RE: Repeated "Login failed for user 'sa'" entries in SQL Server log
- From: Rob A. <RobA@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 14 Jun 2007 10:38:00 -0700
In most cases this is usually a drone (BotNet) PC hijacked and trying to gain
access to your SQL server using the sa account. Why Microsoft haven't
produced any useful tools to:
1. Track to the source
2. Automatically filter out traffic once the repetitive pattern has been
established and notify
But there again, I don't expect much from a company like Microsoft whose
motto is "just enough effort to get revenue and leverage the profit".
netstat should help you identify the IP (in your case it sounds like someone
behind your firewall has infested a PC with a BotNet -- since it happens
every 20-30 seconds it should be pretty clear which IP is the source.
You can also use ActivePorts (freeware) to identify the source connections.
Anyway, why these tools aren't built into SQL 2005 is beyond me -- but I
guess that just goes to show you Microsoft's true "commitment" to security
and why their OS/services are such an easy target when compared to *nix based
platforms.
"mikron2" wrote:
I'm getting repeating "Login failed for user 'sa'" messages in my SQL Server
log - every 20 to 30 seconds. These are also being recorded to the Event
Viewer / Application log. This is a SQL Server 2000 SP4 instance inside the
firewall.
I'm running SQL Profiler and capturing as follows:
Events:
Security Audit - Audit Login Failed
Sessions - ExistingConnection
Stored Procedures - RPC:Completed
Data Columns: All columns
SQL Profiler is returning:
Application Name: OSQL-32
ClientProcessID: <differs>
DatabaseID: 1
Error: 18456
Hostname: <server name>
LoginName: sa
LoginSid: 0x01
StartTime: <differs>
Success: 0
TextData: Login failed for user 'sa'.
I don't see much useful information here that can help me track down where
this is coming from; all the other data columns are empty. Am I missing
something? Is there some other tool I could use to track this down?
I'm guessing it's something on the server, based upon the ApplicationName
and HostName values being returned. Could it be a monitoring agent, i.e. MOM?
Thanks,
Mike
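The two server-side checks discussed in this thread (confirming the 20-30 second cadence of the failed 'sa' logins, and using netstat to find which client keeps opening connections to the instance) can be scripted rather than eyeballed. The following is an added example written for this archive page, not code from either poster. The SQL Server error-log excerpt and the `netstat -n` snapshot embedded in it are constructed sample data, and the port number 1433 and the 20/30 second bounds are assumptions taken from the thread:

```python
"""Triage helper for repeated "Login failed for user 'sa'" events.

Two checks a DBA can run on the SQL Server host:
  1. parse error-log lines and measure the gap between consecutive failed
     'sa' logins to confirm a fixed-period (automated) pattern;
  2. parse a `netstat -n` snapshot and rank the foreign addresses holding a
     TCP socket to the instance's listening port (1433 assumed here).
All input below is constructed sample data, not output from a real server.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed error-log excerpt in the SQL Server 2000 layout: timestamp, source, text.
ERRORLOG = """\
2007-06-14 10:30:02.17 logon     Login failed for user 'sa'.
2007-06-14 10:30:27.41 logon     Login failed for user 'sa'.
2007-06-14 10:30:52.90 logon     Login failed for user 'sa'.
2007-06-14 10:31:18.05 logon     Login failed for user 'sa'.
2007-06-14 10:31:20.00 spid51    Using 'xpstar.dll' version '2000.80.2039' to execute extended stored procedure 'xp_msver'.
2007-06-14 10:31:43.66 logon     Login failed for user 'sa'.
"""

# Constructed `netstat -n` snapshot taken on the SQL Server host (10.0.0.5).
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:1433          10.0.0.5:3412          ESTABLISHED
  TCP    10.0.0.5:1433          10.0.0.23:1057         ESTABLISHED
  TCP    10.0.0.5:1433          10.0.0.23:1058         TIME_WAIT
  TCP    10.0.0.5:1433          10.0.0.23:1059         TIME_WAIT
  TCP    10.0.0.5:1433          10.0.0.23:1060         TIME_WAIT
  TCP    10.0.0.5:3389          10.0.0.9:2211          ESTABLISHED
"""

LOGIN_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'"
)
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)\s+(?P<state>\S+)"
)


def failed_login_times(log_text, user="sa"):
    """Timestamps of 'Login failed' lines for `user`, in log order."""
    times = []
    for line in log_text.splitlines():
        m = LOGIN_FAIL_RE.match(line)
        if m and m.group("user") == user:
            times.append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"))
    return times


def intervals_seconds(times):
    """Gaps in seconds between consecutive timestamps."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def is_periodic(times, low=20.0, high=30.0, min_events=3):
    """True when at least `min_events` events occur and every gap lies in [low, high].
    A human retrying a password does not keep to a 20-30 s schedule; a script does."""
    gaps = intervals_seconds(times)
    return len(gaps) >= min_events - 1 and all(low <= g <= high for g in gaps)


def connections_to_port(netstat_text, port=1433):
    """Count foreign addresses with a TCP socket to the local `port`, in any state.
    TIME_WAIT entries matter: a failed login closes the socket almost at once,
    so the offending client mostly shows up as a trail of TIME_WAIT sockets."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group("lport")) == port:
            counts[m.group("faddr")] += 1
    return counts


def likely_source(netstat_text, port=1433):
    """(address, socket_count) for the busiest client, or None if nothing is connected."""
    counts = connections_to_port(netstat_text, port)
    return counts.most_common(1)[0] if counts else None


if __name__ == "__main__":
    times = failed_login_times(ERRORLOG)
    print(f"{len(times)} failed 'sa' logins; gaps: {intervals_seconds(times)}")
    print("fixed-period pattern:", is_periodic(times))
    print("sockets to port 1433 by client:", dict(connections_to_port(NETSTAT)))
    print("most likely source:", likely_source(NETSTAT))
```

Run it on the real error log (`ERRORLOG` replaced by the file contents) and on several `netstat -n` snapshots taken a few seconds apart, since a single snapshot can miss a client whose socket has already left TIME_WAIT. The sample snapshot also keeps a loopback-style entry from the server's own address, which is the case Mike is asking about: if the busiest address turns out to be the server itself, the next step is the local process owning that socket (`netstat -no` on Windows XP/2003 and later shows the PID). On SQL Server 2005 and later the error-log line itself carries a `[CLIENT: address]` suffix, so the netstat step is only needed on SQL 2000.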