Server logs: how to interpret them, how to tell what is being accessed and if it has been compromised

I was wondering if anyone can tell me how to interpret my server logs on Server 2008 Standard? I always see these IP addresses hitting it and I block out the ones I do not recognize or search for and find out they are bots. I just do not know if they have accessed or compromised any files. My site is running perfectly and I see these hits coming from all over the world. How can I tell what, if anything, is being hit, or what files are being corrupted or 'owned', if you will? I am going to launch soon and am looking into server hardening, but it's complicated and I am a newbie.

This was one I found to be an attack from yesterday. How can I tell what may have been compromised?

/db/index.php - 80
GET /dbadmin/index.php - 80 - 91.121.73.100
GET /myadmin/index.php - 80 - 91.121.73.100
GET /mysql/index.php - 80 - 91.121.73.100
GET /mysqladmin/index.php - 80 - 91.121.73.100
GET /typo3/phpmyadmin/index.php - 80 - 91.121.73.100
GET /phpMyAdmin/index.php - 80 - 91.121.73.100
GET /phpmyadmin/index.php - 80 - 91.121.73.100
GET /phpmyadmin1/index.php - 80 - 91.121.73.100
GET /pma/index.php - 80 - 91.121.73.100 HTTP/1.1
GET /phpMyAdmin-2.5.1/index.php - 80 - 91.121.73.100
etc. etc. etc.
2 Solutions
 
David Johnson, CD, MVP (Owner) commented:
That is a known attacker IP Address


Once your system has been compromised then you cannot trust anything on that system. If they gained access then your only recourse is to restore from a backup and then change the admin logons.

jeffmeverett (Author) commented:
I do realize that the IP addresses mentioned above are considered to be an attack, but did they get to anything? I am trying to interpret if the 'GET' line shows that there is an attack. The web server has been running incredibly great! No signs that anything is wrong, at least from what I can gather. The processes are low, the firewall is tight with only a few necessary ports open. After an NMAP scan I can only get port 53 to show. I am not a total beginner but I am about mid-novice at this point, so get as technical as you can. What I usually notice is that if I was hacked I would know or realize things are becoming unstable. Are there any other measures to look into to help me recognize if anything is or has been hacked? My developer has been writing code and has not mentioned that anything looks out of place. There is so much to learn and try to prevent; any help or suggestions are appreciated.

David Johnson, CD, MVP (Owner) commented:
It could be that they just copied off your userbase and moved onward.

Dale Burrell commented:
Just doing a GET on a site is normal access; that's not in itself a hack. Unless you specifically provide some mechanism to upload files, it isn't possible. And unless you provide unprotected access to the database or other admin functions, they'd still need to log in to your system to access that.

Check that there are no new files in the site. Do you have a log of who logs into your site? Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed.

Running on a real world server you're going to get this sort of thing unfortunately.

jeffmeverett (Author) commented:
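A way to answer "did they get to anything?" from the log itself, added here as an example and not code from anyone in the thread: IIS W3C logs carry an sc-status field, and for the probe lines above it is that field (404 = nothing there, 200 = a file exists and was served, 3xx = redirected instead of a clean 404) that matters. The log below is constructed; the IP and paths mirror the question, the dates and status codes are assumed.

```python
"""Summarise IIS W3C log probes per client IP: which requests returned 404
(nothing there), which were served (200), and which were redirected (3xx)
instead of getting a clean 404."""
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not the asker's real log).
# The #Fields line assumes sc-status is among the logged fields.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2013-05-01 03:10:01 GET /db/index.php 80 91.121.73.100 404
2013-05-01 03:10:01 GET /dbadmin/index.php 80 91.121.73.100 404
2013-05-01 03:10:02 GET /phpmyadmin/index.php 80 91.121.73.100 404
2013-05-01 03:10:02 GET /pma/index.php 80 91.121.73.100 302
2013-05-01 03:10:03 GET /phpMyAdmin/index.php 80 91.121.73.100 200
2013-05-01 03:11:07 GET /index.html 80 203.0.113.7 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def summarise(text):
    """Per client IP: hit count plus the paths that were served, redirected or missing."""
    report = defaultdict(lambda: {"hits": 0, "served": [], "redirected": [], "missing": []})
    for rec in parse_w3c(text):
        entry = report[rec["c-ip"]]
        entry["hits"] += 1
        status = int(rec["sc-status"])
        path = rec["cs-uri-stem"]
        if status == 404:
            entry["missing"].append(path)        # probe found nothing
        elif 300 <= status < 400:
            entry["redirected"].append(path)     # answered with a redirect, not a clean 404
        elif 200 <= status < 300:
            entry["served"].append(path)         # the file exists and was handed out
    return dict(report)


if __name__ == "__main__":
    for ip, e in summarise(SAMPLE_LOG).items():
        print(ip, e["hits"], "hits; served:", e["served"], "redirected:", e["redirected"])
```

The "served" list for a scanner IP is the part to act on: each entry is a file that really exists on the site and was returned to that client.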
Great info! The only thing I did not understand was the following: "Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed." I do have to have admin rights for my remote desktop connection user. For some reason it's the only way I can use the Exchange server (that is on the same server, not the best setup) to send emails. Also, for some reason I cannot get the user to log in without the admin rights, EVEN though I have RDP enabled/set in the Active Directory properties for that user. There are only 4 users allowed in the whole site and the passwords are simply outrageous. I have it pretty locked down when it comes to the ports. Only 7 open and they are all necessary, and I am still trying to figure out if I need the Kerberos ports open. I do not know how to set it to send the 404's you stated. Is there a setting or editing process to do this? All suggestions are welcome. I am no server wizard, that's for sure, but with everyone's help here on EE I am getting through it!

Dale Burrell commented:
OK, first tip: make sure that any user that has RDT access cannot FTP into the server unless it's secure FTP. The reason being that regular FTP passes credentials in plain text, and if someone is monitoring your connection and spots an FTP password, the first thing they will do is attempt to RDT with it. So either ensure all FTP users don't have RDT access, or require that any FTP access is secure.

Now I probably can't answer your questions in enough detail for your specific situation, so you'll probably have to go and read about the concepts.

With the website, I assume you are running IIS. Websites (or their application pools) in IIS run under an identity (which is a user). Which identity this is depends on how you've set it up. This might help you understand this: http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx. So back to my point: whichever identity your website is running under needs to have the minimum rights possible to your server, i.e. read rights within the website directory, maybe write rights inside a log file directory, and no rights to anywhere else on your server.

How to handle 404's again depends on your website setup; IIS can handle some 404's, your site itself may handle others. If you google "404 IIS (your version number)" that will help. And if you google "404 (your application environment, asp.net, php etc.)" that will help there. Use Firefox with Firebug or similar to determine that the site really is sending HTTP status 404 for missing content (ideally without the redirect that asp.net can do first).

hth