Solved

Login failed for user 'sa'. Event repeats 2 to 4 times per second on SQL 2000 SP3a

Posted on 2004-09-24
6
571 Views
Last Modified: 2010-07-27
Hi All,

I found my event log with 80,000+ entries of "Login failed for user 'sa'".
I figure it must be an attack of some sort and was wondering if there was something I can do about it.
I am running SQL 2000 SP3a on a Windows Server 2003 Standard (with all the latest patches).
There are 2 backup jobs (1 for system DBs and 1 for user DBs) that run early every morning (but this is occurring right now at 9:30pm) with the 'sa' user.
There are 2 website databases (1 ASP site - accessing via OLEDB connection string under a different user and 1 ASP.Net site accessing via the SQL OLE connector under a different user).

The SQL box is set to "mixed mode"
The SQL agent uses the local Windows system account.

Follows is the actual event message:

Event Type:      Information
Event Source:      MSSQLSERVER
Event Category:      (4)
Event ID:      17055
Date:            9/24/2004
Time:            9:34:50 PM
User:            N/A
Computer:      KPSS1
Description:
18456 :
Login failed for user 'sa'.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 06 00 00 00 4b 00 50 00   ....K.P.
0010: 53 00 53 00 31 00 00 00   S.S.1...
0018: 07 00 00 00 6d 00 61 00   ....m.a.
0020: 73 00 74 00 65 00 72 00   s.t.e.r.
0028: 00 00                     ..      


What should I do about this? (other than shutting down port 1433 on the firewall and turning it back on when I need to move data)

TIA
0
Comment
Question by:simplyamazing
  • 5
6 Comments
 
LVL 15

Accepted Solution

by:
jdlambert1 earned 250 total points
ID: 12148833
If you're web site code is vulnerable to SQL Injection attacks, this may be a brute-strenght attack trying to break the sa password.

You can run Profiler to see if these efforts are coming from your web server or from the outside world.

Your firewall should create 3 zones: Internet, DMZ, and Corporate LAN. Your web server should be on the DMZ, your SQL Server should be on the LAN, and there should be a hole between the DMZ and LAN that only allows the IP addresses of the web server and SQL Server to connect to each other. If you need port 1433 open for data transfers or remote SQL Server management, the firewall should be configured to only allow connections from the specific IP addresses of computers under your control.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148837
A password attack could also come from the inside, from a rouge employee. In that case, Profiler may identify the exact computer and login.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148849
Everything in SQL Server and IIS should quit trying to login after a single failure.

And of course, none of your code on the web server or elsewhere should be configured to use the sa account for anything. It should be give an extremely difficult password (written down and kept in a safety deposit box), and another account (or accounts) should be created to use for daily admin, and accounts with the fewest permissions necessary for user & web server access.
 
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148860
read: "rogue" employee
0
 

Author Comment

by:simplyamazing
ID: 12148952
Thanks!

I have a dynamic IP, but it changes only once a week, so I've been successful at blocking the attack.
The events no longer show up (definitely an attack!).  
Maybe Microsoft can put a mini-firewall into SQL that can block attacks so remote connections with dynamic IPs don't require constant changing of the IP address in an external firewall - or use a failed login delay where each subsequent failure makes the delay grow exponentially large (the time between failed logins, that is)!
This would be great for ISPs who share their DBs online where clients connect via EM.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148983
They've started putting a mini-firewall in XP. It's a start...
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Nowadays, some of developer are too much worried about data. Who is using data, who is updating it etc. etc. Because, data is more costlier in term of money and information. So security of data is focusing concern in days. Lets' understand the Au…
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question