SQLServerCentral is supported by Redgate

Login Failed for user 'sa'
GF
This is on a SQL Server 2000 Machine.
The SQL server does not have access to the internet and is behind firewalls.
Port 1433 is not used on the SQL server and is not open in the firewall.

I am getting this error in the Windows Event Viewer in the Application section, Login Failed for user 'sa'.

In the SQL error Log I get the same message.

I created a SQL Profiler trace and included all the events I could. I used an article on the MSSQLTips website for which events to track, but I still get nothing more than the basic error.

The pattern I see is this happens only during the week, Monday - Friday and usually between 8:00 am and 7 pm.
The time difference between the attempts is in minutes and not seconds. Sometimes the difference is in hours.

So to my mind, it is someone working through the web site to gain access.

We have used an app scanner, a brand name that I don't remember, to scan the site and it found some older pages that were vulnerable and these have since been removed.


BTW, I have changed the sa password to a very long password using all sorts of different characters. My plan is to continue to change it often until we can find where this person is accessing the site and stop it.

My question is what monitoring tool is available to track what is happening when this person tries to log in so we can find the page or pages or find what the access point is and stop it?

I have no budget for this of course.

Thanks for any advice in helping me stop these attempts.
Gary



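An added example, not posted by anyone in this thread: on SQL Server 2000 the 18456 message in the error log and event log carries no client address (the "[CLIENT: x.x.x.x]" suffix only arrived in 2005), but the Audit Login Failed trace event does carry the client-supplied HostName, ApplicationName and ClientProcessID, which is what you need to find the page, job or DSN behind the attempts. The script below builds a server-side trace for that one event with the SQL Server 2000 sp_trace_* procedures and then summarises the captured file by source and hour. The trace directory C:\Traces (writable by the SQL Server service account), the 50 MB file size and the filter on the login name sa are assumptions; adjust them for your server.

```sql
-- Added example (not from the original thread): server-side trace that records
-- only Audit Login Failed events, with the columns that identify the caller.
-- Assumes SQL Server 2000 sp_trace_* procedures and a writable C:\Traces folder.
DECLARE @rc          INT
DECLARE @traceid     INT
DECLARE @on          BIT
DECLARE @maxfilesize BIGINT

SET @on          = 1
SET @maxfilesize = 50   -- MB per file; option 2 below rolls over to a new file

-- Create the trace. The .trc extension is appended automatically.
-- @options = 2 enables TRACE_FILE_ROLLOVER; @stoptime NULL runs until stopped.
EXEC @rc = sp_trace_create @traceid OUTPUT, 2, N'C:\Traces\failed_logins', @maxfilesize, NULL
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed, return code %d', 16, 1, @rc)
    RETURN
END

-- Event 20 = Audit Login Failed. Column ids: 1 TextData, 8 HostName,
-- 9 ClientProcessID, 10 ApplicationName, 11 LoginName, 12 SPID, 14 StartTime.
EXEC sp_trace_setevent @traceid, 20,  1, @on
EXEC sp_trace_setevent @traceid, 20,  8, @on
EXEC sp_trace_setevent @traceid, 20,  9, @on
EXEC sp_trace_setevent @traceid, 20, 10, @on
EXEC sp_trace_setevent @traceid, 20, 11, @on
EXEC sp_trace_setevent @traceid, 20, 12, @on
EXEC sp_trace_setevent @traceid, 20, 14, @on

-- Keep only failures for the sa login (column 11 = LoginName,
-- logical operator 0 = AND, comparison operator 0 = equal). Drop this
-- line to capture failures for every login.
EXEC sp_trace_setfilter @traceid, 11, 0, 0, N'sa'

-- Start the trace (status 1 = start, 0 = stop, 2 = close and delete definition).
EXEC sp_trace_setstatus @traceid, 1
SELECT @traceid AS TraceId   -- note this id; you need it to stop the trace later

-- Later, after the failures have recurred: read the trace file(s) and summarise
-- who was failing, by source host, application, process and hour of day.
-- SQL Server 2000 requires the :: prefix on the rowset function; DEFAULT reads
-- all rollover files in the set.
SELECT  HostName,
        ApplicationName,
        ClientProcessID,
        LoginName,
        DATEPART(dw, StartTime) AS Weekday,     -- depends on @@DATEFIRST
        DATEPART(hh, StartTime) AS HourOfDay,
        COUNT(*)                AS Failures,
        MIN(StartTime)          AS FirstSeen,
        MAX(StartTime)          AS LastSeen
FROM    ::fn_trace_gettable(N'C:\Traces\failed_logins.trc', DEFAULT)
WHERE   EventClass = 20
GROUP BY HostName, ApplicationName, ClientProcessID, LoginName,
         DATEPART(dw, StartTime), DATEPART(hh, StartTime)
ORDER BY Failures DESC

-- When done, stop the trace and remove its definition, passing the TraceId
-- returned above:
--   EXEC sp_trace_setstatus @traceid, 0
--   EXEC sp_trace_setstatus @traceid, 2
```

Two caveats when reading the output. HostName and ApplicationName come from the client's login packet, so a deliberate attacker can set them to anything, but a misconfigured scheduled job, ODBC DSN, report or web page will report itself honestly, and ClientProcessID lets you match the process id on that host. And because the trace runs inside the server and writes to a file, it keeps capturing unattended through the Monday to Friday window described above without the Profiler GUI having to stay open.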
benjamin.reyes
The Windows event usually shows an IP address that the request came from. I usually start there.

Do a tracert on the ip and see where it's coming from.

From there it kinda depends on what you find out about the machine making the attempt.

If it's internal you can run something like this to see if maybe someone's running an app or a bad Crystal report that's requesting way too many privileges.
WMIC /Node:COMPUTERTOFIND ComputerSystem Get Username


Just replace COMPUTERTOFIND with the computer name and it will tell you who's currently logged in there so you can go over to their desk and tell them to stop.

If that doesn't resolve it you can run Netstat at an interval through the day and log the tcp connections that come in.
http://technet.microsoft.com/en-us/library/bb490947.aspx

Or when all else fails or you're really wanting to log and investigate everything at the packet level download Wireshark.
http://www.wireshark.org/
SQLRNNR
In addition to the advice given, I might go so far as to declare an emergency "hotfix" during the middle of the day for an hour or two.

Block traffic to the SQL box via the firewall and monitor to see if the failed login continues to happen.

I am betting the failed attempt is coming from internal.

When coming from external, the failures will typically be far more frequent.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

GF
This is what the event viewer shows

Event Type: Information
Event Source: MSSQLSERVER
Event Category: (4)
Event ID: 17055
Date: 7/18/2014
Time: 11:55:22 AM
User: N/A
Computer: <Server Name>
Description:
18456 :
Login failed for user 'sa'.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I have tried your suggestion and used
WMIC /Node:ComputertoFind ComputerSystem Get Username and it only shows my login.

I have asked my network admin about Wireshark but she has not responded just yet.

I appreciate the advice.

Thanks

Gary



benjamin.reyes
Re-reading the original post, is there a reason why you haven't disabled the sa login?
benjamin.reyes
Sounds like it's coming from the machine SQL Server is on? Are there any other apps or services, such as a cluster, that may be trying to log into SQL Server? Have you checked the ODBC settings for hints? Is anything throwing out errors saying it is failing to connect?
SQLRNNR
I wonder if SQL auth is even enabled. 18456 can be thrown (commonly) when SQL auth is disabled.

Even with SQL Auth disabled, you can change the sa password. Not that it amounts to much of anything.


Are you sure you don't have a service or application running that was trying to login using the sa account? That is a common thing too.


GF
Unfortunately we are using mixed mode authentication.

I have put in a request to the boss to change the application so that it will use Windows authentication, but that was not received very well. I will keep researching that to see if we can do it.

I have looked for anything on the machine that might be trying to connect but have not found anything.

I will check the services and see what is there that I don't know what it is.


Thanks for the help.

Gary