June 13, 2005 at 12:16 pm
I noticed earlier today that I had a lot of SQL 1433 connections (or attempted connections) on my firewall, which is not normal. I ran a program called Active Reports which showed that my server and 209.131.129.43 had an "ESTABLISHED" session (not an approved IP). I also saw in a report from my firewall that IS~COZUMEL and db.pansystems.gr were connecting to my reporting services domain. None of these should be! I also looked in EM under Process Info, but there were no intrusive hosts connected; when I shut down SQL Server and SQL Agent, all the connections dropped. I locked things down and haven't had any other connections made, but I am still seeing denied attempts by all three on my firewall.
This is a SQL 2000 SP4 box with up-to-date (today's date) anti-virus. I did a virus scan and came up with nothing. Is there a "backdoor" that could be installed? Or was this an attempt to scan my ports? Has anyone had any experience with this?
June 13, 2005 at 12:35 pm
Yes, we did.
The place where you should look first is the Windows Security Log. If you see logon/logoff events every 4 seconds, it is Enterprise Manager from another computer on the other side of the firewall. It will be only 1 record in the SQL Server Current Activity window.
We also had another case where the remote computer, which was also a server, was not up to date with security patches; same picture in the firewall log.
Yet another case I once had was when a Web Application developer made a mistake and put a Connection.Open statement inside the loop that updates records, so a new connection was opened every time the next record was updated; when a user who had 250 records on the page clicked the Submit button, 250 connections were created.
Let us know what you find.
Yelena
Regards, Yelena Varsha
June 13, 2005 at 1:14 pm
I took a look at the Application log and I see a lot of failed attempts for SA and Admin login. Looks like they were attempting to hack it. Every now and then in between those I see a "Login succeeded for user 'NT AUTHORITY\NETWORK SERVICE'". Is there any way they can log in as the NETWORK SERVICE account? Will let you know what else I find.
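The kind of check the post above describes (many failed 'sa'/'Admin' logins in the Application log, with occasional successes for an account you did not expect) can be scripted. This is an added example, not code from the thread; the log lines are constructed in the SQL Server 2000 login-audit style ("Login failed for user '...'" / "Login succeeded for user '...'"), and the threshold, window and approved-account list are assumptions you would set for your own server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server 2000 ERRORLOG / Application Log style
# (login auditing set to "All"); not taken from the original post.
SAMPLE_LOG = """\
2005-06-13 12:10:01.23 logon     Login failed for user 'sa'.
2005-06-13 12:10:01.75 logon     Login failed for user 'sa'.
2005-06-13 12:10:02.20 logon     Login failed for user 'Admin'.
2005-06-13 12:10:02.61 logon     Login failed for user 'sa'.
2005-06-13 12:10:03.05 logon     Login failed for user 'sa'.
2005-06-13 12:10:03.40 logon     Login succeeded for user 'NT AUTHORITY\\NETWORK SERVICE'. Connection: Trusted.
2005-06-13 12:15:00.00 logon     Login failed for user 'reports'.
2005-06-13 13:00:00.00 logon     Login succeeded for user 'reportsvc'. Connection: Non-Trusted.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'"
)

def parse_logon_events(text):
    """Return (timestamp, result, user) tuples for every logon audit line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user")))
    return events

def find_bruteforce(events, threshold=4, window_seconds=60):
    """Map user -> failure count for users with >= threshold failed logins
    inside any sliding window of window_seconds (a password-guessing sign)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ts, result, user in events:
        if result == "failed":
            failures[user.lower()].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged

def unexpected_successes(events, allowed):
    """Accounts that logged in successfully but are not on the approved list."""
    allowed = {a.lower() for a in allowed}
    return sorted({user for _, result, user in events
                   if result == "succeeded" and user.lower() not in allowed})
```

Run it against a real ERRORLOG by reading the file into `parse_logon_events`; a flagged 'sa' plus a success for an account outside your approved list is the pattern worth chasing first.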
June 14, 2005 at 3:53 am
Changing the port the SQL Server is listening on is pretty much standard practice now, in the aftermath of Code Red and Slammer! Highly recommended! Not entirely convinced having a NAT on ur firewall that allows access to ur SQL Server is a good plan either. Can u not arrange a VPN, if external access is required??
June 14, 2005 at 6:34 am
I'll have to change the port. Any suggestions on whether or not I should stay within the registered port range or go with the dynamic/private range? Creating a VPN has been on my list (guess it just got prioritized). Problem is I am a one man show and there is sooo much to do. Thanks for the replies.
June 14, 2005 at 6:50 am
Just try not to hit a port that's standard to summat else (can usually find standard port lists on the web!). Last time I set one up, I put it on port 2030 ... no special reason particularly, just anything but 1433/4!! lol
I understand the "one man show" principle ... but just to add to ur workload, it's sounding like ur firewall could do with a good audit and lockdown ... u definitely don't want an internet-exposed SQL Server ... but if ppl do NEED (not "want"!) offsite access, then this should definitely be done through a VPN!
Just remember, u can't be a good security officer if ur not a git to ur employees!!
June 15, 2005 at 1:23 pm
I wouldn't put that VPN project off, as you'll have quite a lot more to do if someone hacks into your 'sa' account from outside.
So long, and thanks for all the fish,
Russell Shilling, MCDBA, MCSA 2K3, MCSE 2K3