Solved

Tracing IP address of external attack on Windows Server

Posted on 2014-11-11
13
326 Views
Last Modified: 2014-11-20
Say, using software, I am able to ascertain which process and which Port is being utilized in attacking the SQL Browser. I am unable to see the IP address of the attack. What software can I use or logs can I expect or other method, can I use to track down the offending IPs and then block them in the Firewall. I need to keep the Port open for the other software applications that need to access this. Thanks, Shaun
0
Comment
Question by:shaunwingin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40434697
I recommend http://cyberarms.net/, because it will also expand the logging of IP's in the eventlog for further Investigation.

Why this needs 3rd Party ? Shame on M$ !

Nice Demo from ELI here:
https://www.youtube.com/watch?v=uHOj2Nldox8
0
 

Author Comment

by:shaunwingin
ID: 40434834
Say, the password has been hacked - I'm now trying to see ip of the offender ... how pls?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434848
check the Windows eventlog \ security and look for suspicious entrys (lots of denied Login attemps for example)-> if active

and

"Firewall.log" check the correct Name in your Windows firwall Settings and look for suspicious entrys (lots of Connections from one IP for example)-> if active in your Firewall settings
0
Are You Ransomware's Next Victim?

Worried about ransomware attacks hitting your organization?  The good news is that these attacks are predicable and therefore preventable. Learn more about how you can  stop a ransomware attacks before encryption takes place with WatchGuard Total Security!

 

Author Comment

by:shaunwingin
ID: 40434875
No Firewall Log. only appliucation, seccurity etc.
Its currently connected - where can I see in SQL who's connected?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434918
You can use sp_who stored procedure.

SQL Management Studio -> new query

sp_who

and run it.
0
 

Author Comment

by:shaunwingin
ID: 40434965
Still doesn't show their ip only a hostname...
0
 

Author Comment

by:shaunwingin
ID: 40434966
The program sqlbrowser.exe had the usage against it.
0
 
LVL 95

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 40436443
What about Comm View (tamos.net). I use this. It shows incoming IP address and Name as well. I also have Smart Whois (also by tamos). Click on an IP in Comm View and you can bring up who it belongs to.

Wire Shark comes close and is free.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 200 total points
ID: 40436697
IP should be available from SQL server traces though SQL Profiler but this is assuming the attack is coming into the SQL server.
http://blogs.technet.com/b/nettracer/archive/2010/10/05/sql-browser-may-not-be-reachable-through-firewalls-when-it-runs-on-a-cluster.aspx

another as mentioned is wireshark (tracking udp port 1434) as stated below.
http://internationaldatascience.com/using-wireshark-to-viewtrack-sql-server-browser-traffic/

If it is at the web apps talking to SQL server then it is the HTTP packet that may be more useful and HTTP header fields like X-Forwarded-For is used to see client ip (assuming the FW or intermediate proxy insert and other connecting proxy does not remove that)
0
 

Author Comment

by:shaunwingin
ID: 40439316
tx. Ive killed sqlbrowser.exe
and attack traffic has ceased.
What is the program - seems non essential - my clients still working ok on SQL.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40439323
'sqlbrowser.exe' is used to connect clients to SQL "named instances" instead of IP addresses.
0
 
LVL 63

Accepted Solution

by:
btan earned 200 total points
ID: 40439691
as practice, either hide SQL Server instances or disable the SQL Server Browser service. You can catch the lockdown practices in http://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/
0

Featured Post

Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CCNP Exam question 6 35
mssql 7 32
Active directory DNS integrated question? 7 41
T-SQL: need to reset a declared variable 4 29
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
This article shows gives you an overview on SQL Server 2016 row level security. You will also get to know the usages of row-level-security and how it works
Via a live example, show how to extract insert data into a SQL Server database table using the Import/Export option and Bulk Insert.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question