Alex E.
asked on
Sql Login attemps
Years ago we someone attempted to compromise our server. We changed ports of sql, change accounts, disable sa define swl accounts specific for each application by separate and so on. After that all was fine but wince that dates until today in sporadic random cases we receive this kind kind of events id 18456 trying to access the masterdb:
Login failed for user 'school'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]
this is the sql profile trace where we can see not so much just say IIS and :
<Column id="64" name="SessionLoginName">sc
<Column id="1" name="TextData">Login failed for user 'race'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]</Column>
<Column id="9" name="ClientProcessID">108
<Column id="49" name="RequestID">0</Column
<Column id="2" name="BinaryData">18480000
Of course that use 'school' does not exist since years but existed years ago. We never found where is executed that attempt and sql profle like you say not say so much or what application inside the server is trying to access. How can we know form what app or how is trying to made that attempt?
Like a mentioned before that user "school" does not exist anymore since years but existed and whatever is trying to connect there thinks already exist. And this is a very random issue could happen in 2 days or 2 weeks or in a month. But like that user did not exist who knows what is this.
Login failed for user 'school'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]
this is the sql profile trace where we can see not so much just say IIS and :
<Column id="64" name="SessionLoginName">sc
<Column id="1" name="TextData">Login failed for user 'race'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]</Column>
<Column id="9" name="ClientProcessID">108
<Column id="49" name="RequestID">0</Column
<Column id="2" name="BinaryData">18480000
Of course that use 'school' does not exist since years but existed years ago. We never found where is executed that attempt and sql profle like you say not say so much or what application inside the server is trying to access. How can we know form what app or how is trying to made that attempt?
Like a mentioned before that user "school" does not exist anymore since years but existed and whatever is trying to connect there thinks already exist. And this is a very random issue could happen in 2 days or 2 weeks or in a month. But like that user did not exist who knows what is this.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Indeed if IIS is running on the same box as SQL that's what you'll see and is likely to be some SQL injection from some page done by some (lo)user that had the login credentials at some point and now they may try to get back in.
Or..just to not be paranoic - but you can't skip the security aspect - maybe just some old page/iframe import/export, report etc module where this login was hard-coded.
Or..just to not be paranoic - but you can't skip the security aspect - maybe just some old page/iframe import/export, report etc module where this login was hard-coded.
ASKER
is there a tool or a way to scan the complete machine everywhere and look for that old sql user name? We remember the old credentials however I ask because I think you are right and maybe is something inside the server that executes in that random ways. We looked the whole register for that user and nothing we looked the task scheduler and nothing but we don't know how to search more deep or where. I think detecting the app or service or whatever and deleting this will be done. And we changed the port of sql also during the time a lot of times and agter that the issue persists then I suppose is something that has the connection string or windows login because after change the port continues the issue then if there is someone trying to scan new port find so fast I doubt and i make note this user credentials was a very old user deleted totally and if someone left something to attack they are attacking a honey pot.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for all information. Going very deep we found an old installation of openmeetings that left a configuration of the old user name. We found with the pid.
ASKER
Yes in SQL profiler I have enabled Application name it says there "Internet Information Services" and in HostName it says "learncomputer" the last one is the name of our server. Then the problem maybe is originated inside the same server for the HostName showing our name of our server?