Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
Sajith
Answered in another newsgroup.
|||Sure looks like it...can you see the source IP in the Security Event logs?
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm
Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith
|||Is the server exposed to the WWW? If so, does it need to be? I would disable
the TCP/IP protocols and cut off the ports if you are not sharing the
server. Do you have SP2 (at least) installed? Consider that 80% of all
hacking comes from within the organization. Have you notified your security
department?
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
------
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith
|||This server is exposed to www. but it is very secured. sql server 2000 is
with sp4 and in Windows 2003 with latest patch.
I have already notified the security dept. Today they are activating sniffer
s/w for this. Thanks for your valuable advise...
"William (Bill) Vaughn" wrote:
> Is the server exposed to the WWW? If so, does it need to be? I would disable
> the TCP/IP protocols and cut off the ports if you are not sharing the
> server. Do you have SP2 (at least) installed? Consider that 80% of all
> hacking comes from within the organization. Have you notified your security
> department?
> --
> ____________________________________
> William (Bill) Vaughn
> Author, Mentor, Consultant
> Microsoft MVP
> INETA Speaker
> www.betav.com/blog/billva
> www.betav.com
> Please reply only to the newsgroup so that others can benefit.
> This posting is provided "AS IS" with no warranties, and confers no rights.
> __________________________________
> Visit www.hitchhikerguides.net to get more information on my latest book:
> Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
> and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
> ------
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>
|||Hi kevin,
it is not listed under the even log. today we are activating the sniffer
s/w, I will tell you the status soon. thanks for your valuable advise...
"Kevin3NF" wrote:
> Sure looks like it...can you see the source IP in the Security Event logs?
> --
> Kevin Hill
> 3NF Consulting
> http://www.3nf-inc.com/NewsGroups.htm
> Real-world stuff I run across with SQL Server:
> http://kevin3nf.blogspot.com
>
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>
Showing posts with label second. Show all posts
Showing posts with label second. Show all posts
Wednesday, March 21, 2012
Login failed for user
Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
Sajith
Hi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John
|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
> Possibly
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> HTH
> John
|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user name
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will the
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may be not give you a true source. The number of client on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx ?
John
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
Sajith
Hi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John
|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
> Possibly
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> HTH
> John
|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user name
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will the
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may be not give you a true source. The number of client on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx ?
John
Login Failed for user
Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithAnswered in another newsgroup.|||Sure looks like it...can you see the source IP in the Security Event logs?
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm
Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith|||Is the server exposed to the WWW? If so, does it need to be? I would disable
the TCP/IP protocols and cut off the ports if you are not sharing the
server. Do you have SP2 (at least) installed? Consider that 80% of all
hacking comes from within the organization. Have you notified your security
department?
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
----
---
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith|||This server is exposed to www. but it is very secured. sql server 2000 is
with sp4 and in Windows 2003 with latest patch.
I have already notified the security dept. Today they are activating sniffer
s/w for this. Thanks for your valuable advise...
"William (Bill) Vaughn" wrote:
> Is the server exposed to the WWW? If so, does it need to be? I would disab
le
> the TCP/IP protocols and cut off the ports if you are not sharing the
> server. Do you have SP2 (at least) installed? Consider that 80% of all
> hacking comes from within the organization. Have you notified your securit
y
> department?
> --
> ____________________________________
> William (Bill) Vaughn
> Author, Mentor, Consultant
> Microsoft MVP
> INETA Speaker
> www.betav.com/blog/billva
> www.betav.com
> Please reply only to the newsgroup so that others can benefit.
> This posting is provided "AS IS" with no warranties, and confers no rights
.
> __________________________________
> Visit www.hitchhikerguides.net to get more information on my latest book:
> Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
> and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
> ----
---
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>|||Hi kevin,
it is not listed under the even log. today we are activating the sniffer
s/w, I will tell you the status soon. thanks for your valuable advise...
"Kevin3NF" wrote:
> Sure looks like it...can you see the source IP in the Security Event logs?
> --
> Kevin Hill
> 3NF Consulting
> http://www.3nf-inc.com/NewsGroups.htm
> Real-world stuff I run across with SQL Server:
> http://kevin3nf.blogspot.com
>
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithAnswered in another newsgroup.|||Sure looks like it...can you see the source IP in the Security Event logs?
