webserver hacked

[selina]

hi,
our webserver has been hacked and we dont' know when it happened. the guy who looks after this server is not in today.
i want to look into logs to see how it happened and when. where is the log saved by default?

the following is the contect that replaced our website.


----------------------------------------------

[ SPYKIDS Group ]



Mais bunitinhus que um Ford Ka

Mais fofos que um Etiópio

Mais meigos que um Rinoceronte

YOU ARE OWNED!



#SPYKIDS on gigachat.net

:: Members::
poerschke - _CaKe_ - guns_1 - Hualdo - Creative_MX - Lemarck

 

[office politics]

iis default
C:\WINDOWS\system32\LogFiles

 

[selina]

thanks.
i found the column in the log with 'ip-cs' heading on it. what is it?
is this the ip address of whoever access the server?

 

[Law]

Was it because you were running a web server on a domain controller?

 

[selina]

i don't think having it as a DC caused the hackers to get in. it's definitely a huge security hole but i'm not the one who designed it. i'm just having to clean up after other people's screwups.

and the heading that i was talking about on the log file is 'c-ip' followed by 'cs-username', 's-ip', 's-port' 'cs-method'....
i suppose 'c-ip' is the ip address which hackers got in from?