Solved

login failure

Posted on 2013-06-19
3
388 Views
Last Modified: 2013-06-20
I get a LOT of these errors on the SQL server audit log

Event Type:      Failure Audit
Event Source:      MSSQLSERVER
Event Category:      Logon
Event ID:      18456
Date:            6/16/2013
Time:            8:31:02 PM
User:            N/A
Computer:      2003SERVER
Description:
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 173.208.191.52]

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 18 48 00 00 0e 00 00 00   .H......
0008: 0b 00 00 00 32 00 30 00   ....2.0.
0010: 30 00 33 00 53 00 45 00   0.3.S.E.
0018: 52 00 56 00 45 00 52 00   R.V.E.R.
0020: 00 00 07 00 00 00 6d 00   ......m.
0028: 61 00 73 00 74 00 65 00   a.s.t.e.
0030: 72 00 00 00               r...    


Does this mean someone is trying to hack the server from the web?  How do I stop this?
0
Comment
Question by:al4629740
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 2

Expert Comment

by:hlaprade
ID: 39261076
Hi al4629740, that is a pretty straight forward message, if I were you I will look for a string connection that do have the wrong password of the SA, maybe there was a password changed no long ago? How did you setup your access to your DB engine, Windows Authentication Mode or Mixed mode.
The best thing you should do is have your SA password changed again, use a strong password, I know is a pain in the rear end but it is important for security. Do you have any more extrange messages? Post them.
Another approach is trying to identify patterns, date time etc. If you really think you have a attempt to break in, use a sniffer to identify the ip trying to access your database and cross reference it to your event error date/time.

Luke
0
 

Author Comment

by:al4629740
ID: 39261088
Can I set the number of unsuccessful attempts to the database server Limiting that to about five or 10 entries
0
 
LVL 2

Accepted Solution

by:
hlaprade earned 500 total points
ID: 39261123
Not sure I am following your question, but using Windows Authentication Mode definitely you are able to endure you security applying specific policies to your cases and block a user after certain attempts, using Active Directory if you have one, but mostly I will focus on searching on your web server all SA users defined on string connections, because first, it is not a good practice to use SA to access your database from the your Web Server. Change your SA to a stronger pass, if you think that is really the case and then try to sniff your way to it, you can use wireshark but it is bit complex.
You can also use your command prompt at your db server and do

netstat -n -o >sniff.txt

That will create a text file on your local directory, that way you can see connections established to your DB server, you can do the same on your web server and again monitor and cross reference.

Luke
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
Slowly Changing Dimension Transformation component in data task flow is very useful for us to manage and control how data changes in SSIS.
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question