Kevin Hill
3NF Consulting
http://www.3nf-inc.com/NewsGroups.htm
Real-world stuff I run across with SQL Server:
http://kevin3nf.blogspot.com
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith|||Is the server exposed to the WWW? If so, does it need to be? I would disable
the TCP/IP protocols and cut off the ports if you are not sharing the
server. Do you have SP2 (at least) installed? Consider that 80% of all
hacking comes from within the organization. Have you notified your security
department?
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
INETA Speaker
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
----
---
"Sajith" <Sajith@.discussions.microsoft.com> wrote in message
news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
> How can I control and stop these logins?
> Thank you
> Sajith|||This server is exposed to www. but it is very secured. sql server 2000 is
with sp4 and in Windows 2003 with latest patch.
I have already notified the security dept. Today they are activating sniffer
s/w for this. Thanks for your valuable advise...
"William (Bill) Vaughn" wrote:
> Is the server exposed to the WWW? If so, does it need to be? I would disab
le
> the TCP/IP protocols and cut off the ports if you are not sharing the
> server. Do you have SP2 (at least) installed? Consider that 80% of all
> hacking comes from within the organization. Have you notified your securit
y
> department?
> --
> ____________________________________
> William (Bill) Vaughn
> Author, Mentor, Consultant
> Microsoft MVP
> INETA Speaker
> www.betav.com/blog/billva
> www.betav.com
> Please reply only to the newsgroup so that others can benefit.
> This posting is provided "AS IS" with no warranties, and confers no rights
.
> __________________________________
> Visit www.hitchhikerguides.net to get more information on my latest book:
> Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
> and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
> ----
---
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>|||Hi kevin,
it is not listed under the even log. today we are activating the sniffer
s/w, I will tell you the status soon. thanks for your valuable advise...
"Kevin3NF" wrote:
> Sure looks like it...can you see the source IP in the Security Event logs?
> --
> Kevin Hill
> 3NF Consulting
> http://www.3nf-inc.com/NewsGroups.htm
> Real-world stuff I run across with SQL Server:
> http://kevin3nf.blogspot.com
>
> "Sajith" <Sajith@.discussions.microsoft.com> wrote in message
> news:122146B0-305E-4E0F-90F1-99B67A9FDE61@.microsoft.com...
>
>
Login failed for user
Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithHi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/...&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/...&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
>
> Possibly
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/...&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/...&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the lates
t
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> HTH
> John|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user na
me
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will th
e
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress
of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may be not give you a true source. The number of client on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/m...ve/default.mspx ?
Johnsql
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithHi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/...&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/...&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
>
> Possibly
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/...&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/...&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the lates
t
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> HTH
> John|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user na
me
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will th
e
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress
of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may be not give you a true source. The number of client on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/m...ve/default.mspx ?
Johnsql
Login failed for user
Hi all,
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithHi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
> > Hi all,
> >
> > I have these lines repeated many times, every 1 second, in the error log:
> >
> > Login failed for user 'user'
> > Login failed for user 'sa'
> > Login failed for user 'root'
> > Login failed for user 'admin'
> >
> > Is someone trying to hack my SQL server (version is 2000)?
> >
> Possibly
> >
> > How can I control and stop these logins?
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> > Thank you
> >
> > Sajith
> HTH
> John|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user name
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will the
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may be not give you a true source. The number of client on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx ?
John
I have these lines repeated many times, every 1 second, in the error log:
Login failed for user 'user'
Login failed for user 'sa'
Login failed for user 'root'
Login failed for user 'admin'
Is someone trying to hack my SQL server (version is 2000)?
How can I control and stop these logins?
Thank you
SajithHi Sajith
"Sajith" wrote:
> Hi all,
> I have these lines repeated many times, every 1 second, in the error log:
> Login failed for user 'user'
> Login failed for user 'sa'
> Login failed for user 'root'
> Login failed for user 'admin'
> Is someone trying to hack my SQL server (version is 2000)?
>
Possibly
> How can I control and stop these logins?
Use SQL profiler to see if there is some pattern or identify the source.
