Solved

How to fix mssqlserver event id 18452??

Posted on 2008-10-31
Last Modified: 2008-10-31
We are running Server 2003 R2 Enterprise Edition and SQL Server 2000 is installed on the server. We have noticed in our event log on the server that there are a lot of failure audits that have shown up; below is what we are getting:

Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]

Now this IP belongs to a cable company in China. Please advise me on how to fix this error. How do I get rid of this??
0
Question by:amoos
 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855708
Those would indicate failed login attempts. If the error message displayed is truly from an IP address in China, my question would be: is your SQL server exposed to the Internet? Are you allowing port 1433 through your firewall?

You can also take a look at this EE question that has links for this event id.
http:/Q_23273770.html
0
 

Author Comment

by:amoos
ID: 22855718
Yes, port 1433 is allowed through the firewall. This particular server runs some web portals that are attached to a SQL 2000 database.

What should I do to fix it?? Am I being hacked?? Is there something wrong with the server??
0
 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855744
Sounds like they are attempting to.  If you are running web portals, the web server should be talking to the SQL server to get data and so you should not have 1433 unless these web servers are remote to your location.

Even if your web servers are in a DMZ, only those systems should be able to communicate through 1433 from your DMZ subnet to LAN subnet. You don't want a rule going from WAN to LAN for 1433 unless absolutely needed, as it is common practice for hackers to scan for SQL instances and try to find holes like blank or weak sa passwords.

Regards,
Kevin
0

 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855750
The EventID is logging failed attempts, so that would indicate that the login attempts are failing, but I wouldn't tempt fate; since you know this may be going on, I would correct the issue by closing unnecessary firewall ports OR at least ensure you are keeping up to date with all Microsoft security updates for OS and SQL Server as well as following the best practices laid out by tools like Microsoft Baseline Security Analyzer.

Kev
0
 

Author Comment

by:amoos
ID: 22855757
Awesome posts. Thank you. Is there anything on the SQL side that I need to check or do?? What can I look for??
0
 
LVL 59

Accepted Solution

by:
Kevin Cross earned 500 total points
ID: 22855777
If you have success audits in event log, you can look for any successful connections at odd times for sa.

You can check health of server using tools like the MBSA tool from Microsoft.  Look for any strange changes in your server like higher CPU usage from your normal.

Other than that, you could look for odd data in tables as attacks of this nature are probably more towards tampering with or getting your data.

Just good to check all bases.
0
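One way to run the log check suggested in the accepted answer, as an added example that is not part of the original thread: it counts failed 'sa' logins per client address and lists successful 'sa' logins outside normal hours. The timestamp prefix, the "Login succeeded" wording, the 07:00-19:00 window and the function name `review_logins` are assumptions for illustration; the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample lines (not from the thread). The timestamp prefix and the
# "Login succeeded" wording are assumed; the failure text follows the message
# quoted in the question. Addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2008-10-31 02:14:05 Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [203.0.113.7]
2008-10-31 02:14:06 Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [203.0.113.7]
2008-10-31 02:14:09 Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [203.0.113.7]
2008-10-31 03:41:27 Login succeeded for user 'sa'. Connection: Non-Trusted.
2008-10-31 03:50:00 Login succeeded for user 'webportal'. Connection: Non-Trusted.
2008-10-31 09:30:12 Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [198.51.100.20]
2008-10-31 10:02:00 Login succeeded for user 'sa'. Connection: Non-Trusted.
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r"(?:.*?\[(?P<ip>[\d.]+)\])?",          # client address is optional
    re.IGNORECASE,
)

def review_logins(log_text, user="sa", day_start=time(7, 0), day_end=time(19, 0)):
    """Return (failed attempts per client IP, off-hours successful logins) for `user`."""
    failures, odd_successes = Counter(), []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["user"].lower() != user.lower():
            continue                         # other accounts and unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["result"].lower() == "failed":
            failures[m["ip"] or "unknown"] += 1
        elif not (day_start <= ts.time() < day_end):
            odd_successes.append(ts)         # success outside normal hours: investigate
    return failures, odd_successes

if __name__ == "__main__":
    failed, odd = review_logins(SAMPLE_LOG)
    for ip, n in failed.most_common():
        print(f"{n:3d} failed 'sa' logins from {ip}")
    for ts in odd:
        print(f"successful 'sa' login at odd time: {ts}")
```

A successful 'sa' login that follows a burst of failures from an outside address is the case to treat as an incident rather than noise.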
