sa pswrd attempts
From: cb (spam-nospam@niagaramasters.org)
Date: 12/11/02
- Next message: Gary: "SQL Server 7 Service Account Name"
- Previous message: Narayana Vyas Kondreddi: "Re: MSDE"
- Next in thread: Stamey: "Re: sa pswrd attempts"
- Reply: Stamey: "Re: sa pswrd attempts"
- Reply: Jasper Smith: "Re: sa pswrd attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "cb" <spam-nospam@niagaramasters.org> Date: Wed, 11 Dec 2002 13:04:11 -0500
our network folks notified us that network traffic to one of our NT 4.0 SQL
7.0 machines increased from ~20mgs to 500mgs, suggesting some type of
intrusion.
We could not find too much on the machine (NAV virus scan run, search for
3mg files), then we looked in SQL logs which showed failed sa login
attempts - 4/per second. port scans noted the IP address. After quickly
throwing up Zone Alarm and asking our network folks to block all
inbound/outbound traffic to this IP, we were eventually able to stop this
attack.
When I looked at the logs again, I found another short attack mounted at
5:59 to 6:08 with 4-5 attempts/min on sa. Zone Alarm is set to only allow
access from our local subnets, so I assume this is now an inside attempt. I
fear the only way to stop this is to go to Windows only autentication, which
I am not able to do. Is there a way to log/track what IP or program is
making the attempts on sa (assuming it is possibly an inside job at this
point?).
TIA,
C
- Next message: Gary: "SQL Server 7 Service Account Name"
- Previous message: Narayana Vyas Kondreddi: "Re: MSDE"
- Next in thread: Stamey: "Re: sa pswrd attempts"
- Reply: Stamey: "Re: sa pswrd attempts"
- Reply: Jasper Smith: "Re: sa pswrd attempts"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
