RE: "login failed for user ..." appears in event viewer repeatedly
- From: Sean McCown <SeanMcCown@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 30 Jun 2008 12:50:01 -0700
That certainly sounds like a brute force attack to me.
Now you've gotta figure out where it's coming from.
On that computer, you'll wanna find out what's actually running when that
happens. Can you tie it down to a specific user acct? In your profiler
trace does it give you an application name? If so, then you can see where
it's coming from on that box based on that. You can also capture your
sysprocesses table every 5 secs or so and save it to a table and search
through it for more information. Now that you have the box isolated you can
do these things.
So that's what I'd do. That code is running from something on that box.
Either an NT-level file or a job, or something, right... so now you have to
find that. See if your profiler trace captured the app name. If so, search
the box for signs of that. If not, then capture sysprocesses every few secs
and see what you come up with there. Between sysprocesses and profiler you
should be able to tie it to a spid and see where this is coming from. Also,
on the offending box, capture a perfmon trace on all the processes in the
process class. Use _Total... this way, you can tie the sysprocesses entries
to the NT entry if it turns out to be a windows file.
Is all this clear?
--
Read my book reviews at:
http://www.ITBookworm.com
Blog Author of:
Database Underground -- http://weblog.infoworld.com/dbunderground/
DBA Rant – http://dbarant.blogspot.com
"KT" wrote:
Hello again..
I have done some more troubleshooting and I could use some additional
guidance.
I used SQL profiler to audit logins and login failures.
What I found is that one offending computer in the network started trying to
log in to SQL, about once per second. The accounts tried were sa, admin and
root. One account would be tried for a few minutes, then it would move to
another account. This went on for about 20 minutes, then stopped.
I have an sa account on SQL along with others. I do not have admin or root
accounts set up. It appears that some exploit is coming from that workstation.
Does this sound correct, and how do I troubleshoot this?
Thanks again for your help.
KT
"KT" wrote:
Hello.
I have messages in event viewer several times per minute that say "Login
failed for user ....". The errors rotate through all the accounts that I have
set up in SQL.
I need direction in how to determine what is trying to log in and how to
correct it. Are these attempts to compromise my system?
Thank you for your help.
KT
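
One way to carry out the sysprocesses capture suggested in the reply above, as an added T-SQL example that is not part of the original thread. The table name dbo.sysprocesses_capture, the 30-minute run time and the host name OFFENDING-PC are assumptions made for illustration.

```sql
-- Added example, not code from the thread.
-- Assumed names: dbo.sysprocesses_capture (capture table), OFFENDING-PC (the workstation).
CREATE TABLE dbo.sysprocesses_capture (
    capture_time  datetime       NOT NULL,
    spid          smallint       NOT NULL,
    hostname      nvarchar(128)  NULL,  -- client-supplied workstation name
    program_name  nvarchar(128)  NULL,  -- client-supplied application name
    hostprocess   nvarchar(10)   NULL,  -- process ID on the client workstation
    loginame      nvarchar(128)  NULL,
    nt_domain     nvarchar(128)  NULL,
    nt_username   nvarchar(128)  NULL,
    net_address   nvarchar(12)   NULL,
    login_time    datetime       NULL,
    last_batch    datetime       NULL
);
GO

-- Snapshot sysprocesses every 5 seconds for 30 minutes (assumed duration).
-- Only connections that exist at the moment of a snapshot are recorded.
DECLARE @stop datetime;
SET @stop = DATEADD(minute, 30, GETDATE());

WHILE GETDATE() < @stop
BEGIN
    INSERT INTO dbo.sysprocesses_capture
        (capture_time, spid, hostname, program_name, hostprocess, loginame,
         nt_domain, nt_username, net_address, login_time, last_batch)
    SELECT GETDATE(), spid, RTRIM(hostname), RTRIM(program_name),
           RTRIM(hostprocess), RTRIM(loginame), RTRIM(nt_domain),
           RTRIM(nt_username), RTRIM(net_address), login_time, last_batch
    FROM master.dbo.sysprocesses;

    WAITFOR DELAY '00:00:05';
END
GO

-- Summarise what the workstation ran: one row per application / client process.
SELECT hostname, program_name, hostprocess, loginame, net_address,
       MIN(capture_time)    AS first_seen,
       MAX(capture_time)    AS last_seen,
       COUNT(DISTINCT spid) AS spids_seen,
       COUNT(*)             AS samples
FROM dbo.sysprocesses_capture
WHERE hostname = N'OFFENDING-PC'
GROUP BY hostname, program_name, hostprocess, loginame, net_address
ORDER BY last_seen DESC;
```

The hostprocess value is the process ID on the client, so it can be matched against the "ID Process" counter of the perfmon Process object captured on the workstation. Because hostname and program_name are supplied by the client, compare them against net_address before trusting them.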