Solved

Login failed for user 'sa'. Event repeats 2 to 4 times per second on SQL 2000 SP3a

Posted on 2004-09-24
Last Modified: 2010-07-27
Hi All,

I found my event log with 80,000+ entries of "Login failed for user 'sa'".
I figure it must be an attack of some sort and was wondering if there was something I can do about it.
I am running SQL 2000 SP3a on a Windows Server 2003 Standard (with all the latest patches).
There are 2 backup jobs (1 for system DBs and 1 for user DBs) that run early every morning (but this is occurring right now at 9:30pm) with the 'sa' user.
There are 2 website databases (1 ASP site - accessing via OLEDB connection string under a different user and 1 ASP.Net site accessing via the SQL OLE connector under a different user).

The SQL box is set to "mixed mode"
The SQL agent uses the local Windows system account.

Following is the actual event message:

Event Type:      Information
Event Source:      MSSQLSERVER
Event Category:      (4)
Event ID:      17055
Date:            9/24/2004
Time:            9:34:50 PM
User:            N/A
Computer:      KPSS1
Description:
18456 :
Login failed for user 'sa'.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 06 00 00 00 4b 00 50 00   ....K.P.
0010: 53 00 53 00 31 00 00 00   S.S.1...
0018: 07 00 00 00 6d 00 61 00   ....m.a.
0020: 73 00 74 00 65 00 72 00   s.t.e.r.
0028: 00 00                     ..      


What should I do about this? (other than shutting down port 1433 on the firewall and turning it back on when I need to move data)

TIA
Question by: simplyamazing
6 Comments
 
Accepted Solution

by: jdlambert1 (LVL 15), earned 250 total points
ID: 12148833
If your web site code is vulnerable to SQL injection attacks, this may be a brute-strength attack trying to break the sa password.

You can run Profiler to see if these efforts are coming from your web server or from the outside world.

Your firewall should create 3 zones: Internet, DMZ, and Corporate LAN. Your web server should be on the DMZ, your SQL Server should be on the LAN, and there should be a hole between the DMZ and LAN that only allows the IP addresses of the web server and SQL Server to connect to each other. If you need port 1433 open for data transfers or remote SQL Server management, the firewall should be configured to only allow connections from the specific IP addresses of computers under your control.
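As an added example (not part of jdlambert1's reply or the original thread), here is the server-side equivalent of the Profiler advice above for SQL Server 2000: a trace that records only Audit Login Failed events for the 'sa' login together with the client-reported host name and application name, followed by a query that ranks the failures by source and minute. The trace file path and the threshold of 10 failures per minute are assumptions; the sp_trace_* procedures and the fn_trace_* functions are SQL 2000's own.

```sql
-- Added example (not from the thread): a server-side trace that captures the same
-- "Audit Login Failed" events Profiler shows, restricted to the 'sa' login, with the
-- columns that identify where each attempt came from. Path and threshold are assumptions.
DECLARE @TraceID int, @maxsize bigint, @rc int, @on bit
SET @maxsize = 50          -- MB per file before rolling over (option 2 below)
SET @on = 1

-- sp_trace_create appends .trc to the file name itself.
EXEC @rc = sp_trace_create @TraceID OUTPUT, 2, N'C:\Traces\sa_login_failures', @maxsize, NULL
IF @rc <> 0
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc)

-- Event class 20 = Audit Login Failed. Column ids are SQL 2000's trace column numbers.
EXEC sp_trace_setevent @TraceID, 20,  1, @on   -- TextData        ("Login failed for user 'sa'.")
EXEC sp_trace_setevent @TraceID, 20,  8, @on   -- HostName        (client-reported machine name)
EXEC sp_trace_setevent @TraceID, 20, 10, @on   -- ApplicationName (client-reported)
EXEC sp_trace_setevent @TraceID, 20, 11, @on   -- LoginName
EXEC sp_trace_setevent @TraceID, 20, 12, @on   -- SPID
EXEC sp_trace_setevent @TraceID, 20, 14, @on   -- StartTime

-- Keep only attempts against 'sa': column 11, logical AND (0), comparison equal (0).
EXEC sp_trace_setfilter @TraceID, 11, 0, 0, N'sa'

EXEC sp_trace_setstatus @TraceID, 1            -- 1 = start
SELECT @TraceID AS TraceID
GO

-- Run later, once enough attempts have been recorded: stop the trace, then rank the
-- failures by source and minute. Dozens per minute from one host is a password-guessing
-- run, not a mistyped password.
DECLARE @TraceID int
SELECT @TraceID = traceid
FROM ::fn_trace_getinfo(DEFAULT)
WHERE property = 2                             -- property 2 = trace file name
  AND CONVERT(nvarchar(256), value) = N'C:\Traces\sa_login_failures.trc'
IF @TraceID IS NOT NULL
BEGIN
    EXEC sp_trace_setstatus @TraceID, 0        -- 0 = stop
    EXEC sp_trace_setstatus @TraceID, 2        -- 2 = close and delete the definition (file stays on disk)
END

SELECT HostName,
       ApplicationName,
       CONVERT(char(16), StartTime, 120) AS MinuteBucket,   -- yyyy-mm-dd hh:mi
       COUNT(*)                          AS Failures
FROM ::fn_trace_gettable(N'C:\Traces\sa_login_failures.trc', DEFAULT)  -- DEFAULT reads all rollover files
WHERE EventClass = 20
  AND LoginName  = 'sa'
GROUP BY HostName, ApplicationName, CONVERT(char(16), StartTime, 120)
HAVING COUNT(*) > 10                           -- assumed threshold; 2-4 per second is 120-240 per minute
ORDER BY Failures DESC
GO
```

Two caveats. HostName and ApplicationName are filled in by the client library, so a remote attacker can send anything (or nothing) in them; the trace is good for telling a misconfigured web server or an internal machine from an outside source, but the firewall log remains the authoritative record of the remote IP. And the event-log entry posted in the question carries no client address at all, because SQL 2000's 18456 message does not include one; that is why the trace, or the firewall, has to supply it.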
 
Expert Comment

by: jdlambert1 (LVL 15)
ID: 12148837
A password attack could also come from the inside, from a rogue employee. In that case, Profiler may identify the exact computer and login.
 
Expert Comment

by: jdlambert1 (LVL 15)
ID: 12148849
Everything in SQL Server and IIS should quit trying to log in after a single failure.

And of course, none of your code on the web server or elsewhere should be configured to use the sa account for anything. It should be given an extremely difficult password (written down and kept in a safety deposit box), and another account (or accounts) should be created to use for daily admin, and accounts with the fewest permissions necessary for user & web server access.
 
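As an added example (not part of the thread), the account layout jdlambert1 describes, written in SQL 2000 T-SQL against the setup in the question: sa gets a new password and is retired from daily use, a named sysadmin login takes over administration, the two backup jobs get a login that can only back up, and each of the two web sites gets a login confined to the site's database with only the permissions its pages need. The login names, database name, procedure and table names and the placeholder passwords are assumptions; the system procedures are SQL 2000's.

```sql
-- Added example, not from the original thread. Names, databases and passwords are placeholders.
USE master
GO
-- 1. sa stays (it cannot be renamed or dropped in SQL 2000) but gets a long random password
--    that is stored offline and never typed into a connection string or job.
--    A sysadmin may pass NULL as the old password.
EXEC sp_password NULL, N'<long random passphrase kept offline>', 'sa'

-- 2. A named login for day-to-day administration, so admin activity is attributable
--    to a person rather than to 'sa'.
EXEC sp_addlogin N'dba_jsmith', N'<strong password>', N'master'
EXEC sp_addsrvrolemember N'dba_jsmith', 'sysadmin'

-- 3. A login for the two backup jobs. It is not sysadmin: db_backupoperator in each
--    database is enough to run BACKUP DATABASE and BACKUP LOG there.
EXEC sp_addlogin N'backup_svc', N'<strong password>', N'master'
GO
USE WebSiteDB        -- repeat this block for every database the user-DB job backs up
EXEC sp_grantdbaccess N'backup_svc'
EXEC sp_addrolemember 'db_backupoperator', N'backup_svc'
GO

-- 4. One login per web site, confined to that site's database. The ASP site's OLEDB
--    connection string and the ASP.NET connection string each carry their own login.
USE master
EXEC sp_addlogin N'web_asp', N'<app password 1>', N'WebSiteDB'
EXEC sp_addlogin N'web_net', N'<app password 2>', N'WebSiteDB'
GO
USE WebSiteDB
EXEC sp_grantdbaccess N'web_asp'
EXEC sp_grantdbaccess N'web_net'
-- Grant only what the pages call. EXECUTE on stored procedures keeps the login away
-- from the base tables entirely; fall back to per-table SELECT/INSERT only where the
-- application really issues ad hoc SQL. Neither login is added to db_datareader,
-- db_datawriter or db_owner.
GRANT EXECUTE ON dbo.usp_GetProductList TO web_asp, web_net
GRANT EXECUTE ON dbo.usp_PlaceOrder     TO web_net
GRANT SELECT  ON dbo.Products           TO web_asp
GO

-- 5. Verify: only sa and the named admin should be members of sysadmin, and the web
--    logins must not own the database or hold any fixed database role.
EXEC sp_helpsrvrolemember 'sysadmin'
EXEC sp_helpuser 'web_asp'
EXEC sp_helpuser 'web_net'
GO
```

Two points on why this matters for the attack in the question. The guesses are aimed at 'sa' specifically, and SQL 2000 has no lockout or delay for SQL logins, so the password's length is the whole defence once port 1433 is reachable; and if an injection flaw in either site lets an attacker run arbitrary SQL, a login that can only execute a few procedures limits the damage, whereas a site running as sa hands over the server.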
 
Expert Comment

by: jdlambert1 (LVL 15)
ID: 12148860
read: "rogue" employee
 

Author Comment

by: simplyamazing
ID: 12148952
Thanks!

I have a dynamic IP, but it changes only once a week, so I've been successful at blocking the attack.
The events no longer show up (definitely an attack!).  
Maybe Microsoft can put a mini-firewall into SQL that can block attacks so remote connections with dynamic IPs don't require constant changing of the IP address in an external firewall - or use a failed login delay where each subsequent failure makes the delay grow exponentially large (the time between failed logins, that is)!
This would be great for ISPs who share their DBs online where clients connect via EM.
 
Expert Comment

by: jdlambert1 (LVL 15)
ID: 12148983
They've started putting a mini-firewall in XP. It's a start...