Login failed for user 'sa' - Could be a virus?

  • Hi folks,

    I used to use MS SQL Server 2000 with no password for 'sa' user.

    Recently, we changed the server and moved to MS SQL Server 2005 and we assigned a password for the 'sa' user.

    Right now we have:

    Windows Server 2003 - SP2

    MS SQL Server 2005 - SP3 Version: 9.00.4035.00 - Intel X86

    After that we got the error (A lot of them):

    Error: 18456, Severity: 14, State: 8.

    Login failed for user 'sa'. [CLIENT: 211.154.142.231]

    In other SQL Error Log, the IP changed. Examples:

    117.41.228.192

    113.105.145.71

    122.225.106.50

    It seems to be a virus.

    So, folks, I need some help.

    Thanks in advance

    Ailton
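    Added example, not part of the original post: the error log entries quoted above carry the client address in square brackets, so the current log can be pulled with xp_readerrorlog and the failures summarised per address. This assumes SQL Server 2005 or later (where xp_readerrorlog returns LogDate, ProcessInfo and Text) and sysadmin rights; the temp table name and column aliases are the example's own.

```sql
-- Added example (not from the thread): count 'sa' login failures per client
-- address in the current SQL Server error log and flag addresses outside the
-- RFC 1918 private ranges. Assumes SQL Server 2005+ and sysadmin rights.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL
    DROP TABLE #errlog;

CREATE TABLE #errlog
(
    LogDate     DATETIME,
    ProcessInfo NVARCHAR(50),
    LogText     NVARCHAR(MAX)
);

-- Arguments: log number (0 = current, 1 = previous, ...), log type
-- (1 = SQL Server error log), and a substring every returned line must contain.
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

WITH failures AS
(
    SELECT
        e.LogDate,
        -- text between '[CLIENT: ' (9 characters) and the closing ']';
        -- NULL when the line has no well-formed client tag
        CASE WHEN p.StartPos > 9 AND p.EndPos > p.StartPos
             THEN SUBSTRING(e.LogText, p.StartPos, p.EndPos - p.StartPos)
        END AS ClientAddr
    FROM #errlog AS e
    CROSS APPLY
    (
        SELECT CHARINDEX('[CLIENT: ', e.LogText) + 9 AS StartPos,
               CHARINDEX(']', e.LogText, CHARINDEX('[CLIENT: ', e.LogText) + 9) AS EndPos
    ) AS p
    WHERE e.LogText LIKE '%Login failed for user ''sa''%'
)
SELECT
    ClientAddr,
    CASE
        WHEN ClientAddr LIKE '<%'           THEN 'local'     -- '<local machine>', '<named pipe>'
        WHEN ClientAddr LIKE '127.%'        THEN 'loopback'
        WHEN ClientAddr LIKE '10.%'         THEN 'private'   -- 10.0.0.0/8
        WHEN ClientAddr LIKE '192.168.%'    THEN 'private'   -- 192.168.0.0/16
        WHEN ClientAddr LIKE '172.1[6-9].%'
          OR ClientAddr LIKE '172.2[0-9].%'
          OR ClientAddr LIKE '172.3[0-1].%' THEN 'private'   -- 172.16.0.0/12
        ELSE 'EXTERNAL'
    END          AS AddrClass,
    COUNT(*)     AS Attempts,
    MIN(LogDate) AS FirstSeen,
    MAX(LogDate) AS LastSeen
FROM failures
WHERE ClientAddr IS NOT NULL
GROUP BY ClientAddr
ORDER BY Attempts DESC;
```

    Run it against log 1, 2, ... as well to cover rotated logs; any row classed EXTERNAL with a high attempt count is a source that is reaching port 1433 from outside, which is what the replies below are warning about.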

  • Are they from an internal network or from the internet?

    Please tell me that you haven't been running with a blank sa password open to the internet.

    If internal, get your IT people to do a full network sweep for viruses.

    It could of course be an app which you have no knowledge of. Are some users complaining that they can now not access the database?



    Clear Sky SQL
    My Blog

  • Using the IP address, the source domain can be determined from the 'American Registry for Internet Numbers' at URL https://ws.arin.net/whois/ or http://wq.apnic.net/apnic-bin/whois.pl

    The four IP addresses are all originating from service providers in China. This means that your server is under attack and your network personnel need to be involved including getting SQL Server behind firewalls so that internet access is not possible.

    SQL = Scarcely Qualifies as a Language

  • ailton (7/16/2010)

    After that we got the error (A lot of them):

    Error: 18456, Severity: 14, State: 8.

    Login failed for user 'sa'. [CLIENT: 211.154.142.231]

    May I try a more simple explanation?

    How about a couple of users that used to connect as "sa" with no password or some scheduled jobs that used to connect as "sa" with no password still trying to do it?

    On the other hand you can always do a tracert 211.154.142.231 and figure out from where that connection is originated - from my location it goes 27 hops just to the origin 😉

    _____________________________________
    Pablo (Paul) Berzukov

    Author of Understanding Database Administration available at Amazon and other bookstores.

    Disclaimer: Advice is provided to the best of my knowledge but no implicit or explicit warranties are provided. Since the advisor explicitly encourages testing any and all suggestions on a test non-production environment, the advisor should not be held liable or responsible for any actions taken based on the given advice.

  • Hopefully you at least have a strong password for sa.

    But it does sound like you are exposed to the internet.

    Most internal networks use 192.xxx or 10.xxx addresses.

    This can put more than just your server and application at risk.

    Greg E

  • sa is the devil

    after you resolve your initial issue, start a mini-project of going through all your apps and maintenance tasks and change the sa user to another user

    when you're done, disable sa

    --------------------------

    I long for a job where my databases don't have any pesky users accessing them 🙂

  • Like others have said - get your server firewalled. I would recommend that you also change your TCP port for SQL server to something other than 1433.

    I would also examine your data in the database and make sure that the data is yours and that none of it is missing or try to evaluate if any of it has been copied out. Sensitive data being copied out such as person information could get you in a heap of trouble.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Yes,

    Unfortunately, we had user 'sa' with no password for a while.

    All the IPs are external and I'm under attack.

    So, after reading your suggestions, I decided to create a new user and disable 'sa'.

    I hope this works out.

    Thanks.
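    Added example, not part of the original thread: the "change every app and job to another login, then disable sa" steps from the earlier reply, and the decision above to create a new login and disable 'sa', carried out in T-SQL. The login name dba_admin and the password placeholders are the example's own choices; it assumes SQL Server 2005 on Windows Server 2003, where CHECK_POLICY applies the OS password policy to SQL logins.

```sql
-- Added example (not from the thread): create a replacement sysadmin login,
-- check that nothing still depends on 'sa', then disable and rename it.
-- 'dba_admin' and both passwords are placeholders; substitute your own values.
USE master;
GO

-- 1. Replacement login for administrators, with OS password policy enforced.
CREATE LOGIN [dba_admin]
    WITH PASSWORD = N'<long random passphrase for dba_admin>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF;
EXEC sp_addsrvrolemember @loginame = N'dba_admin', @rolename = N'sysadmin';
GO

-- 2. Find what still runs as 'sa' before pulling the plug:
--    agent jobs owned by sa (SUSER_SID('sa') is 0x01) ...
SELECT name, enabled
FROM   msdb.dbo.sysjobs
WHERE  owner_sid = SUSER_SID(N'sa');

--    ... and live sessions authenticated as sa, with the host and program using it.
SELECT DISTINCT login_name, host_name, program_name
FROM   sys.dm_exec_sessions
WHERE  login_name = N'sa';
GO

-- 3. Re-own any jobs found above (one per job), e.g.:
-- EXEC msdb.dbo.sp_update_job @job_name = N'<job name>', @owner_login_name = N'dba_admin';

-- 4. Rotate the sa password anyway (the old one may already be known),
--    then disable the login and give it a non-obvious name.
ALTER LOGIN [sa] WITH PASSWORD = N'<another long random passphrase>';
ALTER LOGIN [sa] DISABLE;
ALTER LOGIN [sa] WITH NAME = [sqladmin_retired];
GO

-- 5. Confirm: principal_id 1 is always the original sa login, whatever its name.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  principal_id = 1;
```

    Run step 2 over a full business cycle (nightly and month-end jobs included) before step 4, and keep the firewall and port-exposure fixes from the other replies in place; disabling sa stops this one login from being guessed but does nothing about the server being reachable from the internet.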

  • ailton (7/16/2010)

    Yes,

    Unfortunately, we had user 'sa' with no password for a while.

    All the IPs are external and I'm under attack.

    So, after reading your suggestions, I decided to create a new user and disable 'sa'.

    I hope this works out.

    Thanks.

    I would not really rely on that as 'protection'.

    If the machine needs access from out side your internal network, it needs to be properly secured.

    A couple of the responses might be helpful, but consider hiring someone who does this for a living.

    This is not something you want to learn as you go.

    Greg E

  • Just to add...

    You have no idea what these guys have left on your machine. Your entire network has been compromised at its base level. If I were you I would now assume that every machine on your network is now under their control. All personal details will be being syphoned off to be used for illicit purposes.

    This may not actually be the case, but you have to assume that it is. You have no evidence to the contrary.



    Clear Sky SQL
    My Blog

  • Maybe the SA password was changed by accident.
