Solved

How to fix mssqlserver event id 18452??

Posted on 2008-10-31
6
2,170 Views
Last Modified: 2008-10-31
we are running server 2003 R2 enterprise edition and sql server 2000 is installed on the server.  we have noticed that i our event log on the server that there are a lot of failure audits that have showed up, below is what we are getting

Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]

now this ip belong to a cable company in china.  please advise me on how to fix this error.  how do i get rid of this??
0
Comment
Question by:amoos
  • 4
  • 2
6 Comments
 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855708
Those would indicate failed login attempts.  If the error message display is truly from an IP address in china, my question would be is your SQL server exposed to the Internet?  Are you allowing port 1433 through your firewall?

You can also take a look at this EE question that has links for this event id.
http:/Q_23273770.html
0
 

Author Comment

by:amoos
ID: 22855718
yes port 1433 is allowed through the firewall.  this particular server runs some web portals that are attached onto a sql 2000 database.

what should i do to fix it??  am i being hacked??  is there something wrong with the server??
0
 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855744
Sounds like they are attempting to.  If you are running web portals, the web server should be talking to the SQL server to get data and so you should not have 1433 unless these web servers are remote to your location.

Even if you web servers are in DMZ, only those systems should be able to communicate through 1433 from your DMZ subnet to LAN subnet.  You don't want a rule going from WAN to LAN for 1433 unless absolutely needed as it is common practice for hackers to scan for SQL instances and try to find holes like blank or weak sa passwords.

Regards,
Kevin
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855750
The EventID is loggin failed attempts, so that would indicate that the login attempts are failing, but wouldn't tempt faith since you know this may be going on I would correct the issue by closing unnecessary firewall ports OR at least ensure you are keeping up to date with all microsoft security updates for OS and SQL server as well as following the best practices layed out by tools like Microsoft Baseline Security Analyzer.

Kev
0
 

Author Comment

by:amoos
ID: 22855757
awesome posts.  thank you.  is there anything on the sql side that i need to check or do??  what can i look for??
0
 
LVL 59

Accepted Solution

by:
Kevin Cross earned 500 total points
ID: 22855777
If you have success audits in event log, you can look for any successful connections at odd times for sa.

You can check health of server using tools like the MBSA tool from Microsoft.  Look for any strange changes in your server like higher CPU usage from your normal.

Other than that, you could look for odd data in tables as attacks of this nature are probably more towards tampering with or getting your data.

Just good to check all bases.
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question