Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
Sajith
Answered in another newsgroup.

Sure looks like it...can you see the source IP in the Security Event logs?
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm
Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith

Is the server exposed to the WWW? If so, does it need to be? I would disable
the TCP/IP protocols and cut off the ports if you are not sharing the
server. Do you have SP2 (at least) installed? Consider that 80% of all
hacking comes from within the organization. Have you notified your security
department?
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
------
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith

This server is exposed to www, but it is very secured. SQL Server 2000 is
with SP4 and in Windows 2003 with latest patch.
I have already notified the security dept. Today they are activating sniffer
s/w for this. Thanks for your valuable advice...
"William (Bill) Vaughn" wrote:
> Is the server exposed to the WWW? If so, does it need to be? I would disable
> the TCP/IP protocols and cut off the ports if you are not sharing the
> server. Do you have SP2 (at least) installed? Consider that 80% of all
> hacking comes from within the organization. Have you notified your security
> department?
> --
> ____________________________________
> William (Bill) Vaughn
> Author, Mentor, Consultant
> Microsoft MVP
> INETA Speaker
> www.betav.com/blog/billva
> www.betav.com
> Please reply only to the newsgroup so that others can benefit.
> This posting is provided "AS IS" with no warranties, and confers no rights.
> __________________________________
> Visit www.hitchhikerguides.net to get more information on my latest book:
> Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
> and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
> ------
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>

Hi Kevin,
It is not listed under the event log. Today we are activating the sniffer
s/w; I will tell you the status soon. Thanks for your valuable advice...
"Kevin3NF" wrote:
> Sure looks like it...can you see the source IP in the Security Event logs?
> --
> Kevin Hill
> 3NF Consulting
> http://www.3nf-inc.com/NewsGroups.htm
> Real-world stuff I run across with SQL Server:
> http://kevin3nf.blogspot.com
>
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>
Wednesday, March 21, 2012
Login failed for user
Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
Sajith
Hi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Practices Analyser
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en then implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John

Hi
Thanks much for the quick reply...
Already tried the SQL Profiler, which is not helping much (blank NT user name
and Login Name; only the host name comes in the profiler. We tried to ping it and
realised it does not exist).
We don't have an external connection, only internal. If it is malware, will the
below tool help to detect it?
Our server is with the latest service pack (SP4) for SQL 2000 and updated
antivirus software.
Is there any way to detect this malware (if it is) or to get the IP address of
the source? (Some people suggested a sniffer; is this a good method?)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
> Possibly
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Practices Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en then implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> HTH
> John

Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the SQL Profiler, which is not helping much (blank NT user name
> and Login Name; only the host name comes in the profiler. We tried to ping it and
> realised it does not exist).
> We don't have an external connection, only internal. If it is malware, will the
> below tool help to detect it?
> Our server is with the latest service pack (SP4) for SQL 2000 and updated
> antivirus software.
> Is there any way to detect this malware (if it is) or to get the IP address of
> the source? (Some people suggested a sniffer; is this a good method?)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself, so even looking at
network packets may not give you a true source. The number of clients on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx ?
John
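
An added example, not part of the thread: one way to check the error log for the pattern discussed above (rapid failures cycling through several login names) and to separate it from isolated mistyped passwords. The timestamp and source prefix on each line, the thresholds and the sample lines are assumptions constructed for illustration; the assumed layout carries no client address, so the result describes timing and login names only.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed line layout: "<date> <time.cc> <source> Login failed for user '<name>'."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+\S+\s+"
    r"Login failed for user '(?P<user>[^']*)'"
)

# Constructed sample, modelled on the messages quoted in the question.
SAMPLE_LOG = """
2007-01-15 09:00:01.10 logon     Login failed for user 'user'.
2007-01-15 09:00:02.12 logon     Login failed for user 'sa'.
2007-01-15 09:00:03.09 logon     Login failed for user 'root'.
2007-01-15 09:00:04.15 logon     Login failed for user 'admin'.
2007-01-15 09:00:05.11 logon     Login failed for user 'user'.
2007-01-15 09:00:06.13 logon     Login failed for user 'sa'.
2007-01-15 09:00:07.00 spid51    Starting up database 'pubs'.
2007-01-15 11:30:00.00 logon     Login failed for user 'reports'.
2007-01-15 14:45:10.00 logon     Login failed for user 'reports'.
""".strip().splitlines()


def parse_failures(lines):
    """Yield (timestamp, login_name) for each failed-login line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("user")


def find_guessing_bursts(lines, window_seconds=10, min_attempts=5, min_distinct=3):
    """Return bursts of failures that look like automated name guessing.

    A burst starts when the last `window_seconds` of the log hold at least
    `min_attempts` failures spread over at least `min_distinct` login names,
    and ends when the sliding window drops below either threshold.
    The log is assumed to be in chronological order.
    """
    span = timedelta(seconds=window_seconds)
    window = deque()   # recent (timestamp, login) pairs
    bursts = []
    current = None     # burst being accumulated, if any

    for ts, user in parse_failures(lines):
        window.append((ts, user))
        # Drop entries that have aged out of the window.
        while ts - window[0][0] > span:
            window.popleft()

        names = {u for _, u in window}
        if len(window) >= min_attempts and len(names) >= min_distinct:
            if current is None:
                # Count everything already in the window as part of the burst.
                current = {
                    "start": window[0][0],
                    "end": ts,
                    "attempts": len(window),
                    "logins": set(names),
                }
            else:
                current["end"] = ts
                current["attempts"] += 1
                current["logins"] |= names
        elif current is not None:
            bursts.append(current)
            current = None

    if current is not None:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    for b in find_guessing_bursts(SAMPLE_LOG):
        print(
            f"{b['start']} to {b['end']}: {b['attempts']} failures "
            f"across logins {sorted(b['logins'])}"
        )
```
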
Login failed for user
Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithHi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
> > Hi all,
> >
> > I have these lines repeated many times, every 1 second, in the error log:
> >
> > Login failed for user 'user'
> > Login failed for user 'sa'
> > Login failed for user 'root'
> > Login failed for user 'admin'
> >
> > Is someone trying to hack my SQL server (version is 2000)?
> >
> Possibly
> >
> > How can I control and stop these logins?
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> > Thank you
> >
> > Sajith
> HTH
> John|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user name
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will the
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may not give you a true source. The number of clients on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx ?
John
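
Added example, not part of the original thread or any poster's code: one way to look for the "pattern" mentioned above is to group the failed-login lines from the error log into bursts and flag the ones that cycle through several login names. The log layout, sample lines and thresholds are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, in an assumed "timestamp source message" error-log
# layout; these lines are not taken from the poster's server.
SAMPLE_LOG = """\
2007-03-12 10:15:01.10 logon     Login failed for user 'user'.
2007-03-12 10:15:02.12 logon     Login failed for user 'sa'.
2007-03-12 10:15:03.09 logon     Login failed for user 'root'.
2007-03-12 10:15:04.11 logon     Login failed for user 'admin'.
2007-03-12 10:15:05.10 logon     Login failed for user 'user'.
2007-03-12 10:15:06.13 logon     Login failed for user 'sa'.
2007-03-12 10:40:00.00 spid51    Starting up database 'reports'.
2007-03-12 11:02:30.50 logon     Login failed for user 'appsvc'.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+\S+\s+"
                     r"Login failed for user '([^']*)'")

def parse_failures(text):
    """Return a (datetime, login) pair for every failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((when, m.group(2)))
    return events

def find_bursts(events, max_gap=timedelta(seconds=5), min_events=5, min_logins=3):
    """Chain failures that follow each other within max_gap and keep the
    chains that look scripted: many attempts cycling through several logins."""
    bursts, run = [], []
    for ev in sorted(events) + [None]:          # None flushes the last chain
        if ev and run and ev[0] - run[-1][0] <= max_gap:
            run.append(ev)
            continue
        logins = Counter(name for _, name in run)
        if len(run) >= min_events and len(logins) >= min_logins:
            bursts.append({"start": run[0][0], "end": run[-1][0],
                           "attempts": len(run), "logins": dict(logins)})
        run = [ev] if ev else []
    return bursts

if __name__ == "__main__":
    for b in find_bursts(parse_failures(SAMPLE_LOG)):
        print(b["start"], "to", b["end"], b["attempts"], "failures", b["logins"])
```

The report covers timing and login names only, because the log lines quoted in the thread carry no client address. The isolated 'appsvc' failure in the sample is deliberately not flagged.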