?
Solved

login failure

Posted on 2013-06-19
3
Medium Priority
?
393 Views
Last Modified: 2013-06-20
I get a LOT of these errors on the SQL server audit log

Event Type:      Failure Audit
Event Source:      MSSQLSERVER
Event Category:      Logon
Event ID:      18456
Date:            6/16/2013
Time:            8:31:02 PM
User:            N/A
Computer:      2003SERVER
Description:
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 173.208.191.52]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 0b 00 00 00 32 00 30 00   ....2.0.
0010: 30 00 33 00 53 00 45 00   0.3.S.E.
0018: 52 00 56 00 45 00 52 00   R.V.E.R.
0020: 00 00 07 00 00 00 6d 00   ......m.
0028: 61 00 73 00 74 00 65 00   a.s.t.e.
0030: 72 00 00 00               r...    


Does this mean someone is trying to hack the server from the web?  How do I stop this?
0
Comment
Question by:al4629740
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 2

Expert Comment

by:hlaprade
ID: 39261076
Hi al4629740, that is a pretty straight forward message, if I were you I will look for a string connection that do have the wrong password of the SA, maybe there was a password changed no long ago? How did you setup your access to your DB engine, Windows Authentication Mode or Mixed mode.
The best thing you should do is have your SA password changed again, use a strong password, I know is a pain in the rear end but it is important for security. Do you have any more extrange messages? Post them.
Another approach is trying to identify patterns, date time etc. If you really think you have a attempt to break in, use a sniffer to identify the ip trying to access your database and cross reference it to your event error date/time.

Luke
0
 

Author Comment

by:al4629740
ID: 39261088
Can I set the number of unsuccessful attempts to the database server Limiting that to about five or 10 entries
0
 
LVL 2

Accepted Solution

by:
hlaprade earned 2000 total points
ID: 39261123
Not sure I am following your question, but using Windows Authentication Mode definitely you are able to endure you security applying specific policies to your cases and block a user after certain attempts, using Active Directory if you have one, but mostly I will focus on searching on your web server all SA users defined on string connections, because first, it is not a good practice to use SA to access your database from the your Web Server. Change your SA to a stronger pass, if you think that is really the case and then try to sniff your way to it, you can use wireshark but it is bit complex.
You can also use your command prompt at your db server and do

netstat -n -o >sniff.txt

That will create a text file on your local directory, that way you can see connections established to your DB server, you can do the same on your web server and again monitor and cross reference.

Luke
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
An alternative to the "For XML" way of pivoting and concatenating result sets into strings, and an easy introduction to "common table expressions" (CTEs). Being someone who is always looking for alternatives to "work your data", I came across this …
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
Viewers will learn how the fundamental information of how to create a table.

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question