Wednesday, March 21, 2012

Login failed for user

Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
Sajith

Hi Sajith
"Sajith" wrote:

> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Practices Analyser
http://www.microsoft.com/downloads/...&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/...&displaylang=en then implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.

> Thank you
> Sajith
HTH
John

Hi
Thanks much for the quick reply...
Already tried the SQL Profiler, which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping it and
realised it does not exist)
We don't have an external connection. Only internal. If it is malware, will the
below tool help to detect it?
Our server is with latest service pack (SP4) for SQL 2000 and updated
antivirus software.
Is there any way to detect this malware (if it is) or to get the IP address of
the source... (some people suggested a sniffer. Is this a good method?)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:

> Hi Sajith
> "Sajith" wrote:
>
> Possibly
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Practices Analyser
> http://www.microsoft.com/downloads/...&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/...&displaylang=en then implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> HTH
> John

Hi
"Sajith" wrote:

> Hi
> Thanks much for the quick reply...
> Already tried the SQL Profiler, which is not helping much (blank NT user name
> and Login Name. Only host name comes in the profiler. We tried to ping it and
> realised it does not exist)
> We don't have an external connection. Only internal. If it is malware, will the
> below tool help to detect it?
> Our server is with latest service pack (SP4) for SQL 2000 and updated
> antivirus software.
> Is there any way to detect this malware (if it is) or to get the IP address of
> the source... (some people suggested a sniffer. Is this a good method?)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may not give you a true source. The number of clients on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/m...ve/default.mspx ?
John
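
The pattern in the question (failures about once a second, cycling through generic account names) can be picked out of an error log mechanically. The following is an added example, not code from any poster in this thread; the log layout, the sample lines and the thresholds are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample; the "timestamp  source  message" layout is an assumption.
SAMPLE_LOG = """\
2012-03-21 09:14:58.10 spid51    Starting up database 'sales'.
2012-03-21 09:15:01.20 logon     Login failed for user 'user'.
2012-03-21 09:15:02.21 logon     Login failed for user 'sa'.
2012-03-21 09:15:03.19 logon     Login failed for user 'root'.
2012-03-21 09:15:04.22 logon     Login failed for user 'admin'.
2012-03-21 09:15:05.20 logon     Login failed for user 'user'.
2012-03-21 11:40:12.55 logon     Login failed for user 'jsmith'.
"""

FAILED = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+\S+\s+Login failed for user '([^']*)'")

def parse_failures(text):
    """Return (timestamp, login) for every failed-login line; skip the rest."""
    found = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            found.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return found

def find_bursts(failures, max_gap=5, min_events=4, min_logins=3):
    """Group failures at most max_gap seconds apart; keep groups that look scripted."""
    runs, run = [], []
    for ts, login in sorted(failures):
        if run and (ts - run[-1][0]).total_seconds() > max_gap:
            runs.append(run)
            run = []
        run.append((ts, login))
    if run:
        runs.append(run)
    bursts = []
    for r in runs:
        logins = sorted({login for _, login in r})
        # Many failures in quick succession across several account names is
        # name guessing; one user mistyping a password is a single name.
        if len(r) >= min_events and len(logins) >= min_logins:
            bursts.append({"start": r[0][0], "end": r[-1][0],
                           "events": len(r), "logins": logins})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(parse_failures(SAMPLE_LOG)):
        print(b["start"], "->", b["end"], b["events"], "failures:", ", ".join(b["logins"]))
```

This only characterises the activity and its time window; it does not identify the source machine, which is the part discussed above.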
