Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Sql Login attemps

Posted on 2016-09-01
7
Medium Priority
?
96 Views
Last Modified: 2016-09-02
Years ago we someone attempted to compromise our server. We changed ports of sql, change accounts, disable sa define swl accounts specific for each application by separate and so on. After that all was fine but wince that dates until today in sporadic random cases we receive this kind kind of events id 18456 trying to access the masterdb:

Login failed for user 'school'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]

this is the sql profile trace where we can see not so much just say IIS and :

      <Column id="64" name="SessionLoginName">school</Column>
      <Column id="1" name="TextData">Login failed for user 'race'. Reason: Could not find a login matching the name provided. [CLIENT: 169.254.31.187]</Column>
      <Column id="9" name="ClientProcessID">10844</Column>
      <Column id="49" name="RequestID">0</Column>
      <Column id="2" name="BinaryData">184800000E0000000C000000310034003900330033002D00370031003000370038000000070000006D00610073007400650072000000</Column>
Of course that use 'school' does not exist since years but existed years ago. We never found where is executed that attempt and sql profle like you say not say so much or what application inside the server is trying to access. How can we know form what app or how is trying to made that attempt?

Like a mentioned before that user "school" does not exist anymore since years but existed and whatever is trying to connect there thinks already exist. And this is a very random issue could happen in 2 days or 2 weeks or in a month. But like that user did not exist who knows what is this.
0
Comment
Question by:Alex E.
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 1000 total points
ID: 41780559
If you run a SQL profiler make sure the Application Name and "Host Name" columns are selected as that will show you from where that is made. You can also add a Audit trigger at server level and log into a table all these attempts  - let me find some code sample for you.

" And this is a very random issue could happen in 2 days or 2 weeks or in a month." - my guess this is some service or scheduled tasks that wakes up and runs something every now and then

So these are few quick examples about how you can add a DDL login audit trigger and log the info you need - you can/should filter its action for "school" login only

https://ermahblerg.com/2012/11/07/logon-auditing-in-sql-server/
somone posted identical here: http://www.sqlfingers.com/2016/07/using-sql-server-logon-trigger.html and if you look at comments you can see how to add a filter so only specific login is audited and logged
0
 

Author Comment

by:Alex E.
ID: 41780606
Yes is a random but when happens there are hundred of attempts in that form.

Yes in SQL profiler I have enabled Application name it says there "Internet Information Services" and in HostName it says "learncomputer" the last one is the name of our server. Then the problem maybe is originated inside the same server for the HostName showing our name of our server?
0
 
LVL 40

Expert Comment

by:lcohan
ID: 41780634
Indeed if IIS is running on the same box as SQL that's what you'll see and is likely to be some SQL injection from some page done by some (lo)user that had the login credentials at some point and now they may try to get back in.
Or..just to not be paranoic - but you can't skip the security aspect - maybe just some old page/iframe import/export, report etc module where this login was hard-coded.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:Alex E.
ID: 41780684
is there a tool or a way to scan the complete machine everywhere and look for that old sql user name? We remember the old credentials however I ask because I think you are right and maybe is something inside the server that executes in that random ways. We looked the whole register for that user and nothing we looked the task scheduler and nothing but we don't know how to search more deep or where. I think detecting the app or service or whatever and deleting this will be done. And we changed the port of sql also during the time a lot of times and agter that the issue persists then I suppose is something that has the connection string or windows login because after change the port continues the issue then if there is someone trying to scan new port find so fast I doubt and i make note this user credentials was a very old user deleted totally and if someone left something to attack they are attacking a honey pot.
0
 
LVL 52

Accepted Solution

by:
Vitor Montalvão earned 1000 total points
ID: 41781090
You have the computer name and the application name and you even have the ClientProcessID.
When that happens check in the Task Manager with process has that ID.
My guess is that's something that you forgot to change years ago. Maybe an old website that still active?
0
 
LVL 40

Assisted Solution

by:lcohan
lcohan earned 1000 total points
ID: 41781581
Vitor is right on - Task manager should be able to help figure out the process but if thats just a w3sp shell for instance you're back to square one so I would try use Process Monitor from Microsoft to get more detail about it:

https://blogs.technet.microsoft.com/appv/2008/01/24/process-monitor-hands-on-labs-and-examples/

This is good tool to help debug this kind and other type of issues.
0
 

Author Closing Comment

by:Alex E.
ID: 41782212
Thank you for all information. Going very deep we found an old installation of openmeetings that  left a configuration of the old user name. We found with the pid.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question