RE: Login failed for user 'sa'
From: Donna Lambert (DonnaLambert_at_discussions.microsoft.com)
Date: 04/28/05
- Previous message: Donna Lambert: "Re: Multiple accounts with the name MSSQLSvc..."
- In reply to: Ian Bell: "Login failed for user 'sa'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 28 Apr 2005 09:36:05 -0700
Yes, you are getting hacked...no SQL doesn't record the address of the attempt.
Throw Network monitor on the SQL server and start sniffing all inbound
traffic. Look for the failed SA attempts. Chances are it's outside your
firewall anyway, and you should be able to ask your Network admin to give you
a log of all inbound traffic to the SQL IP address.
If you haven't moved SQL off port 1433, do so, and block all inbound 1433
traffic!!!
Donna Lambert
"Ian Bell" wrote:
> Hi,
>
> We are getting a lot of entries in the Windows event log indicating 'Login
> failed for user 'sa'' and 'root'. It seems like an obvious hack attempt but
> is there any way of determining the source (ip address) of these attempts. I
> can't understand why SQL doesn't log the ip address of login attempts.
>
> Thanks - Ian
>
>
>
- Previous message: Donna Lambert: "Re: Multiple accounts with the name MSSQLSvc..."
- In reply to: Ian Bell: "Login failed for user 'sa'"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
