Solved

Tracing IP address of external attack on Windows Server

Posted on 2014-11-11
13
330 Views
Last Modified: 2014-11-20
Say, using software, I am able to ascertain which process and which Port is being utilized in attacking the SQL Browser. I am unable to see the IP address of the attack. What software can I use or logs can I expect or other method, can I use to track down the offending IPs and then block them in the Firewall. I need to keep the Port open for the other software applications that need to access this. Thanks, Shaun
0
Comment
Question by:shaunwingin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40434697
I recommend http://cyberarms.net/, because it will also expand the logging of IP's in the eventlog for further Investigation.

Why this needs 3rd Party ? Shame on M$ !

Nice Demo from ELI here:
https://www.youtube.com/watch?v=uHOj2Nldox8
0
 

Author Comment

by:shaunwingin
ID: 40434834
Say, the password has been hacked - I'm now trying to see ip of the offender ... how pls?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434848
check the Windows eventlog \ security and look for suspicious entrys (lots of denied Login attemps for example)-> if active

and

"Firewall.log" check the correct Name in your Windows firwall Settings and look for suspicious entrys (lots of Connections from one IP for example)-> if active in your Firewall settings
0
Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

 

Author Comment

by:shaunwingin
ID: 40434875
No Firewall Log. only appliucation, seccurity etc.
Its currently connected - where can I see in SQL who's connected?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434918
You can use sp_who stored procedure.

SQL Management Studio -> new query

sp_who

and run it.
0
 

Author Comment

by:shaunwingin
ID: 40434965
Still doesn't show their ip only a hostname...
0
 

Author Comment

by:shaunwingin
ID: 40434966
The program sqlbrowser.exe had the usage against it.
0
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 40436443
What about Comm View (tamos.net). I use this. It shows incoming IP address and Name as well. I also have Smart Whois (also by tamos). Click on an IP in Comm View and you can bring up who it belongs to.

Wire Shark comes close and is free.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 200 total points
ID: 40436697
IP should be available from SQL server traces though SQL Profiler but this is assuming the attack is coming into the SQL server.
http://blogs.technet.com/b/nettracer/archive/2010/10/05/sql-browser-may-not-be-reachable-through-firewalls-when-it-runs-on-a-cluster.aspx

another as mentioned is wireshark (tracking udp port 1434) as stated below.
http://internationaldatascience.com/using-wireshark-to-viewtrack-sql-server-browser-traffic/

If it is at the web apps talking to SQL server then it is the HTTP packet that may be more useful and HTTP header fields like X-Forwarded-For is used to see client ip (assuming the FW or intermediate proxy insert and other connecting proxy does not remove that)
0
 

Author Comment

by:shaunwingin
ID: 40439316
tx. Ive killed sqlbrowser.exe
and attack traffic has ceased.
What is the program - seems non essential - my clients still working ok on SQL.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40439323
'sqlbrowser.exe' is used to connect clients to SQL "named instances" instead of IP addresses.
0
 
LVL 64

Accepted Solution

by:
btan earned 200 total points
ID: 40439691
as practice, either hide SQL Server instances or disable the SQL Server Browser service. You can catch the lockdown practices in http://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

687 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question