Solved

Login failed for user 'sa'. Event repeats 2 to 4 times per second on SQL 2000 SP3a

Posted on 2004-09-24
6
563 Views
Last Modified: 2010-07-27
Hi All,

I found my event log with 80,000+ entries of "Login failed for user 'sa'".
I figure it must be an attack of some sort and was wondering if there was something I can do about it.
I am running SQL 2000 SP3a on a Windows Server 2003 Standard (with all the latest patches).
There are 2 backup jobs (1 for system DBs and 1 for user DBs) that run early every morning (but this is occurring right now at 9:30pm) with the 'sa' user.
There are 2 website databases (1 ASP site - accessing via OLEDB connection string under a different user and 1 ASP.Net site accessing via the SQL OLE connector under a different user).

The SQL box is set to "mixed mode"
The SQL agent uses the local Windows system account.

Follows is the actual event message:

Event Type:      Information
Event Source:      MSSQLSERVER
Event Category:      (4)
Event ID:      17055
Date:            9/24/2004
Time:            9:34:50 PM
User:            N/A
Computer:      KPSS1
Description:
18456 :
Login failed for user 'sa'.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 06 00 00 00 4b 00 50 00   ....K.P.
0010: 53 00 53 00 31 00 00 00   S.S.1...
0018: 07 00 00 00 6d 00 61 00   ....m.a.
0020: 73 00 74 00 65 00 72 00   s.t.e.r.
0028: 00 00                     ..      


What should I do about this? (other than shutting down port 1433 on the firewall and turning it back on when I need to move data)

TIA
0
Comment
Question by:simplyamazing
  • 5
6 Comments
 
LVL 15

Accepted Solution

by:
jdlambert1 earned 250 total points
ID: 12148833
If you're web site code is vulnerable to SQL Injection attacks, this may be a brute-strenght attack trying to break the sa password.

You can run Profiler to see if these efforts are coming from your web server or from the outside world.

Your firewall should create 3 zones: Internet, DMZ, and Corporate LAN. Your web server should be on the DMZ, your SQL Server should be on the LAN, and there should be a hole between the DMZ and LAN that only allows the IP addresses of the web server and SQL Server to connect to each other. If you need port 1433 open for data transfers or remote SQL Server management, the firewall should be configured to only allow connections from the specific IP addresses of computers under your control.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148837
A password attack could also come from the inside, from a rouge employee. In that case, Profiler may identify the exact computer and login.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148849
Everything in SQL Server and IIS should quit trying to login after a single failure.

And of course, none of your code on the web server or elsewhere should be configured to use the sa account for anything. It should be give an extremely difficult password (written down and kept in a safety deposit box), and another account (or accounts) should be created to use for daily admin, and accounts with the fewest permissions necessary for user & web server access.
 
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148860
read: "rogue" employee
0
 

Author Comment

by:simplyamazing
ID: 12148952
Thanks!

I have a dynamic IP, but it changes only once a week, so I've been successful at blocking the attack.
The events no longer show up (definitely an attack!).  
Maybe Microsoft can put a mini-firewall into SQL that can block attacks so remote connections with dynamic IPs don't require constant changing of the IP address in an external firewall - or use a failed login delay where each subsequent failure makes the delay grow exponentially large (the time between failed logins, that is)!
This would be great for ISPs who share their DBs online where clients connect via EM.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148983
They've started putting a mini-firewall in XP. It's a start...
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
Via a live example, show how to set up a backup for SQL Server using a Maintenance Plan and how to schedule the job into SQL Server Agent.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now