Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2202
  • Last Modified:

How to fix mssqlserver event id 18452??

we are running server 2003 R2 enterprise edition and sql server 2000 is installed on the server.  we have noticed that i our event log on the server that there are a lot of failure audits that have showed up, below is what we are getting

Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]

now this ip belong to a cable company in china.  please advise me on how to fix this error.  how do i get rid of this??
0
amoos
Asked:
amoos
  • 4
  • 2
1 Solution
 
Kevin CrossChief Technology OfficerCommented:
Those would indicate failed login attempts.  If the error message display is truly from an IP address in china, my question would be is your SQL server exposed to the Internet?  Are you allowing port 1433 through your firewall?

You can also take a look at this EE question that has links for this event id.
http:/Q_23273770.html
0
 
amoosAuthor Commented:
yes port 1433 is allowed through the firewall.  this particular server runs some web portals that are attached onto a sql 2000 database.

what should i do to fix it??  am i being hacked??  is there something wrong with the server??
0
 
Kevin CrossChief Technology OfficerCommented:
Sounds like they are attempting to.  If you are running web portals, the web server should be talking to the SQL server to get data and so you should not have 1433 unless these web servers are remote to your location.

Even if you web servers are in DMZ, only those systems should be able to communicate through 1433 from your DMZ subnet to LAN subnet.  You don't want a rule going from WAN to LAN for 1433 unless absolutely needed as it is common practice for hackers to scan for SQL instances and try to find holes like blank or weak sa passwords.

Regards,
Kevin
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
Kevin CrossChief Technology OfficerCommented:
The EventID is loggin failed attempts, so that would indicate that the login attempts are failing, but wouldn't tempt faith since you know this may be going on I would correct the issue by closing unnecessary firewall ports OR at least ensure you are keeping up to date with all microsoft security updates for OS and SQL server as well as following the best practices layed out by tools like Microsoft Baseline Security Analyzer.

Kev
0
 
amoosAuthor Commented:
awesome posts.  thank you.  is there anything on the sql side that i need to check or do??  what can i look for??
0
 
Kevin CrossChief Technology OfficerCommented:
If you have success audits in event log, you can look for any successful connections at odd times for sa.

You can check health of server using tools like the MBSA tool from Microsoft.  Look for any strange changes in your server like higher CPU usage from your normal.

Other than that, you could look for odd data in tables as attacks of this nature are probably more towards tampering with or getting your data.

Just good to check all bases.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now