Solved

Tracing IP address of external attack on Windows Server

Posted on 2014-11-11
13
311 Views
Last Modified: 2014-11-20
Say, using software, I am able to ascertain which process and which Port is being utilized in attacking the SQL Browser. I am unable to see the IP address of the attack. What software can I use or logs can I expect or other method, can I use to track down the offending IPs and then block them in the Firewall. I need to keep the Port open for the other software applications that need to access this. Thanks, Shaun
0
Comment
Question by:shaunwingin
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40434697
I recommend http://cyberarms.net/, because it will also expand the logging of IP's in the eventlog for further Investigation.

Why this needs 3rd Party ? Shame on M$ !

Nice Demo from ELI here:
https://www.youtube.com/watch?v=uHOj2Nldox8
0
 

Author Comment

by:shaunwingin
ID: 40434834
Say, the password has been hacked - I'm now trying to see ip of the offender ... how pls?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434848
check the Windows eventlog \ security and look for suspicious entrys (lots of denied Login attemps for example)-> if active

and

"Firewall.log" check the correct Name in your Windows firwall Settings and look for suspicious entrys (lots of Connections from one IP for example)-> if active in your Firewall settings
0
 

Author Comment

by:shaunwingin
ID: 40434875
No Firewall Log. only appliucation, seccurity etc.
Its currently connected - where can I see in SQL who's connected?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434918
You can use sp_who stored procedure.

SQL Management Studio -> new query

sp_who

and run it.
0
 

Author Comment

by:shaunwingin
ID: 40434965
Still doesn't show their ip only a hostname...
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:shaunwingin
ID: 40434966
The program sqlbrowser.exe had the usage against it.
0
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 40436443
What about Comm View (tamos.net). I use this. It shows incoming IP address and Name as well. I also have Smart Whois (also by tamos). Click on an IP in Comm View and you can bring up who it belongs to.

Wire Shark comes close and is free.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 200 total points
ID: 40436697
IP should be available from SQL server traces though SQL Profiler but this is assuming the attack is coming into the SQL server.
http://blogs.technet.com/b/nettracer/archive/2010/10/05/sql-browser-may-not-be-reachable-through-firewalls-when-it-runs-on-a-cluster.aspx

another as mentioned is wireshark (tracking udp port 1434) as stated below.
http://internationaldatascience.com/using-wireshark-to-viewtrack-sql-server-browser-traffic/

If it is at the web apps talking to SQL server then it is the HTTP packet that may be more useful and HTTP header fields like X-Forwarded-For is used to see client ip (assuming the FW or intermediate proxy insert and other connecting proxy does not remove that)
0
 

Author Comment

by:shaunwingin
ID: 40439316
tx. Ive killed sqlbrowser.exe
and attack traffic has ceased.
What is the program - seems non essential - my clients still working ok on SQL.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40439323
'sqlbrowser.exe' is used to connect clients to SQL "named instances" instead of IP addresses.
0
 
LVL 62

Accepted Solution

by:
btan earned 200 total points
ID: 40439691
as practice, either hide SQL Server instances or disable the SQL Server Browser service. You can catch the lockdown practices in http://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.
Viewers will learn how to use the UPDATE and DELETE statements to change or remove existing data from their tables. Make a table: Update a specific column given a specific row using the UPDATE statement: Remove a set of values using the DELETE s…

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now