• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 138

What do these hacking activities from a web development consulting company stand for?

I have a new web development consulting company who recently worked with us. Today, they called in and told us their IP was blocked. When I checked the firewall report, I found they were doing some "Unix Password File Access Attempt" on my web server. And also, they did "Generic SQL Injection". Please see the attached report for detail.

Could experts here help me identify what they have done and what purpose they did these?

Thank you.
Asked by: Jason Yu
9 Solutions
 
Kyle AbrahamsSenior .Net DeveloperCommented:
Were they hitting the code that they wrote?  They might have been doing a penetration test to make sure their code was solid.
0
 
Jason YuAuthor Commented:
I am sorry for not including the page.
63.113.67.35.html
0
 
Jason YuAuthor Commented:
How could I know if they hit the code that they wrote?
0
 
Dave BaldwinFixer of ProblemsCommented:
In your log file, it shows them trying to access your IP address through port 80 and port 0.  Port 80 is normally the web server and port 0 is not normally used for anything.  With the messages listed, I think they are using the wrong protocol which is why they are not 'getting in'.
0
 
Dave BaldwinFixer of ProblemsCommented:
Maybe your firewall finally blocked them for too many failed access attempts.  ??
0
 
Jason YuAuthor Commented:
yes, the firewall finally blocked them.

what do these mean?

  • Unix Password File Access Attempt
  • Generic SQL Injection

I just want to make sure they didn't do anything malicious.
0
 
gheistCommented:
Your web server must have an access log with more detail...
The IDS report does not show the URL tried.
Anyway, a mass of password attempts looks like they are polishing some automated scanner.

If they developed the code they can choose from dozens of automated code review tools before attempting a brute-force scan. Really, blocking is the right way, but think about automated unblocking, say in 12h or so.
0
 
gheistCommented:
And such scans must be agreed beforehand, so you don't block them.
0
 
Sean JacksonInformation Security AnalystCommented:
Unless you have a prior agreement to perform these tests (and by the very asking of your question I'm guessing you don't) then what they're doing is illegal. They are attacking your systems. I would recommend you contact them and tell them to cease immediately.
0
 
Jason YuAuthor Commented:
Here are some lines from the web server's access log file:

66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/ckeditor/css/ckeditor-rtl.css?nlqbq0 HTTP/1.1" 200 541
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/views/css/views-rtl.css?nlqbq0 HTTP/1.1" 200 113
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/ctools/css/ctools.css?nlqbq0 HTTP/1.1" 200 509
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/megamenu/megamenu.css?nlqbq0 HTTP/1.1" 200 3988
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/megamenu/megamenu-skins.css?nlqbq0 HTTP/1.1" 200 5991
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/panels/css/panels.css?nlqbq0 HTTP/1.1" 200 843
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/text_resize/text_resize.css?nlqbq0 HTTP/1.1" 200 705
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/custom/menucrumb/css/menucrumb.css?nlqbq0 HTTP/1.1" 200 420
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/css/lac2014.normalize.css?nlqbq0 HTTP/1.1" 200 11077
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/css/lac2014.hacks.css?nlqbq0 HTTP/1.1" 200 445
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/js/chosen/chosen.css?nlqbq0 HTTP/1.1" 200 12437
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/jquery.once.js?v=1.2 HTTP/1.1" 200 2974
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/drupal.js?nlqbq0 HTTP/1.1" 200 14544
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/omega/omega/js/no-js.js?nlqbq0 HTTP/1.1" 200 62
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/jquery_update/replace/ui/external/jquery.cookie.js?v=67fb34f6a866c40d0570 HTTP/1.1" 200 3655
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/custom/field_universal_documents/dropzone/dropzone.min.js?nlqbq0 HTTP/1.1" 200 30454
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/custom/field_universal_documents/field_universal_documents.js?nlqbq0 HTTP/1.1" 200 14464
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/extlink/extlink.js?nlqbq0 HTTP/1.1" 200 5771
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/megamenu/megamenu.js?nlqbq0 HTTP/1.1" 200 5174
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/text_resize/text_resize.js?nlqbq0 HTTP/1.1" 200 5510
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/google_analytics/googleanalytics.js?nlqbq0 HTTP/1.1" 200 3411
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/youtubeIframeFix.js?nlqbq0 HTTP/1.1" 200 538
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/css/lac2014.styles.css?nlqbq0 HTTP/1.1" 200 723480
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/jquery.placeholder.js?nlqbq0 HTTP/1.1" 200 3043
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/detectmobilebrowser.js?nlqbq0 HTTP/1.1" 200 2217
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/global-footer.js?nlqbq0 HTTP/1.1" 200 648
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/global-menu.js?nlqbq


Any idea of what they were doing?
0
 
Dave BaldwinFixer of ProblemsCommented:
No, not really.  Those are perfectly normal requests except for the '?nlqbq0' part.  However, if those are the only requests during that time, that is odd because there aren't any 'pages' there, just JavaScript and CSS files.
0
 
gheistCommented:
That is cross-site forgery detection. If nlqbq gets into the page text they must fix it. If that is all they did it looks within the business scope and your firewall overreacted.
0
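The thread above turns on reading the access log rather than the IDS summary: the IDS names a signature but not the URL, while the access log shows what was actually requested, by whom, and how fast. The script below is an added example (not code from the thread or from any participant) that does the triage Dave and gheist did by hand, over a copy of the log: it parses common-format lines, groups them by client IP, and flags the patterns that deserve a second look, namely a burst of requests within a few seconds, an IP that fetches only CSS/JS assets and no page, a query string shared across most URLs, and a high error rate, which is what a password-file or SQL-injection probe usually leaves behind (a run of 4xx responses). Six sample lines are copied from Jason's post; the three lines for 192.0.2.10 are constructed to show a normal visitor for contrast. One caveat when reading the "shared query" flag: a constant token on CSS/JS URLs can also be a CMS cache-busting string (Drupal, which the /sites/all/modules paths indicate, appends one to its aggregated asset URLs), so that flag on its own is not evidence of probing; the burst and assets-only flags together with what the IDS logged for the same timestamps are what to correlate.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "common" log format:
#   ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Extensions treated as static assets rather than application pages.
STATIC_EXT = ('.css', '.js', '.png', '.jpg', '.gif', '.ico', '.woff', '.svg')

# Sample input: the first six lines are taken from the access log in the post
# above; the three lines for 192.0.2.10 are constructed to show a normal visitor.
SAMPLE_LOG = """\
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/ckeditor/css/ckeditor-rtl.css?nlqbq0 HTTP/1.1" 200 541
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/views/css/views-rtl.css?nlqbq0 HTTP/1.1" 200 113
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/ctools/css/ctools.css?nlqbq0 HTTP/1.1" 200 509
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/jquery.once.js?v=1.2 HTTP/1.1" 200 2974
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/drupal.js?nlqbq0 HTTP/1.1" 200 14544
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/megamenu/megamenu.js?nlqbq0 HTTP/1.1" 200 5174
192.0.2.10 - - [24/Mar/2015:12:03:01 -0700] "GET / HTTP/1.1" 200 18342
192.0.2.10 - - [24/Mar/2015:12:03:01 -0700] "GET /misc/drupal.js?nlqbq0 HTTP/1.1" 200 14544
192.0.2.10 - - [24/Mar/2015:12:04:40 -0700] "GET /node/12 HTTP/1.1" 200 20117
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['time'] = datetime.strptime(rec['time'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    url, _, query = rec['path'].partition('?')
    rec['url'] = url
    rec['query'] = query
    rec['static'] = url.lower().endswith(STATIC_EXT)
    return rec


def summarize_by_ip(log_text):
    """Group parsed requests by client IP and compute per-IP statistics."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # truncated or foreign line: skip rather than guess
        s = per_ip.setdefault(rec['ip'], {
            'requests': 0, 'static': 0, 'pages': 0,
            'first': rec['time'], 'last': rec['time'],
            'queries': Counter(), 'statuses': Counter(),
        })
        s['requests'] += 1
        s['static' if rec['static'] else 'pages'] += 1
        s['first'] = min(s['first'], rec['time'])
        s['last'] = max(s['last'], rec['time'])
        if rec['query']:
            s['queries'][rec['query']] += 1
        s['statuses'][rec['status']] += 1
    for s in per_ip.values():
        s['span_seconds'] = (s['last'] - s['first']).total_seconds()
    return per_ip


def triage(log_text, burst_window=5, min_burst=5):
    """Return {ip: [finding, ...]} listing the patterns worth a second look."""
    findings = {}
    for ip, s in summarize_by_ip(log_text).items():
        notes = []
        if s['requests'] >= min_burst and s['span_seconds'] <= burst_window:
            notes.append('burst')           # many requests within a few seconds
        if s['pages'] == 0:
            notes.append('assets-only')     # CSS/JS fetched without any page
        if s['queries']:
            token, n = s['queries'].most_common(1)[0]
            if n >= 3 and n * 2 >= s['requests']:
                notes.append('shared-query:' + token)  # same string on most URLs
        errors = sum(c for code, c in s['statuses'].items() if code >= 400)
        if errors > 0 and errors * 2 >= s['requests']:
            notes.append('mostly-errors')   # probes for files that do not exist
        findings[ip] = notes
    return findings


if __name__ == '__main__':
    for ip, notes in triage(SAMPLE_LOG).items():
        print(ip, notes or ['nothing unusual'])
```

Run against the full log rather than the excerpt (`triage(open('access.log').read())`) and compare the flagged IPs and timestamps with the IDS events; the firewall's "Generic SQL Injection" and "Unix Password File Access Attempt" hits should line up with specific request lines, which is what you need before deciding whether the consultant's traffic stayed within the agreed scope.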
 
Jason YuAuthor Commented:
Thank you guys, I will talk to the consultant company. I will close this question.
0
Question has a verified solution.