Solved

Whitehat hackers and interpretation of server logs

Posted on 2012-04-09
Last Modified: 2012-04-15
My developer got called back to work and cannot help me. So.... I am trying to figure out how to read server logs and see if these WhiteHat hackers got into my database. I have asked a similar question before, and it seems I have this server locked down decently according to some great folks here on EE. From what I understand, if someone really wants to hack, they are going to do it no matter how protected the server is.
I am trying to figure out if the below states that these guys are being forwarded to a 403 Forbidden error when they attempt to hit me. I do not know how to change this to a 404 or send them off to some other page. What I also cannot figure out is if they are accessing anything. I do not see any changes on my server, and everything is running like a dream as usual. I just can't see if they are successful at these attempts, because search after search on Google I cannot find a detailed explanation of how to read the logs and have them make sense. I am pretty sure this stuff below is normal, but I wanted to check with the Experts!!


This was in my server log (IIS 7). I have SQL Server and Exchange all on the same box, not the best setup I know, but I am working on 2.0 for my site now.

2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /pma/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 191 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 193 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /dbadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 191 87
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /mysql/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 193 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX  GET /myadmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 195 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpmyadmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 199 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 199 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin-2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /php-my-admin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX  403 4 5 375 200 87
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /sqlmanager/ - 80 - 209.15.236.190 HTTP/1.1 Made+
Question by:jeffmeverett
8 Comments
 
LVL 17

Accepted Solution

by:
Anuroopsundd earned 500 total points
ID: 37824528
You can use an IIS log analyzer tool to check what has happened and what information this attacker has got from your server.
Seeing the time stamps, it seems some tool or script was run against the server...
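As an added example (not code from the thread, nor from any log analyzer product mentioned in it), the script below reads lines in the format of the excerpt in the question and answers the two things the author asks: what status IIS returned to the scanner, and whether any of its requests were actually served. It assumes the standard IIS 7 W3C field order listed in FIELDS, since the log's `#Fields` header is not in the post; the last sample line, with a 200 response from client 198.51.100.7, is constructed so the blocked requests can be seen next to one that succeeded. Each of the ZmEu lines ends with `403 4 ...`, which IIS records as status 403 with substatus 4, meaning "SSL required": the request was refused by IIS itself and the only bytes sent back (sc-bytes, 375) are the error page. Whether the refusal is a 403 or a 404 makes no difference to what the scanner got, which is nothing; it also shows, as the answer above notes, a burst of requests within the same second from one IP, which is the signature of an automated scan rather than a person.

```python
"""Summarise an IIS 7 W3C log excerpt per client IP: what was requested,
what status IIS returned, how bursty the traffic was, and whether any
request actually received content (a 2xx response)."""
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Assumed #Fields order for these lines (the post omits the header line);
# it matches the 22 whitespace-separated columns in the excerpt.
FIELDS = [
    "date", "time", "s-sitename", "s-computername", "s-ip", "cs-method",
    "cs-uri-stem", "cs-uri-query", "s-port", "cs-username", "c-ip",
    "cs-version", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host",
    "sc-status", "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes",
    "time-taken",
]

# A few IIS 403 substatus meanings (subset of the documented list).
SUBSTATUS_403 = {0: "Forbidden", 4: "SSL required",
                 6: "IP address rejected", 14: "Directory listing denied"}

# Three lines taken from the question (spacing normalised) plus one
# constructed line with a 200 response and an RFC 5737 test client address.
SAMPLE_LOG = """\
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 198 86
2012-04-09 08:21:10 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /PMA/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 191 86
2012-04-09 08:21:11 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /phpMyAdmin-2/ - 80 - 209.15.236.190 HTTP/1.1 Made+by+ZmEu+@+WhiteHat+Team+-+www.whitehat.ro - - XXX.XXX.XXX.XXX 403 4 5 375 200 86
2012-04-09 08:25:02 W3SVC1 SERVER1 XXX.XXX.XXX.XXX GET /index.html - 80 - 198.51.100.7 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1) - - XXX.XXX.XXX.XXX 200 0 0 5120 210 12
"""


def parse_line(line):
    """Turn one W3C log line into a dict keyed by field name, or None for
    header/comment lines and lines that do not have the expected columns."""
    parts = line.split()
    if not parts or line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS writes spaces in the user agent as '+'; decode for readability.
    rec["cs(User-Agent)"] = unquote_plus(rec["cs(User-Agent)"])
    for key in ("sc-status", "sc-substatus", "sc-win32-status",
                "sc-bytes", "cs-bytes", "time-taken"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def describe_status(status, substatus):
    """Render an IIS status/substatus pair, e.g. '403.4 (SSL required)'."""
    meaning = SUBSTATUS_403.get(substatus) if status == 403 else None
    return f"{status}.{substatus}" + (f" ({meaning})" if meaning else "")


def summarise(records):
    """Group requests by client IP and report what each client obtained."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["c-ip"]].append(r)
    report = {}
    for ip, recs in by_ip.items():
        per_second = Counter((r["date"], r["time"]) for r in recs)
        report[ip] = {
            "requests": len(recs),
            "paths": sorted({r["cs-uri-stem"] for r in recs}),
            "statuses": dict(Counter(r["sc-status"] for r in recs)),
            # Only a 2xx means the server handed back real content;
            # 3xx/4xx/5xx responses carry no application data.
            "served": any(200 <= r["sc-status"] < 300 for r in recs),
            "user_agents": sorted({r["cs(User-Agent)"] for r in recs}),
            "peak_per_second": max(per_second.values()),
            "bytes_sent": sum(r["sc-bytes"] for r in recs),
        }
    return report


if __name__ == "__main__":
    for ip, info in summarise(parse_log(SAMPLE_LOG)).items():
        verdict = "SERVED CONTENT" if info["served"] else "nothing served"
        print(f"{ip}: {info['requests']} requests, peak {info['peak_per_second']}/s, "
              f"statuses {info['statuses']}, {verdict}")
        for path in info["paths"]:
            print(f"    {path}")
```

To run it against a real log, read the whole file with `parse_log(open(path).read())`; IIS 7 writes its logs by default under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\`. The script only reads a copy of the log file, so it changes no server configuration, touches no network interface and needs no reboot; a client whose report shows `"served": False` never received anything beyond IIS's own error page, regardless of which paths it probed.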
 

Author Comment

by:jeffmeverett
ID: 37824690
Where do you find the analyzer? Is the log analyzer you refer to the same as the 'logging' icon you click to view the logs in the Internet Information Server console? Or is this a different analyzer from SQL or something?
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824798

 

Author Comment

by:jeffmeverett
ID: 37824827
Can you please tell me the name of the software? The link takes me to a site in India but will not let me go any further. Thanks! I will keep you posted on any developments.
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824871
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824879
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 500 total points
ID: 37824894
FYI, below is a sample of the report you get from this software, where you can see which IP accessed which files and what has been accessed.
http://www.loganalyzer.net/sample/
 

Author Comment

by:jeffmeverett
ID: 37825080
So basically just install this on my public server and take a look at things? This program will not cause any changes to the NIC or anything like that, correct? I should not have to worry about anything changing any current configuration, or any type of reboot that may be necessary? I can't reboot at this time because I have my designer making some changes. Would there be any problems with the program being in 'promiscuous' mode? If you get the chance, please let me know. Thanks for all your help thus far!
