NT AUTHORITY\SYSTEM Account Executing Queries

  • Hello, we noticed today that we had thousands of connections being made to our SQL Server from NT AUTHORITY\SYSTEM and they were not cleaning up after themselves. When I ran a SQL profiler trace on this login I see hundreds of queries being executed from this login. It is cycling through the databases and executing various select queries.

    Who can actually log on and use this account? The Hostname source says it's coming directly from my server but I really don't understand why I'm seeing queries being executed from this login. Could this be a hacking attempt? I checked everyone who is logged into the server right now and it's just myself... so I know I'm not doing it.

    Any insight?

  • I restarted SQL and the number of connections went from 4000 to 30 and all seemed to be good. But as I sit here and monitor the server.... the number of NT AUTHORITY\SYSTEM connections just continues to increase. It started at 6 and now it's up to 14.

    Why does it keep opening connections for this account and is this typical behavior? Am I supposed to be seeing repetitive queries coming in against this login over and over?

  • This account NT AUTHORITY\SYSTEM is a local Windows server account used as the default account under which some SQL Server services (backup, replication, ?, etc.) run.

    It's odd that it would be querying across all databases under multiple connections. By default this account has SYSADMIN privilege, so it could be used as a vector for hacking. From the SQL Profiler trace, can you see what type of queries it is executing?

    Here is a link to a blog discussion where it is debated whether this account can be safely disabled.

    http://sqlblog.com/blogs/jonathan_kehayias/archive/2010/01/27/question-is-nt-authority-system-a-sysadmin-in-your-sql-server-and-why.aspx

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Yea it is really strange and most strange to me that the connection count just keeps growing and growing.

    It's running all sorts of queries...

    dbcc sqlperf(netstats)

    set dateformat ymd select secdiff = datediff (ss,'2015-12-03 11:02:36', getdate())

    set quoted_identifier on set arithabort off set numeric_roundabort off etc... (various set statements)

    select distinct count(*) from sys.dm_exec_sessions where session_id > 50

    select serverproperty('LicenseType')

    and it goes on and on....

  • The clientid indicates that the queries are coming from koqcoll.exe - that is the SQL Server Agent, right?

    EDIT: my bad sorry... it appears the file is associated with IBM Tivoli..... curious-er.
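    One way to answer "which executable owns these sessions?" directly from the instance rather than from a Profiler trace. This is an added T-SQL example, not code from the thread; the 10-minute idle threshold is an assumption, and the DMVs used are the same ones the captured queries above poll.

    ```sql
    -- Sessions held by NT AUTHORITY\SYSTEM, grouped by the client program and host
    -- that opened them. program_name is what the client reports (a SQL Server Agent
    -- session reports "SQLAgent - ..."; a third-party agent reports its own name).
    SELECT s.login_name,
           s.host_name,
           s.program_name,
           s.status,
           COUNT(*)                     AS session_count,
           MIN(s.login_time)            AS oldest_login,
           MAX(s.last_request_end_time) AS last_activity
    FROM sys.dm_exec_sessions AS s
    WHERE s.is_user_process = 1
      AND s.login_name = N'NT AUTHORITY\SYSTEM'
    GROUP BY s.login_name, s.host_name, s.program_name, s.status
    ORDER BY session_count DESC;

    -- Connections that are still open but have been idle for more than 10 minutes
    -- (assumed threshold): the "not cleaning up after themselves" pattern, with the
    -- client network address so the source host can be confirmed.
    SELECT s.session_id,
           s.program_name,
           s.host_name,
           DATEDIFF(MINUTE, s.last_request_end_time, SYSDATETIME()) AS idle_minutes,
           c.client_net_address,
           c.connect_time
    FROM sys.dm_exec_sessions AS s
    JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
    WHERE s.login_name = N'NT AUTHORITY\SYSTEM'
      AND s.status = 'sleeping'
      AND s.last_request_end_time < DATEADD(MINUTE, -10, SYSDATETIME())
    ORDER BY idle_minutes DESC;

    -- Does the login exist on this instance, is it enabled, and is it a member of
    -- the sysadmin fixed server role (the point raised earlier in the thread)?
    SELECT sp.name,
           sp.is_disabled,
           IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
    FROM sys.server_principals AS sp
    WHERE sp.name = N'NT AUTHORITY\SYSTEM';
    ```

    A steadily growing session_count for one program_name, paired with many sleeping sessions in the second result, points at a client that opens connections on every poll and never closes them.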

  • amy26 (12/3/2015)


    The clientid indicates that the queries are coming from koqcoll.exe - that is the SQL Server Agent, right?

    EDIT: my bad sorry... it appears the file is associated with IBM Tivoli..... curious-er.

    ... Tivoli Management Framework (TMF) is a CORBA-based systems and network management framework from IBM, previously developed by Tivoli Systems, Inc. ...

    It allows administrators to manage large numbers of remote locations or devices. ...

    Looking at the sample queries from above, it seems consistent with what a resource management or performance monitoring tool would periodically run. It's probably benign (not a hack attack) but just misconfigured in such a way that it's polling too frequently or not cleaning up connections for some reason.

    Are you the DBA on this SQL Server instance? Perhaps the network administrator installed this tool to monitor servers without informing you.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Thanks Eric, yea as soon as he turned off Tivoli, everything stopped. I am the DBA and yea the people that manage the server itself had turned this on. Course they are nitwits and didn't know anything about what they turned on or what it was doing. They were blaming me for the issues and claimed it wasn't them. As soon as I pinpointed the exact executable and told them they were like "oh... yea... umm we'll turn that off". So, now they have to go back and figure out what the hell they are doing and why they are spamming my system every 3 minutes and creating thousands of connections. 🙂

  • I understand why network operations need to monitor and centrally manage all servers across the enterprise, but they need to coordinate the DBA before they start digging inside database instances. This just goes to show how throwing technology (like a 3rd party monitoring solution) at a theoretical problem (like performance) just creates more actual problems and wastes money, unless they first RTFM and then take ownership of the process.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Totally agree.