You should close off the ports especially externally facing ones, but this
may be from an internal machine that has malware running. Try running Best
Pratices Analyser
http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
or for SQL 2005
http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
If you don't need SQL Authentication switch it off.
Make sure SQL Server is service packed/hotfixed so that you have the latest
security patches or beyond.
Make sure that all your systems run the latest patches for the OS and
antivirus software.
> Thank you
> Sajith
HTH
John|||Hi
Thanks much for the quick reply...
Already tried the sql profiler which is not helping much (blank NT user name
and Login Name. Only host name comes in the profiler. We tried to ping and
realised it is not exists)
We dont have external connection. Only internal. If it is malware, will the
below tool help to detect?.
Our server is with latest service pack (sp4) for sql 2000 and updated
antivirus software.
Is there any way to detect this malware(if it is) or to get the ipaddress of
the source...(some people suggested sniffer, Is this a good method)
Please advise
many thanks
sajith
Regards
Sajith
"John Bell" wrote:
> Hi Sajith
> "Sajith" wrote:
> > Hi all,
> >
> > I have these lines repeated many times, every 1 second, in the error log:
> >
> > Login failed for user 'user'
> > Login failed for user 'sa'
> > Login failed for user 'root'
> > Login failed for user 'admin'
> >
> > Is someone trying to hack my SQL server (version is 2000)?
> >
> Possibly
> >
> > How can I control and stop these logins?
> Use SQL profiler to see if there is some pattern or identify the source.
> You should close off the ports especially externally facing ones, but this
> may be from an internal machine that has malware running. Try running Best
> Pratices Analyser
> http://www.microsoft.com/downloads/details.aspx?FamilyId=B352EB1F-D3CA-44EE-893E-9E07339C1F22&displaylang=en
> or for SQL 2005
> http://www.microsoft.com/downloads/details.aspx?FamilyId=DA0531E4-E94C-4991-82FA-F0E3FBD05E63&displaylang=en the implement what it suggests.
> If you don't need SQL Authentication switch it off.
> Make sure SQL Server is service packed/hotfixed so that you have the latest
> security patches or beyond.
> Make sure that all your systems run the latest patches for the OS and
> antivirus software.
>
> > Thank you
> >
> > Sajith
> HTH
> John|||Hi
"Sajith" wrote:
> Hi
> Thanks much for the quick reply...
> Already tried the sql profiler which is not helping much (blank NT user name
> and Login Name. Only host name comes in the profiler. We tried to ping and
> realised it is not exists)
> We dont have external connection. Only internal. If it is malware, will the
> below tool help to detect?.
> Our server is with latest service pack (sp4) for sql 2000 and updated
> antivirus software.
> Is there any way to detect this malware(if it is) or to get the ipaddress of
> the source...(some people suggested sniffer, Is this a good method)
> Please advise
> many thanks
> sajith
> Regards
> Sajith
>
You don't know how far this has gone to disguise itself so even looking at
network packets may be not give you a true source. The number of client on
the network will determine how difficult this may be to track down,
especially if they all are up to date with AV software. Do you have the
Malicious Software Removal Tool
http://www.microsoft.com/security/malwareremove/default.mspx ?
John
Wednesday, March 7, 2012
Logical connections very different from user connections
Hi,
We are administering a 64 bit sql 2005 instance that averages 400
transactions per second or so during business hours. The server is
performing quite well, but recently we've been seeing some performance
tick data that I don't understand.
In the SQLServer:General Statistics category, the server reports 270
logical connections. However, the User Connections perf ticks returns
491 connections. I am at a loss to explain the difference between the
two values. We consider 270 client connections to be an acceptable
number, but 491 is significantly higher than we would like to see.
I've searched for documentation explaining the difference between the
two perf ticks, but I haven't had any luck. I'm looking for a) some
information on what the difference between the two ticks is, and b)
some information that will help me determine if the discrepancy is
important.
Any advice or pointers as to where I could look next would be greatly
appreciated.
Sean Reilly
Software Architect
Point2 Technologies, Inc
(306) 955-1855Doesn't SQL Server group user connections based on certain conditions?
This would explain the difference.
Jim.
