Solved

Login failed for user 'sa'. Event repeats 2 to 4 times per second on SQL 2000 SP3a

Posted on 2004-09-24
6
566 Views
Last Modified: 2010-07-27
Hi All,

I found my event log with 80,000+ entries of "Login failed for user 'sa'".
I figure it must be an attack of some sort and was wondering if there was something I can do about it.
I am running SQL 2000 SP3a on a Windows Server 2003 Standard (with all the latest patches).
There are 2 backup jobs (1 for system DBs and 1 for user DBs) that run early every morning (but this is occurring right now at 9:30pm) with the 'sa' user.
There are 2 website databases (1 ASP site - accessing via OLEDB connection string under a different user and 1 ASP.Net site accessing via the SQL OLE connector under a different user).

The SQL box is set to "mixed mode"
The SQL agent uses the local Windows system account.

Follows is the actual event message:

Event Type:      Information
Event Source:      MSSQLSERVER
Event Category:      (4)
Event ID:      17055
Date:            9/24/2004
Time:            9:34:50 PM
User:            N/A
Computer:      KPSS1
Description:
18456 :
Login failed for user 'sa'.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 06 00 00 00 4b 00 50 00   ....K.P.
0010: 53 00 53 00 31 00 00 00   S.S.1...
0018: 07 00 00 00 6d 00 61 00   ....m.a.
0020: 73 00 74 00 65 00 72 00   s.t.e.r.
0028: 00 00                     ..      


What should I do about this? (other than shutting down port 1433 on the firewall and turning it back on when I need to move data)

TIA
0
Comment
Question by:simplyamazing
  • 5
6 Comments
 
LVL 15

Accepted Solution

by:
jdlambert1 earned 250 total points
ID: 12148833
If you're web site code is vulnerable to SQL Injection attacks, this may be a brute-strenght attack trying to break the sa password.

You can run Profiler to see if these efforts are coming from your web server or from the outside world.

Your firewall should create 3 zones: Internet, DMZ, and Corporate LAN. Your web server should be on the DMZ, your SQL Server should be on the LAN, and there should be a hole between the DMZ and LAN that only allows the IP addresses of the web server and SQL Server to connect to each other. If you need port 1433 open for data transfers or remote SQL Server management, the firewall should be configured to only allow connections from the specific IP addresses of computers under your control.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148837
A password attack could also come from the inside, from a rouge employee. In that case, Profiler may identify the exact computer and login.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148849
Everything in SQL Server and IIS should quit trying to login after a single failure.

And of course, none of your code on the web server or elsewhere should be configured to use the sa account for anything. It should be give an extremely difficult password (written down and kept in a safety deposit box), and another account (or accounts) should be created to use for daily admin, and accounts with the fewest permissions necessary for user & web server access.
 
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148860
read: "rogue" employee
0
 

Author Comment

by:simplyamazing
ID: 12148952
Thanks!

I have a dynamic IP, but it changes only once a week, so I've been successful at blocking the attack.
The events no longer show up (definitely an attack!).  
Maybe Microsoft can put a mini-firewall into SQL that can block attacks so remote connections with dynamic IPs don't require constant changing of the IP address in an external firewall - or use a failed login delay where each subsequent failure makes the delay grow exponentially large (the time between failed logins, that is)!
This would be great for ISPs who share their DBs online where clients connect via EM.
0
 
LVL 15

Expert Comment

by:jdlambert1
ID: 12148983
They've started putting a mini-firewall in XP. It's a start...
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now