Solved

Sql Login attemps

Posted on 2016-09-01
7
43 Views
Last Modified: 2016-09-02
Years ago we someone attempted to compromise our server. We changed ports of sql, change accounts, disable sa define swl accounts specific for each application by separate and so on. After that all was fine but wince that dates until today in sporadic random cases we receive this kind kind of events id 18456 trying to access the masterdb:

Login failed for user 'school'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]

this is the sql profile trace where we can see not so much just say IIS and :

      <Column id="64" name="SessionLoginName">school</Column>
      <Column id="1" name="TextData">Login failed for user 'race'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]</Column>
      <Column id="9" name="ClientProcessID">10844</Column>
      <Column id="49" name="RequestID">0</Column>
      <Column id="2" name="BinaryData">184800000E0000000C000000310034003900330033002D00370031003000370038000000070000006D00610073007400650072000000</Column>
Of course that use 'school' does not exist since years but existed years ago. We never found where is executed that attempt and sql profle like you say not say so much or what application inside the server is trying to access. How can we know form what app or how is trying to made that attempt?

Like a mentioned before that user "school" does not exist anymore since years but existed and whatever is trying to connect there thinks already exist. And this is a very random issue could happen in 2 days or 2 weeks or in a month. But like that user did not exist who knows what is this.
0
Comment
Question by:Alex E.
  • 3
  • 3
7 Comments
 
LVL 39

Assisted Solution

by:lcohan
lcohan earned 250 total points
Comment Utility
If you run a SQL profiler make sure the Application Name and "Host Name" columns are selected as that will show you from where that is made. You can also add a Audit trigger at server level and log into a table all these attempts  - let me find some code sample for you.

" And this is a very random issue could happen in 2 days or 2 weeks or in a month." - my guess this is some service or scheduled tasks that wakes up and runs something every now and then

So these are few quick examples about how you can add a DDL login audit trigger and log the info you need - you can/should filter its action for "school" login only

https://ermahblerg.com/2012/11/07/logon-auditing-in-sql-server/
somone posted identical here: http://www.sqlfingers.com/2016/07/using-sql-server-logon-trigger.html and if you look at comments you can see how to add a filter so only specific login is audited and logged
0
 

Author Comment

by:Alex E.
Comment Utility
Yes is a random but when happens there are hundred of attempts in that form.

Yes in SQL profiler I have enabled Application name it says there "Internet Information Services" and in HostName it says "learncomputer" the last one is the name of our server. Then the problem maybe is originated inside the same server for the HostName showing our name of our server?
0
 
LVL 39

Expert Comment

by:lcohan
Comment Utility
Indeed if IIS is running on the same box as SQL that's what you'll see and is likely to be some SQL injection from some page done by some (lo)user that had the login credentials at some point and now they may try to get back in.
Or..just to not be paranoic - but you can't skip the security aspect - maybe just some old page/iframe import/export, report etc module where this login was hard-coded.
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 

Author Comment

by:Alex E.
Comment Utility
is there a tool or a way to scan the complete machine everywhere and look for that old sql user name? We remember the old credentials however I ask because I think you are right and maybe is something inside the server that executes in that random ways. We looked the whole register for that user and nothing we looked the task scheduler and nothing but we don't know how to search more deep or where. I think detecting the app or service or whatever and deleting this will be done. And we changed the port of sql also during the time a lot of times and agter that the issue persists then I suppose is something that has the connection string or windows login because after change the port continues the issue then if there is someone trying to scan new port find so fast I doubt and i make note this user credentials was a very old user deleted totally and if someone left something to attack they are attacking a honey pot.
0
 
LVL 45

Accepted Solution

by:
Vitor Montalvão earned 250 total points
Comment Utility
You have the computer name and the application name and you even have the ClientProcessID.
When that happens check in the Task Manager with process has that ID.
My guess is that's something that you forgot to change years ago. Maybe an old website that still active?
0
 
LVL 39

Assisted Solution

by:lcohan
lcohan earned 250 total points
Comment Utility
Vitor is right on - Task manager should be able to help figure out the process but if thats just a w3sp shell for instance you're back to square one so I would try use Process Monitor from Microsoft to get more detail about it:

https://blogs.technet.microsoft.com/appv/2008/01/24/process-monitor-hands-on-labs-and-examples/

This is good tool to help debug this kind and other type of issues.
0
 

Author Closing Comment

by:Alex E.
Comment Utility
Thank you for all information. Going very deep we found an old installation of openmeetings that  left a configuration of the old user name. We found with the pid.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now