Server logs - how to interpret them - how to tell what is being accessed and if it has been compromised

I was wondering if anyone can tell me how to interpret my server logs on Server 2008 Standard? I always see these IP addresses hitting it, and I block out the ones I do not recognize, or search for them and find out they are bots. I just do not know if they have accessed or compromised any files. My site is running perfectly and I see these hits coming from all over the world. How can I tell what, if anything, is being hit, or what files are being corrupted or 'owned', if you will? I am going to launch soon and am looking into server hardening, but it's complicated and I am a newbie.

This was one I found to be an attack from yesterday. How can I tell what may have been compromised?

/db/index.php - 80
GET /dbadmin/index.php - 80 -
GET /myadmin/index.php - 80 -
GET /mysql/index.php - 80 -
GET /mysqladmin/index.php - 80 -
GET /typo3/phpmyadmin/index.php - 80 -
GET /phpMyAdmin/index.php - 80 -
GET /phpmyadmin/index.php - 80 -
GET /phpmyadmin1/index.php - 80 -
GET /pma/index.php - 80 - HTTP/1.1
GET /phpMyAdmin-2.5.1/index.php - 80 -
etc. etc. etc.

David Johnson, CD, MVP (Owner) commented:
That is a known attacker IP address.

Once your system has been compromised then you cannot trust anything on that system. If they gained access then your only recourse is to restore from a backup and then change the admin logons.
jeffmeverett (Author) commented:
I do realize that the IP addresses mentioned above are considered to be an attack, but did they get to anything? I am trying to interpret if the 'GET' line shows that there is an attack. The web server has been running incredibly great! No signs that anything is wrong, at least from what I can gather. The processes are low, the firewall is tight with only a few necessary ports open. After an NMAP scan I can only get port 53 to show. I am not a total beginner but I am about mid-novice at this point, so get as technical as you can. What I usually notice is that if I was hacked I would know or realize things are becoming unstable. Are there any other measures to look into to help me recognize if anything is or has been hacked? My developer has been writing code and has not mentioned that anything looks out of place. There is so much to learn and try to prevent; any help or suggestions are appreciated.
David Johnson, CD, MVP (Owner) commented:
It could be that they just copied off your userbase and moved onward.

Dale Burrell (Director) commented:
Just doing a GET on a site is normal access - that's not in itself a hack. Unless you specifically provide some mechanism to upload files it isn't possible. And unless you provide unprotected access to the database or other admin functions then they'd still need to login to your system to access that.

Check that there are no new files in the site. Do you have a log of who logs into your site? Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed.

Running on a real world server you're going to get this sort of thing unfortunately.
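As an added example that is not part of the thread, here is a Python script that applies Dale's point to an IIS W3C log: it picks out requests for the database-admin paths seen in the question's excerpt and reports, per client, whether any probe was answered with a 2xx (a real file was served and deserves a look) or only with 404s (IIS had nothing to hand over). The log text, field layout and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not the poster's log). IIS writes
# spaces inside a field, e.g. the User-Agent, as '+', so each line splits cleanly.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-05-02 03:14:01 10.0.0.5 GET /phpmyadmin/index.php - 80 - 198.51.100.7 Mozilla/5.0+(compatible) 404 0 2
2013-05-02 03:14:01 10.0.0.5 GET /pma/index.php - 80 - 198.51.100.7 Mozilla/5.0+(compatible) 404 0 2
2013-05-02 03:14:02 10.0.0.5 GET /myadmin/index.php - 80 - 198.51.100.7 Mozilla/5.0+(compatible) 200 0 0
2013-05-02 03:14:30 10.0.0.5 GET /index.html - 80 - 203.0.113.9 Mozilla/5.0+(compatible) 200 0 0
"""

# Paths that scanners try when looking for a database admin console, taken from
# the question's own excerpt (case-insensitive, so /phpMyAdmin-2.5.1/ also matches).
PROBE_RE = re.compile(
    r"^/(db|dbadmin|myadmin|mysql|mysqladmin|pma|typo3/phpmyadmin|phpmyadmin[\w.-]*)/",
    re.IGNORECASE,
)


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))


def triage(text):
    """Return {client ip: {"probes": count, "served": [stems answered with 2xx]}}."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        if not PROBE_RE.match(stem):
            continue                           # ordinary traffic, not an admin-path probe
        entry = report[rec["c-ip"]]
        entry["probes"] += 1
        # 404 = nothing existed at that path; 2xx = a file under the site actually answered.
        if rec["sc-status"].startswith("2"):
            entry["served"].append(stem)
    return dict(report)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at a real log by reading the file under C:\inetpub\logs\LogFiles into `triage`; any client with a non-empty "served" list is the one whose requests touched content that exists on the site.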

jeffmeverett (Author) commented:
Great info! The only thing I did not understand was the following: "Ensure that the user which your website runs as doesn't have access to anything else on the server. Send 404's when missing files are accessed." I do have to have admin rights for my remote desktop connection user. For some reason it's the only way I can use the Exchange server (that is on the same server, not the best setup) to send emails. Also for some reason I cannot get the user to log in without the admin rights, even though I have RDP enabled/set in the Active Directory properties for that user. There are only 4 users allowed in the whole site and the passwords are simply outrageous. I have it pretty locked down when it comes to the ports. Only 7 open and they are all necessary, and I am still trying to figure out if I need the Kerberos ports open. I do not know how to set it to send the 404's you stated. Is there a setting or editing process to do this? All suggestions are welcome. I am no server wizard, that's for sure, but with everyone's help here on EE I am getting through it!
Dale Burrell (Director) commented:
OK, first tip: make sure that any user that has RDT access cannot FTP into the server unless it's secure FTP. The reason being that regular FTP passes credentials in plain text, and if someone is monitoring your connection and spots an FTP password, the first thing they will do is attempt to RDT with it. So either ensure all FTP users don't have RDT access, or require that any FTP access is secure.

Now I probably can't answer your questions in enough detail for your specific situation, so you'll probably have to go and read about the concepts.

With the website, I assume you are running IIS - websites (or their application pools) in IIS run under an identity (which is a user). Which identity this is depends on how you've set it up. This might help you understand this. So back to my point: whichever identity your website is running under needs to have the minimum rights possible to your server, i.e. read rights within the website directory, and maybe write rights inside a log file directory, and no rights to anywhere else on your server.

How to handle 404's again depends on your website setup: IIS can handle some 404's, your site itself may handle others. If you google "404 IIS (your version number)" that will help. And if you google "404 (your application environment, asp.net, php etc.)" that will help there. Use Firefox with Firebug or similar to determine that the site really is sending HTTP status 404 for missing content (ideally without the redirect that it can do first).