"Sean Reilly" wrote:
> Hi,
> We are administering a 64 bit sql 2005 instance that averages 400
> transactions per second or so during business hours. The server is
> performing quite well, but recently we've been seeing some performance
> tick data that I don't understand.
> In the SQLServer:General Statistics category, the server reports 270
> logical connections. However, the User Connections perf ticks returns
> 491 connections. I am at a loss to explain the difference between the
> two values. We consider 270 client connections to be an acceptable
> number, but 491 is significantly higher than we would like to see.
> I've searched for documentation explaining the difference between the
> two perf ticks, but I haven't had any luck. I'm looking for a) some
> information on what the difference between the two ticks is, and b)
> some information that will help me determine if the discrepancy is
> important.
> Any advice or pointers as to where I could look next would be greatly
> appreciated.
> Sean Reilly
> Software Architect
> Point2 Technologies, Inc
> (306) 955-1855
>|||Jim,
I hope that something like this does explain what I'm seeing. Do you
have any ideas as to what those conditions might be?
Thanks,
Sean|||From BOL:
"Connections can be shared among users. Users running OLE DB applications
need a connection for each open connection object, users running Open
Database Connectivity (ODBC) applications need a connection for each active
connection handle in the application, and users running DB-Library
applications need one connection for each process started that calls the
DB-Library dbopen function."
I'm not sure you have a lot of control over these features, but it would be
worth investigation "Connections" in any MS publications.
"Sean Reilly" wrote:
> Jim,
> I hope that something like this does explain what I'm seeing. Do you
> have any ideas as to what those conditions might be?
> Thanks,
> Sean
>|||Jim,
I'm pretty sure that the BOL entry you quoted refers to the client end
of the connection. I believe that Ole DB, ODBC and DB-Library
connections are all the same kind of connection from the server's
perspective.
A further data point for anyone who may be interested: when I use the
activity montior in SSMS, the number of connections reported matches
the smaller perf tick value (logical connections).
We are administering a 64 bit sql 2005 instance that averages 400
transactions per second or so during business hours. The server is
performing quite well, but recently we've been seeing some performance
tick data that I don't understand.
In the SQLServer:General Statistics category, the server reports 270
logical connections. However, the User Connections perf ticks returns
491 connections. I am at a loss to explain the difference between the
two values. We consider 270 client connections to be an acceptable
number, but 491 is significantly higher than we would like to see.
I've searched for documentation explaining the difference between the
two perf ticks, but I haven't had any luck. I'm looking for a) some
information on what the difference between the two ticks is, and b)
some information that will help me determine if the discrepancy is
important.
Any advice or pointers as to where I could look next would be greatly
appreciated.
Sean Reilly
Software Architect
Point2 Technologies, Inc
(306) 955-1855Doesn't SQL Server group user connections based on certain conditions?
This would explain the difference.
Jim.
"Sean Reilly" wrote:
> Hi,
> We are administering a 64 bit sql 2005 instance that averages 400
> transactions per second or so during business hours. The server is
> performing quite well, but recently we've been seeing some performance
> tick data that I don't understand.
> In the SQLServer:General Statistics category, the server reports 270
> logical connections. However, the User Connections perf ticks returns
> 491 connections. I am at a loss to explain the difference between the
> two values. We consider 270 client connections to be an acceptable
> number, but 491 is significantly higher than we would like to see.
> I've searched for documentation explaining the difference between the
> two perf ticks, but I haven't had any luck. I'm looking for a) some
> information on what the difference between the two ticks is, and b)
> some information that will help me determine if the discrepancy is
> important.
> Any advice or pointers as to where I could look next would be greatly
> appreciated.
> Sean Reilly
> Software Architect
> Point2 Technologies, Inc
> (306) 955-1855
>|||Jim,
I hope that something like this does explain what I'm seeing. Do you
have any ideas as to what those conditions might be?
Thanks,
Sean|||From BOL:
"Connections can be shared among users. Users running OLE DB applications
need a connection for each open connection object, users running Open
Database Connectivity (ODBC) applications need a connection for each active
connection handle in the application, and users running DB-Library
applications need one connection for each process started that calls the
DB-Library dbopen function."
I'm not sure you have a lot of control over these features, but it would be
worth investigation "Connections" in any MS publications.
