August 26, 2010 at 8:48 am
The failed audit log on an sql 2005 server has recently started showing a continuous series of failed login attempts (error 18456) to the server from a client machine. The logins to the server (master db) start as soon as the client machine is powered up and continue every 121 seconds indefinitely.
The security log and trace info show that the machine is attempting to login to the server with the domain machine name as the login.
So far we have been unable to find what service/process on the client machine is trying to connect to the sql server. We have tried disabling services selectively and even terminating active processes to try to find the source. Task scheduler has also been checked.
The client machine has sql 2005 client tools installed, but does not have the db engine installed so there are no agent jobs running.
Any advice on how to find the process that is attempting this connection would be appreciated. Is there a way to trace from the client side what process is attempting to connect to sql server?
Thanks
Tim Harding
DBA
Tim
August 30, 2010 at 9:42 am
Try running the profiler and check for Audit failed. Maybe it could throw more light on your scenario. I hope you do not have any Shell command running from that client.
-Roy
August 31, 2010 at 7:37 am
Can you identify when the logins first started, and then tie that back to some event on the client (e.g. software install, configuration change, etc)? If you can identify both those, you should have a handle on what process is trying to login.
August 31, 2010 at 10:11 am
Hi,
Is SSMS running on the PC (say under an account which does not have permissions on that particular SQL Server)? I had a lot of login messages logged on the instances I had set up as targets while using SSMS 2005. (Doesn't seem to happen with 2008 though.) I found an MS kb article once about how to alter the polling behaviour, but have not been able to find it again.
HTH
August 31, 2010 at 11:35 am
Thanks to all for your suggestions.
We eventually found a service running in the background for an old data warehouse product (Wherescape Red) that had started up and was trying to connect to the server. We're not sure how this service got started up again since the product was uninstalled, but at least we were able to find and stop the login attempts.
The service was cryptically named so I ended up just shutting down services one at a time until the login attempts stopped.
Thanks
Tim
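Added example, not part of the original thread: one way to answer the client-side tracing question is to poll the client's TCP table for connections to the SQL Server port and resolve each one to its owning process and any Windows service hosted in that process. It assumes the default port 1433, an elevated prompt, and a client with the `Get-NetTCPConnection` cmdlet (Windows 8 / Server 2012 or later); the parameter names are illustrative.

```powershell
# Added example: map outbound SQL Server connections to process and service.
# Assumptions: default instance port 1433; run elevated on the client machine.
param(
    [int]$SqlPort = 1433,          # assumed port; change for a named instance
    [int]$DurationSeconds = 300,   # long enough to span two 121-second cycles
    [int]$IntervalMs = 250         # poll quickly; failed logins close fast
)

$seen = @{}
$deadline = (Get-Date).AddSeconds($DurationSeconds)

while ((Get-Date) -lt $deadline) {
    $conns = Get-NetTCPConnection -RemotePort $SqlPort -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        # Sockets in TIME_WAIT are owned by PID 0 and carry no process info.
        if ($c.OwningProcess -eq 0) { continue }

        $key = "$($c.OwningProcess)|$($c.RemoteAddress)"
        if ($seen.ContainsKey($key)) { continue }

        $filter = "ProcessId = $($c.OwningProcess)"
        $proc = Get-CimInstance Win32_Process -Filter $filter
        # A login under the machine account points at a service running as
        # LocalSystem or NetworkService, so list services hosted in this PID.
        $svcs = Get-CimInstance Win32_Service -Filter $filter

        $seen[$key] = [pscustomobject]@{
            FirstSeen   = Get-Date
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            State       = $c.State
            ProcessId   = $c.OwningProcess
            Executable  = $proc.ExecutablePath
            Services    = ($svcs.Name -join ', ')
            ServicePath = ($svcs.PathName -join '; ')
            RunsAs      = ($svcs.StartName -join ', ')
        }
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# One record per process/server pair, in the order they were first observed.
$seen.Values | Sort-Object FirstSeen | Format-List
```

The `ServicePath` column shows the binary behind a cryptically named service, which identifies leftover components of an uninstalled product without stopping services one at a time.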