Someone's probing our network

  • Hello all,

    In the course of perusing our SQL logs for an unrelated issue, I came across a series of messages along the lines of "login failed for user <username>", where username is one of sa, database, god, guest, sql, boss, user, root, administrator, manager, master, admin, server, etc.

    For various historical reasons, none of which are currently defensible and something that is actually being rectified right now (sad how something like this has to be the prime motivator), our SQL server has been on the outside network.  All user and admin passwords are strong and the losebag who's doing this has not had any success yet.

    All our machines have been scanned for viruses & adware, we've changed our passwords, and reviewed our security procedures at large.  I've got a SQL trace going now to hopefully capture the hostname of the failed login attempts, hoping we can at least identify the machine doing the attack (if it's an internal infected machine). 

    Has anyone out there seen a similar kind of attack, based on the list of usernames above?  We have not had any success finding any info on this thus far.

    Also, in the course of doing all this, we've seen Microsoft Office logging in to our server as sa every 5 minutes.  Still can't figure out what's doing this or whether it's normal.  Doesn't seem to be doing anything as far as we can see, just seems kind of weird.

    Any thoughts would be appreciated.

    Vik

  • I've seen it before, but only for SA. We've used the IDS and firewall to block them and trace back, but it usually goes nowhere.

  • Thanks for the reply, Steve.

    As a general FYI, we're moving our SQL server inside this week.  The Microsoft Office login was a Server Office Extensions Timer service installed as part of SharePoint Team Services.  We had to install Office on our SQL (7) box for something related to DTS exports for Excel or some such nonsense a while ago.  Disabling the service took care of that.

    Vik
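
The log review described in this thread, as an added example that is not part of the original posts: it groups "login failed for user" messages by client and flags a client that cycles through many different usernames, which separates dictionary-style guessing from one application retrying a stale password. The log line layout, the `[CLIENT: ...]` suffix, the sample lines and the threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed line layout (constructed): timestamp, source, message, and an
# optional [CLIENT: <address>] suffix. Lines without the suffix are grouped
# under "unknown".
FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?:.*\[CLIENT: (?P<client>[^\]]+)\])?",
    re.IGNORECASE,
)

# Constructed sample log; addresses are documentation/private ranges.
SAMPLE_LOG = """\
2004-03-01 02:14:07.11 logon     Login failed for user 'sa'. [CLIENT: 203.0.113.9]
2004-03-01 02:14:08.40 logon     Login failed for user 'god'. [CLIENT: 203.0.113.9]
2004-03-01 02:14:09.72 logon     Login failed for user 'root'. [CLIENT: 203.0.113.9]
2004-03-01 02:14:11.05 logon     Login failed for user 'admin'. [CLIENT: 203.0.113.9]
2004-03-01 02:14:12.31 logon     Login failed for user 'boss'. [CLIENT: 203.0.113.9]
2004-03-01 02:15:00.00 logon     Login succeeded for user 'webapp'. [CLIENT: 10.0.0.25]
2004-03-01 02:20:00.10 logon     Login failed for user 'reports'. [CLIENT: 10.0.0.25]
2004-03-01 02:25:00.10 logon     Login failed for user 'reports'. [CLIENT: 10.0.0.25]
2004-03-01 02:30:44.90 logon     Login failed for user 'guest'.
"""

def summarize_failed_logins(text, distinct_user_threshold=4):
    """Return per-client failure stats; 'guessing' marks username cycling."""
    by_client = defaultdict(lambda: {"users": set(), "attempts": 0,
                                     "first": None, "last": None})
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful logins and unrelated messages
        rec = by_client[m.group("client") or "unknown"]
        rec["users"].add(m.group("user").lower())
        rec["attempts"] += 1
        rec["first"] = rec["first"] or m.group("ts")
        rec["last"] = m.group("ts")
    return {
        client: {"users": sorted(rec["users"]), "attempts": rec["attempts"],
                 "first": rec["first"], "last": rec["last"],
                 "guessing": len(rec["users"]) >= distinct_user_threshold}
        for client, rec in by_client.items()
    }

if __name__ == "__main__":
    for client, info in summarize_failed_logins(SAMPLE_LOG).items():
        print(client, info)
```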