"Sean Reilly" wrote:
> Jim,
> I hope that something like this does explain what I'm seeing. Do you
> have any ideas as to what those conditions might be?
> Thanks,
> Sean
>|||Jim,
I'm pretty sure that the BOL entry you quoted refers to the client end
of the connection. I believe that Ole DB, ODBC and DB-Library
connections are all the same kind of connection from the server's
perspective.
A further data point for anyone who may be interested: when I use the
activity montior in SSMS, the number of connections reported matches
the smaller perf tick value (logical connections).
Logical connections very different from user connections
Hi,
We are administering a 64 bit sql 2005 instance that averages 400
transactions per second or so during business hours. The server is
performing quite well, but recently we've been seeing some performance
tick data that I don't understand.
In the SQLServer:General Statistics category, the server reports 270
logical connections. However, the User Connections perf ticks returns
491 connections. I am at a loss to explain the difference between the
two values. We consider 270 client connections to be an acceptable
number, but 491 is significantly higher than we would like to see.
I've searched for documentation explaining the difference between the
two perf ticks, but I haven't had any luck. I'm looking for a) some
information on what the difference between the two ticks is, and b)
some information that will help me determine if the discrepancy is
important.
Any advice or pointers as to where I could look next would be greatly
appreciated.
Sean Reilly
Software Architect
Point2 Technologies, Inc
(306) 955-1855Doesn't SQL Server group user connections based on certain conditions?
This would explain the difference.
Jim.
"Sean Reilly" wrote:
> Hi,
> We are administering a 64 bit sql 2005 instance that averages 400
> transactions per second or so during business hours. The server is
> performing quite well, but recently we've been seeing some performance
> tick data that I don't understand.
> In the SQLServer:General Statistics category, the server reports 270
> logical connections. However, the User Connections perf ticks returns
> 491 connections. I am at a loss to explain the difference between the
> two values. We consider 270 client connections to be an acceptable
> number, but 491 is significantly higher than we would like to see.
> I've searched for documentation explaining the difference between the
> two perf ticks, but I haven't had any luck. I'm looking for a) some
> information on what the difference between the two ticks is, and b)
> some information that will help me determine if the discrepancy is
> important.
> Any advice or pointers as to where I could look next would be greatly
> appreciated.
> Sean Reilly
> Software Architect
> Point2 Technologies, Inc
> (306) 955-1855
>|||Jim,
I hope that something like this does explain what I'm seeing. Do you
have any ideas as to what those conditions might be?
Thanks,
Sean|||From BOL:
"Connections can be shared among users. Users running OLE DB applications
need a connection for each open connection object, users running Open
Database Connectivity (ODBC) applications need a connection for each active
connection handle in the application, and users running DB-Library
applications need one connection for each process started that calls the
DB-Library dbopen function."
I'm not sure you have a lot of control over these features, but it would be
worth investigation "Connections" in any MS publications.
"Sean Reilly" wrote:
> Jim,
> I hope that something like this does explain what I'm seeing. Do you
> have any ideas as to what those conditions might be?
> Thanks,
> Sean
>|||Jim,
I'm pretty sure that the BOL entry you quoted refers to the client end
of the connection. I believe that Ole DB, ODBC and DB-Library
connections are all the same kind of connection from the server's
perspective.
A further data point for anyone who may be interested: when I use the
activity montior in SSMS, the number of connections reported matches
the smaller perf tick value (logical connections).
We are administering a 64 bit sql 2005 instance that averages 400
transactions per second or so during business hours. The server is
performing quite well, but recently we've been seeing some performance
tick data that I don't understand.
In the SQLServer:General Statistics category, the server reports 270
logical connections. However, the User Connections perf ticks returns
491 connections. I am at a loss to explain the difference between the
two values. We consider 270 client connections to be an acceptable
number, but 491 is significantly higher than we would like to see.
I've searched for documentation explaining the difference between the
two perf ticks, but I haven't had any luck. I'm looking for a) some
information on what the difference between the two ticks is, and b)
some information that will help me determine if the discrepancy is
important.
Any advice or pointers as to where I could look next would be greatly
appreciated.
