?
Solved

Login failed for user 'sa'. Event repeats 2 to 4 times per second on SQL 2000 SP3a

Posted on 2004-09-24
6
Medium Priority
?
582 Views
Last Modified: 2010-07-27
Hi All,

I found my event log with 80,000+ entries of "Login failed for user 'sa'".
I figure it must be an attack of some sort and was wondering if there was something I can do about it.
I am running SQL 2000 SP3a on a Windows Server 2003 Standard (with all the latest patches).
There are 2 backup jobs (1 for system DBs and 1 for user DBs) that run early every morning (but this is occurring right now at 9:30pm) with the 'sa' user.
There are 2 website databases (1 ASP site - accessing via OLEDB connection string under a different user and 1 ASP.Net site accessing via the SQL OLE connector under a different user).

The SQL box is set to "mixed mode"
The SQL agent uses the local Windows system account.

Follows is the actual event message:

Event Type:      Information
Event Source:      MSSQLSERVER
Event Category:      (4)
Event ID:      17055
Date:            9/24/2004
Time:            9:34:50 PM
User:            N/A
Computer:      KPSS1
Description:
18456 :
Login failed for user 'sa'.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 06 00 00 00 4b 00 50 00   ....K.P.
0010: 53 00 53 00 31 00 00 00   S.S.1...
0018: 07 00 00 00 6d 00 61 00   ....m.a.
0020: 73 00 74 00 65 00 72 00   s.t.e.r.
0028: 00 00                     ..      


What should I do about this? (other than shutting down port 1433 on the firewall and turning it back on when I need to move data)

TIA
0
Comment
Question by:simplyamazing
  • 5
6 Comments
 
LVL 15

Accepted Solution

by:
jdlambert1 earned 1000 total points
ID: 12148833
If you're web site code is vulnerable to SQL Injection attacks, this may be a brute-strenght attack trying to break the sa password.

You can run Profiler to see if these efforts are coming from your web server or from the outside world.

Your firewall should create 3 zones: Internet, DMZ, and Corporate LAN. Your web server should be on the DMZ, your SQL Server should be on the LAN, and there should be a hole between the DMZ and LAN that only allows the IP addresses of the web server and SQL Server to connect to each other. If you need port 1433 open for data transfers or remote SQL Server management, the firewall should be configured to only allow connections from the specific IP addresses of computers under your control.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148837
A password attack could also come from the inside, from a rouge employee. In that case, Profiler may identify the exact computer and login.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148849
Everything in SQL Server and IIS should quit trying to login after a single failure.

And of course, none of your code on the web server or elsewhere should be configured to use the sa account for anything. It should be give an extremely difficult password (written down and kept in a safety deposit box), and another account (or accounts) should be created to use for daily admin, and accounts with the fewest permissions necessary for user & web server access.
 
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148860
read: "rogue" employee
0
 

Author Comment

by:simplyamazing
ID: 12148952
Thanks!

I have a dynamic IP, but it changes only once a week, so I've been successful at blocking the attack.
The events no longer show up (definitely an attack!).  
Maybe Microsoft can put a mini-firewall into SQL that can block attacks so remote connections with dynamic IPs don't require constant changing of the IP address in an external firewall - or use a failed login delay where each subsequent failure makes the delay grow exponentially large (the time between failed logins, that is)!
This would be great for ISPs who share their DBs online where clients connect via EM.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148983
They've started putting a mini-firewall in XP. It's a start...
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
Ready to get certified? Check out some courses that help you prepare for third-party exams.
Via a live example, show how to shrink a transaction log file down to a reasonable size.
Viewers will learn how the fundamental information of how to create a table.

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question