February 26, 2009 at 5:36 am
I've just inherited a SQL 2005 SP2 system which no one knows anything about. While taking a look at the activity log I see dozens and dozens of the following errors:
login failed for user 'sa'.[CLIENT: ]
Error: 18456, Severity: 14, State: 8
They run all night long and happen as frequently as a second apart or as far as a few minutes. Then there are periods where hours go by and then it's right back at it again. State 8 tells me it's a password mismatch and I know it's coming from the local machine so it's probably not a hack (it's also been going on for at least a year based on the logs).
The instance is in mixed mode (Windows/SQL auth), sa has its default database set to master. There is a maintenance plan with 5 SQL jobs associated with it. They are all owned by sa and they are all running fine with no errors or failed jobs. There are no scheduled tasks on the server.
So two questions:
1. Anyone seen this before and have a fix?
2. Any ideas on how I can track down what is trying to connect to the database?
Thanks.
February 26, 2009 at 1:06 pm
I'd recommend running a trace (SQL Server Profiler) targeted at sa to track down where the activity is coming from.
February 26, 2009 at 2:25 pm
You could also ping the Client IP address and find out who owns the machine on the network. It's probably an old job that was set up and forgotten about.
February 26, 2009 at 6:30 pm
The IP address is your clue to figure out the origin!
* Noel
February 27, 2009 at 5:20 am
I ran a SQL Profiler trace and determined it was the Report Server going mad against the database. So I know what it is at least. Here's my next question - since I inherited this system with no backstory whatsoever and no previous experience with SSRS - how the hell do I figure out if it's even being used or it was just installed and forgotten about?
February 27, 2009 at 8:53 am
jbessell (2/27/2009)
I ran a SQL Profiler trace and determined it was the Report Server going mad against the database. So I know what it is at least. Here's my next question - since I inherited this system with no backstory whatsoever and no previous experience with SSRS - how the hell do I figure out if it's even being used or it was just installed and forgotten about?
Look through your SSRS data sources and see who is using sa ...
February 27, 2009 at 10:08 am
SSRS has log files that may give you a clue. Default is under C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\Log Files.
Between this and IIS log files you should be able to determine if it's being used.
Greg E
February 27, 2009 at 11:40 am
Okay, I checked the logs directory and found that there are a handful of logs dated from March 2008 when this system was supposedly installed and nothing else. But then I found another directory with more logfiles and those ones are current so I guess something is going on.
February 27, 2009 at 11:48 am
That would seem likely.
http:\\servername\reports and see if anything shows up might be interesting.
Make sure you look at the IIS logs too, under the Windows\System32\Log Files folder.
Greg E
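Added example, not part of the thread: one way to triage the 18456 entries discussed above is to group them by login, client and state so the source and rhythm of the failures stand out. The sample log is constructed, and the function name and the pairing of each "Error: 18456" line with the "Login failed" line that shares its timestamp are assumptions of this sketch.

```python
import re
from datetime import datetime

# Constructed sample in the ERRORLOG layout (timestamp, source, message).
# The 10.0.0.25 client and the spid52 line are made up for illustration.
SAMPLE_LOG = """\
2009-02-26 01:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2009-02-26 01:00:01.10 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
2009-02-26 01:00:02.31 Logon       Error: 18456, Severity: 14, State: 8.
2009-02-26 01:00:02.31 Logon       Login failed for user 'sa'. [CLIENT: <local machine>]
2009-02-26 01:04:10.00 spid52      Starting up database 'ReportServer'.
2009-02-26 04:30:00.75 Logon       Error: 18456, Severity: 14, State: 8.
2009-02-26 04:30:00.75 Logon       Login failed for user 'sa'. [CLIENT: 10.0.0.25]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
STATE = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)")
FAILED = re.compile(r"Login failed for user '([^']*)'\.\s*\[CLIENT: ([^\]]*)\]")


def summarize_failed_logins(log_text):
    """Return {(user, client, state): {"count", "first", "last"}} for 18456 failures."""
    summary = {}
    pending = None  # (timestamp, state) from the most recent "Error: 18456" line
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines and blanks carry no timestamp
        ts_text, _source, message = m.groups()
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S.%f")
        state = STATE.search(message)
        if state:
            pending = (ts, int(state.group(1)))
            continue
        failed = FAILED.search(message)
        if not failed:
            continue
        user = failed.group(1)
        client = failed.group(2).strip() or "(blank)"
        # Only trust the state if it came from the same logged event.
        st = pending[1] if pending and pending[0] == ts else None
        pending = None
        entry = summary.setdefault((user, client, st), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


if __name__ == "__main__":
    rows = sorted(summarize_failed_logins(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (user, client, st), e in rows:
        print(f"{user:<6} {client:<16} state={st} count={e['count']} {e['first']} .. {e['last']}")
```

A high count from a single client with state 8 over a long first-to-last window is the pattern the original poster describes: a stored, stale password being retried by a service rather than someone guessing.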