September 28, 2008 at 10:06 am
Hi,
Can anyone offer an explanation as to why I am finding blocks of thousands (1 second apart from each other) of "Login Failure for user "sa" [CLIENT: 116.252.185.77]" in the SQL Server 2005 activity log? The IP is not always the same.
I am not using "sa" for any of my applications. Are my pages under some sort of attack by hacker software trying to get in or use up the resources?
Regards
September 28, 2008 at 1:07 pm
That could well be a hack attempt.
What's the previous line in the error log? (specifically the state?)
How strong is your sa password? If you're not using the account, can you disable it?
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
September 28, 2008 at 3:35 pm
Thank you Gail,
Severity 18, State 8
Good point about disabling it.
Is there a way or script that I can use so that once such attempts reach, let's say, 2 or 3, it redirects the client somewhere else or blocks them?
Regards
Simon
September 28, 2008 at 3:53 pm
One more thing,
I just found that for the past 5 hours it keeps on using random usernames.
Severity 14, State 5
Simon
September 28, 2008 at 4:34 pm
It does look like someone (or several someones) is running a brute-force hack attempt against your servers. Can you speak to your network people and see if they can block IP ranges at the firewall?
Unless the connection succeeds, there's nothing you can do from the SQL side, and I don't think you want the connections to succeed.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
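Added example, not part of any post in this thread: a sketch of the counting Simon asks about, done outside SQL Server by reading error log text and listing the client IPs that exceed a failure threshold, so the list can be handed to whoever manages the firewall. The sample log lines, the function names, and the threshold and window defaults are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the SQL Server error log layout (not from the thread).
# Error 18456 states: 8 = password mismatch, 5 = login name does not exist.
SAMPLE_LOG = """\
2008-09-28 10:06:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-28 10:06:01.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-28 10:06:02.12 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-28 10:06:02.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-28 10:06:03.15 Logon       Error: 18456, Severity: 14, State: 5.
2008-09-28 10:06:03.15 Logon       Login failed for user 'admin'. [CLIENT: 203.0.113.7]
2008-09-28 10:07:40.02 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-28 10:07:40.02 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.23]
2008-09-28 10:19:11.48 Logon       Error: 18456, Severity: 14, State: 8.
2008-09-28 10:19:11.48 Logon       Login failed for user 'webapp'. [CLIENT: 198.51.100.23]
"""
ERR = re.compile(r"^(\S+ \S+) Logon\s+Error: 18456, Severity: \d+, State: (\d+)\.")
FAIL = re.compile(r"Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")

def parse_failures(text):
    """Pair each 'Error: 18456' line with the 'Login failed' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        err, fail = ERR.match(line), FAIL.search(line)
        if err:
            when = datetime.strptime(err.group(1), "%Y-%m-%d %H:%M:%S.%f")
            pending = (when, int(err.group(2)))
            continue
        if fail and pending:
            events.append((pending[0], pending[1], fail.group(1), fail.group(2)))
        pending = None
    return events

def block_candidates(events, threshold=3, window=timedelta(minutes=1)):
    """Clients with at least `threshold` failures inside one `window`."""
    by_client = defaultdict(list)
    for when, state, user, client in sorted(events):
        by_client[client].append((when, state, user))
    flagged = {}
    for client, evs in by_client.items():
        # Sliding check: is the threshold-th failure within `window` of the first?
        if any(evs[i + threshold - 1][0] - evs[i][0] <= window
               for i in range(len(evs) - threshold + 1)):
            flagged[client] = {"failures": len(evs),
                               "users": sorted({u for _, _, u in evs}),
                               "states": sorted({s for _, s, _ in evs})}
    return flagged
```

On the sample, `block_candidates(parse_failures(SAMPLE_LOG))` flags only 203.0.113.7; the two `webapp` failures eleven minutes apart look like a mistyped password rather than a burst and stay off the list.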