Solved

How to fix mssqlserver event id 18452??

Posted on 2008-10-31
Last Modified: 2008-10-31
We are running Server 2003 R2 Enterprise Edition, and SQL Server 2000 is installed on the server. We have noticed in our event log on the server that there are a lot of failure audits that have shown up. Below is what we are getting:

Login failed for user 'sa'. the user is not associated with a trusted SQL server connection client [121.14.212.72]

Now, this IP belongs to a cable company in China. Please advise me on how to fix this error. How do I get rid of this??
0
Question by:amoos
LVL 60

Expert Comment

by:Kevin Cross
ID: 22855708
Those would indicate failed login attempts.  If the error message displayed is truly from an IP address in China, my question would be: is your SQL server exposed to the Internet?  Are you allowing port 1433 through your firewall?

You can also take a look at this EE question that has links for this event id.
http:/Q_23273770.html
0
 

Author Comment

by:amoos
ID: 22855718
Yes, port 1433 is allowed through the firewall.  This particular server runs some web portals that are attached to a SQL 2000 database.

What should I do to fix it??  Am I being hacked??  Is there something wrong with the server??
0
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 22855744
Sounds like they are attempting to.  If you are running web portals, the web server should be talking to the SQL server to get data and so you should not have 1433 unless these web servers are remote to your location.

Even if your web servers are in a DMZ, only those systems should be able to communicate through 1433 from your DMZ subnet to LAN subnet.  You don't want a rule going from WAN to LAN for 1433 unless absolutely needed, as it is common practice for hackers to scan for SQL instances and try to find holes like blank or weak sa passwords.

Regards,
Kevin
0
 
LVL 60

Expert Comment

by:Kevin Cross
ID: 22855750
The EventID is logging failed attempts, so that would indicate that the login attempts are failing, but I wouldn't tempt fate. Since you know this may be going on, I would correct the issue by closing unnecessary firewall ports OR at least ensure you are keeping up to date with all Microsoft security updates for OS and SQL Server as well as following the best practices laid out by tools like Microsoft Baseline Security Analyzer.

Kev
0
 

Author Comment

by:amoos
ID: 22855757
Awesome posts.  Thank you.  Is there anything on the SQL side that I need to check or do??  What can I look for??
0
 
LVL 60

Accepted Solution

by:
Kevin Cross earned 500 total points
ID: 22855777
If you have success audits in event log, you can look for any successful connections at odd times for sa.

You can check the health of the server using tools like the MBSA tool from Microsoft.  Look for any strange changes in your server, like higher CPU usage than your normal.

Other than that, you could look for odd data in tables as attacks of this nature are probably more towards tampering with or getting your data.

Just good to check all bases.
0
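The checks suggested in the answers above (failed logins from addresses that should never reach port 1433, and successful sa logins at odd times), as an added example that is not part of the original thread. The exported line layout, the allowed subnet, the working hours and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Assumption: only this subnet (e.g. the web servers) may reach TCP 1433.
ALLOWED_NETS = [ipaddress.ip_network("10.0.5.0/24")]
WORK_HOURS = range(7, 19)  # assumption: 07:00-18:59 counts as normal hours

# Constructed sample export: "<timestamp> <audit type> <message>".
SAMPLE = """\
2008-10-31 02:14:07 FAILURE Login failed for user 'sa'. client [203.0.113.7]
2008-10-31 02:14:09 FAILURE Login failed for user 'sa'. client [203.0.113.7]
2008-10-31 02:14:12 FAILURE Login failed for user 'admin'. client [203.0.113.7]
2008-10-31 09:30:00 SUCCESS Login succeeded for user 'portal'. client [10.0.5.20]
2008-10-31 10:05:41 FAILURE Login failed for user 'portal'. client [10.0.5.20]
2008-10-31 03:02:55 SUCCESS Login succeeded for user 'sa'. client [10.0.5.20]
2008-10-31 03:40:10 SUCCESS Login succeeded for user 'sa'. client [198.51.100.23]
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<kind>FAILURE|SUCCESS) "
    r"Login (?:failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[(?:CLIENT:\s*)?(?P<ip>[0-9.]+)\]",
    re.I)

def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable address: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def review(text):
    """Return (failed logins per outside (ip, user), suspicious sa successes)."""
    failed, alerts = Counter(), []
    for m in filter(None, map(LINE.match, text.splitlines())):
        outside = not is_allowed(m["ip"])
        hour = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").hour
        if m["kind"].upper() == "FAILURE":
            if outside:
                failed[(m["ip"], m["user"])] += 1
        elif m["user"].lower() == "sa" and (outside or hour not in WORK_HOURS):
            alerts.append((m["ts"], m["ip"], "outside" if outside else "odd-hour"))
    return failed, alerts

if __name__ == "__main__":
    failed, alerts = review(SAMPLE)
    print(failed.most_common(), alerts, sep="\n")
```

Any entry in the second list is a successful sa login that deserves a closer look; entries in the first list show which outside addresses are reaching the SQL port at all.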
