June 30, 2003 at 9:02 am
I've recently turned on auditing on one of my SQL 2000 servers for failed logins. I tested it and it seemed fine.
When I checked the error logs a couple of hours later, I noticed that all 4 of my SQL logins notched up 15-20 failed logins each, all within a couple of seconds. No other events are logged and I'm pretty sure no-one is trying to hack the server.
Any ideas where they could have come from?
Thanks
June 30, 2003 at 9:27 am
Are you using SQL or Windows Authentication?
June 30, 2003 at 9:31 am
It's SQL
June 30, 2003 at 4:46 pm
Were they valid login names on your server? i.e. I've seen servers open to the Internet that regularly experience similar hack attempts on login ids such as SA, SQL, ADMIN and ROOT (SA is understandable, but ROOT is a real shot in the dark).
A bummer with these audit messages is that they give you no other information.
An option is to run a profiler trace continually, and select all columns. _Sometimes_ a value is returned in the hostname column.
Cheers,
- Mark
July 1, 2003 at 3:59 am
They were all valid logins and not names you would normally guess. In saying that, there have been 2 attempts to log in with 'Admin' that have also failed. May have to do some profiling......
July 1, 2003 at 8:21 am
The 'Admin' login may be from an Access database with linked tables, since the default Access "account" is Admin with no password. I've noticed this same login failure on my servers, and we've tried setting up those users' DSNs again (once we could identify who they were); it seemed to clear it up. Also, some security programs (Microsoft Baseline Security Analyzer, others I'm sure) will enumerate through your SQL accounts and try to log in to them, to test for weak passwords, something to keep in mind.
Joseph
July 1, 2003 at 10:25 am
Profiler has traced the Admin account back to an Access application - thanks for that. Still looking for the others..........
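Added example, not part of the original thread: a small Python triage script that groups failed-login audit lines from the error log into bursts, so a sweep across several logins within seconds (the pattern described in the first post, and what an account-enumerating scanner would produce) stands apart from isolated failures such as the 'Admin' ones. The error-log line layout, the login names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed SQL Server 2000 errorlog layout: "<date> <time.cc> logon  Login failed for user 'x'."
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+logon\s+Login failed for user '([^']*)'")

def parse_failures(lines):
    """Return sorted (timestamp, login) pairs for every failed-login audit line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return sorted(out)

def find_bursts(events, gap_seconds=5, min_attempts=10):
    """Group failures separated by <= gap_seconds; report groups with >= min_attempts."""
    bursts, current = [], []
    for ts, login in events:
        if current and ts - current[-1][0] > timedelta(seconds=gap_seconds):
            bursts.append(current)
            current = []
        current.append((ts, login))
    if current:
        bursts.append(current)
    report = []
    for b in bursts:
        if len(b) >= min_attempts:
            report.append({"start": b[0][0], "end": b[-1][0], "attempts": len(b),
                           "per_login": dict(Counter(login for _, login in b))})
    return report

def build_sample():
    """Constructed log: 4 hypothetical logins x 15 failures in 3 seconds, plus 2 isolated 'Admin' failures."""
    lines = ["2003-06-30 08:10:05.12 logon     Login failed for user 'Admin'."]
    for i in range(60):
        login = ("app_user", "report_user", "web_user", "batch_user")[i % 4]
        lines.append("2003-06-30 11:14:%02d.%02d logon     Login failed for user '%s'."
                     % (20 + i // 20, i, login))
    lines.append("2003-06-30 13:40:31.77 logon     Login failed for user 'Admin'.")
    lines.append("2003-06-30 13:41:02.10 server    Database backed up.")  # non-audit line, ignored
    return lines

if __name__ == "__main__":
    for burst in find_bursts(parse_failures(build_sample())):
        print(burst)
```

The burst window gives a time range to line up against a Profiler trace or the schedule of any scanning tool, since the audit message itself carries no host information.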