SQL 2005 Login failed for user 'sa' & constant Info errors

Hello Experts

I have a problem with one of our SQL 2005 SP2 servers.

From time to time the performance decreases gradually until and all queries from client software halt in time out.
In the SQL log file shows something strange:
"Error 18456, Severity: 14, State:16
Login failed for user 'sa'.[Client: xxx.xxx.xxx.xxx] - most of the times is the IP of the server itself"
I must add that clients software authenticates with 'sa' user from the software itself so is not the case of misspelling the password.
I have used "perfmon - SQLServer:SQL Errors[Info Errors]\Errors/Sec" and I've found constant info errors even if no transactions are tacking place.

The server is a central cashier server. The client software authenticates through user 'sa' and the sql service is running under an domain account. The server uses bulk import&bulk export for some clients who run SQL Express and tcp with others.

The client and the server are in the same location so network connectivity is ruled out. The load on the server is minimal.

Please help

Who is Participating?
Jim P.Commented:
We have a similar problem from an application from a vendor. We don't get the lockups very much, but they are annoying in the log.
Message : Login failed for user 'getpwd'. [CLIENT: xx.xx.x.xxx]
The getpwd is the get present working directory. It's because the apps service(s) is using the function to parse out the windows user name.

I'm guessing some service is trying the SA with a blank password -- when it fails it goes on to windows authentication or some such.

We tried arguing with our vendor, but they "couldn't figure out a better way" to do it. You might want to track login attempts and maybe use the filemon/procmon/regmon from sysinternals to look at processes, and what they are doing.

Guy Hengel [angelIII / a3]Billing EngineerCommented:
that sounds like someone tries to hack into your server, from the server itself eventually.
you must run some health/antivirus/... checks on the server.
also, try to identify and scheduled activities, or maintenance plans, that run at the times you get the error message.

>I must add that clients software authenticates with 'sa' user from the software itself so is not the case of misspelling the password.

VERY bad idea. you really should change that!!!

once done, change the sa password, and see what happens
Jim P.Commented:
Glad to be of assistance. May all your days get brighter and brighter.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.