March 6, 2009 at 8:59 am
For the last few days I've been having a logon failure appear in the security eventlog on my db server. The attempts have been occurring like clockwork every 29 minutes.
I managed to trace the failure back to one of my SQL server instances but still haven't been able to work out what is generating the logon attempt.
Here is the latest eventlog entry.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/6/2009
Time: 10:29:00 AM
User: NT AUTHORITY\SYSTEM
Computer: DBServer
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: DBServer
Caller User Name: MyLocalAdminLogin
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x1B11086B)
Caller Process ID: 6364
Transited Services: -
Source Network Address: -
Source Port: -
I've checked the error logs for the database and the application eventlog and there are no coinciding entries.
Even restarting the database services didn't cause the attempts to skip a beat.
It doesn't seem like an external threat and there isn't anyone in my office who would be capable of an attack like this.
Does anyone have any ideas?
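One way to approach a question like this from the log side, before reaching for a packet capture, is to parse the Event ID 529 records and look for a caller (user name, process ID, authentication package) whose failures arrive on a fixed cadence. The Python below is an added example written for this thread, not code posted by anyone in it; the event text is constructed from the record above (three copies 29 minutes apart, plus one unrelated one-off failure), and the grouping key and the one-minute tolerance are choices of the example, not anything the thread specifies.

```python
"""Find periodic Windows logon-failure events (ID 529) by caller, from the text
form of the Security event log. Added example; the log below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample record in the shape of the one posted in the thread.
EVENT_TEMPLATE = """Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: {date}
Time: {time}
User: NT AUTHORITY\\SYSTEM
Computer: DBServer
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: DBServer
Caller User Name: {caller}
Caller Domain: MyDomain
Caller Logon ID: (0x0,0x1B11086B)
Caller Process ID: {pid}
Transited Services: -
Source Network Address: -
Source Port: -"""

# Three failures 29 minutes apart from one caller/process, and one unrelated
# failure from a different caller (constructed values).
SAMPLE_LOG = "\n\n".join(
    EVENT_TEMPLATE.format(date=d, time=t, caller=c, pid=p)
    for d, t, c, p in [
        ("3/6/2009", "9:31:00 AM", "MyLocalAdminLogin", "6364"),
        ("3/6/2009", "10:00:00 AM", "MyLocalAdminLogin", "6364"),
        ("3/6/2009", "10:05:00 AM", "jdoe", "4120"),
        ("3/6/2009", "10:29:00 AM", "MyLocalAdminLogin", "6364"),
    ]
)

# "Field Name: value"; the field name is letters and spaces only, so a time
# such as "10:29:00 AM" is kept whole in the value part.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")


def parse_events(text):
    """Split blank-line-separated records into dicts of field name -> value."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records


def event_time(rec):
    """Combine the Date and Time fields into a datetime."""
    return datetime.strptime(f"{rec['Date']} {rec['Time']}", "%m/%d/%Y %I:%M:%S %p")


def find_periodic_failures(records, event_id="529", tolerance=timedelta(minutes=1), min_events=3):
    """Group failures by (caller user, caller PID, auth package) and report groups
    whose inter-arrival gaps are all within `tolerance` of the median gap."""
    groups = defaultdict(list)
    for rec in records:
        if rec.get("Event ID") != event_id:
            continue
        key = (rec.get("Caller User Name", ""), rec.get("Caller Process ID", ""),
               rec.get("Authentication Package", ""))
        groups[key].append(event_time(rec))

    findings = []
    for (caller, pid, package), times in groups.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median_gap) <= tolerance for g in gaps):
            findings.append({
                "caller": caller, "pid": pid, "package": package,
                "count": len(times),
                "period_minutes": round(median_gap.total_seconds() / 60),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_failures(parse_events(SAMPLE_LOG)):
        print(f"{f['caller']} (PID {f['pid']}, {f['package']}): "
              f"{f['count']} failures every ~{f['period_minutes']} min")
```

On the constructed input this reports the MyLocalAdminLogin / PID 6364 group as recurring every 29 minutes and ignores the single jdoe failure. The Caller Process ID on a Logon Type 3 / Authz record is the local process that asked for the authorization, which is a useful pivot (look up that PID while the process is still alive) alongside the packet capture the thread ends up using. Event ID 529 is the Windows 2000/2003 identifier; on Windows Server 2008 and later the same failure is logged as Event ID 4625, so the `event_id` argument would change there.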
March 6, 2009 at 9:30 am
Since this is coming every 29 minutes without fail, I have a feeling that there is some monitoring service set up. Maybe MOM or some other software. This is scheduled to run every 30 min or so. The user that was set up to do the monitoring might have been disabled or deleted.
That could be why you are seeing this in the Event log.
-Roy
March 6, 2009 at 11:58 am
Thanks for the idea. I hadn't thought about that vector.
I tried disabling the monitoring software (SQL SPY 6) and it did not have an effect; the failures are still appearing.
Thanks again
March 6, 2009 at 1:36 pm
This is probably a network login. Maybe MOM or Altiris or some other software like that.
-Roy
March 6, 2009 at 2:13 pm
You were right. After doing a couple of packet captures I managed to sort out where the attempt was coming from.
Management decided to outsource our exchange server administration and they failed to see a need to notify us that they installed monitoring software, or to configure it properly for that matter.
Thanks again for your help!
March 6, 2009 at 2:16 pm
You are welcome and I am glad you sorted it out.
-Roy
March 7, 2009 at 8:42 am
What did you use for monitoring packets... on SQL, by the way?
March 9, 2009 at 3:14 pm
It wasn't so much monitoring as it was capture. I used Wireshark on the server to capture packets during the time frame I expected the next failed logon to occur. That was where I found the Kerberos unknown client failure packet, and it provided me with the originating IP address.
March 9, 2009 at 4:00 pm
Thanks for sharing...