July 6, 2004 at 9:52 pm
Anyone with ideas as to what hacktool, other than SQLck.exe, is used to attempt to remotely discover the user names and passwords of an SQL server would assist me greatly in working with my client to remedy this issue.
Background: One DB server today received 6000 Failed Login Attempts in 150 minutes. The pattern is that the SQL Authenticated Logins that fail are always one of the following:
1. SA or sa
2. User
3. Admin or Administrator
4. User
5. Root
Created a SQL profiler that audited Failed Logins and gained information on the HOSTNAME; however, I checked the device for the SQLck.exe file and it was not found, nor did Norton AV show a HACKTOOL.SQLCK file. Again, any assistance or direction in finding additional file names that may spawn a similar process would assist in tracking the file(s) down to be removed.
Thanks for any comments!
Jbabington
Jbabington@hotmail.com
July 6, 2004 at 10:08 pm
Did you track the application name? Also, did you look at the ClientProcessID and see if there was a pattern there.
Derrick Leggett
Mean Old DBA
When life gives you a lemon, fire the DBA.
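The check suggested in the reply above, written out as an added example (not code from any poster in this thread): it groups Audit Login Failed rows by HostName, ApplicationName and ClientProcessID and flags sources with a burst of failures. It assumes the Profiler trace was exported to CSV with those data columns; the host names, timestamps and thresholds are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not from the thread): Audit Login Failed events
# exported from a Profiler trace to CSV.
SAMPLE_TRACE = """StartTime,LoginName,HostName,ApplicationName,ClientProcessID
2004-07-06 19:00:01,sa,WKSTN-07,,1432
2004-07-06 19:00:02,Admin,WKSTN-07,,1432
2004-07-06 19:00:03,root,WKSTN-07,,1432
2004-07-06 19:00:04,User,WKSTN-07,,1432
2004-07-06 19:00:05,Administrator,WKSTN-07,,1432
2004-07-06 19:00:06,SA,WKSTN-07,,1432
2004-07-06 19:03:10,jsmith,WKSTN-12,Query Analyzer,2208
2004-07-06 19:40:44,jsmith,WKSTN-12,Query Analyzer,2208
"""

def summarize_failed_logins(csv_text, window=timedelta(minutes=5), threshold=5):
    """Group failures by (HostName, ApplicationName, ClientProcessID) and flag
    sources whose densest time window holds at least `threshold` failures."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["HostName"], row["ApplicationName"], row["ClientProcessID"])
        when = datetime.strptime(row["StartTime"], "%Y-%m-%d %H:%M:%S")
        groups[key].append((when, row["LoginName"].lower()))
    report = []
    for key, events in groups.items():
        events.sort()
        times = [t for t, _ in events]
        peak, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report.append({
            "source": key,
            "failures": len(events),
            "distinct_logins": sorted({name for _, name in events}),
            "peak_in_window": peak,
            "flagged": peak >= threshold,
        })
    return sorted(report, key=lambda r: -r["failures"])

if __name__ == "__main__":
    for entry in summarize_failed_logins(SAMPLE_TRACE):
        print(entry)
```

A single host and process ID cycling through several generic login names in a short window stands out from a user who mistypes one password twice.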
July 6, 2004 at 10:19 pm
Yes, I set all the data columns to grab all related information, which includes application name and ClientProcessID, which shows no pertinent data. However, to verify (test scenario) I did run a few test login failures of my own first. My interest is if anyone is familiar with any newer iterations of the SQLCK.EXE or HACKTOOL.SQLCK that are not being picked up with Norton AV, and if they had file name(s) I could do a file search with N-AV.
Thanks!
Jbabington
Jbabington@hotmail.com
July 8, 2004 at 5:02 am
As if you already didn't have this one bookmarked
/rockmoose
You must unlearn what You have learnt