Solved

SQL Login attempts

Posted on 2016-09-01
Last Modified: 2016-09-02
Years ago someone attempted to compromise our server. We changed the SQL ports, changed accounts, disabled sa, defined SQL accounts specific to each application separately, and so on. After that all was fine, but since those dates until today, in sporadic random cases, we receive this kind of event ID 18456 trying to access the master DB:

Login failed for user 'school'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]

This is the SQL Profiler trace, where we cannot see much; it just says IIS and:

      <Column id="64" name="SessionLoginName">school</Column>
      <Column id="1" name="TextData">Login failed for user 'race'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]</Column>
      <Column id="9" name="ClientProcessID">10844</Column>
      <Column id="49" name="RequestID">0</Column>
      <Column id="2" name="BinaryData">184800000E0000000C000000310034003900330033002D00370031003000370038000000070000006D00610073007400650072000000</Column>
Of course that user 'school' has not existed for years, but it existed years ago. We never found where that attempt is executed, and SQL Profiler, as you say, does not say much about what application inside the server is trying to access. How can we know from what app, or how, that attempt is being made?

Like I mentioned before, that user "school" has not existed for years, but it existed, and whatever is trying to connect thinks it still exists. And this is a very random issue; it could happen in 2 days or 2 weeks or in a month. But since that user did not exist, who knows what this is.
0
Question by:Alex E.
7 Comments
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 250 total points
ID: 41780559
If you run a SQL Profiler trace, make sure the Application Name and "Host Name" columns are selected, as that will show you from where that is made. You can also add an audit trigger at server level and log all these attempts into a table - let me find some code sample for you.

"And this is a very random issue could happen in 2 days or 2 weeks or in a month." - my guess is this is some service or scheduled task that wakes up and runs something every now and then.

So these are a few quick examples of how you can add a DDL login audit trigger and log the info you need - you can/should filter its action for the "school" login only:

https://ermahblerg.com/2012/11/07/logon-auditing-in-sql-server/
Someone posted an identical one here: http://www.sqlfingers.com/2016/07/using-sql-server-logon-trigger.html and if you look at the comments you can see how to add a filter so only a specific login is audited and logged.
0
 

Author Comment

by:Alex E.
ID: 41780606
Yes, it is random, but when it happens there are hundreds of attempts in that form.

Yes, in SQL Profiler I have enabled Application Name; it says "Internet Information Services" there, and in HostName it says "learncomputer", the last one being the name of our server. Then maybe the problem originates inside the same server, given that HostName shows the name of our server?
0
 
LVL 40

Expert Comment

by:lcohan
ID: 41780634
Indeed, if IIS is running on the same box as SQL, that's what you'll see, and it is likely to be some SQL injection from some page done by some (lo)user who had the login credentials at some point and may now be trying to get back in.
Or... just to not be paranoid - but you can't skip the security aspect - maybe just some old page/iframe import/export, report etc. module where this login was hard-coded.
0
 

Author Comment

by:Alex E.
ID: 41780684
Is there a tool or a way to scan the complete machine everywhere and look for that old SQL user name? We remember the old credentials; however, I ask because I think you are right and maybe it is something inside the server that executes in that random way. We looked through the whole registry for that user and nothing; we looked at the Task Scheduler and nothing, but we don't know how to search more deeply or where. I think detecting the app or service or whatever and deleting it will get this done. And we also changed the port of SQL a lot of times during this period, and after that the issue persists, so I suppose it is something that has the connection string or Windows login, because after changing the port the issue continues. If there were someone trying to scan for the new port, I doubt they would find it so fast, and I note that this user's credentials were a very old user, deleted totally, and if someone left something to attack, they are attacking a honey pot.
0
 
LVL 50

Accepted Solution

by:
Vitor Montalvão earned 250 total points
ID: 41781090
You have the computer name and the application name, and you even have the ClientProcessID.
When that happens, check in the Task Manager which process has that ID.
My guess is that it's something that you forgot to change years ago. Maybe an old website that is still active?
0
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 250 total points
ID: 41781581
Vitor is right on - Task Manager should be able to help figure out the process, but if that's just a w3wp shell, for instance, you're back to square one, so I would try using Process Monitor from Microsoft to get more detail about it:

https://blogs.technet.microsoft.com/appv/2008/01/24/process-monitor-hands-on-labs-and-examples/

This is a good tool to help debug this kind and other types of issues.
0
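The process lookup that Vitor and lcohan suggest, written out as an added PowerShell example (not code from this thread). It assumes it is run on the host shown in the trace's HostName column while the 18456 burst is happening (PIDs are reused once a process exits), and it relies on the IIS convention that w3wp.exe carries its application pool on the command line as -ap "PoolName".

```powershell
# Added example: resolve the ClientProcessID from the Profiler trace to a process,
# a hosting Windows service, and (for IIS worker processes) the application pool
# and the sites/applications bound to it. Run on the host named in the trace.
param(
    [Parameter(Mandatory)][int]$ClientPid,        # ClientProcessID column, e.g. 10844 in the trace above
    [string]$ExpectedHost = $env:COMPUTERNAME     # HostName column, e.g. learncomputer
)

if ($env:COMPUTERNAME -ne $ExpectedHost) {
    Write-Warning "Trace HostName is '$ExpectedHost' but this runs on '$env:COMPUTERNAME'; the PID only means something on that host."
}

# Win32_Process gives the image path and full command line, which Task Manager does not show by default.
$proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ClientPid"
if (-not $proc) {
    Write-Warning "No process with PID $ClientPid is running now; PIDs are reused, so capture while the failures are happening."
    return
}

[pscustomobject]@{
    Pid         = $proc.ProcessId
    Name        = $proc.Name
    Path        = $proc.ExecutablePath
    CommandLine = $proc.CommandLine
    ParentPid   = $proc.ParentProcessId
    Started     = $proc.CreationDate
} | Format-List

# If the PID belongs to a Windows service (an old service that wakes up periodically), it shows up here.
Get-CimInstance Win32_Service -Filter "ProcessId = $ClientPid" |
    Select-Object Name, DisplayName, PathName, StartMode | Format-List

# Every IIS worker process is w3wp.exe; the pool name sits in its command line as -ap "PoolName".
if ($proc.Name -ieq 'w3wp.exe' -and $proc.CommandLine -match '-ap\s+"([^"]+)"') {
    $pool = $Matches[1]
    Write-Host "IIS application pool: $pool"
    # With the WebAdministration module available, list what is bound to that pool
    # so the old web application (and its physical path) can be located and removed.
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    if (Get-Module WebAdministration) {
        Get-Website        | Where-Object applicationPool -eq $pool | Select-Object name, physicalPath
        Get-WebApplication | Where-Object applicationPool -eq $pool | Select-Object path, PhysicalPath
    }
}
```

Run it as `.\Resolve-ClientPid.ps1 -ClientPid 10844` (hypothetical file name) from an elevated prompt while the login failures are being logged; once the pool is known, its physical path is where a stale connection string with the old login would live.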
 

Author Closing Comment

by:Alex E.
ID: 41782212
Thank you for all the information. Going very deep, we found an old installation of OpenMeetings that left a configuration with the old user name. We found it with the PID.
0
