Solved

Server logs- how to interpret- how to tell what is being accessed and if it has been compromised

Posted on 2012-04-02
Last Modified: 2012-04-17
I was wondering if anyone can tell me how to interpret my server logs on Server 2008 Standard? I always see these IP addresses hitting it, and I block out the ones I do not recognize or search for them and find out they are bots. I just do not know if they have accessed or compromised any files. My site is running perfectly and I see these hits coming from all over the world. How can I tell what, if anything, is being hit or what files are being corrupted or 'owned', if you will? I am going to launch soon and am looking into server hardening, but it's complicated and I am a newbie.

This was one I found to be an attack from yesterday. How can I tell what may have been compromised?

/db/index.php - 80
GET /dbadmin/index.php - 80 - 91.121.73.100
GET /myadmin/index.php - 80 - 91.121.73.100
GET /mysql/index.php - 80 - 91.121.73.100
GET /mysqladmin/index.php - 80 - 91.121.73.100
GET /typo3/phpmyadmin/index.php - 80 - 91.121.73.100
GET /phpMyAdmin/index.php - 80 - 91.121.73.100
GET /phpmyadmin/index.php - 80 - 91.121.73.100
GET /phpmyadmin1/index.php - 80 - 91.121.73.100
GET /pma/index.php - 80 - 91.121.73.100 HTTP/1.1
GET /phpMyAdmin-2.5.1/index.php - 80 - 91.121.73.100
etc. etc. etc.
Question by:jeffmeverett
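The excerpt above shows only the method, path, port, username and client IP, which is why it cannot answer the question on its own. The default IIS 7 W3C log line also carries sc-status, sc-substatus and sc-win32-status, and that status is what tells you whether a probed path existed: a 404 means the scanner asked for something that is not there, a 200 (or a redirect) on one of these paths means something answered and needs a look. The following script is an added example, not code from the original thread; it parses the #Fields header rather than assuming a fixed column order, groups requests by client IP, flags clients that hit several admin-console paths, and lists any probe that got a non-404/403 answer plus any non-GET request from the same client. The log lines embedded in it are constructed to mirror the question's excerpt with status codes added and are not real traffic.

```python
"""Triage an IIS W3C Extended log for admin-console probing.

Added example, not from the original thread. It assumes the default IIS 7
W3C field layout (the #Fields header is parsed, so a different field order
still works). The log lines below are constructed to mirror the question's
excerpt with sc-status added; they are not real traffic.
"""
import re
from collections import defaultdict

# Path fragments typical of phpMyAdmin / database-console scanners.
PROBE_RE = re.compile(
    r"/(phpmyadmin[\w.-]*|pma|myadmin|mysqladmin|mysql|dbadmin|db)/", re.IGNORECASE
)

# Constructed sample log. IIS writes spaces inside a field as '+', so
# splitting each line on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2012-04-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-04-01 09:58:10 10.0.0.5 GET / - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 31
2012-04-01 09:58:12 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 3
2012-04-01 10:12:01 10.0.0.5 GET /db/index.php - 80 - 91.121.73.100 Mozilla/4.0 404 0 2 15
2012-04-01 10:12:01 10.0.0.5 GET /dbadmin/index.php - 80 - 91.121.73.100 Mozilla/4.0 404 0 2 0
2012-04-01 10:12:02 10.0.0.5 GET /myadmin/index.php - 80 - 91.121.73.100 Mozilla/4.0 404 0 2 0
2012-04-01 10:12:02 10.0.0.5 GET /mysql/index.php - 80 - 91.121.73.100 Mozilla/4.0 404 0 2 0
2012-04-01 10:12:03 10.0.0.5 GET /phpMyAdmin/index.php - 80 - 91.121.73.100 Mozilla/4.0 404 0 2 0
2012-04-01 10:12:03 10.0.0.5 GET /phpmyadmin/index.php - 80 - 91.121.73.100 Mozilla/4.0 404 0 2 0
2012-04-01 10:12:04 10.0.0.5 GET /pma/index.php - 80 - 91.121.73.100 Mozilla/4.0 200 0 0 47
2012-04-01 10:12:09 10.0.0.5 POST /pma/index.php - 80 - 91.121.73.100 Mozilla/4.0 200 0 0 120
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def triage(text, min_probes=3):
    """Group requests by client IP and summarise probing behaviour.

    'hits' are probe paths the server answered with something other than
    404/403, i.e. paths that actually exist; 'writes' are non-GET/HEAD
    requests from the same client. A client with at least min_probes distinct
    probe paths is marked as a scanner.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "hits": [], "writes": []})
    for r in parse_w3c(text):
        e = per_ip[r["c-ip"]]
        e["requests"] += 1
        stem, status, method = r["cs-uri-stem"], int(r["sc-status"]), r["cs-method"]
        if PROBE_RE.search(stem):
            e["paths"].add(stem.lower())  # IIS paths are case-insensitive
            if status not in (403, 404):
                e["hits"].append((method, stem, status))
        if method not in ("GET", "HEAD"):
            e["writes"].append((method, stem, status))
    return {
        ip: {
            "requests": e["requests"],
            "probes": len(e["paths"]),
            "scanner": len(e["paths"]) >= min_probes,
            "hits": e["hits"],
            "writes": e["writes"],
        }
        for ip, e in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        flag = "SCANNER" if info["scanner"] else "normal "
        print(f"{flag} {ip:15} requests={info['requests']} probe_paths={info['probes']}")
        for method, stem, status in info["hits"]:
            print(f"    !! probe path answered: {method} {stem} -> {status}")
        for method, stem, status in info["writes"]:
            print(f"    !! non-GET request:     {method} {stem} -> {status}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of a file from the IIS log directory (C:\inetpub\logs\LogFiles\W3SVC1\ by default on IIS 7). A scanner whose probes all come back 404 found nothing to talk to; the lines worth investigating are the ones the script prints with "!!", because a 200 on /pma/ or a POST to it means a database console really is reachable on the box.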
6 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37799496
That is a known attacker IP address.


Once your system has been compromised then you cannot trust anything on that system. If they gained access then your only recourse is to restore from a backup and then change the admin logons.
0
 

Author Comment

by:jeffmeverett
ID: 37801069
I do realize that the IP addresses mentioned above are considered to be an attack, but did they get to anything? I am trying to interpret if the 'GET' line shows that there is an attack. The web server has been running incredibly great! No signs that anything is wrong, at least from what I can gather. The processes are low, the firewall is tight with only a few necessary ports open. After an NMAP scan I can only get port 53 to show. I am not a total beginner but I am about mid-novice at this point, so get as technical as you can. What I usually notice is that if I was hacked I would know or realize things are becoming unstable. Are there any other measures to look into to help me recognize if anything is or has been hacked? My developer has been writing code and has not mentioned that anything looks out of place. There is so much to learn and try to prevent; any help or suggestions are appreciated.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 37801286
It could be that they just copied off your userbase and moved onward.
0
 
LVL 21

Accepted Solution

by: Dale Burrell (earned 2000 total points)
ID: 37803650
Just doing a GET on a site is normal access - that's not in itself a hack. Unless you specifically provide some mechanism to upload files it isn't possible. And unless you provide unprotected access to the database or other admin functions then they'd still need to login to your system to access that.

Check that there are no new files in the site. Do you have a log of who logs into your site? Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed.

Running on a real world server you're going to get this sort of thing unfortunately.
0
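The "check that there are no new files in the site" advice above is only reliable if you have something to compare against, and file timestamps are trivially forged. The script below is an added example, not code from the thread or from the site in question: it hashes every file under the web root into a baseline, then diffs a later snapshot and reports added, removed and modified files, singling out anything with a server-executable extension (a new .aspx or .php that your deployment did not put there is the classic dropped web shell). It assumes nothing about the site beyond a readable directory tree; the demo builds a small constructed web root in a temporary directory and simulates a compromise so it runs anywhere.

```python
"""Baseline a web root and report new, changed and removed files.

Added example, not part of the original thread. The web root, baseline
file name and the "compromise" in demo() are all constructed for the demo.
"""
import hashlib
import json
import os
import tempfile

# Extensions IIS (or PHP under IIS) would execute. A new file with one of
# these that your deploy process did not create is the thing to chase first.
EXECUTABLE_EXT = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".exe", ".dll", ".cmd", ".bat", ".ps1"}


def snapshot(root):
    """Return {relative path: sha256 hex} for every file under root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def compare(baseline, current):
    """Diff two snapshots; lists are sorted so repeated runs give stable output."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = [p for p in added + modified if os.path.splitext(p)[1].lower() in EXECUTABLE_EXT]
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def save_baseline(snap, path):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Build a constructed web root, baseline it, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "wwwroot")
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "index.aspx"), "w") as fh:
            fh.write("<%@ Page %> hello\n")
        with open(os.path.join(root, "images", "logo.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed")
        baseline_file = os.path.join(tmp, "baseline.json")
        save_baseline(snapshot(root), baseline_file)

        # Simulated compromise: a dropped shell, a tampered page, a deleted asset.
        with open(os.path.join(root, "images", "cmd.aspx"), "w") as fh:
            fh.write('<%@ Page %> <% Response.Write("owned") %>\n')
        with open(os.path.join(root, "index.aspx"), "a") as fh:
            fh.write("<!-- injected -->\n")
        os.remove(os.path.join(root, "images", "logo.png"))

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline right after a clean deploy and keep the JSON off the server; as David Johnson notes above, a compromised box cannot be trusted to report on itself, so run the comparison from a known-good machine against a copy of the web root rather than from the suspect host.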
 

Author Comment

by:jeffmeverett
ID: 37804306
Great info! The only thing I did not understand was the following: "Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed."  I do have to have admin rights for my remote desktop connection user. For some reason its the only way I can use the Exchange server (that is on the same server, not the best setup) to send emails. Also for some reason I cannot get the user to login without the admin rights. EVEN though I have RDP enabled/set in the Active Directory properties for that user.  There are only 4 users allowed in the whole site and the passwords are simply outrageous. I have it pretty locked down when it comes to the ports. Only 7 open and they are all necessary, and I am still trying to figure out if I need the Kerberos ports open. I do not know how to set it to send the 404's you stated. Is there a setting or editing process to do this? All suggestions are welcome. I am no server wizard that's for sure, but with everyone's help here on EE I am getting through it!
0
 
LVL 21

Assisted Solution

by:Dale Burrell
Dale Burrell earned 2000 total points
ID: 37804336
OK, first tip, make sure that any user that has RDT access cannot FTP into the server unless it's secure FTP. The reason being that regular FTP passes credentials in plain text, and if someone is monitoring your connection and spots an FTP password, the first thing they will do is attempt to RDT with it. So either ensure all FTP users don't have RDT access, or require that any FTP access is secure.

Now I probably can't answer your questions in enough detail for your specific situation, so you'll probably have to go and read about the concepts.

With the website, I assume you are running IIS - websites (or their application pools) in IIS run under an identity (which is a user). Which identity this is depends on how you've set it up. This might help understand this http://blogs.iis.net/davcox/archive/2009/08/12/what-is-my-iis-code-running-as.aspx. So back to my point, whichever identity your website is running under needs to have the minimum rights possible to your server, i.e. read rights within the website directory, and maybe write rights inside a log file directory, and no rights to anywhere else on your server.

How to handle 404's again depends on your website setup; IIS can handle some 404's, your site itself may handle others. If you google 404 IIS (your version number) that will help. And if you google 404 (your application environment, asp.net, php etc.) that will help there. Use Firefox with Firebug or similar to determine that the site really is sending HTTP Status 404 for missing content (ideally without the redirect that asp.net can do first).

hth
0
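The last point above, verifying that a missing path really gets a 404 and not a redirect first, can be checked without a browser plugin. The script below is an added example, not from the thread: it makes a plain HTTP request without following redirects, so a 302 to an error page (what ASP.NET customErrors does by default) is reported as such instead of being hidden behind the final 200, and a 200 for a path that should not exist is reported as a soft 404. To run offline it starts two throw-away servers in-process, one that redirects and one that answers properly; the error page path and the nonsense request path are made up for the demo. Point check_missing() at a real host and port to test a live site.

```python
"""Check what a site really returns for a path that does not exist.

Added example, not from the original thread. The two handlers imitate the
two behaviours being compared; they are constructed for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def check_missing(host, port, path="/this-path-does-not-exist-5f0a2c"):
    """GET a path that should not exist; return (status, verdict).

    Redirects are deliberately not followed: the first response is what a
    scanner sees, and a 302 tells it the site is rewriting errors.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        status, location = resp.status, resp.getheader("Location")
    finally:
        conn.close()
    if status == 404:
        verdict = "ok: real 404"
    elif 300 <= status < 400:
        verdict = f"bad: redirect to {location} instead of 404"
    elif status == 200:
        verdict = "bad: soft 404 (200 for missing content)"
    else:
        verdict = f"unexpected: {status}"
    return status, verdict


class RedirectingHandler(BaseHTTPRequestHandler):
    """Imitates a site whose error handling redirects to an error page."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", "/error404.aspx?aspxerrorpath=" + self.path)
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


class ProperHandler(BaseHTTPRequestHandler):
    """Sends a genuine 404 status along with the error body."""

    def do_GET(self):
        body = b"Not found"
        self.send_response(404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def serve(handler):
    """Start handler on 127.0.0.1 with an OS-chosen port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against both constructed servers; return {name: (status, verdict)}."""
    results = {}
    for name, handler in (("redirecting", RedirectingHandler), ("proper", ProperHandler)):
        server, port = serve(handler)
        try:
            results[name] = check_missing("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, verdict) in demo().items():
        print(f"{name:11} -> {status} {verdict}")
```

Use a random-looking path so a real page cannot match by accident, and check the directories the scanners ask for (/phpmyadmin/, /pma/ and so on) the same way: each should come back 404 from the first response, with no Location header.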

Question has a verified solution.