Solved

Whitehat hackers and interpretation of server logs

Posted on 2012-04-09
Last Modified: 2012-04-15
My developer got called back to work and cannot help me. So.... I am trying to figure out how to read server logs and see if these WhiteHat hackers got into my database. I have asked a similar question before and it seems I have this server locked down decently according to some great folks here on EE. From what I understand, if someone really wants to hack, they are going to do it no matter how protected the server is.
I am trying to figure out if the below states that these guys are being forwarded to a 403 Forbidden error when they attempt to hit me. I do not know how to change this to a 404 or send them off to some other page. What I also cannot figure out is if they are accessing anything. I do not see any changes on my server and everything is running like a dream as usual. I just can't see if they are successful at these attempts, because search after search on Google, I cannot find a detailed explanation on how to read the logs and have them make sense. I am pretty sure this stuff below is normal but I wanted to check with the Experts!!


This was in my server log (IIS 7). I have SQL Server and Exchange all on the same box, not the best setup I know, but I am working on 2.0 for my site now.

2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /pma/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 193 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /dbadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /mysql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 193 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /myadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpmyadmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro -XXX.XXX.XXX.XXX 403 4 5 375 199 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpMyAdmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 1 99 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin-2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /php-my-admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 87
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sqlmanager/ - 80 - 209.15.236.190 HTTP/1.1 Made+
Question by:jeffmeverett
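One way to answer "did they actually get anything" is to parse the W3C lines above and look at the status and bytes-sent columns per client IP. This is an added example, not code from the thread or from any log analyzer product; it assumes the 22-field order shown in the question (the #Fields: header of the log file states the real order) and uses constructed sample lines in which the server IP is replaced by 10.0.0.5 and one 200 response is invented so the summary has a served request to report.

```python
from collections import Counter, defaultdict

# IIS 7 W3C extended field order matching the question's lines (assumed;
# the log file's own "#Fields:" header is authoritative).
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem "
          "cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) "
          "cs(Cookie) cs(Referer) cs-host sc-status sc-substatus "
          "sc-win32-status sc-bytes cs-bytes time-taken").split()

# Constructed sample: two lines modelled on the question (server IP replaced
# by 10.0.0.5), one invented 200 response from the same scanner, and one
# ordinary visitor so the per-IP breakdown has something to compare.
SAMPLE_LOG = """\
2012-04-09 08:21:10 W3SVC1 SERVER1 10.0.0.5 GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - 10.0.0.5 403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 10.0.0.5 GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - 10.0.0.5 403 4 5 375 191 86
2012-04-09 08:21:11 W3SVC1 SERVER1 10.0.0.5 GET /admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - 10.0.0.5 200 0 0 5120 193 90
2012-04-09 09:00:00 W3SVC1 SERVER1 10.0.0.5 GET /index.html - 80 - 192.0.2.7 HTTP/1.1 Mozilla/5.0 - - 10.0.0.5 200 0 0 2048 150 12
"""


def parse_line(line):
    """Return a field->value dict, or None for headers/malformed lines.
    W3C logs are space-separated; spaces inside values are written as '+'."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarize(log_text):
    """Per client IP: request count, status.substatus counts, and every
    request the server actually served (2xx) rather than refused.
    sc-bytes is what was sent back; a few hundred bytes on a 403 is just
    the error page, so only the 'served' list shows real data leaving."""
    report = defaultdict(lambda: {"requests": 0, "statuses": Counter(), "served": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = report[rec["c-ip"]]
        entry["requests"] += 1
        entry["statuses"][rec["sc-status"] + "." + rec["sc-substatus"]] += 1
        if rec["sc-status"].startswith("2"):
            entry["served"].append((rec["cs-uri-stem"], int(rec["sc-bytes"])))
    return dict(report)
```

In IIS, status 403 with substatus 4 means "SSL required", so the 403.4 lines in the question are requests refused at the HTTP listener on port 80 before any file was served. Run summarize() over a real log and an empty "served" list for the scanner's IP is the answer the question is asking for.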
8 Comments

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37824528
You can use some IIS log analyzer tool to check what has happened and what information this attacker has got from your server.
Seems some tool or script was run against the server, seeing the timestamps...

Author Comment

by:jeffmeverett
ID: 37824690
Where do you find the analyzer? Is this log analyzer you refer to the same as the 'logging' icon you click to view the logs in the Internet Information Server console? Or is this a different analyzer, from SQL or something or other?

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824798

Author Comment

by:jeffmeverett
ID: 37824827
Can you please tell me the name of the software? The link takes me to a site in India but will not let me go any further. Thanks! I will keep you posted on any developments.

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824871

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824879

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824894
FYI, below is a sample of the report you get from this software, where you can see what IP, what files and what has been accessed.
http://www.loganalyzer.net/sample/

Author Comment

by:jeffmeverett
ID: 37825080
So basically just install this on my public server and take a look at things? This program will not cause any changes to the NIC or anything like that, correct? I should not have to worry about anything changing any current configuration, or any type of reboot that may be necessary? I can't reboot at this time because I have my designer making some changes. Would there be any problems with the program being in 'promiscuous' mode? If you get the chance please let me know. Thanks for all your help thus far!