  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 360

Whitehat hackers and interpretation of server logs

My developer got called back to work and cannot help me. So.... I am trying to figure out how to read server logs and see if these WhiteHat hackers got into my database. I have asked a similar question before and it seems I have this server locked down decently according to some great folks here on EE. From what I understand, if someone really wants to hack, they are going to do it no matter how protected the server is.
I am trying to figure out if the below states that these guys are being forwarded to a 403 forbidden error when they attempt to hit me. I do not know how to change this to a 404 or send them off to some other page. What I also cannot figure out is if they are accessing anything. I do not see any changes on my server and everything is running like a dream as usual. I just can't see if they are successful at these attempts because, search after search on Google, I cannot find a detailed explanation on how to read the logs and have them make sense. I am pretty sure this stuff below is normal but I wanted to check with the Experts!!


This was in my server log (IIS 7). I have SQL Server and Exchange all on the same box, not the best setup I know, but I am working on 2.0 for my site now.

2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /pma/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 193 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /dbadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /mysql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 193 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /myadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpmyadmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro -XXX.XXX.XXX.XXX 403 4 5 375 199 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpMyAdmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 1 99 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin-2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /php-my-admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 87
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sqlmanager/ - 80 - 209.15.236.190 HTTP/1.1 Made+
Asked by jeffmeverett

5 Solutions
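To answer the two questions in the post (are these requests being refused, and did any of them get content back), here is a small IIS W3C log summariser. It is an added example, not code from the question or from any answer: it assumes the standard IIS 7 field order shown in the FIELDS tuple (the excerpt omits its #Fields header), takes three of the ZmEu lines from the post as sample input, and adds one constructed benign request from 198.51.100.7 for contrast.

```python
import re
from collections import Counter, defaultdict

# Assumed W3C field order for these lines (the excerpt omits its "#Fields:" header).
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) "
          "cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken").split()

# The scanner identifies itself in its User-Agent; IIS writes spaces in that field as "+".
SCANNER_UA = re.compile(r"ZmEu", re.IGNORECASE)

# Sample input: three lines from the post plus one constructed benign request (last line).
SAMPLE_LOG = [
    "2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 198 86",
    "2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 191 86",
    "2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 193 87",
    "2012-04-09 08:25:00 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /index.htm - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - XXX.XXX.XXX.XXX 200 0 0 5120 310 12",
]

def parse_line(line):
    """Split one W3C line into a dict; returns None for headers or malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
    return rec

def summarize(lines):
    """Per client IP: request count, status.substatus histogram, paths, scanner flag."""
    by_ip = defaultdict(lambda: {"requests": 0, "status": Counter(), "paths": [], "scanner": False})
    for rec in filter(None, map(parse_line, lines)):
        s = by_ip[rec["c-ip"]]
        s["requests"] += 1
        # e.g. "403.4": IIS substatus 4 under 403 means "SSL required"; win32 status 5 is access denied.
        s["status"][rec["sc-status"] + "." + rec["sc-substatus"]] += 1
        s["paths"].append(rec["cs-uri-stem"])
        if SCANNER_UA.search(rec["cs(User-Agent)"]):
            s["scanner"] = True
    return by_ip

def served_content(summary, ip):
    """True only if some request from ip got a 2xx, i.e. the server actually returned a page."""
    return any(code.startswith("2") for code in summary[ip]["status"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, s in summary.items():
        print(ip, s["requests"], dict(s["status"]), "scanner" if s["scanner"] else "",
              "SERVED CONTENT" if served_content(summary, ip) else "all refused")
```

For the lines in the post every probe ends in 403.4, so nothing was served; a real check runs this over the whole day's log and looks for any 2xx from the same client IP.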
 
AnuroopsunddCommented:
You can use some IIS log analyzer tool to check what has happened and what information this attacker has got from your server.
Seems some tool or script was run against the server, seeing the time stamps...
 
jeffmeverettAuthor Commented:
Where do you find the analyzer? Is this log analyzer you refer to the same as the 'logging' icon you click to view the logs in the Internet Information Server console? Or is this a different analyzer from SQL something or another?
 
jeffmeverettAuthor Commented:
Can you please tell me the name of the software? The link takes me to a site in India but will not let me go any further. Thanks! I will keep you posted on any developments.
 
AnuroopsunddCommented:
FYI.. below is a sample of the report you get from this software, where you can see what IP, what files and what has been accessed..
http://www.loganalyzer.net/sample/
 
jeffmeverettAuthor Commented:
So basically just install this on my public server and take a look at things? This program will not cause any changes to the NIC or anything like that, correct? I should not have to worry about anything changing any current configuration, or any type of reboot maybe being necessary? I can't reboot at this time because I have my designer making some changes. Would there be any problems with the program being in 'promiscuous' mode? If you get the chance please let me know. Thanks for all your help thus far!