Solved

Tracing IP address of external attack on Windows Server

Posted on 2014-11-11
13
320 Views
Last Modified: 2014-11-20
Say, using software, I am able to ascertain which process and which Port is being utilized in attacking the SQL Browser. I am unable to see the IP address of the attack. What software can I use or logs can I expect or other method, can I use to track down the offending IPs and then block them in the Firewall. I need to keep the Port open for the other software applications that need to access this. Thanks, Shaun
0
Comment
Question by:shaunwingin
  • 5
  • 3
  • 2
  • +2
13 Comments
 
LVL 13

Expert Comment

by:Felix Leven
ID: 40434697
I recommend http://cyberarms.net/, because it will also expand the logging of IP's in the eventlog for further Investigation.

Why this needs 3rd Party ? Shame on M$ !

Nice Demo from ELI here:
https://www.youtube.com/watch?v=uHOj2Nldox8
0
 

Author Comment

by:shaunwingin
ID: 40434834
Say, the password has been hacked - I'm now trying to see ip of the offender ... how pls?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434848
check the Windows eventlog \ security and look for suspicious entrys (lots of denied Login attemps for example)-> if active

and

"Firewall.log" check the correct Name in your Windows firwall Settings and look for suspicious entrys (lots of Connections from one IP for example)-> if active in your Firewall settings
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 

Author Comment

by:shaunwingin
ID: 40434875
No Firewall Log. only appliucation, seccurity etc.
Its currently connected - where can I see in SQL who's connected?
0
 
LVL 13

Assisted Solution

by:Felix Leven
Felix Leven earned 200 total points
ID: 40434918
You can use sp_who stored procedure.

SQL Management Studio -> new query

sp_who

and run it.
0
 

Author Comment

by:shaunwingin
ID: 40434965
Still doesn't show their ip only a hostname...
0
 

Author Comment

by:shaunwingin
ID: 40434966
The program sqlbrowser.exe had the usage against it.
0
 
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 100 total points
ID: 40436443
What about Comm View (tamos.net). I use this. It shows incoming IP address and Name as well. I also have Smart Whois (also by tamos). Click on an IP in Comm View and you can bring up who it belongs to.

Wire Shark comes close and is free.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 200 total points
ID: 40436697
IP should be available from SQL server traces though SQL Profiler but this is assuming the attack is coming into the SQL server.
http://blogs.technet.com/b/nettracer/archive/2010/10/05/sql-browser-may-not-be-reachable-through-firewalls-when-it-runs-on-a-cluster.aspx

another as mentioned is wireshark (tracking udp port 1434) as stated below.
http://internationaldatascience.com/using-wireshark-to-viewtrack-sql-server-browser-traffic/

If it is at the web apps talking to SQL server then it is the HTTP packet that may be more useful and HTTP header fields like X-Forwarded-For is used to see client ip (assuming the FW or intermediate proxy insert and other connecting proxy does not remove that)
0
 

Author Comment

by:shaunwingin
ID: 40439316
tx. Ive killed sqlbrowser.exe
and attack traffic has ceased.
What is the program - seems non essential - my clients still working ok on SQL.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40439323
'sqlbrowser.exe' is used to connect clients to SQL "named instances" instead of IP addresses.
0
 
LVL 63

Accepted Solution

by:
btan earned 200 total points
ID: 40439691
as practice, either hide SQL Server instances or disable the SQL Server Browser service. You can catch the lockdown practices in http://www.mssqltips.com/sqlservertip/1946/overview-of-the-sql-server-browser-service/
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question