Solved

login failure

Posted on 2013-06-19
3
385 Views
Last Modified: 2013-06-20
I get a LOT of these errors on the SQL server audit log

Event Type:      Failure Audit
Event Source:      MSSQLSERVER
Event Category:      Logon
Event ID:      18456
Date:            6/16/2013
Time:            8:31:02 PM
User:            N/A
Computer:      2003SERVER
Description:
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 173.208.191.52]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 0b 00 00 00 32 00 30 00   ....2.0.
0010: 30 00 33 00 53 00 45 00   0.3.S.E.
0018: 52 00 56 00 45 00 52 00   R.V.E.R.
0020: 00 00 07 00 00 00 6d 00   ......m.
0028: 61 00 73 00 74 00 65 00   a.s.t.e.
0030: 72 00 00 00               r...    


Does this mean someone is trying to hack the server from the web?  How do I stop this?
0
Comment
Question by:al4629740
  • 2
3 Comments
 
LVL 2

Expert Comment

by:hlaprade
ID: 39261076
Hi al4629740, that is a pretty straight forward message, if I were you I will look for a string connection that do have the wrong password of the SA, maybe there was a password changed no long ago? How did you setup your access to your DB engine, Windows Authentication Mode or Mixed mode.
The best thing you should do is have your SA password changed again, use a strong password, I know is a pain in the rear end but it is important for security. Do you have any more extrange messages? Post them.
Another approach is trying to identify patterns, date time etc. If you really think you have a attempt to break in, use a sniffer to identify the ip trying to access your database and cross reference it to your event error date/time.

Luke
0
 

Author Comment

by:al4629740
ID: 39261088
Can I set the number of unsuccessful attempts to the database server Limiting that to about five or 10 entries
0
 
LVL 2

Accepted Solution

by:
hlaprade earned 500 total points
ID: 39261123
Not sure I am following your question, but using Windows Authentication Mode definitely you are able to endure you security applying specific policies to your cases and block a user after certain attempts, using Active Directory if you have one, but mostly I will focus on searching on your web server all SA users defined on string connections, because first, it is not a good practice to use SA to access your database from the your Web Server. Change your SA to a stronger pass, if you think that is really the case and then try to sniff your way to it, you can use wireshark but it is bit complex.
You can also use your command prompt at your db server and do

netstat -n -o >sniff.txt

That will create a text file on your local directory, that way you can see connections established to your DB server, you can do the same on your web server and again monitor and cross reference.

Luke
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally there is a need to clean table columns, especially if you have inherited legacy data. There are obviously many ways to accomplish that, including elaborate UPDATE queries with anywhere from one to numerous REPLACE functions (even within…
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
Using examples as well as descriptions, and references to Books Online, show the documentation available for date manipulation functions and by using a select few of these functions, show how date based data can be manipulated with these functions.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now