
Thread: lot of login failed for user 'sa'(root,admin...)

  1. #1
    Join Date
    Mar 2004
    Posts
    9

    lot of login failed for user 'sa'(root,admin...)

    I have recently noticed in our SQL Profiler that there are a lot of "login failed for user 'sa'" events (as well as for admin, root, sql, database, etc.). I don't know why it is happening. I would like to know how to prevent this type of attack and any solution to solve this.

  2. #2
    Join Date
    Sep 2002
    Posts
    5,938
    You can enable SQL auditing to trace where those connections came from.

  3. #3
    Join Date
    Sep 2002
    Location
    Fantasy
    Posts
    4,254
    Preventing: Change the SQL password to a complex combination of numbers every month.

    Like this:

    CA8BF97A43E2

    Run a security audit from Profiler and capture the hostname. Then take the necessary action.

  4. #4
    Join Date
    Mar 2004
    Posts
    9
    Thanks ya,
    I set the auditing level to "all"; I need to know how to trace the audit event.

    Also, from the profiler, the application name seems to be OSQL.

  5. #5
    Join Date
    Sep 2002
    Location
    Fantasy
    Posts
    4,254
    Open Profiler - New trace - select the server - click on the "Events" tab. Select only Security - click on the "Data Columns" tab and select "databasename", "hostname", "databaseusername" and all relevant columns,
    and click "RUN".

  6. #6
    Join Date
    Mar 2004
    Posts
    9
    Adding to this,
    we are running SQL Server 7.0 and I am not sure how to get the hostname.
    Also, it seems the failed login attempts stopped after running for 24 hours; I don't know why or how.

  7. #7
    Join Date
    Sep 2002
    Posts
    5,938
    SQL auditing logs events in the Windows application event log.

  8. #8
    Join Date
    Mar 2004
    Posts
    9
    Thanks again,

    The failed login attempts have started again. This time I used the 2000 Profiler to trace the hostname.
    Finally I got the hostname, but then how do I find the IP address of a hostname which doesn't have any extension like .com, .net...? Any ideas?

  9. #9
    Join Date
    Sep 2002
    Posts
    5,938
    Run 'ping host_name' at a DOS prompt.

  10. #10
    Join Date
    Mar 2004
    Posts
    9
    I tried to ping the hostname, but got no result... I think it needs some extension like .net, .com, etc.

    Is it possible to get the IP address using a profiler trace?

  11. #11
    Join Date
    Sep 2002
    Posts
    5,938
    Don't think you can trace the IP address. Is your SQL Server on the internet? Does the host name have the same naming convention as on your network?

  12. #12
    Join Date
    Mar 2004
    Posts
    9
    Yes, it is on the internet and has the same name.

  13. #13
    Join Date
    Sep 2002
    Posts
    5,938
    You may find related info in the firewall log, or set up a network trace to get it.

  14. #14
    Join Date
    Mar 2003
    Location
    Woking, UK
    Posts
    152
    Maybe the hostname really doesn't exist.
    Look at this example of how the hostname can be changed when you are connecting:

    c:\>osql -SSQLServer -Hfind_me -Usa -P"i try this pwd"

    In Profiler you get only this:
    HostName - find_me
    TextData - Login failed for user 'sa'.
    You Have To Be Happy With What You Have To Be Happy With (KC)
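
An added example, not part of any post in this thread: one way to summarize failed logins from exported Profiler rows, grouping by the HostName column and flagging a label that tries several different account names. The `(HostName, TextData)` tuple shape, the function name and the sample rows are assumptions made for illustration; only the `Login failed for user '...'` text comes from the thread.

```python
import re
from collections import defaultdict

# Matches the TextData shown in the thread: Login failed for user 'sa'.
FAILED = re.compile(r"Login failed for user '([^']*)'")

def summarize_failed_logins(rows, min_users=3):
    """Group failed logins by the HostName column of exported trace rows.

    rows: iterable of (HostName, TextData) tuples (assumed export shape).
    HostName is supplied by the client (osql -H sets it), so it is only a
    grouping label for the trace, not proof of where a connection came from.
    The real source address has to come from firewall or network logs.
    """
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for host, text in rows:
        m = FAILED.search(text or "")
        if not m:
            continue  # not a failed-login event
        # Normalize case and whitespace so FIND_ME and find_me group together.
        key = (host or "").strip().lower() or "<blank>"
        stats[key]["attempts"] += 1
        stats[key]["users"].add(m.group(1).lower())
    return {
        host: {
            "attempts": s["attempts"],
            "users": sorted(s["users"]),
            # Several different account names under one label looks like
            # guessing, not one person mistyping a password.
            "guessing": len(s["users"]) >= min_users,
        }
        for host, s in stats.items()
    }

# Constructed sample rows (not taken from the poster's server).
SAMPLE_ROWS = [
    ("find_me", "Login failed for user 'sa'."),
    ("find_me", "Login failed for user 'admin'."),
    ("find_me", "Login failed for user 'root'."),
    ("FIND_ME", "Login failed for user 'sa'."),
    ("APPSRV01", "Login failed for user 'reports'."),
    ("APPSRV01", "select 1"),
    ("", "Login failed for user 'sql'."),
]

if __name__ == "__main__":
    for host, info in sorted(summarize_failed_logins(SAMPLE_ROWS).items()):
        print(host, info)
```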

  15. #15
    Join Date
    Mar 2004
    Posts
    9
    Then what is the real way to avoid people using queries from osql trying to log in to the SQL Server (other than TCP port 1433), even if the password is secured?
    And also, is there any way to block them if they try to connect through osql?
