weird login failure user name

  • We recently had a couple login failed messages in SQL Server 2008R2. They occurred around the time that the transaction log backup started. They are for a weird user name:

    Login failed for user 'pDfmqf2QeGLorbWLKor1mw=='. Reason : Could not find a login matching the name provided. [CLIENT: <local machine>] Error: 18456, Severity: 14, State: 5

    Any ideas what this is from?

    Thanks.

  • that string is the base64 conversion of some string or value; i recongnize the format and the double equal signs at the end.

    i tried running it through an online decoder like this site:

    http://www.string-functions.com/base64decode.aspx but it didn't convert prettily, but i'm pretty sure that what you ar eseeing; maybe a website is mashing the string up, or it's obfuscated in a config file and was not de-obfuscated when it was used to build a connection string?

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Can you explain the obsfuscated de-obfuscated a little more? How can I tell where this login attempt is coming from? The last 3 days the timing of it has changed. It was happening at 2pm and 3am. Now on Sat,Sun and Mon it happened at 5am.

    Thanks again for any ideas.

  • well, a web.config file or application.config, if it was using a SQL login, might have something like this in it:

    <connectionStrings>

    <add name="generateInterfaceFile.Properties.Settings.GlobalNetV1ConnectionString"

    connectionString="Data Source=gdc-sql-d01;Initial Catalog=T_ScanNet;User ID=myapplicationuser;Password=NotTheRealPassword"

    providerName="System.Data.SqlClient" />

    </connectionStrings>

    a developer who doesn't like plain text strings in the ini/config files might change the plaintext password "NotTheRealPassword" to be a base64 string that has to be un-base64'd to use it.

    <connectionStrings>

    <add name="generateInterfaceFile.Properties.Settings.GlobalNetV1ConnectionString"

    connectionString="Data Source=gdc-sql-d01;Initial Catalog=T_ScanNet;User ID=pDfmqf2QeGLorbWLKor1mw==;Password=pDfmqf2QeGLorbWLKor1mw=="

    providerName="System.Data.SqlClient" />

    </connectionStrings>

    if that were true, it would be probably that a code change is forgetting to un-base64 the value,a dn so you see the base64 string instead.

    since this error started, did anyone deploy an application or change an application that connects to the db? is anyone complaining that their new app isn't working,and it's the DBA's fault?(my favorite)

    since the error says [CLIENT: <local machine>] Error: 18456, Severity: 14, State: 5, it's either a scheduled task, ssis job step, or a web site that exists ON the sql server that is raising the error.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • THere are no scheduled tasks on the server at the times we receive the login failure. No SSIS packages, no SQL Agent jobs at these times either. I don't think there are any Web apps on this server either. This is quite the mystery. It certainly seems like a schedlied event, but I don't know where else to look. I'm not a server administrator but have asked our srever admins to check and they don't see anything.

    Thanks for your help. If anything else occurs to you please share!

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply