Tracing IP address of external attack on Windows Server

Say, using software, I am able to ascertain which process and which port is being utilized in attacking the SQL Browser. I am unable to see the IP address of the attack. What software can I use, or what logs can I expect, or what other method can I use, to track down the offending IPs and then block them in the firewall? I need to keep the port open for the other software applications that need to access this.
Thanks, Shaun
shaunwingin Asked:

Felix Leven, Senior System and Database Administrator, Commented:
I recommend http://cyberarms.net/, because it will also expand the logging of IPs in the event log for further investigation.

Why does this need a 3rd party? Shame on M$!

Nice Demo from ELI here:
https://www.youtube.com/watch?v=uHOj2Nldox8
0
shaunwingin, Author, Commented:
Say the password has been hacked - I'm now trying to see the IP of the offender ... how, pls?
0
Felix Leven, Senior System and Database Administrator, Commented:
Check the Windows event log \ Security and look for suspicious entries (lots of denied login attempts, for example) -> if active

and

"Firewall.log": check the correct name in your Windows Firewall settings and look for suspicious entries (lots of connections from one IP, for example) -> if active in your firewall settings
0
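The firewall-log check suggested in the comment above, as an added example that is not part of the original thread or any commenter's code. It assumes Windows Firewall logging is enabled and writes the standard pfirewall.log layout with a "#Fields:" header; the sample log lines are constructed, and the function names and threshold are hypothetical.

```python
from collections import Counter

# Constructed sample in the Windows Firewall log layout (pfirewall.log).
# Addresses are documentation ranges, not data from the thread.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-10 10:00:01 ALLOW UDP 203.0.113.50 192.0.2.10 40001 1434 0 - - - - - - - RECEIVE
2024-01-10 10:00:01 ALLOW UDP 203.0.113.50 192.0.2.10 40002 1434 0 - - - - - - - RECEIVE
2024-01-10 10:00:02 ALLOW UDP 203.0.113.50 192.0.2.10 40003 1434 0 - - - - - - - RECEIVE
2024-01-10 10:00:02 ALLOW UDP 198.51.100.7 192.0.2.10 51000 1434 0 - - - - - - - RECEIVE
2024-01-10 10:00:03 ALLOW TCP 198.51.100.7 192.0.2.10 51001 1433 0 - 0 0 0 - - - RECEIVE
2024-01-10 10:00:04 ALLOW UDP 192.0.2.10 203.0.113.50 1434 40003 0 - - - - - - - SEND
"""

def sources_by_port(lines, port=1434, protocol="UDP"):
    """Count inbound packets per source IP for one destination port.

    The default is UDP 1434, the port SQL Server Browser listens on.
    """
    fields, counts = None, Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("path", "RECEIVE") != "RECEIVE":
            continue  # ignore the server's own outbound replies
        if row.get("protocol") == protocol and row.get("dst-port") == str(port):
            counts[row["src-ip"]] += 1
    return counts

def offenders(lines, threshold=3, **kw):
    """Source IPs with at least `threshold` hits, busiest first."""
    ranked = sources_by_port(lines, **kw).most_common()
    return [(ip, n) for ip, n in ranked if n >= threshold]

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{n}")
```

The addresses it returns are the candidates for a firewall block rule scoped to that port, which keeps the port open for the legitimate clients.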
shaunwingin, Author, Commented:
No firewall log, only application, security etc.
It's currently connected - where can I see in SQL who's connected?
0
Felix Leven, Senior System and Database Administrator, Commented:
You can use sp_who stored procedure.

SQL Management Studio -> new query

sp_who

and run it.
0
shaunwingin, Author, Commented:
Still doesn't show their IP, only a hostname...
0
shaunwingin, Author, Commented:
The program sqlbrowser.exe had the usage against it.
0
John, Business Consultant (Owner), Commented:
What about CommView (tamos.net)? I use this. It shows the incoming IP address and name as well. I also have SmartWhois (also by Tamos). Click on an IP in CommView and you can bring up who it belongs to.

Wireshark comes close and is free.
0
btan, Exec Consultant, Commented:
The IP should be available from SQL Server traces through SQL Profiler, but this is assuming the attack is coming into the SQL Server.
http://blogs.technet.com/b/nettracer/archive/2010/10/05/sql-browser-may-not-be-reachable-through-firewalls-when-it-runs-on-a-cluster.aspx

Another, as mentioned, is Wireshark (tracking UDP port 1434), as stated below.
http://internationaldatascience.com/using-wireshark-to-viewtrack-sql-server-browser-traffic/

If it is the web apps talking to SQL Server, then it is the HTTP packet that may be more useful, and HTTP header fields like X-Forwarded-For are used to see the client IP (assuming the FW or intermediate proxy inserts it and other connecting proxies do not remove it).
0
shaunwingin, Author, Commented:
Tx. I've killed sqlbrowser.exe and attack traffic has ceased.
What is the program? It seems non-essential - my clients are still working OK on SQL.
0
Dave Baldwin, Fixer of Problems, Commented:
'sqlbrowser.exe' is used to connect clients to SQL "named instances" instead of IP addresses.
0
btan, Exec Consultant, Commented:
As practice, either hide SQL Server instances or disable the SQL Server Browser service. You can catch the lockdown practices in http://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/
0
