This is a typical attack you see on websites. its scripted and the scripts grow in time. (more iterations added). When they find a way to use the editor they add texts to the website (adds, defacing etc) Thats why you always need to check logs. (manual or automatically). They try and try and try and try over and over again.

I have noticed attacks on several locations:

Website Logins

As you can see in the printscreen above this is jst a script that tries all the most common locations. Easy to recognise as they are all just trying to get a response (other then 404:  not found)  testing http://mydomainname/   .../FckEditor/editor/... or ../../login.php)

Database entry points

To enable access to the server i can open specific ports to use remote tools. These ports are tested with the default accounts sa, su, admin, etc...and passwords (brute force) 

server login points

Hour after hour they let scripts run, just like the database entry points or even the one above. administrator, admin, su.

Datum

Naam

Status

28-11-2014

DGU Initieel

document

20-05-2016

DGU

Vervanging van BizTalk server QBIZPROD door BTSS1001.