June 11, 2004 at 7:22 am
Application Log in the Event Viewer:
Source: MSSQLSERVER
EventID: 17055
Message: Login failed for 'sql'
The attempt is being made every second with different usernames: sa, web, saadmin, etc.
If I understand it right, a hacker's program is trying to find a valid username and password.
What are my options for stopping this thing?
Shall we ask the Web Hosting company to change the firewall rules and reject all connections on port 1433 from outside?
But we need to be able to communicate with this SQL box from our office in Toronto.
I reported this issue to the WebHosting company, but they are a bit slow in responding.
I suspect this attack is affecting SQL Server performance because yesterday we had a strange ASP error:
[DBNETLIB]ConnectionOpen Connect(().]SQL Server does not exist or access is denied.
Is there anything I can do while the WebHosting company (TELUS) is getting back to me?
June 11, 2004 at 7:49 am
I would certainly change the firewall rules; I would also change the port that SQL is listening on from 1433.
June 11, 2004 at 8:38 am
OK.
If we change SQL port 1433 to something else (how to choose what the new port should be?), then I suspect we need to change all our database connection strings in all our applications.
I've never done this before - to specify the port number in a database connection string.
We have a couple of Cold Fusion applications and two ASP applications. I need to find out how to do it now...
June 11, 2004 at 8:42 am
If your database connections are using DSNs to connect, you can just change the port in the DSN. I'm not sure about using strings built directly within an app, however.
June 11, 2004 at 8:49 am
I forgot what it's called - DSN or DSNless.
This is what I use:
PROVIDER=SQLOLEDB.1;DATA SOURCE=MachineName;INITIAL CATALOG=DatabaseName;USER ID=iserid;PASSWORD=password;
Where would I need to insert the port?
I need to read some ASP or VB documentation.
June 11, 2004 at 8:52 am
Depending on the MDAC version on the front end, I believe that it will connect to UDP 1434 to learn the port that SQL is running on, so it shouldn't be a problem.
June 14, 2004 at 7:29 am
The WebHosting company started to block traffic on port 1433 except for two IPs that I gave them. This stopped the attack.
But the WebHosting company says it's a temporary solution.
They would like to discuss a long-term solution with us next week.
I guess they want VPN or something else.
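Added example, not part of the original thread: a Python sketch that flags the pattern described in the first post (event 17055 failures arriving about once a second under rotating usernames) in an exported Application log. The tab-separated export layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the message text quoted in the post ("Login failed for 'sql'");
# the optional "user " covers the "Login failed for user 'x'" wording.
FAILED = re.compile(r"Login failed for (?:user )?'([^']*)'")

def parse(line):
    """Return (timestamp, username) for a failed-login event, else None.
    Assumed export layout: time<TAB>source<TAB>event id<TAB>message."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    when, source, event_id, message = parts
    m = FAILED.search(message)
    if source != "MSSQLSERVER" or event_id != "17055" or not m:
        return None
    return datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), m.group(1)

def find_guessing(lines, min_attempts=30, min_users=3):
    """Flag each minute with many failures spread over several usernames."""
    buckets = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event:
            when, user = event
            buckets[when.replace(second=0)].append(user)
    alerts = []
    for minute in sorted(buckets):
        users = buckets[minute]
        if len(users) >= min_attempts and len(set(users)) >= min_users:
            alerts.append((minute, len(users), sorted(set(users))))
    return alerts

def sample_log():
    """Constructed sample: one failure per second for a minute, cycling names,
    plus one ordinary mistyped password and one unrelated event."""
    names = ["sa", "web", "saadmin", "sql"]
    lines = [f"2004-06-11 07:20:{s:02d}\tMSSQLSERVER\t17055\t"
             f"Login failed for '{names[s % 4]}'" for s in range(60)]
    lines.append("2004-06-11 09:05:10\tMSSQLSERVER\t17055\tLogin failed for 'appuser'")
    lines.append("2004-06-11 09:06:00\tMSSQLSERVER\t17052\tRecovery complete.")
    return lines

if __name__ == "__main__":
    for minute, count, users in find_guessing(sample_log()):
        print(f"{minute:%Y-%m-%d %H:%M} {count} failures across {users}")
```

A single mistyped password stays below both thresholds, so only the sustained multi-username burst is reported.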