> absolutely and categorically that a successful connection was made to the
> FTP server, or does it merely indicate that an *attempt* was made to
> connect using the userid provided, and that a password was requested
> because anonymous access was disabled.
>
> I understand that a subsequent entry [with the same session number] ending
> in 530 proves that the login attempt was unsuccessful due to an invalid
> userid / password combination.
>
> I also understand that a subsequent entry [with the same session number]
> ending in 230 proves that the login attempt was successful, but this is
> not logged by default.
>
> I'd be particularly interested to know if there is any legal case history
> where the above information was used.
>
> Any assistance gratefully received.
>
> Mark
>

"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:%23qT7SW34GHA.3964@TK2MSFTNGP04.phx.gbl...

> See if this helps.
> http://msmvps.com/blogs/bernard/archive/2005/01/28/34050.aspx

"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:%23qT7SW34GHA.3964@TK2MSFTNGP04.phx.gbl...

> See if this helps.
> http://msmvps.com/blogs/bernard/archive/2005/01/28/34050.aspx

"Mark Rae" <mark@markNOSPAMrae.com> wrote in message
news:utBgUSF5GHA.4832@TK2MSFTNGP06.phx.gbl...
> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
> news:%23qT7SW34GHA.3964@TK2MSFTNGP04.phx.gbl...
>
>> See if this helps.
>> http://msmvps.com/blogs/bernard/archive/2005/01/28/34050.aspx
>
> That was useful, thanks.
>
> As you may have gathered from my original post, I'm investigating a
> suspected case of hacking and/or FTP log tampering.
>
> Regarding the FTP log on a Windows 2000 server, is the session identifier
> in square brackets ALWAYS incremental? If it wasn't, i.e. there was an
> entry missing, would that be symptomatic of the FTP log having been
> tampered with?
>
> Any assistance gratefully received.
>
> Mark
>

"Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
news:uep$MCS5GHA.4832@TK2MSFTNGP06.phx.gbl...

> Yes, it always be incremental. if FTP service got restarted, it will start
> again.

> And per your last question. errr. not so sure, but highly possible,
> althought if ftp crashes in between or log didn't get flush to disk, you
> will also have missing entry in between.

> --
> Regards,
> Bernard Cheah
> http://www.iis.net/
> http://www.iis-resources.com/
> http://msmvps.com/blogs/bernard/
>
>
> "Mark Rae" <mark@markNOSPAMrae.com> wrote in message
> news:utBgUSF5GHA.4832@TK2MSFTNGP06.phx.gbl...
>> "Bernard Cheah [MVP]" <qbernard@hotmail.com.discuss> wrote in message
>> news:%23qT7SW34GHA.3964@TK2MSFTNGP04.phx.gbl...
>>
>>> See if this helps.
>>> http://msmvps.com/blogs/bernard/archive/2005/01/28/34050.aspx
>>
>> That was useful, thanks.
>>
>> As you may have gathered from my original post, I'm investigating a
>> suspected case of hacking and/or FTP log tampering.
>>
>> Regarding the FTP log on a Windows 2000 server, is the session identifier
>> in square brackets ALWAYS incremental? If it wasn't, i.e. there was an
>> entry missing, would that be symptomatic of the FTP log having been
>> tampered with?
>>
>> Any assistance gratefully received.
>>
>> Mark
>>
>
>