This is on a SQL Server 2000 Machine.
The SQL server does not have access to the internet and is behind firewalls.
Port 1433 is not used on the SQL server and is not open in the firewall.
I am getting this error in the Windows Event Viewer in the Application section, Login Failed for user 'sa'.
In the SQL error Log I get the same message.
I created a SQL Profile Trace and included all the events I could. I used an article on the MSQLTips website for which events to track, but I still get nothing more than the basic error.
The pattern I see is this happens only during the week, Monday - Friday and usually between 8:00 am and 7 pm.
The time difference between the attempts is in minutes and not seconds. Sometimes the difference is in hours.
So to my mind, it is someone working through the web site to gain access.
We have used a app scanner , a brand name that I don't remember, to scan the site and it found some older pages that were vulnerable and these have since been removed.
BTW, I have changed the sa password to a very long password using all sorts of different characters. My Plan is to continue to change it often until we can find where this person is accessing the site and stop it.
My question is what monitoring tool is available to track what is happening when this person tries to log in so we can find the page or pages or find what the access point is and stop it?
I have no budget for this of course.
Thank for any advice in helping me stop these attempts.