Trace process initiating FTP connections

Hi,

I've been told that one of my servers is periodically trying to connect to some FTP server. Programmers have looked into the code of the software running on that server and stated that their code is not using FTP anywhere. What would be a good way to monitor outgoing FTP traffic over some period of time and, if any occurs, find the process generating it?
 
First I'd find out if the machine is actually making the connections. You could use tcpdump(1) for that. Just create a filter to capture FTP and let it run for a while. Once you find connections the next step would be to look for the process, but I would first try and find out if there are any actual connections being made.

A tcpdump(1) filter will look something like this:
tcpdump -ni em0 -w capture_out.pcap tcp and port 21
The file capture_out.pcap will contain the connection attempts (if there are any).
 
Turn on logging for the packet filter on your router/firewall and log any connections going outwards with destination tcp port 21.
 
Thanks for the reply. I've indeed been logging traffic with tcpdump(1) for a while now - so far there are no positive results. What I'm more curious about is how to find the "guilty" process once the connection is made and therefore logged.
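Added example, not posted by anyone in this thread: the second half of the question (which process owns the connection) is hard to answer from a pcap alone, because the capture records addresses, not PIDs, and a short FTP control connection may be gone by the time someone looks. One defender-side approach is to poll the kernel's socket table and log the PID and command of any process holding a TCP connection whose foreign port is 21. The script assumes FreeBSD-style sockstat(1) output (the em0 interface name in the thread suggests FreeBSD) with the column layout USER COMMAND PID FD PROTO LOCAL FOREIGN; the log path, the polling interval and the sample socket table are constructed for the example. On Linux the same idea works with `ss -tnp`, with the field parsing adjusted.

```shell
#!/bin/sh
# Added example (not from the thread): poll the socket table and record which
# process owns any TCP connection to foreign port 21.
# Assumption: FreeBSD sockstat -4c output with the columns
#   USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS

FTP_PORT=21

# Read sockstat-style lines on stdin; print "PID COMMAND FOREIGN_ADDRESS" for
# every TCP line whose foreign address ends in :21.  The header line has no
# "tcp" in column 5, so it is skipped automatically; IPv6 addresses and
# listening sockets ("*:*") are handled by taking the last ':'-separated field.
find_ftp_procs() {
    awk -v port="$FTP_PORT" '
        $5 ~ /^tcp/ {
            n = split($7, a, ":")
            if (n >= 2 && a[n] == port) print $3, $2, $7
        }'
}

# Poll until interrupted, appending timestamped hits to a log file.
# Arguments: interval in seconds (default 1), log path (constructed default).
watch_ftp() {
    interval="${1:-1}"
    log="${2:-/var/log/ftp-procs.log}"
    while :; do
        sockstat -4c | find_ftp_procs | while read -r pid cmd dst; do
            printf '%s pid=%s cmd=%s dst=%s\n' \
                "$(date '+%Y-%m-%dT%H:%M:%S')" "$pid" "$cmd" "$dst"
        done >> "$log"
        sleep "$interval"
    done
}

# Constructed sample of sockstat -4c output (addresses are documentation ranges).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   192.0.2.10:22         198.51.100.7:51022
www      backup.sh  2231  3  tcp4   192.0.2.10:40311      203.0.113.5:21
nobody   curl       2240  5  tcp4   192.0.2.10:40320      203.0.113.5:443'

# Run the parser over the constructed sample; prints the one FTP hit.
demo() {
    printf '%s\n' "$SAMPLE" | find_ftp_procs
}

case "${1:-}" in
    watch) watch_ftp "${2:-1}" "${3:-/var/log/ftp-procs.log}" ;;
    *)     demo ;;
esac
```

Run it as `sh ftp-procs.sh watch 1 /var/log/ftp-procs.log` from a tmux or cron-started session on the suspect host; with no arguments it only parses the embedded sample. A one-second poll can still miss a connection that opens and closes within the interval, so keep the tcpdump capture running alongside it: the pcap proves the traffic happened and gives its timestamp, and the log from this script names the PID for the connections it did catch.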
 