Solved

SQL 'sa' logon attempts

Posted on 2013-12-04
Medium Priority
404 Views
Last Modified: 2016-09-22
Hello,

    I have a Windows Server 2008 R2 box running IIS 7.0 and SQL 2008 R2. I have a Juniper firewall protecting my server but we do have port 80 open to the Internet because we require it. My IIS logs are pretty mild. I have a few script attempts here and there, but my SQL logs are flooded (1000+/day) with 'sa' logon attempts.

     How is my SQL server getting hit without my IIS Server logging it?
Question by:FNDAdmin
14 Comments
 
LVL 52

Expert Comment

by:Carl Tawn
ID: 39696648
That might suggest that the attempts are coming from somewhere other than through the web server. Does the SQL log show the attempt as coming from your IIS server?

Author Comment

by:FNDAdmin
ID: 39696659
Date:    12/4/2013 3:28:02 PM
Log:     SQL Server (Current - 12/3/2013 4:25:00 PM)
Source:  Logon
Message: Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 116.255.197.205]

SQL Logs do not indicate _where_ the attempts are coming through.
LVL 52

Accepted Solution

by: Carl Tawn (earned 668 total points)
ID: 39696669
The IP in the message is the source of the attempt - is that the IP of the SQL server, or the web server (or are they both on the same box)?

I'd suggest running a trace for the "Audit Login" and "Audit Login Failed" event classes, and make sure to include both the DatabaseID and the Application Name fields.
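The trace Carl suggests, written as a server-side trace (sp_trace_*) instead of through the Profiler GUI, is added here as an example; it is not code from the thread. The file path C:\Traces, the rollover size, and the extra columns beyond DatabaseID and ApplicationName (HostName, LoginName, NTUserName, DatabaseName, StartTime) are my assumptions. The account running it needs ALTER TRACE.

```sql
-- Added example, not from the thread: a server-side trace for the
-- Audit Login (event class 14) and Audit Login Failed (event class 20)
-- classes, including DatabaseID (column 3) and ApplicationName (column 10),
-- which the default template leaves out.
-- Assumption: C:\Traces exists and the SQL Server service account can write to it.
DECLARE @TraceID INT, @rc INT, @maxsize BIGINT;
SET @maxsize = 50;  -- MB per file before rollover

EXEC @rc = sp_trace_create @TraceID OUTPUT,
                           2,                       -- 2 = TRACE_FILE_ROLLOVER
                           N'C:\Traces\sa_logons',  -- .trc is appended by SQL Server
                           @maxsize;
IF @rc <> 0
BEGIN
    RAISERROR('sp_trace_create failed with return code %d', 16, 1, @rc);
    RETURN;
END

-- Trace columns: 1 TextData, 3 DatabaseID, 6 NTUserName, 8 HostName,
-- 10 ApplicationName, 11 LoginName, 12 SPID, 14 StartTime, 35 DatabaseName
DECLARE @cols TABLE (col INT);
INSERT INTO @cols VALUES (1), (3), (6), (8), (10), (11), (12), (14), (35);

DECLARE @on BIT, @ev INT, @col INT;
SET @on = 1;
SET @ev = 14;                              -- start with Audit Login ...
WHILE @ev IS NOT NULL
BEGIN
    SET @col = (SELECT MIN(col) FROM @cols);
    WHILE @col IS NOT NULL
    BEGIN
        EXEC sp_trace_setevent @TraceID, @ev, @col, @on;
        SET @col = (SELECT MIN(col) FROM @cols WHERE col > @col);
    END
    SET @ev = CASE @ev WHEN 14 THEN 20 ELSE NULL END;  -- ... then Audit Login Failed
END

EXEC sp_trace_setstatus @TraceID, 1;       -- 1 = start
SELECT @TraceID AS TraceID;                -- keep this: needed to stop (0) and close (2)

-- Read the trace back (it can still be running). EventClass 20 = Audit Login Failed.
SELECT StartTime, LoginName, HostName, ApplicationName,
       DatabaseID, DatabaseName, NTUserName, TextData
FROM fn_trace_gettable(N'C:\Traces\sa_logons.trc', DEFAULT)
WHERE EventClass = 20
ORDER BY StartTime DESC;
```

Two caveats when reading the results. HostName and ApplicationName are supplied by the connecting client, so a brute-force tool can send anything (or nothing) there; the [CLIENT: ...] address in the error log is the reliable source of the connection, and the trace does not carry it. And stop and close the trace when done (sp_trace_setstatus with 0, then 2), otherwise it keeps writing rollover files until the service restarts.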
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39696683
116.255.197.205 is coming from ZhengZhou GIANT Computer Network Technology Co., Ltd in China.
LVL 11

Expert Comment

by:MajorBigDeal
ID: 39696691
http://whois.net/ip-address-lookup/

shows that address is:

ZhengZhou GIANT Computer Network Technology Co., Ltd
descr:          Room 701, Information Building NO.144 Garden Road,
descr:          Zhenzhou, Henan, P.R.China

Author Comment

by:FNDAdmin
ID: 39696714
Correct. The only reason I pasted a valid IP address into this forum is because it is NOT mine. It is the script kiddie hitting my box.

Thank you to those that did a WHOIS look up on it.

Carl, as soon as I posted that question I started a trace. I modified it to include the columns that were not selected by default. I'll let it run through the night and see what it comes up with in the morning.

I have since put in a request to my firewall guy to change the port 80 scope to allow USA based IP Address ranges only.
I'll provide an update tomorrow
LVL 11

Expert Comment

by:MajorBigDeal
ID: 39696773
I think your original question about why it did not show up in your web server logs is key.  I'd be concerned that they have already compromised your web server and are deleting the log entries or otherwise preventing them from showing up.  

I think it is good to limit to US addresses but that won't stop them.  For example, they could use a VPN service to make it look like they are in the US, and I'm sure they know other ways to get around it as well.
LVL 84

Assisted Solution

by: Dave Baldwin (earned 1332 total points)
ID: 39696813
I think they are going directly to your SQL Server which is on a different port than the web server.  Which is why it does not show in the web server logs.
LVL 11

Expert Comment

by:MajorBigDeal
ID: 39696856
If Dave is right and someone is able to issue requests directly from the internet to your SQL server that seems like a huge problem to me.   Maybe you can configure a whitelist on your sql server so that it only accepts traffic from localhost or other known authorized servers?

Author Comment

by:FNDAdmin
ID: 39697288
SQL, TCP1033, is not accessible from the Internet. Only port 80 is 'open'.
LVL 84

Assisted Solution

by: Dave Baldwin (earned 1332 total points)
ID: 39697328
You might want to double check that.  SQL Server can use multiple ports and 1433 is the 'standard' port.  1434 is used by the SQL Browser service if you have that enabled.

And the fact that the failed connection is from an IP address from China means that it is Not coming from your web server which would be on your IP address.
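Two checks you can run on the instance itself to "double check that", added here as an example and not from the thread: what the instance is actually listening on, and a per-source-address count of the failed logins in the current error log, which answers Carl's question of whether the attempts come from the web server, the SQL box itself, or the outside. It assumes SQL Server 2008 R2 as in the question, an error-log message in the format shown above, and an account with sysadmin (for xp_readerrorlog) and VIEW SERVER STATE.

```sql
-- Added example, not from the thread.

-- 1. The address and port this connection is using. Run it from a remote
--    client (for example the IIS box) to see the port the instance answers on;
--    a local shared-memory connection shows NULL for the addresses.
SELECT net_transport, local_net_address, local_tcp_port, client_net_address
FROM sys.dm_exec_connections
WHERE session_id = @@SPID;

-- 2. Every address/port the instance bound at startup, from the error log.
--    xp_readerrorlog args: log number (0 = current), log type (1 = SQL Server
--    log), first search string, optional second search string.
EXEC xp_readerrorlog 0, 1, N'Server is listening on';

-- 3. Failed logins per source address and login name in the current log.
CREATE TABLE #errlog (LogDate DATETIME, ProcessInfo NVARCHAR(50), [Text] NVARCHAR(MAX));
INSERT INTO #errlog
    EXEC xp_readerrorlog 0, 1, N'Login failed for user', N'CLIENT:';

SELECT x.ClientAddress, x.LoginName,
       COUNT(*)     AS Attempts,
       MIN(e.LogDate) AS FirstSeen,
       MAX(e.LogDate) AS LastSeen
FROM #errlog AS e
CROSS APPLY (SELECT
        CHARINDEX('[CLIENT: ', e.[Text]) AS cpos,                       -- '[CLIENT: ' is 9 chars
        CHARINDEX(']', e.[Text], CHARINDEX('[CLIENT: ', e.[Text]) + 1) AS cend,
        CHARINDEX('''', e.[Text]) AS q1,                                -- quotes around the login
        CHARINDEX('''', e.[Text], CHARINDEX('''', e.[Text]) + 1) AS q2) AS p
CROSS APPLY (SELECT
        CASE WHEN p.cpos > 0 AND p.cend > p.cpos + 9
             THEN SUBSTRING(e.[Text], p.cpos + 9, p.cend - p.cpos - 9) END AS ClientAddress,
        CASE WHEN p.q1 > 0 AND p.q2 > p.q1 + 1
             THEN SUBSTRING(e.[Text], p.q1 + 1, p.q2 - p.q1 - 1) END AS LoginName) AS x
WHERE x.ClientAddress IS NOT NULL AND x.LoginName IS NOT NULL
GROUP BY x.ClientAddress, x.LoginName
ORDER BY Attempts DESC;

DROP TABLE #errlog;
```

Reading the third result: an external address such as the one in the question means the port is reachable from the Internet regardless of what the firewall team believes; the web server's own address means the web application (or something on that box) is the source, which is the situation Animesh describes further down; "<local machine>" means a shared-memory connection on the SQL box itself. Only the current log is read (log number 0); pass 1, 2, ... for the archived logs, since the log is recycled on every service restart. Closing the port is the fix the thread arrived at; on top of that I would also disable the 'sa' login (ALTER LOGIN sa DISABLE) and have the application connect with its own least-privileged login, so a guessed password on 'sa' is worth nothing.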

Author Comment

by:FNDAdmin
ID: 39698294
I am sorry, I mis-typed. Our SQL Server is configured to use the standard/default port of 1433 for communications.

     I received information from our firewall people that SQL 1433 _WAS_ open to the Internet. I cannot believe they let that one slip by them. It has since been closed and the event logs are back to normal.

    Thank you all for your help.
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39698898
You're welcome, glad to help.  Thanks for the points.

Expert Comment

by:Animesh Kumar
ID: 41811990
We are facing the same problem (SQL 'sa' logon attempts) but it is coming from our Web Server. I am a System Admin. Kindly let me know how to resolve the problem.
