Login failed for user

  • I've recently turned on auditing on one of my SQL 2000 servers for failed logins. I tested it and it seemed fine.

    When I checked the error logs a couple of hours later I noticed that all 4 of my SQL logins notched up 15-20 failed logins each, all within a couple of seconds. No other events are logged and I'm pretty sure no-one is trying to hack the server.

    Any ideas where they could have come from?

    Thanks

  • Are you using SQL or Windows Authentication?

  • It's SQL

  • Were they valid login names on your server? i.e. I've seen servers open to the Internet that regularly experience similar hack attempts on login ids such as SA, SQL, ADMIN and ROOT (SA is understandable, but ROOT is a real shot in the dark).

    A bummer with these audit messages is that they give you no other information.

    An option is to run a profiler trace continually, and select all columns. _Sometimes_ a value is returned in the hostname column.


    Cheers,
    - Mark

  • They were all valid logins and not names you would normally guess. In saying that, there have been 2 attempts to log in with 'Admin' that have also failed. May have to do some profiling...

  • The 'Admin' login may be from an Access database with linked tables, since the default Access "account" is Admin with no password. I've noticed this same login failure on my servers, and we've tried re-setting up those users' DSNs (once we could identify who they were), and it seemed to clear it up. Also, some security programs (Microsoft Baseline Security Analyzer, others I'm sure) will enumerate through your SQL accounts and try to log in to them, to test for weak passwords; something to keep in mind.

    Joseph

  • Profiler has traced the Admin account back to an Access application - thanks for that. Still looking for the others...
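An added example, not posted by anyone in the thread: a short Python script that separates the pattern described above (several valid logins each failing many times within seconds, as an account-enumerating scanner would produce) from isolated failures such as the Access 'Admin' attempts. The errorlog line layout, login names, timestamps and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in an assumed errorlog layout: timestamp, source, message.
LOGINS = ["app_orders", "app_web", "rpt_user", "etl_load"]  # made-up names
SAMPLE_LOG = "\n".join(
    ["2005-03-14 09:58:02.11 logon     Login failed for user 'Admin'."]
    + [f"2005-03-14 10:02:{11 + i // 8:02d}.{i % 8 * 10:02d} logon     "
       f"Login failed for user '{LOGINS[i % 4]}'." for i in range(60)]
    + ["2005-03-14 10:05:00.00 spid51    (constructed non-login line)",
       "2005-03-14 11:40:17.80 logon     Login failed for user 'Admin'."]
)

LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+logon\s+"
    r"Login failed for user '([^']*)'")

def parse_failures(text):
    """Return a list of (timestamp, login) for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2)))
    return events

def find_bursts(events, max_gap_seconds=5, min_logins=3):
    """Cluster failures separated by at most max_gap_seconds and keep the
    clusters that touch at least min_logins distinct login names."""
    clusters, current = [], []
    for ts, login in sorted(events):
        if current and ts - current[-1][0] > timedelta(seconds=max_gap_seconds):
            clusters.append(current)
            current = []
        current.append((ts, login))
    if current:
        clusters.append(current)
    bursts = []
    for c in clusters:
        counts = Counter(login for _, login in c)
        if len(counts) >= min_logins:
            bursts.append({"start": c[0][0], "end": c[-1][0],
                           "counts": dict(counts)})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(parse_failures(SAMPLE_LOG)):
        print(b["start"], "->", b["end"], b["counts"])
```

The start and end times of a reported burst give the window to line up against a Profiler trace or a scheduled scanner run when looking for the source host.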
