October 31, 2005 at 11:10 am
One of my data servers is the object of continual hack attempts. The offender is using osql to continually attempt to login using the sa login. I noticed this a few weeks ago by auditing failed login attempts in SQL Profiler. We've since implemented a hardware firewall to block all unauthorized access, but I'm still seeing attempts on this server. While I'm waiting on network admin to find a resolution, is there a way to locate the source of these attempts in SQL 2000? Is there a way to see what passwords they are trying on each attempt? We've had over 20,000 attempts in the last three hours.
October 31, 2005 at 12:22 pm
As OSQL.exe passes the host name, use SQL Profiler to track the event "Security Audit" --> "Audit Login Failed". For the columns, be sure to include "host name".
Perhaps the attack is coming from inside?
No
You might try posting in the SqlSecurity.com site or email Chip Andrews chip@sqlsecurity.com
SQL = Scarcely Qualifies as a Language
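As an added example (not from this thread or its posters), the same Profiler idea done as a server-side trace on SQL 2000: capture only "Audit Login Failed" (event class 20) with the host name, application name and login, then query the saved file to count attempts per source host. The trace file path is a placeholder; everything else uses the documented sp_trace_* procedures and trace column ids.

```sql
-- 1. Create a server-side trace that writes to a file (rollover enabled).
--    Path is a placeholder: SQL Server appends the .trc extension itself.
DECLARE @traceid INT, @rc INT, @on BIT
SET @on = 1
EXEC @rc = sp_trace_create @traceid OUTPUT, 2, N'C:\traces\login_failed', 50, NULL
IF @rc <> 0 RAISERROR('sp_trace_create failed with code %d', 16, 1, @rc)

-- 2. Capture event 20 (Audit Login Failed) with the columns that identify
--    the source: 1 TextData, 8 HostName, 10 ApplicationName, 11 LoginName,
--    9 ClientProcessID, 14 StartTime.
EXEC sp_trace_setevent @traceid, 20, 1,  @on
EXEC sp_trace_setevent @traceid, 20, 8,  @on
EXEC sp_trace_setevent @traceid, 20, 10, @on
EXEC sp_trace_setevent @traceid, 20, 11, @on
EXEC sp_trace_setevent @traceid, 20, 9,  @on
EXEC sp_trace_setevent @traceid, 20, 14, @on

-- 3. Start the trace (status 1 = start; 0 = stop, 2 = close and delete).
EXEC sp_trace_setstatus @traceid, 1
SELECT @traceid AS TraceId   -- keep this id to stop the trace later
GO

-- 4. After a few minutes, read the file back and rank the sources of the
--    failed 'sa' logins. osql sends the client host name, so HostName is
--    the column that answers "where is this coming from?".
SELECT HostName,
       ApplicationName,
       COUNT(*)       AS FailedAttempts,
       MIN(StartTime) AS FirstSeen,
       MAX(StartTime) AS LastSeen
FROM ::fn_trace_gettable(N'C:\traces\login_failed.trc', DEFAULT)
WHERE EventClass = 20
  AND LoginName = 'sa'
GROUP BY HostName, ApplicationName
ORDER BY FailedAttempts DESC
```

A host that reports thousands of attempts in a short window is the machine to look at first; an in-house monitoring tool typically shows up with a recognisable ApplicationName, whereas osql reports itself as such.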
November 1, 2005 at 1:06 am
It's almost certainly an internal user/process.
The profiler trace should tell you where it comes from - but also check the firewall logs.
Could it be some automated process that is trying to connect and has the wrong 'sa' password?
November 1, 2005 at 6:07 am
The number of connection attempts could be a malicious attack. Or it could be something like an in-house monitoring tool trying to check SQL Server health.
The suggestion about using Profiler to find the host being used for the connection request is good. If there is a valid reason for making these connections I suggest you get the thing configured so it does not need to use sa.
If you have a product like HPOV, Patrol, etc monitoring SQL it will attempt to connect many hundreds of times per day. We have our HPOV connecting using NT AUTHORITY\SYSTEM, otherwise it would need to use sa.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
November 1, 2005 at 8:19 am
A sniffer would help here, need the network guys to set it up and that would help you backtrack. We had to do that one time at JD Edwards and found some consultant's laptop was the culprit. We were not able to get the machine, but the consultant was escorted out the day we found him.
November 1, 2005 at 12:16 pm
No need to wait for the network team ... You could download and install Ethereal (free and works great) and probably figure it out after a 5 minute capture. Here's the link:
I've used it in the past to identify firewall issues quite successfully.
Regards,
Rudy Komacsar
Senior Database Administrator
"Ave Caesar! - Morituri te salutamus."