I'm getting repeating "Login failed for user 'sa'" messages in my SQL Server
log - every 20 to 30 seconds. These are also being recorded to the Event
Viewer / Application log. This is a SQL Server 2000 SP4 instance inside the
firewall.
I'm running SQL Profiler and capturing as follows:
Events:
Security Audit - Audit Login Failed
Sessions - ExistingConnection
Stored Procedures - RPC:Completed
Data Columns: All columns
SQL Profiler is returning:
Application Name: OSQL-32
ClientProcessID: <differs>
DatabaseID: 1
Error: 18456
Hostname: <server name>
LoginName: sa
LoginSid: 0x01
StartTime: <differs>
Success: 0
TextData: Login failed for user 'sa'.
I don't see much useful information here that can help me track down where
this is coming from; all the other data columns are empty. Am I missing
something? Is there some other tool I could use to track this down?
I'm guessing it's something on the server, based upon the ApplicationName
and HostName values being returned. Could it be a monitoring agent, i.e. MOM?
Thanks,
Mike

In most cases this is usually a drone (BotNet) PC hijacked and trying to gain
access to your SQL server using the sa account. Why Microsoft haven't
produced any useful tools to:
1. Track to the source
2. Automatically filter out traffic once the repetitive pattern has been
established and notify
But there again, I don't expect much from a company like Microsoft whose
motto is "just enough effort to get revenue and leverage the profit".
netstat should help you identify the IP (in your case it sounds like someone
behind your firewall has infested a PC with a BotNet -- since it happens
every 20-30 seconds it should be pretty clear which IP is the source).
You can also use ActivePorts (freeware) to identify the source connections.
Anyway, why these tools aren't built into SQL 2005 is beyond me -- but I
guess that just goes to show you Microsoft's true "commitment" to security
and why their OS/services are such an easy target when compared to *nix based
platforms.
"mikron2" wrote:
> I'm getting repeating "Login failed for user 'sa'" messages in my SQL Server
> log - every 20 to 30 seconds. These are also being recorded to the Event
> Viewer / Application log. This is a SQL Server 2000 SP4 instance inside the
> firewall.
>
> I'm running SQL Profiler and capturing as follows:
> Events:
> Security Audit - Audit Login Failed
> Sessions - ExistingConnection
> Stored Procedures - RPC:Completed
> Data Columns: All columns
> SQL Profiler is returning:
> Application Name: OSQL-32
> ClientProcessID: <differs>
> DatabaseID: 1
> Error: 18456
> Hostname: <server name>
> LoginName: sa
> LoginSid: 0x01
> StartTime: <differs>
> Success: 0
> TextData: Login failed for user 'sa'.
> I don't see much useful information here that can help me track down where
> this is coming from; all the other data columns are empty. Am I missing
> something? Is there some other tool I could use to track this down?
> I'm guessing it's something on the server, based upon the ApplicationName
> and HostName values being returned. Could it be a monitoring agent, i.e. MOM?
> Thanks,
> Mike
>
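The netstat check suggested in the reply, as an added example that is not part of the original thread: it groups connections to the SQL Server port by peer address and, for peers on the server itself (the case the Hostname column points to), looks up the client process ID. It assumes `netstat -ano` output and the default port 1433; the sample text is constructed and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample in `netstat -ano` format (not output from the poster's server).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    10.0.0.5:1433          10.0.0.5:3412          ESTABLISHED     1820
  TCP    10.0.0.5:3412          10.0.0.5:1433          ESTABLISHED     2544
  TCP    10.0.0.5:1433          10.0.0.5:3398          TIME_WAIT       0
  TCP    10.0.0.5:1433          10.0.0.77:4021         ESTABLISHED     1820
  TCP    10.0.0.5:3389          10.0.0.12:50211        ESTABLISHED     932
"""

def parse_rows(text):
    """Yield (local, foreign, state, pid) for each TCP row; headers and UDP are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield f[1], f[2], f[3], int(f[4])

def sql_peers(text, port=1433):
    """Return {peer_ip: {"count", "local", "client_pids"}} for connections to `port`."""
    rows = list(parse_rows(text))
    owner = {local: pid for local, _, _, pid in rows}  # local endpoint -> owning PID
    peers = defaultdict(lambda: {"count": 0, "local": False, "client_pids": set()})
    for local, foreign, state, _ in rows:
        l_ip, _, l_port = local.rpartition(":")
        if state == "LISTENING" or l_port != str(port):
            continue  # keep only the server-side half of each connection
        p_ip = foreign.rpartition(":")[0]
        entry = peers[p_ip]
        entry["count"] += 1
        if p_ip == l_ip or p_ip.startswith("127."):
            # Peer is this machine: the mirrored row (local endpoint == peer) has the client PID.
            entry["local"] = True
            pid = owner.get(foreign, 0)
            if pid:  # no mirrored row, or PID 0: the client process has already exited
                entry["client_pids"].add(pid)
    return dict(peers)

if __name__ == "__main__":
    for ip, info in sql_peers(SAMPLE).items():
        print(ip, info)
```

Connections that fail login are short-lived, so a single snapshot can miss them; sampling netstat repeatedly over a few of the 20-30 second cycles and feeding each capture to `sql_peers` gives a usable tally.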
Friday, March 9, 2012