what or where is this?

  • From SQL Log:

    ============================

    Date: 3/17/2009 10:28:30 PM
    Log: SQL Server (Current - 3/18/2009 8:00:00 AM)
    Source: Logon
    Message: Login failed for user 'sa'. [CLIENT: 10.15.101.24]

    Date: 3/17/2009 10:28:30 PM
    Log: SQL Server (Current - 3/18/2009 8:00:00 AM)
    Source: Logon
    Message: Error: 18456, Severity: 14, State: 8.

    ===========================

    State 8 is password mismatch.

    I also saw this at 12:27 a.m. once. So it seems to occur at odd hours. This makes me realize maybe it's the backup guy trying to do agent backups (which makes my DR plan somewhat less effective)? :angry:

    Client is the SQL box itself.

    I looked through jobs and don't see anything running around 10. I checked maintenance plan history, it finished OK at 9:07 p.m. There were no errors there.

    I checked Scheduled Tasks, there are none.

    I guess the next thing to try is to run Profiler overnight?

  • Profiler will not show much more than an attempt to log in, so that won't help much.

    I think the key is to nslookup or ping 10.15.101.24.

    Is that the server itself, or someone else's machine?

    It might be just as you think: someone set up some automated process to occur at 10:30 or 12:30 (that machine's local time...hence the ~3 minute difference?) to run a job or stored proc.

    Find that machine, and see if there is a local scheduled task, or a local job trying to log into your server.

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

  • Yes, that IP is the local machine. I was trying to load security in MS, but it took forever. I just RDP'd to it to view it. I think I found the culprit:

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 576
    Date: 3/17/2009
    Time: 10:28:27 PM
    User: DOMAIN\Arcserve
    Computer: SQLPRD
    Description:
    Special privileges assigned to new logon:
    User Name:
    Domain:
    Logon ID: (0x0,0x137643E9)
    Privileges: SeSecurityPrivilege
                SeBackupPrivilege
                SeRestorePrivilege
                SeTakeOwnershipPrivilege
                SeDebugPrivilege
                SeSystemEnvironmentPrivilege
                SeLoadDriverPrivilege
                SeImpersonatePrivilege

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    The backup guy is out today, so we'll see if it happens again tonight.

    I changed to a different sa password when we upgraded to 2005, so this is a good catch.
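The manual correlation done in this thread (an error 18456 entry matched to a Windows logon a few seconds earlier), as an added example that is not part of the original posts. The log lines, the `DOMAIN\SqlAgentSvc` account and the 10-second window are constructed assumptions; only the `sa` failure and the `DOMAIN\Arcserve` event mirror the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the on-disk ERRORLOG layout (timestamp, source, message).
ERRORLOG = """\
2009-03-17 21:07:02.11 Backup      Database backed up. Database: Sales
2009-03-17 22:28:30.45 Logon       Error: 18456, Severity: 14, State: 8.
2009-03-17 22:28:30.45 Logon       Login failed for user 'sa'. [CLIENT: 10.15.101.24]
"""
# Constructed Security-log logons: (time, account, event id).
LOGONS = [
    (datetime(2009, 3, 17, 21, 5, 40), r"DOMAIN\SqlAgentSvc", 576),
    (datetime(2009, 3, 17, 22, 28, 27), r"DOMAIN\Arcserve", 576),
]
# State 8 is from the thread; the others are from Microsoft's error 18456 documentation.
STATES = {5: "user ID not valid", 7: "login disabled and password mismatch",
          8: "password mismatch", 18: "password must be changed"}

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(\S+)\s+(.*)$")
ERR = re.compile(r"Error: 18456, Severity: \d+, State: (\d+)\.")
FAIL = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")

def failed_logins(text):
    """Pair each 18456 error line with the 'Login failed' line that follows it."""
    out, state = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or m.group(2) != "Logon":
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        err, fail = ERR.search(m.group(3)), FAIL.search(m.group(3))
        if err:
            state = int(err.group(1))
        elif fail:
            out.append({"time": when, "login": fail.group(1), "client": fail.group(2),
                        "state": state, "reason": STATES.get(state, "unknown")})
            state = None
    return out

def correlate(failures, logons, window=timedelta(seconds=10)):
    """Attach Windows accounts that logged on shortly before each failure."""
    for f in failures:
        f["suspects"] = [acct for t, acct, _ in logons
                         if timedelta(0) <= f["time"] - t <= window]
    return failures

if __name__ == "__main__":
    for f in correlate(failed_logins(ERRORLOG), LOGONS):
        print(f["time"], f["login"], f["client"], f["reason"], f["suspects"])
```
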

  • Cool, glad you found it; it's probably nothing more than updating the ArcServe program to have your new sa password, or even better, create a login just for that process.

    Lowell


