A web server that we have got hacked into. A bunch of files were deleted. The web server ran Windows 2000 Server and was patched up recently. It also was behind a SonicWall firewall and in the DMZ zone. I looked at the log files and here are a couple of entries:
2008-02-05 17:32:26 126.96.36.199 -188.8.131.52 80 DELETE /topnavigation_samplerequest.htm - 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2008-02-05 17:32:26 184.108.40.206 -220.127.116.11 80 DELETE /upload.html - 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2008-02-05 17:32:26 18.104.22.168 -22.214.171.124 80 DELETE /uploadconfirmation.asp - 403 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2008-02-05 17:32:33 126.96.36.199 -188.8.131.52 80 DELETE /thankyou.asp - 403 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
Is there anything that can be gleaned from the entries above? How did the files get deleted? Secondly, I changed the IP address from the original IP address. Since I have the originating IP address, can it be tracked back to who deleted the files? If so, how? The reason I am interested in finding out who it is, is to:
1.) Try and prosecute the originator, and
2.) Protect our servers from similar attacks in the future.
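
An added example, not part of the original post: a short Python triage of the four quoted entries that separates the write requests the server honoured (status 200) from the ones it refused (403) and counts them per client address. The field layout is an assumption inferred from the lines shown, and the names `parse` and `triage` are illustrative.

```python
from collections import Counter

# Methods that modify server content (HTTP PUT/DELETE plus WebDAV verbs).
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# The four entries quoted in the post, unchanged (the poster altered the IP addresses).
SAMPLE = """\
2008-02-05 17:32:26 126.96.36.199 -188.8.131.52 80 DELETE /topnavigation_samplerequest.htm - 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2008-02-05 17:32:26 184.108.40.206 -220.127.116.11 80 DELETE /upload.html - 200 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2008-02-05 17:32:26 18.104.22.168 -22.214.171.124 80 DELETE /uploadconfirmation.asp - 403 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
2008-02-05 17:32:33 126.96.36.199 -188.8.131.52 80 DELETE /thankyou.asp - 403 Microsoft+Data+Access+Internet+Publishing+Provider+DAV
"""

def parse(line):
    """Parse one entry; return None when it carries no write method."""
    tok = line.split()
    # Assumption: fields are located relative to the method token, so a fused
    # or missing username column does not shift the layout.
    i = next((n for n, t in enumerate(tok) if t in WRITE_METHODS), None)
    if i is None or i < 3 or len(tok) < i + 5 or not tok[i + 3].isdigit():
        return None
    return {"when": f"{tok[0]} {tok[1]}", "client": tok[2], "method": tok[i],
            "uri": tok[i + 1], "status": int(tok[i + 3]),
            "webdav_client": "DAV" in tok[i + 4]}  # heuristic on the user-agent

def triage(text):
    """Split write attempts into those the server honoured and those it refused."""
    report = {"succeeded": [], "denied": [], "other": [], "per_client": Counter()}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        report["per_client"][rec["client"]] += 1
        if 200 <= rec["status"] < 300:
            report["succeeded"].append(rec)
        elif rec["status"] in (401, 403):
            report["denied"].append(rec)
        else:
            report["other"].append(rec)
    return report

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in ("succeeded", "denied"):
        for rec in result[key]:
            print(key, rec["when"], rec["client"], rec["method"], rec["uri"], rec["status"])
```

On these entries the two static pages show as deleted and the two `.asp` files as refused, all requested through a WebDAV publishing client.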