What do these hacking activities from a web development consulting company stand for?

I have a new web development consulting company who recently worked with us. Today, they called in and told us their IP was blocked. When I checked the firewall report, I found they were doing some "Unix Password File Access Attempt" on my web server. And also, they did "Generic SQL Injection". Please see the attached report for detail.

Could experts here help me identify what they have done and for what purpose they did these?

Thank you.
Jason Yu Asked:

Kyle Abrahams, Senior .Net Developer, Commented:
Were they hitting the code that they wrote?  They might have been doing a penetration test to make sure their code was solid.
0
Jason Yu, Author, Commented:
I am sorry for not including the page.
63.113.67.35.html
0
Jason Yu, Author, Commented:
How could I know if they hit the code that they wrote?
0
Dave Baldwin, Fixer of Problems, Commented:
In your log file, it shows them trying to access your IP address thru port 80 and port 0.  Port 80 is normally the web server and port 0 is not normally used for anything.  With the messages listed, I think they are using the wrong protocol which is why they are not 'getting in'.
0
Dave Baldwin, Fixer of Problems, Commented:
Maybe your firewall finally blocked them for too many failed access attempts.  ??
0
Jason Yu, Author, Commented:
Yes, the firewall finally blocked them.

What do these mean?

Unix Password File Access Attempt
Generic SQL Injection

I just want to make sure they didn't do anything malicious.
0
gheist Commented:
Your web server must have an access log with more detail...
The IDS report does not show the URL tried.
Anyway, the mass of password attempts looks like they are polishing some automated scanner.

If they developed the code they can choose from dozens of automated code review tools before attempting a brute-force scan. Really, blocking is the right way, but think about automated unblocking, say in 12h or so.
0
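
One way to act on the comment above about checking the web server's access log, as an added example that is not part of the thread: a Python triage that pulls one client's requests from a Common Log Format file and flags request targets resembling the two signature names in the firewall report. The regexes are simplified assumptions, not the firewall's actual signatures; the `triage` function, its `custom_prefix` parameter and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Simplified stand-ins (assumptions) for the two IDS signature names in the report.
SIGNATURES = {
    "Unix Password File Access Attempt": re.compile(r"/etc/(passwd|shadow)\b", re.I),
    "Generic SQL Injection": re.compile(
        r"\bunion\b.+\bselect\b|\bor\b\s+\d+\s*=\s*\d+|'\s*--", re.I),
}

def triage(lines, client_ip, custom_prefix="/sites/all/modules/custom/"):
    """Summarise what one client requested and which requests look like probes."""
    hits, statuses, custom = [], Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] != client_ip:
            continue  # unparsable (e.g. truncated) line, or another client
        statuses[m["status"]] += 1
        target = unquote_plus(unquote_plus(m["target"]))  # undo single/double encoding
        custom += target.startswith(custom_prefix)  # requests to site-specific code
        for name, rx in SIGNATURES.items():
            if rx.search(target):
                hits.append((name, m["status"], m["target"]))
    return {"hits": hits, "statuses": dict(statuses), "custom_requests": custom}

# Constructed sample lines (documentation address ranges), not taken from the thread.
SAMPLE = [
    '203.0.113.7 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/drupal.js?nlqbq0 HTTP/1.1" 200 14544',
    '203.0.113.7 - - [24/Mar/2015:11:57:02 -0700] "GET /index.php?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 199',
    '203.0.113.7 - - [24/Mar/2015:11:57:05 -0700] "GET /node?id=1%27%20UNION%20SELECT%20null-- HTTP/1.1" 404 210',
    '203.0.113.7 - - [24/Mar/2015:11:57:09 -0700] "GET /sites/all/modules/custom/menucrumb/css/menucrumb.css?nlqbq0 HTTP/1.1" 200 420',
    '198.51.100.9 - - [24/Mar/2015:11:57:10 -0700] "GET /?q=%2Fetc%2Fpasswd HTTP/1.1" 403 199',
    '203.0.113.7 - - [24/Mar/2015:11:57:11 -0700] "GET /sites/all/themes/lac2014/js/global-menu.js?nlqbq',
]

if __name__ == "__main__":
    report = triage(SAMPLE, "203.0.113.7")
    print(report["statuses"], report["custom_requests"])
    for name, status, target in report["hits"]:
        print(status, name, target)
```

The status code next to each flagged request matters as much as the match itself: a 403 or 404 means the probe was refused or found nothing, while a 200 on a flagged target is the line to investigate first.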
gheist Commented:
And such scans must be agreed beforehand, so you don't block them.
0
Sean Jackson, Information Security Analyst, Commented:
Unless you have a prior agreement to perform these tests (and by the very asking of your question I'm guessing you don't) then what they're doing is illegal. They are attacking your systems. I would recommend you contact them and tell them to cease immediately.
0
Jason Yu, Author, Commented:
Here are some lines from the web server's access log file:

66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/ckeditor/css/ckeditor-rtl.css?nlqbq0 HTTP/1.1" 200 541
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/views/css/views-rtl.css?nlqbq0 HTTP/1.1" 200 113
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/ctools/css/ctools.css?nlqbq0 HTTP/1.1" 200 509
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/megamenu/megamenu.css?nlqbq0 HTTP/1.1" 200 3988
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/megamenu/megamenu-skins.css?nlqbq0 HTTP/1.1" 200 5991
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/panels/css/panels.css?nlqbq0 HTTP/1.1" 200 843
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/text_resize/text_resize.css?nlqbq0 HTTP/1.1" 200 705
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/modules/custom/menucrumb/css/menucrumb.css?nlqbq0 HTTP/1.1" 200 420
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/css/lac2014.normalize.css?nlqbq0 HTTP/1.1" 200 11077
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/css/lac2014.hacks.css?nlqbq0 HTTP/1.1" 200 445
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/js/chosen/chosen.css?nlqbq0 HTTP/1.1" 200 12437
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/jquery.once.js?v=1.2 HTTP/1.1" 200 2974
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /misc/drupal.js?nlqbq0 HTTP/1.1" 200 14544
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/omega/omega/js/no-js.js?nlqbq0 HTTP/1.1" 200 62
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/jquery_update/replace/ui/external/jquery.cookie.js?v=67fb34f6a866c40d0570 HTTP/1.1" 200 3655
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/custom/field_universal_documents/dropzone/dropzone.min.js?nlqbq0 HTTP/1.1" 200 30454
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/custom/field_universal_documents/field_universal_documents.js?nlqbq0 HTTP/1.1" 200 14464
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/extlink/extlink.js?nlqbq0 HTTP/1.1" 200 5771
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/megamenu/megamenu.js?nlqbq0 HTTP/1.1" 200 5174
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/text_resize/text_resize.js?nlqbq0 HTTP/1.1" 200 5510
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/modules/google_analytics/googleanalytics.js?nlqbq0 HTTP/1.1" 200 3411
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/youtubeIframeFix.js?nlqbq0 HTTP/1.1" 200 538
66.113.67.35 - - [24/Mar/2015:11:56:28 -0700] "GET /sites/all/themes/lac2014/css/lac2014.styles.css?nlqbq0 HTTP/1.1" 200 723480
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/jquery.placeholder.js?nlqbq0 HTTP/1.1" 200 3043
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/detectmobilebrowser.js?nlqbq0 HTTP/1.1" 200 2217
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/global-footer.js?nlqbq0 HTTP/1.1" 200 648
66.113.67.35 - - [24/Mar/2015:11:56:29 -0700] "GET /sites/all/themes/lac2014/js/global-menu.js?nlqbq


Any idea of what they were doing?
0
Dave Baldwin, Fixer of Problems, Commented:
No, not really.  Those are perfectly normal requests except for the '?nlqbq0' part.  However, if those are the Only requests during that time, that is odd because there aren't any 'pages' there, just javascript and CSS files.
0
gheist Commented:
That is cross-site forgery detection. If nlqbq gets in page text they must fix it. If that is all they did it looks within the business scope and your firewall overreacted.
0

Jason Yu, Author, Commented:
Thank you guys, I will talk to the consultant company. I will close this question.
0