Solved

Server logs- how to interpret- how to tell what is being accessed and if it has been compromised

Posted on 2012-04-02
6
375 Views
Last Modified: 2012-04-17
I was wondering if anyone can tell me how to interpret my server logs on Server 2008 Standard? I always see these IP addresses hitting it and I block out the ones I do not recognize or search for and find out they are bots. I just do not know if they have accessed or compromised any files. My site is running perfectly and I see these hits coming from all over the world. How can I tell what, if anything, is being hit or what files are being corrupted or 'owned' if you will. I am going to launch soon and am looking into server hardening but it's complicated and I am a newbie.

This was one I found to be an attack from yesterday. How can I tell what may have been compromised?

/db/index.php - 80
GET /dbadmin/index.php - 80 - 91.121.73.100
GET /myadmin/index.php - 80 - 91.121.73.100
GET /mysql/index.php - 80 - 91.121.73.100
GET /mysqladmin/index.php - 80 - 91.121.73.100
GET /typo3/phpmyadmin/index.php - 80 - 91.121.73.100
GET /phpMyAdmin/index.php - 80 - 91.121.73.100
GET /phpmyadmin/index.php - 80 - 91.121.73.100
GET /phpmyadmin1/index.php - 80 - 91.121.73.100
GET /pma/index.php - 80 - 91.121.73.100 HTTP/1.1
GET /phpMyAdmin-2.5.1/index.php - 80 - 91.121.73.100
etc. etc. etc.
0
Question by:jeffmeverett
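The question is whether a run of GETs like the ones above "got to anything". The status code IIS logged for each request answers most of that: a 404 means nothing existed at the path, while a 2xx or 3xx means the server had something to say there and the path deserves a look. The script below is an added example, not code from the thread or from Experts Exchange: it reads IIS W3C extended log text (the #Fields: header names the columns), groups requests by client IP, flags paths that look like probes for database and admin consoles (the path names from the post plus a few variants), and reports for each probing IP how many probes it sent and which probes were not answered with 404. The log lines in SAMPLE_LOG are constructed for the demo; point `triage()` at the contents of a real `u_ex*.log` file instead.

```python
"""Triage IIS W3C log lines for admin-console probing (added example)."""
import re
from collections import defaultdict

# Path fragments commonly probed by scanners: the ones from the post plus a
# few obvious variants. Extend this to match what you see in your own logs.
PROBE_PATTERN = re.compile(
    r"/(db|dbadmin|myadmin|mysql|mysqladmin|phpmyadmin[\w.-]*|pma|typo3)/",
    re.IGNORECASE,
)

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2012-04-01 03:12:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2012-04-01 03:12:01 10.0.0.5 GET /index.html - 80 203.0.113.9 200
2012-04-01 03:12:02 10.0.0.5 GET /dbadmin/index.php - 80 198.51.100.7 404
2012-04-01 03:12:02 10.0.0.5 GET /myadmin/index.php - 80 198.51.100.7 404
2012-04-01 03:12:03 10.0.0.5 GET /phpMyAdmin/index.php - 80 198.51.100.7 404
2012-04-01 03:12:03 10.0.0.5 GET /pma/index.php - 80 198.51.100.7 200
2012-04-01 03:12:04 10.0.0.5 GET /phpmyadmin1/index.php - 80 198.51.100.7 302
2012-04-01 03:12:09 10.0.0.5 GET /about.html - 80 203.0.113.9 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields: column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                    # malformed line or no header yet
        yield dict(zip(fields, parts))


def triage(text):
    """Return {client_ip: {"probes": n, "answered": [(path, status), ...]}}.

    "answered" lists probe paths that did NOT get a 404. Those are the ones
    to check by hand, because the server had something at that path (or
    redirected instead of saying "not found").
    """
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for rec in parse_w3c(text):
        path = rec["cs-uri-stem"]
        if not PROBE_PATTERN.search(path):
            continue
        entry = report[rec["c-ip"]]
        entry["probes"] += 1
        if rec["sc-status"] != "404":
            entry["answered"].append((path, rec["sc-status"]))
    return dict(report)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip}: {info['probes']} probe(s)")
        for path, status in info["answered"]:
            print(f"  NOT 404 -> {status} {path}")
```

Anything listed under "NOT 404" is where to start: a 200 on `/pma/index.php` would mean a phpMyAdmin install really is reachable, while a 302 usually means the site redirects missing pages to an error page, which hides the difference between "exists" and "missing" in the log and is worth fixing.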
6 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
That is a known attacker IP Address


Once your system has been compromised then you cannot trust anything on that system. If they gained access then your only recourse is to restore from a backup and then change the admin logons.
0
 

Author Comment

by:jeffmeverett
I do realize that the IP addresses mentioned above are considered to be an attack, but did they get to anything? I am trying to interpret if the 'GET' line shows that there is an attack. The web server has been running incredibly great! No signs that anything is wrong, at least from what I can gather. The processes are low, the firewall is tight with only a few necessary ports open. After an NMAP scan I can only get port 53 to show. I am not a total beginner but I am about mid-novice at this point so get as technical as you can. What I usually notice is that if I was hacked I would know or realize things are becoming unstable. Are there any other measures to look into to help me recognize if anything is or has been hacked? My developer has been writing code and has not mentioned that anything looks out of place. There is so much to learn and try to prevent; any help or suggestions are appreciated.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
It could be that they just copied off your userbase and moved onward.
0
 
LVL 21

Accepted Solution

by:
Dale Burrell earned 500 total points
Just doing a GET on a site is normal access - that's not in itself a hack. Unless you specifically provide some mechanism to upload files it isn't possible. And unless you provide unprotected access to the database or other admin functions then they'd still need to login to your system to access that.

Check that there are no new files in the site. Do you have a log of who logs into your site? Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed.

Running on a real world server you're going to get this sort of thing unfortunately.
0
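"Check that there are no new files in the site" is easiest when you have something to compare against. The script below is an added example, not code from the thread or from Experts Exchange: it takes a SHA-256 manifest of the web root once (the baseline, which should live outside the web root so a web-writable account cannot touch it), and on later runs reports files that were added, modified or removed since. `demo()` builds a throwaway site tree in a temp directory and tampers with it to show what a report looks like; the file names in it are constructed.

```python
"""Baseline a web root and report added/modified/removed files (added example)."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of paths that were added, modified or removed."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Constructed scenario: baseline a tiny site, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "wwwroot")
        os.makedirs(os.path.join(site, "images"))
        with open(os.path.join(site, "index.html"), "w") as f:
            f.write("<h1>welcome</h1>")
        with open(os.path.join(site, "images", "logo.txt"), "w") as f:
            f.write("logo placeholder")

        # Baseline lives beside, not inside, the web root.
        baseline_path = os.path.join(tmp, "baseline.json")
        save_manifest(build_manifest(site), baseline_path)

        # What a later check might find: an edited page, an unexpected
        # script, and a file that vanished.
        with open(os.path.join(site, "index.html"), "a") as f:
            f.write("<!-- edited after baseline -->")
        with open(os.path.join(site, "images", "unexpected.php"), "w") as f:
            f.write("<?php /* constructed: not expected here */ ?>")
        os.remove(os.path.join(site, "images", "logo.txt"))

        return compare(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Re-baseline immediately after each legitimate deployment so the report only ever shows changes nobody made on purpose; a `.php` or `.aspx` appearing under an images or uploads folder is the classic thing this catches.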
 

Author Comment

by:jeffmeverett
Great info! The only thing I did not understand was the following: "Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed."  I do have to have admin rights for my remote desktop connection user. For some reason it's the only way I can use the Exchange server (that is on the same server, not the best setup) to send emails. Also for some reason I cannot get the user to login without the admin rights. EVEN though I have RDP enabled/set in the Active Directory properties for that user.  There are only 4 users allowed in the whole site and the passwords are simply outrageous. I have it pretty locked down when it comes to the ports. Only 7 open and they are all necessary, and I am still trying to figure out if I need the Kerberos ports open. I do not know how to set it to send the 404's you stated. Is there a setting or editing process to do this? All suggestions are welcome. I am no server wizard, that's for sure, but with everyone's help here on EE I am getting through it!
0
 
LVL 21

Assisted Solution

by:Dale Burrell
Dale Burrell earned 500 total points
OK, first tip: make sure that any user that has RDT access cannot FTP into the server unless it's secure FTP. The reason being that regular FTP passes credentials in plain text, and if someone is monitoring your connection and spots an FTP password, the first thing they will do is attempt to RDT with it. So either ensure all FTP users don't have RDT access, or require that any FTP access is secure.

Now I probably can't answer your questions in enough detail for your specific situation, so you'll probably have to go and read about the concepts.

With the website, I assume you are running IIS - websites (or their application pools) in IIS run under an identity (which is a user). Which identity this is depends on how you've set it up. This might help understand this: http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx. So back to my point, whichever identity your website is running under needs to have the minimum rights possible to your server, i.e. read rights within the website directory, and maybe write rights inside a log file directory, and no rights to anywhere else on your server.

How to handle 404's again depends on your website setup; IIS can handle some 404's, your site itself may handle others. If you google 404 IIS (your version number) that will help. And if you google 404 (your application environment, asp.net, php etc.) that will help there. Use Firefox with Firebug or similar to determine that the site really is sending HTTP Status 404 for missing content (ideally without the redirect that asp.net can do first).

hth
0
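The last point, confirming that a missing path really comes back as HTTP 404 and not as a 302 to an error page that then answers 200, can be checked from a script as well as from Firebug. The code below is an added example, not code from the thread or from Experts Exchange. It starts two tiny local HTTP servers as stand-ins: `StrictHandler` answers a plain 404 for anything it does not know, and `RedirectingHandler` mimics the asp.net-style bounce to `/error.aspx`. `audit_missing()` then requests a few paths that should not exist without following redirects and reports what each server actually said. The handlers, hostnames and paths are constructed for the demo; against a real site you would call `audit_missing()` with your own server's host and port.

```python
"""Check that missing paths return a real 404, not a redirect (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

KNOWN_PATHS = {"/", "/index.html"}   # constructed: the only "real" pages


class StrictHandler(BaseHTTPRequestHandler):
    """Stand-in for a well-configured site: plain 404 for unknown paths."""

    def do_GET(self):
        if self.path in KNOWN_PATHS:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(404)
            self.end_headers()
            self.wfile.write(b"not found")

    def log_message(self, *args):   # keep the demo output quiet
        pass


class RedirectingHandler(StrictHandler):
    """Stand-in for a site that bounces missing paths to an error page."""

    def do_GET(self):
        if self.path in KNOWN_PATHS:
            return super().do_GET()
        if self.path == "/error.aspx":
            self.send_response(200)  # the friendly error page itself is a 200
            self.end_headers()
            self.wfile.write(b"friendly error page")
            return
        self.send_response(302)      # missing page -> redirect, not 404
        self.send_header("Location", "/error.aspx")
        self.end_headers()


def start_server(handler):
    """Bind to an ephemeral localhost port and serve from a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def status_for(host, port, path):
    """GET one path WITHOUT following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def audit_missing(host, port, paths):
    """Return {path: verdict}: 'ok' for a 404, otherwise what was returned."""
    verdicts = {}
    for p in paths:
        status, location = status_for(host, port, p)
        if status == 404:
            verdicts[p] = "ok"
        elif 300 <= status < 400:
            verdicts[p] = f"redirect -> {location}"
        else:
            verdicts[p] = f"served ({status})"
    return verdicts


def demo():
    """Run both stand-in servers and audit the same missing paths on each."""
    strict = start_server(StrictHandler)
    loose = start_server(RedirectingHandler)
    probes = ["/phpmyadmin/index.php", "/pma/index.php"]
    try:
        return (audit_missing("127.0.0.1", strict.server_address[1], probes),
                audit_missing("127.0.0.1", loose.server_address[1], probes))
    finally:
        for srv in (strict, loose):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    strict_result, loose_result = demo()
    print("strict site:", strict_result)
    print("redirecting site:", loose_result)
```

The reason to not follow redirects is the same one the answer gives: a browser that lands on the error page sees a 200 and the log shows a 302, so neither tells you whether the original path existed. A real 404 keeps that distinction in the log, which is what makes the probing lines in the question interpretable.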
