RE: How can I block attempts to hack into my SQL server?



Thanks for the replies.

The entries come from various IPs so I stopped tracing them a while back.

I already have a rule in ISA to deny traffic incoming and outgoing through
port 1433. Perhaps it's not working then? How could I test to see if ISA is
blocking port 1433 like it's supposed to?

"Hate_orphaned_users" wrote:

OrgName: West Wisconsin Telcom Cooperative, Inc
OrgID: WWTC-1
Address: P.O. Box 115
Address: E 4528 County Road C
City: Downsville
StateProv: WI
PostalCode: 54735
Country: US

NetRange: 216.222.160.0 - 216.222.191.255
CIDR: 216.222.160.0/19
NetName: WWTC-1
NetHandle: NET-216-222-160-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.AIRSTREAMCOMM.NET
NameServer: NS2.NETWORK1.NET
Comment:
RegDate: 2004-07-27
Updated: 2006-05-19

RAbuseHandle: FNGNC-ARIN
RAbuseName: First Network Group Network Center
RAbusePhone: +1-419-739-9240
RAbuseEmail: net-admin@xxxxxxxxxxxx

Well, here is the provider of the hacker, traced by the IP address.
E-mail the admin and report abuse.
Maybe he is on the same subnet as you ;)
You can also block incoming connections on your network interface with
Windows.

Greetz,

he is only 19 hops away from me.


I drank a lot of beer and ended up in the police department database.
Drank more beer and learned SQL in the dark hours.
DELETE FROM offenders WHERE Title='MrAA' AND Year=2006;
I love SQL :)




"Ryan" wrote:

I see these events in the logs of my SBS R2 server running SQL 2005:

Event Type: Failure Audit
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 18452
Date: 28/12/2006
Time: 10:34:06 PM
User: N/A
Computer: LRGI-MARLIN
Description:
Login failed for user 'sa'. The user is not associated with a trusted SQL
Server connection. [CLIENT: 216.222.166.55]

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 14 48 00 00 0e 00 00 00 .H......
0008: 0c 00 00 00 4c 00 52 00 ....L.R.
0010: 47 00 49 00 2d 00 4d 00 G.I.-.M.
0018: 41 00 52 00 4c 00 49 00 A.R.L.I.
0020: 4e 00 00 00 07 00 00 00 N.......
0028: 6d 00 61 00 73 00 74 00 m.a.s.t.
0030: 65 00 72 00 00 00 e.r...

I have tried blocking incoming and outgoing traffic on port 1433 in ISA
Server and have unchecked the option to allow remote connections to this
server, yet I still get these remote attempts to connect to my SQL server.
My SQL server is set to use Windows authentication.

How do I block them? Nobody will need to connect to this SQL server remotely.
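
Added example, not part of the original posts: a small Python script that tallies Event ID 18452 failures by client address and marks each source as external, internal or non-IP, which shows whether the attempts are really arriving from outside despite the ISA rule. The sample text is constructed in the format quoted above; only 216.222.166.55 comes from the thread, and the function name is hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the event quoted in the thread.
# 192.168.16.20 and "<local machine>" are made-up entries for illustration.
SAMPLE_LOG = """\
Event ID: 18452
Login failed for user 'sa'. The user is not associated with a trusted SQL
Server connection. [CLIENT: 216.222.166.55]
Event ID: 18452
Login failed for user 'sa'. The user is not associated with a trusted SQL
Server connection. [CLIENT: 216.222.166.55]
Event ID: 18452
Login failed for user 'admin'. The user is not associated with a trusted SQL
Server connection. [CLIENT: 192.168.16.20]
Event ID: 18452
Login failed for user 'sa'. The user is not associated with a trusted SQL
Server connection. [CLIENT: <local machine>]
"""

# The description wraps across lines, so match up to the [CLIENT: ...] tag.
FAILED_LOGIN = re.compile(
    r"Login failed for user '([^']*)'\.[^\[]*\[CLIENT:\s*([^\]]+)\]"
)

def summarize_failed_logins(text):
    """Count failures per (client, user) and classify where each came from."""
    counts = Counter()
    for user, client in FAILED_LOGIN.findall(text):
        counts[(client.strip(), user)] += 1
    report = []
    for (client, user), n in counts.most_common():
        try:
            addr = ipaddress.ip_address(client)
            # RFC 1918 / loopback sources sit behind the firewall already.
            origin = "internal" if addr.is_private or addr.is_loopback else "external"
        except ValueError:
            origin = "non-ip"  # e.g. "<local machine>" for local connections
        report.append({"client": client, "user": user, "count": n, "origin": origin})
    return report

if __name__ == "__main__":
    for row in summarize_failed_logins(SAMPLE_LOG):
        print(f"{row['count']:>4}  {row['origin']:<8}  {row['client']}  user={row['user']}")
```

Entries marked external mean connections are still reaching the SQL listener from the Internet, so the firewall rule or the listening interface needs checking; internal entries point at a host on the LAN instead.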