SQL 2005 Login failed for user 'sa' & constant Info errors

Posted on 2009-02-19
Last Modified: 2012-05-06
Hello Experts

I have a problem with one of our SQL 2005 SP2 servers.

From time to time the performance decreases gradually until and all queries from client software halt in time out.
In the SQL log file shows something strange:
"Error 18456, Severity: 14, State:16
Login failed for user 'sa'.[Client:] - most of the times is the IP of the server itself"
I must add that clients software authenticates with 'sa' user from the software itself so is not the case of misspelling the password.
I have used "perfmon - SQLServer:SQL Errors[Info Errors]\Errors/Sec" and I've found constant info errors even if no transactions are tacking place.

The server is a central cashier server. The client software authenticates through user 'sa' and the sql service is running under an domain account. The server uses bulk import&bulk export for some clients who run SQL Express and tcp with others.

The client and the server are in the same location so network connectivity is ruled out. The load on the server is minimal.

Please help

Question by:bricoexpert
    LVL 142

    Expert Comment

    by:Guy Hengel [angelIII / a3]
    that sounds like someone tries to hack into your server, from the server itself eventually.
    you must run some health/antivirus/... checks on the server.
    also, try to identify and scheduled activities, or maintenance plans, that run at the times you get the error message.

    >I must add that clients software authenticates with 'sa' user from the software itself so is not the case of misspelling the password.

    VERY bad idea. you really should change that!!!

    once done, change the sa password, and see what happens
    LVL 38

    Accepted Solution

    We have a similar problem from an application from a vendor. We don't get the lockups very much, but they are annoying in the log.
    Message : Login failed for user 'getpwd'. [CLIENT:]
    The getpwd is the get present working directory. It's because the apps service(s) is using the function to parse out the windows user name.

    I'm guessing some service is trying the SA with a blank password -- when it fails it goes on to windows authentication or some such.

    We tried arguing with our vendor, but they "couldn't figure out a better way" to do it. You might want to track login attempts and maybe use the filemon/procmon/regmon from sysinternals to look at processes, and what they are doing.

    LVL 38

    Expert Comment

    by:Jim P.
    Glad to be of assistance. May all your days get brighter and brighter.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Top 6 Sources for Identifying Threat Actor TTPs

    Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

    So every once in a while at work I am asked to export data from one table and insert it into another on a different server.  I hate doing this.  There's so many different tables and data types.  Some column data needs quoted and some doesn't.  What …
    INTRODUCTION: While tying your database objects into builds and your enterprise source control system takes a third-party product (like Visual Studio Database Edition or Red-Gate's SQL Source Control), you can achieve some protection using a sing…
    It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

    779 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    11 Experts available now in Live!

    Get 1:1 Help Now