Solved

Whitehat hackers and interpretation of server logs

Posted on 2012-04-09
357 Views
Last Modified: 2012-04-15
My developer got called back to work and cannot help me. So... I am trying to figure out how to read server logs and see if these WhiteHat hackers got into my database. I have asked a similar question before, and it seems I have this server locked down decently according to some great folks here on EE. From what I understand, if someone really wants to hack, they are going to do it no matter how protected the server is.
I am trying to figure out if the below states that these guys are being forwarded to a 403 Forbidden error when they attempt to hit me. I do not know how to change this to a 404 or send them off to some other page. What I also cannot figure out is if they are accessing anything. I do not see any changes on my server, and everything is running like a dream as usual. I just can't see if they are successful at these attempts because, search after search on Google, I cannot find a detailed explanation on how to read the logs and have them make sense. I am pretty sure this stuff below is normal, but I wanted to check with the Experts!!


This was in my server log, IIS 7. I have SQL Server and Exchange all on the same box, not the best setup I know, but I am working on 2.0 for my site now.

2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /pma/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 193 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /dbadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /mysql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 193 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /myadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpmyadmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 199 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 199 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin-2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /php-my-admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 87
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sqlmanager/ - 80 - 209.15.236.190 HTTP/1.1 Made+
Question by:jeffmeverett
8 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37824528
You can use some IIS log analyzer tool to check what has happened and what information this attacker has got from your server.
Seems some tool or script was run against the server, seeing the time stamp...
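Added example, not from the thread or from any log-analyzer product: a small Python script that does offline what the accepted answer suggests, on the W3C log format shown in the question. The #Fields header is not in the post, so the column layout is inferred from the 22 columns of the posted lines and is an assumption (a real log file carries a #Fields: line, which the parser uses when present). The sample lines, the 10.0.0.5 server address, the 198.51.100.7 visitor and the hypothetical 200 on /mysql/ are constructed. The script groups requests by client IP, flags the ZmEu user agent seen in the post, counts status codes, decodes the 403 substatus, and lists any path that returned 2xx, which is the question the original poster actually wants answered. For reference, every posted line shows status 403 with substatus 4, which in IIS 7 means "SSL required", so those requests were refused before any content was served.

```python
"""Triage an IIS 7 W3C log for scanner activity (added example)."""
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Field order inferred from the 22 columns of the posted lines; the #Fields
# header was not included in the post, so this layout is an assumption.
INFERRED_FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
]

# IIS 7 HTTP 403 substatus meanings, from Microsoft's IIS documentation.
SUBSTATUS_403 = {4: "SSL required", 6: "IP address rejected",
                 14: "directory listing denied"}

# User-agent substrings to treat as scanners; "ZmEu" is the one in the post.
SCANNER_MARKERS = ("ZmEu",)

# Constructed sample log: three lines modelled on the posted ones (server IP
# replaced by a made-up 10.0.0.5, and a hypothetical 200 on /mysql/ added so
# the "did they get anything?" check has something to find) plus one normal
# visitor from a made-up address.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2012-04-09 08:21:10 W3SVC1 SERVER1 10.0.0.5 GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - 10.0.0.5 403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 10.0.0.5 GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - 10.0.0.5 403 4 5 375 191 86
2012-04-09 08:21:11 W3SVC1 SERVER1 10.0.0.5 GET /mysql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - 10.0.0.5 200 0 0 5120 193 120
2012-04-09 08:25:00 W3SVC1 SERVER1 10.0.0.5 GET /index.aspx - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0 - - 10.0.0.5 200 0 0 8000 300 15
"""


def parse_iis_log(text):
    """Yield one dict per request line.

    A #Fields: header, when present, overrides INFERRED_FIELDS. Lines whose
    column count does not match (a truncated paste, a mid-write read) are
    skipped rather than mis-parsed.
    """
    fields = INFERRED_FIELDS
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        # IIS stores spaces inside the user agent as '+'
        rec["cs(User-Agent)"] = unquote_plus(rec.get("cs(User-Agent)", "-"))
        rec["sc-status"] = int(rec["sc-status"])
        rec["sc-substatus"] = int(rec.get("sc-substatus", "0"))
        yield rec


def triage(records, scanner_markers=SCANNER_MARKERS):
    """Per client IP: was it a scanner, what did it ask for, and what did it
    actually get (any 2xx response is a hit worth investigating)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        agents = {r["cs(User-Agent)"] for r in recs}
        report[ip] = {
            "scanner": any(m in ua for ua in agents for m in scanner_markers),
            "requests": len(recs),
            "statuses": dict(Counter(r["sc-status"] for r in recs)),
            "forbidden_reasons": dict(Counter(
                SUBSTATUS_403.get(r["sc-substatus"],
                                  "substatus %d" % r["sc-substatus"])
                for r in recs if r["sc-status"] == 403)),
            "successful_paths": [r["cs-uri-stem"] for r in recs
                                 if 200 <= r["sc-status"] < 300],
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(parse_iis_log(SAMPLE_LOG)).items():
        flag = "SCANNER" if info["scanner"] else "normal"
        print(ip, flag, info["requests"], "requests",
              info["statuses"], info["forbidden_reasons"])
        if info["scanner"]:
            for path in info["successful_paths"]:
                print("   check this:", path, "returned 2xx")
```

To run it against a real server, replace SAMPLE_LOG with the contents of a log file from the IIS logging directory (by default %SystemDrive%\inetpub\logs\LogFiles\W3SVC1 on IIS 7). Nothing here touches the NIC or the server configuration; it only reads text files, so no reboot is involved. Any scanner IP that shows up under "check this" with a 2xx path is the place to start looking; a run of 403s with the same substatus, as in the posted lines, is the server refusing the requests.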
 

Author Comment

by:jeffmeverett
ID: 37824690
Where do you find the analyzer? Is the log analyzer you refer to the same as the 'logging' icon you click to view the logs in the Internet Information Server console? Or is this a different analyzer from a SQL something-or-other?
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824798

 

Author Comment

by:jeffmeverett
ID: 37824827
Can you please tell me the name of the software? The link takes me to a site in India but will not let me go any further. Thanks! I will keep you posted on any developments.
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824871
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824879
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824894
FYI, below is a sample of the report you get from this software, where you can see what IP, what files, and what has been accessed.
http://www.loganalyzer.net/sample/
 

Author Comment

by:jeffmeverett
ID: 37825080
So basically just install this on my public server and take a look at things? This program will not cause any changes to the NIC or anything like that, correct? I should not have to worry about anything changing any current configuration, or any type of reboot that may be necessary? I can't reboot at this time because I have my designer making some changes. Would there be any problems with the program being in 'promiscuous' mode? If you get the chance, please let me know. Thanks for all your help thus far!
