RE: "login failed for user ..." appears in event viewer repeatedly

Thanks Sean.

Looks like our messages went past each other.

Upon further examination, I found I was mistaken about the computer name the
logins are originating from. The user's name is betty and the computer name
that it is coming from is bettys. Upon further examination, I found that this
isn't her computer name, (it was close) and I do not have a computer with
that name on the network. That user is having intermittent lockups using a
certain app that uses SQL. So, I thought that these two were tied together,
but they may be separate issues.

It looks like I am getting hit somehow. I need to figure out where this is
coming from.

Also, I looked closer at the SQL accounts. I do have an sa, but there are
two other accounts that are being tried that I do not have. They are admin
and root.

At this point, I would welcome suggestions on how to pinpoint where this is
coming from, and how to stop it.

Thanks for your help.

KT

"KT" wrote:

Hello again.

I have done some more troubleshooting and I could use some additional
guidance.

I used SQL profiler to audit logins and login failures.

What I found is that one offending computer in the network started trying to
login to SQL, about once per second. The accounts tried were sa, admin and
root. One account would be tried for a few minutes, then it would move to
another account. This went on for about 20 minutes, then stopped.

I have an sa account on SQL along with others. I do not have admin or root
accounts set up. It appears that some exploit is coming the that workstation.

Does this sound correct, and how do I troubleshoot this?

Thanks again for your help.

KT


"KT" wrote:

Hello.

I have messages in event viewer several times per minute that say "Login
failed for user ....". The errors rotate through all the accounts that I have
setup in SQL.

I need direction in how to determine what is trying to login and how to
correct it. Are these attempts to compromise my system?

Thank you for your help.

KT
.

Relevant Pages

  • RE: "login failed for user ..." appears in event viewer repeatedly
    ... OK, did I hear you right, you've determined that the attacks are coming from ... holes to that segment and/or box to just the SQL ports. ... I looked closer at the SQL accounts. ... I used SQL profiler to audit logins and login failures. ...
    (microsoft.public.sqlserver.security)
  • RE: "login failed for user ..." appears in event viewer repeatedly
    ... then capture sysprocesses every few secs ... I used SQL profiler to audit logins and login failures. ... accounts set up. ...
    (microsoft.public.sqlserver.security)
  • Re: Repost: Local logon and Network Access settings
    ... think require network login since they are over the wire do in fact ... In the default situation, Authenticated Users ... is a member of User on a member machine, and, Users are granted ... user accounts that should be allowed to log into the machines in SomeOU. ...
    (microsoft.public.windows.group_policy)
  • Re: Repost: Local logon and Network Access settings
    ... > think require network login since they are over the wire do in fact ... In the default situation, Authenticated Users ... > is a member of User on a member machine, and, Users are granted ... > user accounts that should be allowed to log into the machines in SomeOU. ...
    (microsoft.public.windows.group_policy)
  • =?ISO-8859-1?Q?Re:_RE:_Prob:_failed_to_verify_krb5_credentials:_Server_not_?= =?ISO-8859
    ... Every user shall login with its already existing AD accounts. ... These are the logins, which I try to enter in the login prompt when I visit http://wiki.test.lan:8080. ... I did a nslookup on the unix system and it showed me the server as ... AD, thats also in the keytab file, is TWikiUser. ...
    (comp.protocols.kerberos)