Sean Reilly
Software Architect
Point2 Technologies, Inc
(306) 955-1855Doesn't SQL Server group user connections based on certain conditions?
This would explain the difference.
Jim.
"Sean Reilly" wrote:
> Hi,
> We are administering a 64 bit sql 2005 instance that averages 400
> transactions per second or so during business hours. The server is
> performing quite well, but recently we've been seeing some performance
> tick data that I don't understand.
> In the SQLServer:General Statistics category, the server reports 270
> logical connections. However, the User Connections perf ticks returns
> 491 connections. I am at a loss to explain the difference between the
> two values. We consider 270 client connections to be an acceptable
> number, but 491 is significantly higher than we would like to see.
> I've searched for documentation explaining the difference between the
> two perf ticks, but I haven't had any luck. I'm looking for a) some
> information on what the difference between the two ticks is, and b)
> some information that will help me determine if the discrepancy is
> important.
> Any advice or pointers as to where I could look next would be greatly
> appreciated.
> Sean Reilly
> Software Architect
> Point2 Technologies, Inc
> (306) 955-1855
>|||Jim,
I hope that something like this does explain what I'm seeing. Do you
have any ideas as to what those conditions might be?
Thanks,
Sean|||From BOL:
"Connections can be shared among users. Users running OLE DB applications
need a connection for each open connection object, users running Open
Database Connectivity (ODBC) applications need a connection for each active
connection handle in the application, and users running DB-Library
applications need one connection for each process started that calls the
DB-Library dbopen function."
I'm not sure you have a lot of control over these features, but it would be
worth investigation "Connections" in any MS publications.
"Sean Reilly" wrote:
> Jim,
> I hope that something like this does explain what I'm seeing. Do you
> have any ideas as to what those conditions might be?
> Thanks,
> Sean
>|||Jim,
I'm pretty sure that the BOL entry you quoted refers to the client end
of the connection. I believe that Ole DB, ODBC and DB-Library
connections are all the same kind of connection from the server's
perspective.
A further data point for anyone who may be interested: when I use the
activity montior in SSMS, the number of connections reported matches
the smaller perf tick value (logical connections).
Friday, February 24, 2012
Logging to second disk -- what happens when it crashes?
Currently we have SQL Server running on a single RAID5 array.
The data and the logs are all written to this array. We don't
have huge volume of activity, but it is growing. Most activity
is from our website that interacts a lot with the database.
The data and the logs are all written to this array. We don't
have huge volume of activity, but it is growing. Most activity
is from our website that interacts a lot with the database.
We have read that it is a good idea to separate the data files
from the log files, having each on separate disks (or in the
case of RAID, separate arrays). So, we are considering adding
a separate SCSI hard drive, or maybe a RAID 1 system, and have
sql server log to that instead.
My question is, what happens if that secondary drive or array
completely fails. Let's say it melts. Assuming the OS doesn't
crash (Windows 2003 Server), what will SQL Server 2000 do when
the drive stops working and it is trying to write its data
logging to it? Will it continue to function and write alert
events? Will it shutdown? If it shuts down, how do we alter its
configuration to tell it to use another drive for the logs?
Also, what kind of throughput would we need to be doing to see
any kind of benefit to making this change? It is easier to
justify the expense of another disk or RAID setup if it is
actually going to matter. ;-)
Thanks all!
Thomas"Thomas" <thomas-ggl-02@.data.iatn.net> wrote in message
news:a9081691.0406021521.54c0f399@.posting.google.c om...
> Currently we have SQL Server running on a single RAID5 array.
> The data and the logs are all written to this array. We don't
> have huge volume of activity, but it is growing. Most activity
> is from our website that interacts a lot with the database.
> We have read that it is a good idea to separate the data files
> from the log files, having each on separate disks (or in the
> case of RAID, separate arrays). So, we are considering adding
> a separate SCSI hard drive, or maybe a RAID 1 system, and have
> sql server log to that instead.
RAID 1 at the least. Don't use a single drive in this case.
> My question is, what happens if that secondary drive or array
> completely fails. Let's say it melts. Assuming the OS doesn't
> crash (Windows 2003 Server), what will SQL Server 2000 do when
> the drive stops working and it is trying to write its data
> logging to it? Will it continue to function and write alert
> events? Will it shutdown? If it shuts down, how do we alter its
> configuration to tell it to use another drive for the logs?
