Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

login failure

Posted on 2013-06-19
3
Medium Priority
?
395 Views
Last Modified: 2013-06-20
I get a LOT of these errors on the SQL server audit log

Event Type:      Failure Audit
Event Source:      MSSQLSERVER
Event Category:      Logon
Event ID:      18456
Date:            6/16/2013
Time:            8:31:02 PM
User:            N/A
Computer:      2003SERVER
Description:
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 173.208.191.52]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 0b 00 00 00 32 00 30 00   ....2.0.
0010: 30 00 33 00 53 00 45 00   0.3.S.E.
0018: 52 00 56 00 45 00 52 00   R.V.E.R.
0020: 00 00 07 00 00 00 6d 00   ......m.
0028: 61 00 73 00 74 00 65 00   a.s.t.e.
0030: 72 00 00 00               r...    


Does this mean someone is trying to hack the server from the web?  How do I stop this?
0
Comment
Question by:al4629740
  • 2
3 Comments
 
LVL 2

Expert Comment

by:hlaprade
ID: 39261076
Hi al4629740, that is a pretty straight forward message, if I were you I will look for a string connection that do have the wrong password of the SA, maybe there was a password changed no long ago? How did you setup your access to your DB engine, Windows Authentication Mode or Mixed mode.
The best thing you should do is have your SA password changed again, use a strong password, I know is a pain in the rear end but it is important for security. Do you have any more extrange messages? Post them.
Another approach is trying to identify patterns, date time etc. If you really think you have a attempt to break in, use a sniffer to identify the ip trying to access your database and cross reference it to your event error date/time.

Luke
0
 

Author Comment

by:al4629740
ID: 39261088
Can I set the number of unsuccessful attempts to the database server Limiting that to about five or 10 entries
0
 
LVL 2

Accepted Solution

by:
hlaprade earned 2000 total points
ID: 39261123
Not sure I am following your question, but using Windows Authentication Mode definitely you are able to endure you security applying specific policies to your cases and block a user after certain attempts, using Active Directory if you have one, but mostly I will focus on searching on your web server all SA users defined on string connections, because first, it is not a good practice to use SA to access your database from the your Web Server. Change your SA to a stronger pass, if you think that is really the case and then try to sniff your way to it, you can use wireshark but it is bit complex.
You can also use your command prompt at your db server and do

netstat -n -o >sniff.txt

That will create a text file on your local directory, that way you can see connections established to your DB server, you can do the same on your web server and again monitor and cross reference.

Luke
0

Featured Post

Prepare for your VMware VCP6-DCV exam.

Josh Coen and Jason Langer have prepared the latest edition of VCP study guide. Both authors have been working in the IT field for more than a decade, and both hold VMware certifications. This 163-page guide covers all 10 of the exam blueprint sections.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
An alternative to the "For XML" way of pivoting and concatenating result sets into strings, and an easy introduction to "common table expressions" (CTEs). Being someone who is always looking for alternatives to "work your data", I came across this …
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question