April 8, 2009 at 6:50 am
Hi guys,
I think we just had a Denial of Service attack.
All our logins were disabled for no apparent reason. The crisis has been averted, but I'd like to ask a few questions:
- Where can I see what/who did this? I've gone through Windows & SQL logs without any success. Is it maybe some sort of logging that has to be turned on?
- Will setting up alerts for logins/sec or failed logins/sec help catch this earlier?
- Any other ideas that might help prevent this?
Thanks a mil!
April 8, 2009 at 7:49 am
Was it your AD logins that were locked or your SQL logins?
If it was AD, that is one of the symptoms of one of the Conficker variants... It tries to brute force passwords and will lock out your AD accounts as it does it. I think that one was variant b but I don't recall exactly.
-Luke.
April 8, 2009 at 8:48 am
Nope - We just use SQL Logins
April 8, 2009 at 9:29 am
If you are auditing failed logins (which is the default) then you probably have errors in your SQL logs. You can also look at the default trace output in c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\*.trc (location may change depending on instance).
SQL logins should be locked based on invalid login attempts or direct admin action, although I did encounter a bug recently which occurred due to use of the password policy feature. The fix was to disable password policy, save, then re-enable. Check the logs/traces first though.
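An added example, not part of any post in this thread: one way to run the checks suggested above, reading the login audit events from the default trace and then comparing each SQL login's disabled flag with its lockout state. It assumes SQL Server 2005 or later with the default trace enabled, and a caller with permission to read traces and login metadata.

```sql
-- Added example; assumes the default trace is enabled (otherwise @path stays NULL
-- and the trace query fails).
DECLARE @path nvarchar(260);

-- Build <trace directory>\log.trc so that the rollover files still on disk
-- are read, not only the file currently being written.
SELECT @path = REVERSE(SUBSTRING(REVERSE([path]),
                       CHARINDEX(N'\', REVERSE([path])), 260)) + N'log.trc'
FROM sys.traces
WHERE is_default = 1;

-- 1) Login-related audit events recorded by the default trace:
--    failed logins, plus changes made to logins and who made them.
SELECT t.StartTime,
       te.name            AS event_name,
       t.LoginName,            -- login context the event ran under
       t.SessionLoginName,     -- login that opened the session
       t.TargetLoginName,      -- login that was acted on, when applicable
       t.HostName,
       t.ApplicationName,
       t.TextData
FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
JOIN sys.trace_events AS te
  ON te.trace_event_id = t.EventClass
WHERE te.name LIKE N'Audit%Login%'
ORDER BY t.StartTime;

-- 2) Current state of every SQL login. is_disabled = 1 is set by an
--    ALTER LOGIN ... DISABLE; IsLocked = 1 is a password-policy lockout
--    after repeated bad passwords.
SELECT name,
       is_disabled,
       is_policy_checked,
       LOGINPROPERTY(name, 'IsLocked')         AS is_locked,
       LOGINPROPERTY(name, 'BadPasswordCount') AS bad_password_count,
       LOGINPROPERTY(name, 'BadPasswordTime')  AS last_bad_password,
       LOGINPROPERTY(name, 'LockoutTime')      AS lockout_time,
       modify_date
FROM sys.sql_logins
ORDER BY modify_date DESC;
```

The default trace keeps only a few rollover files, so older events may already have been overwritten by the time the queries are run.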