Server logs - how to interpret - how to tell what is being accessed and if it has been compromised

Posted on 2012-04-02
Medium Priority
Last Modified: 2012-04-17
I was wondering if anyone can tell me how to interpret my server logs on Server 2008 Standard? I always see these IP addresses hitting it, and I block out the ones I do not recognize or search for them and find out they are bots. I just do not know if they have accessed or compromised any files. My site is running perfectly and I see these hits coming from all over the world. How can I tell what, if anything, is being hit, or what files are being corrupted or 'owned', if you will? I am going to launch soon and am looking into server hardening, but it's complicated and I am a newbie.

This was one I found to be an attack from yesterday. How can I tell what may have been compromised?

/db/index.php - 80
GET /dbadmin/index.php - 80 -
GET /myadmin/index.php - 80 -
GET /mysql/index.php - 80 -
GET /mysqladmin/index.php - 80 -
GET /typo3/phpmyadmin/index.php - 80 -
GET /phpMyAdmin/index.php - 80 -
GET /phpmyadmin/index.php - 80 -
GET /phpmyadmin1/index.php - 80 -
GET /pma/index.php - 80 - HTTP/1.1
GET /phpMyAdmin-2.5.1/index.php - 80 -
etc. etc. etc.
Question by:jeffmeverett
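The lines quoted above are the cs-method, cs-uri-stem, cs-uri-query, s-port and cs-username columns of an IIS W3C log; the column that answers the question ("did they get to anything?") is sc-status, which these excerpts leave out. The script below is an added example, not from anyone in this thread: it parses a W3C log using its own `#Fields:` header and reports, per client address, how many of these admin-panel probes were sent and which of them received anything other than a 404. The log text is constructed, the addresses are documentation-range placeholders, the User-Agent string is made up, and the default log path in the final comment assumes site ID 1.

```powershell
# Added example (not from the thread): read an IIS 7 W3C log and report, per client,
# how many admin-panel probes it sent and which of them got anything other than 404.
# The log text below is constructed; 192.0.2.x / 198.51.100.x / 203.0.113.x are
# documentation-range placeholder addresses, and the User-Agent string is made up.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2012-04-01 03:12:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-04-01 03:12:01 192.0.2.10 GET /db/index.php - 80 - 198.51.100.25 constructed-scanner/1.0 404 0 2 15
2012-04-01 03:12:01 192.0.2.10 GET /dbadmin/index.php - 80 - 198.51.100.25 constructed-scanner/1.0 404 0 2 0
2012-04-01 03:12:02 192.0.2.10 GET /phpMyAdmin/index.php - 80 - 198.51.100.25 constructed-scanner/1.0 404 0 2 0
2012-04-01 03:12:02 192.0.2.10 GET /pma/index.php - 80 - 198.51.100.25 constructed-scanner/1.0 200 0 0 31
2012-04-01 03:12:03 192.0.2.10 GET /phpMyAdmin-2.5.1/index.php - 80 - 198.51.100.25 constructed-scanner/1.0 404 0 2 0
2012-04-01 09:40:13 192.0.2.10 GET /default.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0 46
'@

function Import-IisLog {
    param([string[]]$Lines)
    # The '#Fields:' directive names the columns; every other '#' line is metadata.
    $fields  = @()
    $records = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+' }
        elseif ($line -and -not $line.StartsWith('#')) { $records += $line }
    }
    $records | ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

function Get-AdminProbeReport {
    param([object[]]$Entries)
    # Paths taken from the log excerpt in the question. A 404 means the probe found
    # nothing; any other status means the path is real and needs a look.
    $probePattern = '^/(db|dbadmin|myadmin|mysql|mysqladmin|pma|phpmyadmin[^/]*|typo3/phpmyadmin)/index\.php$'
    $Entries | Where-Object { $_.'cs-uri-stem' -match $probePattern } |
        Group-Object 'c-ip' | ForEach-Object {
            $found = @($_.Group | Where-Object { $_.'sc-status' -ne '404' })
            New-Object PSObject -Property @{
                ClientIP = $_.Name
                Probes   = $_.Count
                NotFound = $_.Count - $found.Count
                Found    = ($found | ForEach-Object { "$($_.'cs-uri-stem') -> $($_.'sc-status')" }) -join '; '
            }
        }
}

$entries = Import-IisLog ($sampleLog -split "`r?`n")
Get-AdminProbeReport $entries | Format-Table ClientIP, Probes, NotFound, Found -AutoSize

# Against a live server (default IIS 7 log folder; site ID 1 is assumed):
# $entries = Import-IisLog (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex120401.log')
```

With the constructed data the report shows 198.51.100.25 sending five probes, four answered 404 and one (`/pma/index.php -> 200`) answered with content. A row like that is the signal to go and see what actually lives at that path; an all-404 row is a scanner that found nothing.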

Expert Comment

by:David Johnson, CD, MVP
ID: 37799496
That is a known attacker IP address.

Once your system has been compromised then you cannot trust anything on that system. If they gained access then your only recourse is to restore from a backup and then change the admin logons.

Author Comment

ID: 37801069
I do realize that the IP addresses mentioned above are considered to be an attack, but did they get to anything? I am trying to interpret whether the 'GET' line shows that there is an attack. The web server has been running incredibly great! No signs that anything is wrong, at least from what I can gather. The processes are low, the firewall is tight with only a few necessary ports open. After an NMAP scan I can only get port 53 to show. I am not a total beginner but I am about mid-novice at this point, so get as technical as you can. What I usually notice is that if I was hacked I would know or realize things are becoming unstable. Are there any other measures to look into to help me recognize if anything is or has been hacked? My developer has been writing code and has not mentioned that anything looks out of place. There is so much to learn and try to prevent; any help or suggestions are appreciated.

Expert Comment

by:David Johnson, CD, MVP
ID: 37801286
It could be that they just copied off your user base and moved onward.

Accepted Solution

Dale Burrell earned 2000 total points
ID: 37803650
Just doing a GET on a site is normal access - that's not in itself a hack. Unless you specifically provide some mechanism to upload files it isn't possible. And unless you provide unprotected access to the database or other admin functions then they'd still need to login to your system to access that.

Check that there are no new files in the site. Do you have a log of who logs into your site? Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed.

Running on a real world server you're going to get this sort of thing unfortunately.
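"Check that there are no new files in the site" is easier to do reliably against a recorded baseline than by eye, since a dropped file can be given any timestamp but not any content hash. The following is an added example, not the answerer's own code: one function snapshots every file under the web root with its SHA-256 hash, the other diffs the current tree against a saved snapshot and lists what was added, modified or removed. The paths are assumptions for a default IIS install; the baseline should live somewhere the website identity cannot write.

```powershell
# Added example (not from the thread): snapshot every file under the web root with its
# SHA-256 hash, then diff a later snapshot against it. Timestamps alone can be reset by
# whoever dropped a file; a content hash cannot. Paths are assumptions for a default IIS install.
function Get-SiteBaseline {
    param([string]$SiteRoot = 'C:\inetpub\wwwroot')
    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -Path $SiteRoot -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $stream = $_.OpenRead()
            try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
            finally { $stream.Close() }
            New-Object PSObject -Property @{ Path = $_.FullName; Hash = $hash; Written = $_.LastWriteTimeUtc }
        }
}

function Compare-SiteBaseline {
    param([string]$SiteRoot = 'C:\inetpub\wwwroot', [string]$BaselineCsv)
    $known = @{}
    Import-Csv -Path $BaselineCsv | ForEach-Object { $known[$_.Path] = $_.Hash }
    foreach ($file in (Get-SiteBaseline -SiteRoot $SiteRoot)) {
        if (-not $known.ContainsKey($file.Path)) {
            New-Object PSObject -Property @{ Change = 'NEW'; Path = $file.Path; Written = $file.Written }
        } elseif ($known[$file.Path] -ne $file.Hash) {
            New-Object PSObject -Property @{ Change = 'MODIFIED'; Path = $file.Path; Written = $file.Written }
        }
        $known.Remove($file.Path)
    }
    # Anything still in the table existed at baseline time and is gone now.
    foreach ($path in $known.Keys) {
        New-Object PSObject -Property @{ Change = 'REMOVED'; Path = $path; Written = $null }
    }
}

# 1. Take the baseline once, from a copy you know is clean (ideally right after deployment),
#    and store it where the website identity has no write access.
# Get-SiteBaseline | Export-Csv -Path 'C:\Baseline\wwwroot.csv' -NoTypeInformation
# 2. After suspicious log activity, list what changed. An empty result means no file under
#    the web root was added, altered or deleted since the baseline.
# Compare-SiteBaseline -BaselineCsv 'C:\Baseline\wwwroot.csv' | Format-Table Change, Written, Path -AutoSize
```

Re-take the baseline after each legitimate deployment, otherwise every release shows up as a wall of MODIFIED rows and the real signal is lost.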

Author Comment

ID: 37804306
Great info! The only thing I did not understand was the following: "Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed." I do have to have admin rights for my remote desktop connection user. For some reason it's the only way I can use the Exchange server (that is on the same server, not the best setup) to send emails. Also, for some reason I cannot get the user to log in without the admin rights, EVEN though I have RDP enabled/set in the Active Directory properties for that user. There are only 4 users allowed in the whole site and the passwords are simply outrageous. I have it pretty locked down when it comes to the ports. Only 7 open and they are all necessary, and I am still trying to figure out if I need the Kerberos ports open. I do not know how to set it to send the 404's you stated. Is there a setting or editing process to do this? All suggestions are welcome. I am no server wizard, that's for sure, but with everyone's help here on EE I am getting through it!

Assisted Solution

by:Dale Burrell
Dale Burrell earned 2000 total points
ID: 37804336
OK, first tip: make sure that any user that has RDT access cannot FTP into the server unless it's secure FTP. The reason being that regular FTP passes credentials in plain text, and if someone is monitoring your connection and spots an FTP password, the first thing they will do is attempt to RDT with it. So either ensure all FTP users don't have RDT access, or require that any FTP access is secure.

Now I probably can't answer your questions in enough detail for your specific situation, so you'll probably have to go and read about the concepts.

With the website, I assume you are running IIS - websites (or their application pools) in IIS run under an identity (which is a user). Which identity this is depends on how you've set it up. This might help you understand this: http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx. So back to my point, whichever identity your website is running under needs to have the minimum rights possible to your server, i.e. read rights within the website directory, and maybe write rights inside a log file directory, and no rights to anywhere else on your server.

How to handle 404's again depends on your website setup; IIS can handle some 404's, your site itself may handle others. If you google 404 IIS (your version number) that will help. And if you google 404 (your application environment, asp.net, php etc.) that will help there. Use Firefox with Firebug or similar to determine that the site really is sending HTTP Status 404 for missing content (ideally without the redirect that asp.net can do first).
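Both of these points can be checked from the server itself. The script below is an added example, not the answerer's own code. The first function walks a set of folders and lists every directory where the website identity (or a group every service account belongs to) holds an Allow ACE carrying write, modify or full-control rights; under the rule above, the only rows that should appear are the web root's log folder. The second issues a GET with redirects disabled and reports the raw status and any Location header, which is the same check the answer suggests doing with Firebug. The identity name is an assumption (NETWORK SERVICE is the IIS 7.0 default application pool identity; read the real one from the application pool's Advanced Settings in IIS Manager), the folder list and URLs are placeholders for the server being checked, and the probe paths come from the question's log excerpt.

```powershell
# Added example (not from the thread). Identity, folders and URLs are assumptions/placeholders.
function Get-WritableByIdentity {
    param(
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE',   # IIS 7.0 default app pool identity (assumed)
        [string[]]$Roots  = @('C:\inetpub', 'C:\Windows\Temp')
    )
    # Any of these rights lets the identity create or alter content.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    # Groups every service identity is a member of; an Allow ACE for them counts too.
    $implicit = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\SERVICE')
    Get-ChildItem -Path $Roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # cannot read this ACL; skip the directory
            $acl.Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.IdentityReference.Value -eq $Identity -or $implicit -contains $_.IdentityReference.Value) -and
                    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
                } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Directory = $dir
                        GrantedTo = $_.IdentityReference.Value
                        Rights    = $_.FileSystemRights.ToString()
                    }
                }
        }
}

function Get-HttpStatus {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # report the first status, not where a redirect lands
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 4xx/5xx arrive as an exception that still carries the response
        if ($_.Exception.Response) { $resp = $_.Exception.Response } else { throw }
    }
    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $resp.Close()
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Location = $location }
}

# Directories the website identity can write to. Expect only the log folder, if any.
Get-WritableByIdentity | Format-Table GrantedTo, Rights, Directory -AutoSize

# Probe paths from the question plus a control path that certainly does not exist.
# Each should come back 404; a 200 means the path is real, a 301/302 is the redirect
# mentioned above and should be fixed so a plain 404 is sent instead.
$checks = 'http://localhost/phpmyadmin/index.php', 'http://localhost/pma/index.php', 'http://localhost/no-such-page-xyz.aspx'
$checks | ForEach-Object { Get-HttpStatus -Url $_ } | Format-Table Status, Location, Url -AutoSize
```

Run the ACL check from an elevated prompt so every directory's ACL can be read; a directory that is skipped silently would otherwise look clean. Run the status check against the public hostname as well as localhost, since a front-end rewrite rule or a custom error page can change what external clients see.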

