SQL 'sa' logon attempts
FNDAdmin asked:
Hello,
I have a Windows Server 2008 R2 box running IIS 7.0 and SQL 2008 R2. I have a Juniper firewall protecting my server but we do have port 80 open to the Internet because we require it. My IIS logs are pretty mild. I have a few script attempts here and there, but my SQL logs are flooded (1000+/day) with 'sa' logon attempts.
How is my SQL server getting hit without my IIS Server logging it?
That might suggest that the attempts are coming from somewhere other than through the web server. Does the SQL log show the attempt as coming from your IIS server?
ASKER
Date 12/4/2013 3:28:02 PM
Log SQL Server (Current - 12/3/2013 4:25:00 PM)
Source Logon
Message
Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 116.255.197.205]
SQL Logs do not indicate _where_ the attempts are coming through.
ASKER CERTIFIED SOLUTION
116.255.197.205 is coming from ZhengZhou GIANT Computer Network Technology Co., Ltd in China.
http://whois.net/ip-address-lookup/
shows that address is:
ZhengZhou GIANT Computer Network Technology Co., Ltd
descr: Room 701, Information Building NO.144 Garden Road,
descr: Zhenzhou, Henan, P.R.China
ASKER
Correct. The only reason I pasted a valid IP address into this forum is because it is NOT mine. It is the script kiddie hitting my box.
Thank you to those that did a WHOIS lookup on it.
Carl, as soon as I posted that question I started a trace. I modified it to include the columns that were not selected by default. I'll let it run through the night and see what it comes up with in the morning.
I have since put in a request to my firewall guy to change the port 80 scope to allow USA-based IP address ranges only.
I'll provide an update tomorrow.
I think your original question about why it did not show up in your web server logs is key. I'd be concerned that they have already compromised your web server and are deleting the log entries or otherwise preventing them from showing up.
I think it is good to limit to US addresses but that won't stop them. For example, they could use a VPN service to make it look like they are in the US, and I'm sure they know other ways to get around it as well.
SOLUTION
If Dave is right and someone is able to issue requests directly from the Internet to your SQL Server, that seems like a huge problem to me. Maybe you can configure a whitelist on your SQL Server so that it only accepts traffic from localhost or other known authorized servers?
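The two questions raised so far, whether the SQL log shows the attempts coming from the IIS server and whether anything other than localhost and known servers is reaching SQL Server, can both be answered from the ERRORLOG itself. The script below is an added example, not code from the original thread: it parses the `Login failed for user ... [CLIENT: ...]` lines that SQL Server writes to its error log, counts failures per client address, and classifies each source as local, on an allowlist of authorized hosts, or external. The sample log excerpt is constructed; the 116.255.197.205 address is the one quoted in the thread, while 192.0.2.10 is an assumed address standing in for the IIS server.

```python
import re
import ipaddress
from collections import defaultdict

# SQL Server 2008 R2 writes each failed login to the ERRORLOG as a pair of
# "Logon" lines: an "Error: 18456 ..." line followed by the message quoted in
# the thread. Only the message line carries the user and the CLIENT address.
LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Yield (user, client) for every failed-login message in an ERRORLOG."""
    for line in lines:
        m = LOGIN_FAILED.search(line)
        if m:
            yield m.group("user"), m.group("client").strip()


def classify_client(client, allowed_networks):
    """Return 'local', 'allowed', 'external' or 'unknown' for a CLIENT value.

    SQL Server writes '<local machine>' or '<named pipe>' instead of an IP
    address for connections that did not arrive over TCP from another host.
    """
    if client.startswith("<"):
        return "local"
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "unknown"
    if addr.is_loopback:
        return "local"
    if any(addr in net for net in allowed_networks):
        return "allowed"
    return "external"


def summarize(lines, allowed_networks, threshold=10):
    """Count failed logins per client and flag external brute-force sources.

    Returns (per_client, offenders): per_client maps each CLIENT value to its
    failure count, the set of login names tried and its classification;
    offenders lists external clients with at least `threshold` failures, which
    is the direct-to-TCP/1433 pattern the thread describes (1000+/day on 'sa').
    """
    per_client = defaultdict(lambda: {"count": 0, "users": set(), "class": None})
    for user, client in parse_failed_logins(lines):
        entry = per_client[client]
        entry["count"] += 1
        entry["users"].add(user)
        entry["class"] = classify_client(client, allowed_networks)
    offenders = sorted(
        client for client, e in per_client.items()
        if e["class"] == "external" and e["count"] >= threshold
    )
    return dict(per_client), offenders


# Constructed sample ERRORLOG excerpt (not taken from the original post).
# 116.255.197.205 is the address quoted in the thread; 192.0.2.10 is an
# assumed address for the IIS server that legitimately talks to SQL Server.
SAMPLE_LOG = [
    "2013-12-04 15:28:01.10 Logon       Error: 18456, Severity: 14, State: 8.",
    "2013-12-04 15:28:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 116.255.197.205]",
] * 12 + [
    "2013-12-04 15:29:44.55 Logon       Error: 18456, Severity: 14, State: 8.",
    "2013-12-04 15:29:44.55 Logon       Login failed for user 'webapp'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]",
    "2013-12-04 15:30:02.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: <local machine>]",
]

# Allowlist of hosts that are supposed to reach TCP/1433 (assumed value).
ALLOWED = [ipaddress.ip_network("192.0.2.10/32")]


if __name__ == "__main__":
    per_client, offenders = summarize(SAMPLE_LOG, ALLOWED, threshold=10)
    for client, e in sorted(per_client.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{client:>20}  {e['class']:<8} {e['count']:>5}  users={sorted(e['users'])}")
    if offenders:
        print("Brute force from outside the allowlist:", ", ".join(offenders))
        print("These clients reached SQL Server directly; check the firewall, not IIS.")
```

If every failing client is either `<local machine>` or the IIS server's address, the attempts are arriving through the web application and the IIS logs are the place to look. An external address with hundreds of failures means the database port itself is reachable from the Internet, which is the finding the asker eventually confirmed with the firewall team. Against a live server, feed the script the ERRORLOG file (or the output of `xp_readerrorlog`) instead of `SAMPLE_LOG`.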
ASKER
SQL, TCP1033, is not accessible from the Internet. Only port 80 is 'open'.
SOLUTION
ASKER
I am sorry, I mistyped. Our SQL Server is configured to use the standard/default port of 1433 for communications.
I received information from our firewall people that SQL 1433 _WAS_ open to the Internet. I cannot believe they let that one slip by them. It has since been closed and the event logs are back to normal.
Thank you all for your help.
You're welcome, glad to help. Thanks for the points.
We are facing the same problem (SQL 'sa' logon attempts), but it is coming from our web server. I am a system admin. Kindly let me know how to resolve the problem.