Years ago we someone attempted to compromise our server. We changed ports of sql, change accounts, disable sa define swl accounts specific for each application by separate and so on. After that all was fine but wince that dates until today in sporadic random cases we receive this kind kind of events id 18456 trying to access the masterdb:
Login failed for user 'school'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]
this is the sql profile trace where we can see not so much just say IIS and :
<Column id="64" name="SessionLoginName">school</Column>
<Column id="1" name="TextData">Login failed for user 'race'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]</Column>
<Column id="9" name="ClientProcessID">10844</Column>
<Column id="49" name="RequestID">0</Column>
<Column id="2" name="BinaryData">184800000E0000000C000000310034003900330033002D00370031003000370038000000070000006D00610073007400650072000000</Column>
Of course that use 'school' does not exist since years but existed years ago. We never found where is executed that attempt and sql profle like you say not say so much or what application inside the server is trying to access. How can we know form what app or how is trying to made that attempt?
Like a mentioned before that user "school" does not exist anymore since years but existed and whatever is trying to connect there thinks already exist. And this is a very random issue could happen in 2 days or 2 weeks or in a month. But like that user did not exist who knows what is this.