Fun with FTP Logs


Had to do some work with ProFTPD logs today. This script was created to get the date of last login of a user, or a list of multiple users, and return that data as a .csv file. If you have customized the log formats, you may need to tweak the regex that breaks apart the line.

get_last_login.pl

Several bits are incomplete, including the proper handling of timezone offsets and usage text in the help routine, but it works if you pass it a logfile and either a name or a namefile:

$ get_last_login.pl --log=auth.log --namefile=username_list.txt > last_login.csv

or

$ get_last_login.pl --log=auth.log --name=am_user > last_login.csv

In doing this work, I noticed something fun: people are now trying SQL injection through FTP:

ProFTPD Default Installation [32717] ###.###.###.### [24/Feb/2013:00:16:23 -0500] "USER %') 
UNION SELECT 1,concat(0x7b,0x6d,0x64,0x35,0x7d,0x78,0x4d,0x70,0x43,0x4f,0x4b,0x43,0x35,0x49,0x34,0x49,0x4e,
0x7a,0x46,0x43,0x61,0x62,0x33,0x57,0x45,0x6d,0x77,0x3d,0x3d),NULL,NULL,concat(0x2f),concat(0x2f,0x62,0x69,
0x6e,0x2f,0x73,0x68) #" 331
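
A sketch of how entries like the one above could be flagged during log review. It is an added example, not part of the original post and not the author's get_last_login.pl. It assumes the line layout quoted above, a hypothetical policy on which characters a login name may contain, and constructed sample lines with documentation addresses; the `%z` directive parses the timezone offset.

```python
import re
from datetime import datetime

# Layout of the log line quoted in the post:
#   <server name> [<pid>] <client> [<timestamp>] "<command>" <reply code>
LINE_RE = re.compile(
    r'^(?P<server>.*?) \[(?P<pid>\d+)\] (?P<client>\S+) '
    r'\[(?P<ts>[^\]]+)\] "(?P<cmd>.*)" (?P<code>\d{3}|-)$'
)
# Assumed policy: account names are limited to these characters.
SAFE_USER = re.compile(r'^[A-Za-z0-9._@-]{1,64}$')
SQL_HINT = re.compile(r"\b(?:union|select|concat)\b|['()#;]|--", re.I)
HEX_RUN = re.compile(r'concat\(((?:0x[0-9a-fA-F]{2},?)+)\)', re.I)

def decode_concat(arg):
    """Decode concat(0x..,0x..) byte lists so an analyst can read them."""
    return [bytes(int(b, 16) for b in run.split(',') if b).decode('latin-1')
            for run in HEX_RUN.findall(arg)]

def suspicious_users(lines):
    """Return one finding per USER command whose argument is not a plain name."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # customized LogFormat: adjust LINE_RE
        verb, _, arg = m['cmd'].partition(' ')
        if verb.upper() != 'USER' or SAFE_USER.match(arg):
            continue
        when = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        findings.append({
            'client': m['client'],
            'when': when,  # timezone-aware, offset preserved
            'sql_like': bool(SQL_HINT.search(arg)),
            'decoded': decode_concat(arg),
        })
    return findings

# Constructed sample lines (documentation addresses, shortened payload).
SAMPLE = [
    'ProFTPD Default Installation [32701] 192.0.2.10 [24/Feb/2013:00:10:02 -0500] "USER am_user" 331',
    'ProFTPD Default Installation [32717] 203.0.113.7 [24/Feb/2013:00:16:23 -0500] '
    '"USER %\') UNION SELECT 1,concat(0x2f),concat(0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68) #" 331',
]

if __name__ == '__main__':
    for f in suspicious_users(SAMPLE):
        print(f['when'].isoformat(), f['client'], f['sql_like'], f['decoded'])
```
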

A


About this Entry

This page contains a single entry by Aaron Macks published on February 27, 2013 11:29 PM.