It will stop running. It can't write anything. Just the same as if you
lost your data drive.
At that point you pull out your disaster recovery plan and go from here.
We've had a few cases where either the log or data disks went off-line and
it was just a matter of bringing them back online through the RAID
controller interface. SQL 2000 picked up where it left off.
> Also, what kind of throughput would we need to be doing to see
> any kind of benefit to making this change? It is easier to
> justify the expense of another disk or RAID setup if it is
> actually going to matter. ;-)
> Thanks all!
> Thomas|||"Greg D. Moore \(Strider\)" <mooregr_deleteth1s@.greenms.com> wrote in message news:<kStvc.34031$j24.13232@.twister.nyroc.rr.com>...
> "Thomas" <thomas-ggl-02@.data.iatn.net> wrote in message
> news:a9081691.0406021521.54c0f399@.posting.google.c om...
> > My question is, what happens if that secondary drive or array
> > completely fails. Let's say it melts. Assuming the OS doesn't
> > crash (Windows 2003 Server), what will SQL Server 2000 do when
> > the drive stops working and it is trying to write its data
> > logging to it? Will it continue to function and write alert
> > events? Will it shutdown? If it shuts down, how do we alter its
> > configuration to tell it to use another drive for the logs?
> It will stop running. It can't write anything. Just the same as if you
> lost your data drive.
> At that point you pull out your disaster recovery plan and go from here.
> We've had a few cases where either the log or data disks went off-line and
> it was just a matter of bringing them back online through the RAID
> controller interface. SQL 2000 picked up where it left off.
Let's imagine that this new RAID 1 for the logging goes down hard,
controller malfunction or what have you, and it will take a few days
to be repaired. In the meantime our data drive is working fine, and
we want to move the logging back to that array. You mentioned that
SQL Server would "stop running." If it isn't running, how would we
be able to update its configuration to change the location of the
logfiles?
Thanks for your feedback and advice!
Regards,
Thomas|||"Thomas" <thomas-ggl-01@.data.iatn.net> wrote in message
news:4f2cac50.0406030702.4308cd27@.posting.google.c om...
> "Greg D. Moore \(Strider\)" <mooregr_deleteth1s@.greenms.com> wrote in
message news:<kStvc.34031$j24.13232@.twister.nyroc.rr.com>...
> > "Thomas" <thomas-ggl-02@.data.iatn.net> wrote in message
> > news:a9081691.0406021521.54c0f399@.posting.google.c om...
> > > My question is, what happens if that secondary drive or array
> > > completely fails. Let's say it melts. Assuming the OS doesn't
> > > crash (Windows 2003 Server), what will SQL Server 2000 do when
> > > the drive stops working and it is trying to write its data
> > > logging to it? Will it continue to function and write alert
> > > events? Will it shutdown? If it shuts down, how do we alter its
> > > configuration to tell it to use another drive for the logs?
> > It will stop running. It can't write anything. Just the same as if you
> > lost your data drive.
> > At that point you pull out your disaster recovery plan and go from here.
> > We've had a few cases where either the log or data disks went off-line
and
> > it was just a matter of bringing them back online through the RAID
> > controller interface. SQL 2000 picked up where it left off.
> Let's imagine that this new RAID 1 for the logging goes down hard,
> controller malfunction or what have you, and it will take a few days
> to be repaired. In the meantime our data drive is working fine, and
> we want to move the logging back to that array. You mentioned that
> SQL Server would "stop running." If it isn't running, how would we
> be able to update its configuration to change the location of the
> logfiles?
Well, first of all, if you lose your log device, you have to do a restore
from backup in any case. At that point simply restore the backup to a
different device using the MOVE option.
Now, if your master DB and other system DBs are on the failed device, you
need to startup SQL server manually and specify on the command line where
they are.
MS has multiple KB articles on this.
Turn the question around... what happens if the RAID device with your DATA
fails? (ironically in some ways this can be EASIER to recover from assuming
you have good backups.)
> Thanks for your feedback and advice!
> Regards,
> Thomas
Subscribe to:
Posts (Atom)