Solved

How to fix mssqlserver event id 18452??

Posted on 2008-10-31
Last Modified: 2008-10-31
We are running Server 2003 R2 Enterprise Edition, and SQL Server 2000 is installed on the server. We have noticed in our event log on the server that there are a lot of failure audits that have shown up. Below is what we are getting:

Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]

Now this IP belongs to a cable company in China. Please advise me on how to fix this error. How do I get rid of this??
Question by:amoos
 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855708
Those would indicate failed login attempts. If the error message displayed is truly from an IP address in China, my question would be: is your SQL server exposed to the Internet? Are you allowing port 1433 through your firewall?

You can also take a look at this EE question that has links for this event id.
http:/Q_23273770.html
0
 

Author Comment

by:amoos
ID: 22855718
Yes, port 1433 is allowed through the firewall. This particular server runs some web portals that are attached to a SQL 2000 database.

What should I do to fix it?? Am I being hacked?? Is there something wrong with the server??
0
 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855744
Sounds like they are attempting to.  If you are running web portals, the web server should be talking to the SQL server to get data and so you should not have 1433 unless these web servers are remote to your location.

Even if your web servers are in a DMZ, only those systems should be able to communicate through 1433 from your DMZ subnet to LAN subnet. You don't want a rule going from WAN to LAN for 1433 unless absolutely needed, as it is common practice for hackers to scan for SQL instances and try to find holes like blank or weak sa passwords.

Regards,
Kevin
0

 
LVL 59

Expert Comment

by:Kevin Cross
ID: 22855750
The EventID is logging failed attempts, so that would indicate that the login attempts are failing, but I wouldn't tempt fate. Since you know this may be going on, I would correct the issue by closing unnecessary firewall ports OR at least ensure you are keeping up to date with all Microsoft security updates for OS and SQL Server, as well as following the best practices laid out by tools like Microsoft Baseline Security Analyzer.

Kev
0
 

Author Comment

by:amoos
ID: 22855757
Awesome posts. Thank you. Is there anything on the SQL side that I need to check or do?? What can I look for??
0
 
LVL 59

Accepted Solution

by:
Kevin Cross earned 500 total points
ID: 22855777
If you have success audits in event log, you can look for any successful connections at odd times for sa.

You can check the health of the server using tools like the MBSA tool from Microsoft. Look for any strange changes in your server, like higher CPU usage than your normal.

Other than that, you could look for odd data in tables as attacks of this nature are probably more towards tampering with or getting your data.

Just good to check all bases.
0
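The audit review suggested in this thread (failed logins from addresses that should never reach port 1433, and successful `sa` logins at odd times) can be scripted. This is an added example, not code from any poster: the tab-separated export format, the success-message wording, the `10.0.5.0/24` DMZ subnet and the business-hours window are all assumptions, and the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumption: only the DMZ web servers should ever talk to SQL Server.
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
# Assumption: normal working hours are 07:00-18:59 server local time.
BUSINESS_HOURS = range(7, 19)

# Constructed sample: "timestamp<TAB>message", modelled on the message in the question.
SAMPLE_LOG = """\
2008-10-31 02:14:07\tLogin failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]
2008-10-31 02:14:09\tLogin failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]
2008-10-31 02:14:11\tLogin failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]
2008-10-31 09:12:40\tLogin failed for user 'portal_app'. client [10.0.5.20]
2008-10-31 09:30:00\tLogin succeeded for user 'portal_app'. client [10.0.5.20]
2008-10-31 10:05:00\tLogin succeeded for user 'sa'. client [10.0.5.20]
2008-11-01 03:41:52\tLogin succeeded for user 'sa'. client [203.0.113.9]
2008-11-01 23:10:00\tLogin succeeded for user 'sa'. client [10.0.5.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\t"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[(?P<ip>[0-9.]+)\]\s*$", re.IGNORECASE)

def is_allowed(ip):
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)

def analyze(log_text):
    """Return (failed logins per outside IP, suspicious successful sa logins)."""
    failed_by_ip, odd_sa_logins = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login audit line
        try:
            allowed = is_allowed(m["ip"])
        except ValueError:
            continue  # bracketed value was not a valid IPv4 address
        hour = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").hour
        if m["result"].lower() == "failed":
            if not allowed:
                failed_by_ip[m["ip"]] += 1
        elif m["user"].lower() == "sa" and (not allowed or hour not in BUSINESS_HOURS):
            odd_sa_logins.append((m["ts"], m["ip"]))
    return failed_by_ip, odd_sa_logins

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any entry in the second list deserves immediate follow-up, since it means an `sa` login actually succeeded from outside the allowed subnet or outside normal hours.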
